Second Firefox Fix Repairs Broken Browser Extensions For More People (cnet.com)
An anonymous reader quotes CNET:
"Mozilla on Sunday began distributing new Firefox updates to fix a problem that broke extensions for many browser users on Friday," reports CNET:
Mozilla had released an update Saturday, but Sunday's fix should help more people who were still affected. "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday," Mozilla said in a tweet Sunday...
"No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or reinstall any add-ons as an attempt to fix the issue," Kev Needham, Mozilla's product manager for add-ons, said in a blog post about the problem.
How could FF break (Score:1)
If the last update, according to the update history in Firefox, was in early April.
Are there secret unlogged updates?
Re: How could FF break (Score:2, Informative)
A certificate embedded in the browser that verifies various signatures expired, breaking code by thinking certain things were not to be trusted.
Re: (Score:2, Interesting)
I'm using Waterfox and haven't even noticed a problem.
Waterfox has one developer and a budget of $0. Mozilla has 1,200 managers, product marketing specialists, public relations people, corporate lawyers, image consultants, performance managers, human resources people, health administrators, graphic designers, diversity consultants, administrative assistants, telephone handset sanitisers second class, a budget of around half a billion dollars, and possibly as much as a dozen developers, although in their de
Re: (Score:2)
Re: (Score:2)
How much of Waterfox uses code done by Mozilla?
Most of it, except for x64 optimizations, a bunch of non-tracked bugs, and it has all of the webtracking crap that Mozilla has in Firefox removed. Much like how Chromium has the webtracking crap removed vs Chrome. You can compare the source via WF's repo. [github.com]
Just dloaded on Android (Score:5, Interesting)
Looking at this afterwards, seems the Study option is a great back pocket emergency tool for Firefox (A+ to the brainstormer that pushed that early on).
Thank you to all the Mozilla folks who worked all night Friday and through the weekend who almost certainly didn't have anything to do with the cause but fixed this for us users.
Mozilla, maybe having time bombing plugins after they are installed (instead of a check during installation only) isn't the best idea?
Re:Just dloaded on Android (Score:5, Insightful)
As to Studies' actual purpose and creation I'm with you and would prefer it not exist in the application. I remember when they used it to push Mr. Robot advertising out. I'd also prefer we still had XUL for the UI and a bunch of other things. Amazing how much damage the execs at Mozilla have done.
Re: (Score:2)
I stayed on 50.1 and extensions still work fine.
Re:Just dloaded on Android (Score:5, Insightful)
I have a huge problem with using "studies" to push out hotfixes for critical issues:
I got stung by this - even though I avoided browsing much while my extensions were disabled, some dodgy ad managed to drive-by download a malware executable. It didn't run it (I guess it was hoping I'd run the thing from my Downloads folder by mistake), and Windows Defender detected it.
The whole situation is stupid. If you signed something yesterday and the pen you used runs out of ink today, that doesn't make yesterday's signature invalid. If all the certificates in the chain were valid when the code was signed, the signature is still valid. The code still hasn't changed. It's a different matter if a certificate is revoked, but that's not what happened here.
It's like an S/MIME signature on an e-mail - as long as the certificates were valid when the e-mail was signed, the signature shows that the e-mail hasn't been tampered with. It doesn't matter if the certificates lapsed or the sender lost control of the e-mail address since then. The signature still shows that the e-mail was authentic when received.
Someone at Mozilla clearly doesn't understand how cryptographic signatures are supposed to work.
Re: (Score:2)
The intermediate signing certificate expired for the Mozilla.rsa files inside all of the add-ons.
Wouldn't Timestamping open up security issues?
Where malware could replace the Firefox executable, offering others to install illicit add-ons while the normal add-ons would still work and mask the compromise.
Re: (Score:2)
It was a waste of time to have it expire.
Worse than a waste of time, it was actively harmful.
Re: Just dloaded on Android (Score:2)
For a few Firefox versions (Android and some Linux versions - e.g. Debian, I believe) this update 66.0.4 is the only way to fix the expired certificate.
This is not strictly true. While the "studies" functionality was not available on android, third parties had provided the associated file for download a couple days ago, while the folks at Mozilla were still twiddling their thumbs and making excuses. I used it to fix my own Firefox app.
