Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Firefox Bug IT Technology

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Posted by msmash from the everything-is-broken dept.
Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
This discussion has been archived. No new comments can be posted.

A Glitch Is Breaking All Firefox Extensions More

A Glitch Is Breaking All Firefox Extensions

Comments Filter:

  • Workaround? (Score:5, Informative)

    by Anonymous Coward on Saturday May 04, 2019 @01:10AM (#58536724)

    Go to about:config and set xpinstall.signatures.required to false

    • Mod you up +9999, and thank you so much!

    • Re:Workaround? (Score:5, Informative)

      by fahrbot-bot ( 874524 ) on Saturday May 04, 2019 @02:54AM (#58536912)

      Go to about:config and set xpinstall.signatures.required to false

      The documentation [mozilla.org] says this only works for ESR, developer and nightly versions.

      user_pref("xpinstall.signatures.required", false);
      user_pref("extensions.langpacks.signatures.required", false);

      • The parent is correct. This feature is disabled on release versions. So it will not work for most people.

        • Setting xpinstall.signatures.required to false has worked on my FF v62.0.3
          I haven't tried adding more extensions yet -- some comments are saying that it won't work -- but at least I get my browsing back.

          This is ridiculous that my browser depends on some online certificate. What if I take my computer offline camping/on the airplane while I use my browser to look at some local file? (E.g. I generate my own photo thumbnail index as a HTML file that I view in Firefox.) Whenever there is a feature that relies

      • That's what it says, but I and many other people here didn't have any trouble with it... I'm scanning through the comments here and everyone seems to be using Linux, myself included, and my about page says specifically "Mozilla Firefox for Ubuntu." I honestly don't know who compiled this, or what version they used for it. Maybe things are different for the Windows version.

    • KILL the certificate authority ! (Score:5, Interesting)

      by johnjones ( 14274 ) on Saturday May 04, 2019 @03:34AM (#58536984) Homepage Journal

      honestly this is a major problem.

      shouldn't the network/domain be the issuing authority rather than some random collection of promise not to do the wrong thing companies....

      • Re:KILL the certificate authority ! (Score:4, Interesting)

        by Anonymous Coward on Saturday May 04, 2019 @10:25AM (#58537742)

        Mozilla has been doing much wrong for some time.

        open up a log of DNS and be amazed at all the SHIT that firefox is constantly querying:

        mozilla.cloudflare-dns.com
        location.services.mozilla.com

        *.services.mozilla.com
        *.services.mozilla.org
        *.services.mozilla.net

        *.addons.mozilla.com
        *.addons.mozilla.org
        *.addons.mozilla.net

        *.mozaws.com
        *.mozaws.org
        *.mozaws.net

        *r53*.mozilla.org
        *r53*.mozilla.com
        *r53*.mozilla.net

        *aus*.mozilla.com
        *aus*.mozilla.org
        *aus*.mozilla.net

        *balrog*.mozilla.com
        *balrog*.mozilla.org
        *balrog*.mozilla.net

        detectportal.firefox.com
        detectportal.firefox.net
        detectportal.firefox.org

      • This really speaks to the fundamental flaw in all modern security authorities: trust has to begin somewhere, and trust inherently means that you're opening up yourself to harm and you're hoping the trusted party does not hurt you. You have no reason to actually trust these trusted certification authorities other than the unfortunate problem of where the trust starts. The value of trusted root CAs is that it reduces the number of entities you have to blindly trust, and greatly increases the danger to those e

    • Re: (Score:2)

      by MrL0G1C ( 867445 )

      Better workaround, install a browser which respects its users wishes and privacy.

      Waterfox: lots of legacy extensions: all working no problem, no work-around required.

      • I had one machine still on Firefox 57. This triggered my forced migration to Waterfox on that last machine. I'm done.

  • Nothing on their website (Score:5, Interesting)

    by Anonymous Coward on Saturday May 04, 2019 @01:23AM (#58536756)

    The sad part is there's no mention of this on mozilla.org or firefox.com. Users are left completely in the dark.

