A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311
Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
Workaround? (Score:5, Informative)
Go to about:config and set xpinstall.signatures.required to false
Re: (Score:2)
Re:Workaround? (Score:5, Informative)
Go to about:config and set xpinstall.signatures.required to false
The documentation [mozilla.org] says this only works for ESR, developer and nightly versions.
user_pref("xpinstall.signatures.required", false);
user_pref("extensions.langpacks.signatures.required", false);
MOD PARENT UP (Score:3)
The parent is correct. This feature is disabled on release versions. So it will not work for most people.
xpinstall.signatures.required fix works for FF 62 (Score:2)
Setting xpinstall.signatures.required to false has worked on my FF v62.0.3
I haven't tried adding more extensions yet -- some comments are saying that it won't work -- but at least I get my browsing back.
This is ridiculous that my browser depends on some online certificate. What if I take my computer offline camping/on the airplane while I use my browser to look at some local file? (E.g. I generate my own photo thumbnail index as a HTML file that I view in Firefox.) Whenever there is a feature that relies
Re: (Score:2)
KILL the certificate authority ! (Score:5, Interesting)
honestly this is a major problem.
shouldn't the network/domain be the issuing authority rather than some random collection of promise not to do the wrong thing companies....
Re:KILL the certificate authority ! (Score:4, Interesting)
Mozilla has been doing much wrong for some time.
open up a log of DNS and be amazed at all the SHIT that firefox is constantly querying:
Re: (Score:2)
Re: (Score:2)
Better workaround, install a browser which respects its users wishes and privacy.
Waterfox: lots of legacy extensions: all working no problem, no work-around required.
Re: (Score:2)
Nothing on their website (Score:5, Interesting)
The sad part is there's no mention of this on mozilla.org or firefox.com. Users are left completely in the dark.
Re: (Score:2)
Re: (Score:2)
If it's so inclusive why do I feel so left out? They never listen to my ideas. Sigh. Maybe if I set myself on fire they will finally listen to me. [gets can of petrol and a match...]
Disable signature checking (Score:3, Interesting)
TechCrunch is wrong; patch not needed (Score:5, Informative)
A workaround is setting xpinstall.signatures.required to False in about:config.
It works in FF 66.0.2 on Fedora Linux, YMMV...
And if you forget to reverse it... (Score:5, Insightful)
Let's face it - this is a true epic fail if there ever was one. Whoever was responsible for renewing certs should be terminated. There is ZERO excuse for this. On a Friday fucking night yet.
Just watch for all the malware infections coming, not to mention users defecting to other browsers.
Shame on you, Mozilla. The public needs an alternative browser more than ever and you monkey-wrenched yourselves hard.
Re: (Score:2)
Can't install or update anything with that set to false. It just allows existing plugins to continue to operate.
I'm surprised that a live server is needed to maintain all these plugins all the time. Way overboard, imho.
Re: (Score:2)
not to mention users defecting to other browsers.
A little late for that. I'm apparently one of the rare holdouts mostly because I don't like to see Chrome take over the world.
This is just sad, though. A thousand people employed at Mozilla and they still manage to screw up their most important product this badly, because of an entirely preventable mistake. Mozilla just keeps shooting themselves in the foot with incompetence and bad decisions. No matter how noble their aims appear to be regarding an open web, it means absolutely nothing if they complete
Re: And if you forget to reverse it... (Score:2)
In five years Mozilla will employ double as many people as it does now, but only half as many engineers. Quango bureaucracy FTW!
Re: (Score:2, Insightful)
Hey, they had SJW matters to attend to.
"Renewing the certs" isn't required by any Code of Conduct.
"A much better and safer method" (Score:5, Interesting)
As far as I can tell, Waterfox [wikipedia.org] is very very similar to the latest Firefox but it doesn't have Pocket, doesn't have a locked down about:config, doesn't phone home user data, supports legacy extensions (which you can get by installing this extension [github.com], since Mozilla is no longer hosting the older extensions any more), allows the user to install unsigned extensions, and supports newer extensions very well (unlike the Pale Moon browser, which is interesting and ambitious but it has very spotty extension compatibility).
I've been a user for just a few hours now and so far the UX is identical except for the above mentioned improvements.
Re: (Score:2)
Re: (Score:2)
Whoever was responsible for renewing certs should be terminated.
Sure kill the messenger without resolving the systemic cause of the problem that allowed a person to not renew something in the first place. Are you by any chance the VW CEO hiding behind that StandardCell pseudonym?
No extensions but saw this, too. (Score:2)
Re: (Score:2)
Improper Signature Verification ... (Score:5, Informative)
Now if only they had someone who knew how to validate a digital signature properly.
Or to equate to meatspace:
Just because the pen you used to sign a document last week ran out of ink this morning, does not mean that the signatures you made last week with that pen are no longer valid.
If the signature was valid at the time it was made, then neither the subsequent expiry of the signing certificate nor that of any of its intermediates (nor of the trusted root) invalidates that signature.
Obviously they are just incompetent.
^ MOD UP (Score:2)
Re: (Score:2)
It's not like we have some kind of magical timestamp protocol for x509 signatures or something. What would we even call that, RFC 3161?
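The policy argued for in the comments above (accept a signature that was valid when it was made, provided the signing time is attested by a trusted timestamp) can be modelled as follows. This is an added example, not Mozilla's code and not part of any post. Assumptions: certificates are reduced to constructed validity windows, an HMAC under a constructed key stands in for a timestamp authority's RFC 3161 signature, the expiry date approximates the summary's "midnight on May 4th" UTC, and the add-on signature itself is assumed to have been checked cryptographically elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class TimestampToken:
    signed_at: datetime   # time attested by the timestamp authority (TSA)
    mac: bytes            # stand-in for the TSA's signature over (digest, time)


TSA_KEY = b"constructed-demo-tsa-key"  # constructed; a real TSA signs with its own cert


def _tsa_mac(signature, signed_at):
    msg = hashlib.sha256(signature).digest() + signed_at.isoformat().encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).digest()


def tsa_issue(signature, now):
    """TSA binds the digest of the signature to the time it saw it."""
    return TimestampToken(now, _tsa_mac(signature, now))


def tsa_verify(signature, token):
    return hmac.compare_digest(token.mac, _tsa_mac(signature, token.signed_at))


def verify(chain, signature, now, token=None):
    """Decide whether a signature is acceptable at wall-clock time `now`."""
    if all(c.valid_at(now) for c in chain):
        return "valid-now"
    # Chain has expired. A signing time claimed by the signer alone is not
    # evidence: whoever holds an expired key could backdate. Only a time
    # attested by a third party may be used instead of `now`.
    if token is None:
        return "rejected: chain expired, no trusted signing time"
    if not tsa_verify(signature, token) or token.signed_at > now:
        return "rejected: bad timestamp token"
    if all(c.valid_at(token.signed_at) for c in chain):
        return "valid-at-signing-time"
    return "rejected: chain not valid when signed"


def demo():
    # Constructed chain; only the intermediate expires on 2019-05-04.
    chain = [
        Cert("root", utc(2015, 1, 1), utc(2025, 1, 1)),
        Cert("intermediate", utc(2017, 5, 4), utc(2019, 5, 4)),
        Cert("addon-leaf", utc(2018, 1, 1), utc(2023, 1, 1)),
    ]
    sig = b"constructed-addon-signature"
    token = tsa_issue(sig, utc(2019, 3, 1))
    backdated = TimestampToken(utc(2019, 4, 1), token.mac)  # time altered after issue
    late = tsa_issue(sig, utc(2019, 5, 4, 1))               # signed after expiry
    after = utc(2019, 5, 5)
    return {
        "before_expiry": verify(chain, sig, utc(2019, 5, 3)),
        "after_no_token": verify(chain, sig, after),
        "after_with_token": verify(chain, sig, after, token),
        "after_backdated": verify(chain, sig, after, backdated),
        "signed_after_expiry": verify(chain, sig, after, late),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A production verifier would also have to validate the timestamp authority's own certificate chain and check revocation, which this model leaves out.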
HJKL navigation on slashdot please (Score:2)
I just realized that I was browsing without a mouse for years due to hjkl navigation. Now that it is gone, at least mozilla's bug tracker supports HJKL navigation of its own. Can slashdot do this too?
The right to extend (Score:3)
Re: (Score:3)
Nothing's stopping you from building Firefox from source with any additional functionality you may desire...
That's your "right to extend".
That's what my grandma did.
That's it. Waterfox, here I come! (Score:4, Informative)
Firefox' Chrome copycatting was annoying (I don't want minimalist and 'very slightly faster', I want power and configurability), Pocket was dumb but fine they gotta make money somehow, the loss of legacy extensions (plus the lack of UI customization that came along with the abandonment of XUL) was *really* annoying and caused me to jump ship to Pale Moon for a while--a neat and ambitious Firefox fork run by some competent and overworked folks--but it became harder and harder to get the extensions I wanted working properly and my enthusiasm for putting in so much elbow grease getting my browser working properly. (Plus, they're undermanned over the so for a while they had a hard time keeping some of the rendering backend up to date.) Reluctantly, back to Firefox I went.
But this is intolerable. Perfect emblem of the direction FF is headed. Yes yes, I understand that this lockdown was probably to make their browser slightly safer in the hands of clueless people who might gleefully install random third party extensions or follow instructions listed on seedy websites... but about:config was there for a reason, damnit! If I was a moron I wouldn't be trying to use Firefox to begin with. I don't want a moron-proof browser.
Fortunately, someone in the comments reminded me that there is Waterfox [wikipedia.org], a less ambitious (compared to Pale Moon) power-user fork of Firefox that appears to have drop-in extension compatibility as well as legacy extension support--the best of both worlds.
On my Windows boxen installing Waterfox was as simple as "sudo choco install waterfox". (If you don't know what Chocolatey is and you have Windows boxen that you manage, GET IT. You won't regret it. It's a fantastic apt-style installer and updater that ostensibly works by downloading the official graphical software installers and executing them and clicking through them in a totally hidden fashion. It can be directly installed from the command line [chocolatey.org] in Windows. First thing I always do is enable allowGlobalConfirmation [stackoverflow.com] so I don't have to manually agree for every package that installs or updates, then I install sudo so that I don't have to manually run admin shells--it still graphically prompts you for the escalation every time you use it, so I don't believe it's particularly insecure. I run "sudo choco update all" once a week and it's totally automated and unobtrusive. It's not just OSS; there's a fair bit of closed-source freeware included as well.) You might complain it's a potential attack vector, but the company appears reputable enough and I don't run Windows as a host on any machines that I use for personal banking (I use it on a dedicated gaming box, VMs, and relatives' computers--which I view as being better off with chocolatey since I can better ensure that software is being kept up to date.)
For my Debian boxes there are PPAs available, though I'm hoping a maintainer will set up and get it included in the main repos. It's time to move on, it really is.
It's funny how browsers seem to degrade over time. When I was
Re: (Score:2)
If you're doing it for performance reasons, eh, yes it's true that 64 bit software can sometimes be a bit slower, but I've not heard of a situation where a 32 bit OS was so much faster as to be worth the hassle and the RAM performance hit.
You might try Basilisk, done by the Pale Moon guys. I've never
Not happy with FF ? Write your own (Score:2)
https://dilbert.com/strip/1995-11-14
Great firefox updates without my permission (Score:2)
Just my 2 cents
A proper fix (Score:5, Informative)
Changing an about:config entry is not required and it's probably unsafe since now your Firefox might be exposed to malicious (locally installed) add-ons.
Here's a proper fix [mozilla.org] straight from the horse's mouth:
Re: (Score:2)
This doesn't work for Debian's build.
Re: (Score:2)
For a Debian system with firefox-esr, you can download the XPI for the hotfix directly to update the cert, then restart firefox and reinstall your addons. The URL of the hotfix XPI is in this bugzilla report: https://bugzilla.mozilla.org/s... [mozilla.org]
Original source of the fix: https://github.com/NixOS/nixpk... [github.com]
Re:A proper fix (Score:4, Insightful)
Imagine being the disgusting spin doctor actually mouthing the words "malicious (locally installed) add-ons". And actually getting upvoted on slashdot.
"Remember folks, we have to protect you from yourselves. You slashdotters have no clue what you're installing on your browsers, so we must stop you from installing anything we don't expressly approve of".
You should be ashamed of yourself.
Re: (Score:2)
I've dealt with dozens of PCs where people had malicious add-ons installed in their Firefox profiles by malware. That's the only thing I was warning against. Also, you can perfectly run unsigned add-ons using alpha or self-compiled Firefox releases.
Cheers!
Re: (Score:2)
All my Add-Ons but ONE... (Score:2)
"New Tab Homepage" is the Only add-on that didn't get Borked.
It's a serious glitch when their featured add-ons are all blocked from running, and you can't download any of the "replacement" suggestions, either.
Something tells me that it may cost them a very easily measurable percentage of the Browser market, if it's not fixed tout de suite.
The glitch has a name... (Score:2)
Should Have Stayed With XUL!!! (Score:2)
Thanks and good bye FF (Score:3)
Re: (Score:3)
I have been using Firefox since it was Phoenix. And over the years there have been several times that I have looked at alternatives because Mozilla was being an ass. In each case I was able to modify my configurations to reduce the effect of their abject stupidity. The latest being stopping the upgrade nagging from their abusive upgrade cycles. Really, I have better things to do with my time than constantly updating software. This isn't the 90s, we all have multiple computing devices now.
This time
https://www.waterfox.net/ (Score:2)
Re: (Score:2, Informative)
This is actually being directly caused by Mozilla's anti-open code signing system. Forks are unaffected.
Re: (Score:3)
Re: (Score:2, Interesting)
What bug?
Certificates have a start time and an end time, outside of which they are not supposed to work in any way. The software is doing exactly as intended, so it's hard to argue this is a bug.
Microsoft has had driver signing certificates expire too, so unless you are so stupid as to think windows is open source.. well you probably do given your typing, so never mind.
Maybe all these technical details need phrased so you can understand:
Try pulling that cock out of your throat long enough to take a breath
Re: (Score:3)
That seems to require using a dev version or the ESR version.
Re: (Score:2)
And you're not running an ESR version?
Re:Temporary fix (Score:5, Interesting)
That is what I thought too. I was surprised that RandomInternetPerson got this supposedly disabled switch to work. Last time I checked Mozilla disabled that switch along with lots of other about:config switches that interfered with their agenda. Nowadays about:config generally solves nothing. I wonder if they are claiming it works just to get a lot of people to try it, fail, and get very annoyed. Similar to Mozilla itself actually leaving in all kinds of switches that actually do nothing. I switched to Waterfox after version 55 and am generally happy with it. This signing thing is one of the reasons I finally made the jump to a fork. I couldn't even find a developer version that worked. Seems like they were no longer available when I last checked.
Re: (Score:2)
The workaround works for me.
This is not to suggest that Mozilla isn't pissing me off by thrashing their code and policies in ways that I don't appreciate.
Re: (Score:2)
I was surprised that RandomInternetPerson got this supposedly disabled switch to work.
You're surprised someone is using the other 3 of the 4 Firefox builds? (works in the Nightly too).
I couldn't even find a developer version that worked. Seems like they were no longer available when I last checked.
You couldn't find the developer edition of an open source project that has a well known good developer edition with tons of tools used by web developers around the globe? Your failure is a thing of legends. Bards will sing about this for millennia.
https://www.mozilla.org/en-US/... [mozilla.org]
Re: (Score:2)
Mac users are SOL until an official patch is released too. Even with xpinstall.signatures.required set to false, extensions stay disabled with no way to re-enable them.
Re: (Score:2)
And safe too, words on a page make people safe don't you know.
Re: (Score:2)
Re: (Score:3)
So no searching or visiting anything I do not want recorded by Facebook. No containers either so no banking either.
Re: (Score:2)
Banks are open on weekends in your country?
Yes.
Re:totally worth (Score:4, Informative)
I'm not sure that this issue would be entirely resolved by a "do not upgrade" as it depends on certificate updates.
By not upgrading you will risk suffering from other web sites not being accessible due to invalid CA certificates.
Re: (Score:3)
"do not upgrade" does not protect you. I suspend each day (not shutdown) and have had my browser up for weeks. Today, after browsing for over an hour, I got a message at the top of the current tab that an extension was disabled. I checked to see which one and just about everything was disabled. I disabled signature checking and got everything back. All without a restart (or update) of the browser.
Now, do I file this under "Mozilla preoccupied with something other than developing a best-of-breed browser",
Re:totally worth (Score:4, Informative)
Wrong. The bug isn't due to an upgrade it's due to a cert in the existing version not having been renewed and expiring. Clicking the "do not upgrade" button saves you from exactly nothing in this case.
Re: (Score:2)
Yes, but for those of us who shut down updates MANY versions ago, it doesn't affect us.
I've stayed on v47 because newer versions would not allow certain extensions that I need to run, and won't allow me to enter exceptions for them. Of course, that means the "must be signed" extensions won't install. I think that's blocked maybe 1 extension I cared about.
Re:totally worth (Score:5, Interesting)
It constantly amazes me how often this sort of bug happens, from this to MMORPGs, and everywhere in between. Don't let your certs expire, it's amateur nonsense.
If you can't automate cert renewal/replacement for whatever reason, fine, maybe that's hard for you, but create a freaking team calendar with all the cert expiry dates as events. It's trivial. There's really no excuse for this degree of "phoning it in" even for an open source project.
Re: (Score:2)
Good comment. Mod up +
Maybe they should use certbot
Re: totally worth (Score:2, Interesting)
Too much self promotion, governance, crap nobody wants like FF hello, or phone os's that were never going to take off. Instead they should have focused on speed.
Re: (Score:2)
It is relevant if you don't want to use corp webkit.
Re: (Score:3, Informative)
Apologies for posting at the top. Fix progress is being logged here:
https://discourse.mozilla.org/... [mozilla.org]
Re: (Score:3)
I note a temporary fix from the user teamzr1 there that might work on windows if you are desperate
"Simple fix for now
certificate expired as to date so get out of FF
now go to your computer’s clock and change the date for like
yesterday or day before
NOW you can go to add-ins and where shows not working click to find each and install
They now will work until computer gets back to tonight date
I did this on 2 desktops and FF add-ons working again
even Bitwarden password add-on after reinstall all my passwords
Re:Another lesson no one will learn (Score:4, Informative)
update from Mozilla
"12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.
In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.
You can disable studies again after your add-ons have been re-enabled.
We are working on a general fix that doesn’t need to rely on this and will keep you updated."
Re:Another lesson no one will learn (Score:5, Interesting)
So even their patch management system is a failure. The only way to get the security patch is by turning your browser into Mozilla's personal sandbox by enabling "Studies". That kind of "fix" shouldn't even be considered, it's the antithesis of security - the patch should be pushed out over the normal patching channels. Too many plebs will forget to turn Studies back off again, leaving them open to experimentation by Mozilla.
Re: (Score:2)
Re: (Score:2)
On a related issue:
FF is FOSS. As with all FOSS, there is the expectation that if you use it, you will somehow contribute back to the developer community. You do not need to be programmer or have any developer skills to do your share.
One very simple way to contribute back is to turn on "studies" and the other ways that enable Mozilla to obtain data on how FF is actually being used. It seems to me that if you are unwilling to even give back that little bit, at no cost to you, then you are a very selfish th
Re: (Score:2)
Proselytizing notwithstanding, studies feature isn't available for Linux-based versions.
Re: (Score:2)
Re: (Score:2)
The studies feature is not only present in FF v66.0.3 (64 bit) on my Ubuntu 18.04 box, but it is currently active and providing an interim solution to the certificate problem. Studies feature is most definitely available on many Linux boxen.
Writer of parent post is either a troll or blindly ignorant about how the pipes of the intarwebs work, or too lazy to spend a couple of minutes looking things up before spewing Trumpish false truths to the world.
While I think it's great that Internet access is so easily
Re: (Score:2)
Just checked my Ubuntu box and yes studies is available with FF on Ubuntu 18.04, however on Debian with 66.01 it is not. It is greyed out and not selectable. Mozilla states on their blog [mozilla.org]:
Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)
Re: (Score:2)
It's not a mistake. Read the Mozilla blog [mozilla.org] about the bug:
Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)
I agree with you people can come off as asswipes being overreactive.
Re: (Score:2)
Re: (Score:2)
coastwalker suggested:
note a temporary fix from the user teamzr1 there that might work on windows if you are desperate
This is a better fix - and, unlike enabling studies and letting Mozilla invade your privacy, it actually works:
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi.
You're welcome ...
Re:EASY one word TEMP FIX (Score:5, Informative)
Re: EASY one word TEMP FIX (Score:2)
Yup. That was the solution. At least ff allows you to do this. Chrome won't ever allow it
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
open a new browser window and type - "about:config" / Firefox will warn "There Be Dragons" PRESS - I accept the risk! / In the Search: box type - "xpinstall.signatures.required" ...
This, as reported by others, simply does not work.
Best work around is use a nightly with Studies enabled.
Once your extensions work again, you can disable Studies.
Re: (Score:2)
open a new browser window and type - "about:config" / Firefox will warn "There Be Dragons" PRESS - I accept the risk! / In the Search: box type - "xpinstall.signatures.required" ...
This, as reported by others, simply does not work.
Best work around is use a nightly with Studies enabled.
Once your extensions work again, you can disable Studies.
Thanks, I considered rolling back to 62.x, don't know how that will work out - good times. Funny that the yellow banner popped up just as I was reading this story.
Re: (Score:2)
Re: Another lesson no one will learn (Score:2)
Let's stop calling it a "walled garden" and start calling it what it is: a prison state.
Re: (Score:2)
People who used their browser without the ad protection they usually had.
Re: (Score:2)
Since FF63 you can no longer disable updates
Actually, you can. You need to set a policy. You create a policies.json file in your distribution directory.
https://github.com/mozilla/pol... [github.com]
Re: (Score:2)
Yeah, if he used Windows 10 Professional or Enterprise he'd have full control.
Nice to see you agreeing.
Re: Just switched to Thunderbird (Score:2)
Typical quango leadership, headed by a lawyer. No wonder they are incompetent at technology. Whaddya bet they pay their nepotist "leaders" handsomely, and their engineers like shit?
Maybe it's time for Mozilla to have a union.
Re: (Score:3)
Maybe this only happens when (re)starting the browser. So far can't reproduce this behaviour (and no not gonna try restarting the browser)
Nope - the "extensions cannot be verified" thing appeared at the top of an open window for me; I'd been running FF for a few hours at that point.
Re: (Score:3)
The fact that it is both predictable, and single point of failure, *AND* the fact similar things have happened to other organisations, is precisely why this should never happen.
And when it does, people quite rightly point to the utter, unremitting incompetence at play!
This *IS* unacceptably crap. A number of people at Mozilla should be suitably as
Re: (Score:2)
This worked like a charm, where the about:config did nothing.
Thanks for the code snippet, and Peace!
Re: (Score:2)
Also, is there anything that needs to be done when they roll out the "cure" for this little bug?
Just in case I need to "undo" this code-patch.
Thanks again!
Re: (Score:2)
Considering the way it was going lately, I wouldn't be surprised if this was an intentional logic bomb to force those not updating to their latest and greatest because of their amputation of proper add-on functionality to update anyway. And then, being as utterly incompetent as they are, they forgot to not affect those who actually did bend the knee and already updated.