  • Disable signature checking (Score:3, Interesting)

    by rayko ( 1287486 ) on Saturday May 04, 2019 @01:34AM (#58536778)
    Type about:config in the address bar, change this setting to false. xpinstall.signatures.required false

  • TechCrunch is wrong; patch not needed (Score:5, Informative)

    by el_chicano ( 36361 ) on Saturday May 04, 2019 @01:38AM (#58536786) Homepage Journal
    The issue is due to an expired cert, once the cert gets renewed add-ons will start working normally again.

    A workaround is setting xpinstall.signatures.required to False in about:config.

    It works in FF 66.0.2 on Fedora Linux, YMMV...

    • And if you forget to reverse it... (Score:5, Insightful)

      by StandardCell ( 589682 ) on Saturday May 04, 2019 @02:26AM (#58536864)
      ...it's entirely possible to get an unauthorized extension installed. A much better and safer method, if much less convenient, is to enable them temporarily using about:debugging, then clicking on the xpi in the profile folder for each desired extension, and not closing the browser.

      Let's face it - this is a true epic fail if there ever was one. Whoever was responsible for renewing certs should be terminated. There is ZERO excuse for this. On a Friday fucking night yet.

      Just watch for all the malware infections coming, not to mention users defecting to other browsers.

      Shame on you, Mozilla. The public needs an alternative browser more than ever and you monkey-wrenched yourselves hard.

      • Re: (Score:2)

        by evanh ( 627108 )

        Can't install or update anything with that set to false. It just allows existing plugins to continue to operate.

        I'm surprised that a live server is needed to maintain all these plugins all the time. Way overboard, imho.

      • not to mention users defecting to other browsers.

        A little late for that. I'm apparently one of the rare holdouts mostly because I don't like to see Chrome take over the world.

        This is just sad, though. A thousand people employed at Mozilla and they still manage to screw up their most important product this badly, because of an entirely preventable mistake. Mozilla just keeps shooting themselves in the foot with incompetence and bad decisions. No matter how noble their aims appear to be regarding an open web, it means absolutely nothing if they complete

      • Re: (Score:2, Insightful)

        by bill_mcgonigle ( 4333 ) *

        Hey, they had SJW matters to attend to.

        "Renewing the certs" isn't required by any Code of Conduct.

      • "A much better and safer method" (Score:5, Interesting)

        by Shane_Optima ( 4414539 ) on Saturday May 04, 2019 @09:24AM (#58537594) Journal
        Eh, a much better method is to install Waterfox. Seriously, how much crap do we need to take from Mozilla out of loyalty? It wasn't this glitch that was quite so bad as the fact that the about:config workaround didn't work for a lot of people because Mozilla is beginning to intentionally lock down large parts of about:config. Which defeats the entire point of Firefox. If you don't want to use Firefox for the customability, why the hell do you want it? Seriously now. For years and years now, Mozilla has been hellbent on turning Firefox into a shitty Chrome clone and I just do not understand it.

        As far as I can tell, Waterfox [wikipedia.org] is very very similar to the latest Firefox but it doesn't have Pocket, doesn't have a locked down about:config, doesn't phone home user data, supports legacy extensions (which you can get by installing this extension [github.com], since Mozilla is no longer hosting the older extensions any more), allows the user to install unsigned extensions, and supports newer extensions very well (unlike the Pale Moon browser, which is interesting and ambitious but it has very spotty extension compatibility).

        I've been a user for just a few hours now and so far the UX is identical except for the above mentioned improvements.

      • Whoever was responsible for renewing certs should be terminated.

        Sure kill the messenger without resolving the systemic cause of the problem that allowed a person to not renew something in the first place. Are you by any chance the VW CEO hiding behind that StandardCell pseudonym?

  • I was working on a Firefox on a fairly new install of Tumbleweed (2-3 weeks old + patches) that I have yet to go about loading any extensions on. The warning page came up to tell me that the following "legacy" extensions were no longer working. The list of extensions was empty, though, and the next block of text on the page informed me that I had no extensions. Very weird that it would even bother to pop this up when no extensions are present.

    • Re: (Score:2)

      by qubezz ( 520511 )
      There are other hidden extensions that are part of the included "features" in Firefox.

  • Improper Signature Verification ... (Score:5, Informative)

    by Anonymous Coward on Saturday May 04, 2019 @02:20AM (#58536844)

    Now if only they had someone who knew how to validate a digital signature properly.

    Or to equate to meatspace:

    Just because the pen you used to sign a document last week ran out of ink this morning, does not mean that the signatures you made last week with that pen are no longer valid.

    If the signature was valid at the time it was made, then the subsequent expiry of the signing certificate nor any of its intermediates (nor of the trusted root) invalidates that signature.

    Obviously they are just incompetent.

  • I just realized that I was browsing without a mouse for years due to hjkl navigation. Now that it is gone , at least mozilla's bug tracker supports HJKL navigation of its own. Can slashdot do this too ?

  • The right to extend (Score:3)

    by xack ( 5304745 ) on Saturday May 04, 2019 @04:19AM (#58537074)
    All these walled garden techniques are causing problems. Open browser open extensions it’s not that hard.

  • That's it. Waterfox, here I come! (Score:4, Informative)

    by Shane_Optima ( 4414539 ) on Saturday May 04, 2019 @06:38AM (#58537238) Journal
    It's not the fact that they had this glitch that makes me walk away--shit happens, no it's not because they're supposedly letting SJW agendas distract from their coding (jeez, really? I mean I'm all for arguing politics but this is just asinine)--it's that, apparently you can't utilize the about:config workaround on the regular Windows version because you're no longer allowed to mess with those settings. And screw that. The whole POINT of about:config was that it's the ability to peek under the hood. It's one of the reasons why I always preferred Firefox over Chrome. And I mean if I wanted locked down Fischer Price crap, I'd use whatever the default browser is for my device. Jesus. What the hell is even is Firefox's target demographic any more?

    Firefox' Chrome copycatting was annoying (I don't want minimalist and 'very slightly faster', I want power and configurability), Pocket was dumb but fine they gotta make money somehow, the loss of legacy extensions (plus the lack of UI customization that came along with with the abandonment of XUL) was *really* annoying and caused me to jump ship to Pale Moon for a while--a neat and ambitious Firefox fork run by some competent and overworked folks--but it became harder and harder to get the extensions I wanted working properly and my enthusiasm for putting in so much elbow grease getting my browser working properly. (Plus, they're undermanned over the so for a while they had a hard time keeping some of the rendering backend up to date.) Reluctantly, Back to Firefox I went.

    But this is intolerable. Perfect emblem of the direction FF is headed. Yes yes, I understand that this lockdown was probably to make their browser slightly safer in the hands of clueless people who might gleefully install random third party extensions or follow instructions listed on seedy websites... but about:config was there for a reason, damnit! If I was a moron I wouldn't be trying to use Firefox to begin with. I don't want a moron-proof browser.

    Fortunately, someone in the comments reminded me that there is Waterfox [wikipedia.org], a less ambitious (compared to Pale Moon) power-user fork of Firefox that appears to have drop-in extension compatibility as well as legacy extension support--the best of both worlds.

    On my Windows boxen installing Waterfox was as simple as "sudo choco install waterfox". (If you don't know what Chocolately is and you have Windows boxen that you manage, GET IT. You won't regret it It's a fantastic apt-style installer and updater that ostensibly works by downloading the official graphical software installers and executing them and clicking through them a totally hidden fashion. It can be directly installed from the command line [chocolatey.org] in Windows. First thing I always do is enable allowGlobalConfirmation [stackoverflow.com] so I don't have to manually agree for every package that installs or updates, then I install sudo so that I don't have to manually run admin shells--it still graphically prompts you for the escalation every time you use it, so I don't believe it's particularly insecure. I run "sudo choco update all" once a week and it's totally automated and unobtrusive. It's not just OSS; there's a fair bit of lot of closed sourced freeware included as well.) You might complain it's a potential attack vector, but the company appears reputable enough and I don't run Windows as a host on any machines that I use for personal banking (I use it on a dedicated gaming box, VMs, and relatives' computers--which I view as being better off with chocolatey since I can better ensure that software is being kept up to date.)

    For my Debian boxes there are PPAs available, though I'm hoping a maintainer will set up and get it included in the main repos. It's time to move on, it really is.

    It's funny how browsers seem to degrade over time. When I was

  • https://dilbert.com/strip/1995-11-14

  • and now add ons don't work and I am buried in ad crap! Thanks Mozilla! Your just the least crappy browser!

    Just my 2 cents ;)

  • A proper fix (Score:5, Informative)

    by Artem S. Tashkinov ( 764309 ) on Saturday May 04, 2019 @08:48AM (#58537516) Homepage

    Changing an about:config entry is not required and it's probably unsafe since now your Firefox might be exposed to malicious (locally installed) add-ons.

    Here's a proper fix [mozilla.org] straight from the hourse's mouth:

    We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you donâ(TM)t need to take active steps.

    In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

    You can disable studies again after your add-ons have been re-enabled.

    We are working on a general fix that doesnâ(TM)t need to rely on this and will keep you updated.

    • Re: (Score:2)

      by GbrDead ( 702506 )

      This doesn't work for Debian's build.

    • Re:A proper fix (Score:4, Insightful)

      by Luckyo ( 1726890 ) on Saturday May 04, 2019 @12:03PM (#58538044)

      Imagine being the disgusting spin doctor actually mouthing the words "macious (locally installed) add-ons". And actually getting upvoted on slashdot.

      "Remember folks, we have to protect you from yourselves. You slashdotters have no clue what you're installing on your browsers, so we must stop you from installing anything we don't expressly approve of".

      You should be ashamed of yourself.

      • I've dealt with dozens of PCs where people had malicious add-ons installed in their Firefox profiles by malware. That's the only thing I was warning against. Also, you can perfectly run unsigned add-ons using alpha or self-compiled Firefox releases.

        Cheers!

    • "The six-hour wait can be dropped to seconds if you temporarily change the value of “app.normandy.run_interval_seconds” in about:config, restart, and then change it back to 21600 (six hours) after things are working." I just read that, and I changed the value to "60", restarted, and in short order I was back up and running again, with my extensions working. Thanks goes to David, over there: https://blog.mozilla.org/addon... [mozilla.org]

  • "New Tab Homepage" is the Only add-on that didn't get Borked.
    It's a serious glitch when their featured add-ons are all blocked from running, and you can't download any of the "replacement" suggestions, either.

    Something tells me that it may cost them a very easily measurable percentage of the Browser market, if it's not fix tut suite.

  • It's called "Mozilla." Their overall goal for the last several years has been to lose to Chrome as much as possible. Sadly some of us are still using Firefox; I've switched to Waterfox on Windows but still use Firefox on my Android; and Mozilla needs to think of even more obnoxious ways to get rid of its users.
  • Mozilla broke Scrapbook, arguably the most useful and important internet research tool ever made.

  • Thanks and good bye FF (Score:3)

    by Saija ( 1114681 ) on Saturday May 04, 2019 @12:59PM (#58538220) Journal
    I've been a loyal user of FireFox for a long, long time, but this is the last nail in the coffin of user trust, this along its SJW agenda makes me search for new alternatives which not involves Chrome, for now I'm going to use WaterFox

    • I have been using Firefox since it was Phoenix. And over the years there have been several times that I have looked at alternatives because Mozilla was being an ass. In each case I was able to modify my configurations to reduce the effect of their abject stupidity. The latest being stopping the the upgrade nagging from their abusive upgrade cycles. Really, I have better things to do with my time than constantly updating software. This isn't the 90s, we all have multiple computing devices now.

      This time

  • About: config didn't work, nor did turning "studies" on, nor did updating firefox to current version, but installing WATERFOX did! Thx!

Slashdot Top Deals

Work continues in this area. -- DEC's SPR-Answering-Automaton

Close