Of course this also means that - instead of telling users to go through the convoluted process to enable "studies" (and then wait who knows how long for it to download) - they could have just linked the file on their own we
Holy **** batman, what did you just do? (Score:4, Interesting)
Has it occurred to anyone that the Mozilla team just used the back door they installed to alter a security parameter of millions of government and military computers worldwide?
Re: (Score:2)
Also, in "about:config", you can set "xpinstall.signatures.required" to "false".
Re: (Score:2)
Maybe having time bombing plugins after they are installed (instead of a check during installation only) isn't the best idea?
But when we find out the EICAR plugin is REALLY a virus, how do we remove it from everyone's system at once? We could let each user affected take care of themselves, but we're trying to be proactive.
(Besides, government is always here to help you. In this case that's us. See how well it works?)
Too late. (Score:5, Interesting)
Switched to Waterfox - it was basically better at everything, and lets me continue to use what I consider to be superior versions of add-ons, so I really don't see any advantage to swapping back to Firefox.
Firefox as it exists now is a low-rent advertising service for Chrome, they sold all that was unique or important about their work a long time ago for very little in exchange.
Good luck to all of you continuing on the Firefox upgrade chain.
Re: (Score:2)
No addons to protect against the ads, malware, ads with malware?
A browser has to always block ads. That support is all that was needed.
Make a great browser that allowed add-ons to always work.
Really smart people made the add ons. That was their great work to bring to the browser.
All the browser had to do was keep on working.
Re: (Score:1)
The Opera browser blocks ads with a built-in control.
I still prefer Seamonkey with NoScript, though.
But on Android, Opera rules.
Re: (Score:1)
Re: (Score:2)
+1 for always having NoScript on :)
NoScript and Ad Block are 100% hands-down the best add-ons for Firefox (and other browsers) ever written.
They're the only two add-ons I run. Without them the web is a festering mass of shit.
(Technically it's still a festering mass of shit but at least I don't see it or get infected from every site I visit.)
Re: (Score:2)
ME TOO (Score:1)
Re: (Score:3)
Re: (Score:2)
I actually had the same thing with them keeping working on my main machine, even though it broke on my laptop. I suspect the checking mechanism is also broken in itself.
It suddenly triggered for me a day late when I was digging around the settings trying to figure out why it didn't break in the first place.
Re: (Score:2)
Hmmm, Waterfox looks interesting. I've installed it on a secondary PC (running Linux) and so far it seems fine.
Admittedly mine is a simple use-case as I only run a couple of add-ons (NoScript and Adblock), but I like what I see - it's clean and quick and free of all the bundled crap stuffed into Firefox that I don't want and don't use.
It's a shame- Firefox started out lean and mean and then over the years kept being 'improved' to the point where I was starting to really dislike it. Nearly all of the so-calle
Re: (Score:1)
Switched to Waterfox - it was basically better at everything, and lets me continue to use what I consider to be superior versions of add-ons, so I really don't see any advantage to swapping back to Firefox.
Firefox as it exists now is a low-rent advertising service for Chrome, they sold all that was unique or important about their work a long time ago for very little in exchange.
Good luck to all of you continuing on the Firefox upgrade chain.
It's slower and based on old Firefox code. I'm not seeing the point.
You could argue that it didn't suffer from this addon problem, but then Windows XP doesn't suffer from the latest Windows 10 issues either.
Re: (Score:2)
It's more capable, based on old Firefox code that made Firefox relevant, that was amputated from it because Mozilla is no longer about making browsers.
Re: (Score:3)
Cool, so you can continue to use old, abandoned, potentially insecure XUL/XPCOM/NPAPI addons?
Re:Too late. (Score:5, Insightful)
Having used Firefox since, basically, it was first released (although I've now moved on to Pale Moon on most of my machines), I can now truthfully say that the system put in place to protect me from "old, abandoned, potentially insecure XUL/XPCOM/NPAPI addons" has now caused me more downtime than the "old, abandoned, potentially insecure XUL/XPCOM/NPAPI addons" ever did.
Newer and more centralized isn't always better.
Re: (Score:1)
Correct, because they offer critical functionality that secures the browser that isn't available in WebExtensions browsers, including the better of the bunch, Chromium based ones.
Firefox is irrelevant because it's about as capable as chromium on extensions, and objectively worse in every other aspect, from now requiring full telemetry to fix logic bombs they leave in software to force upgrades to being less compatible as more and more sites ignore it and optimize for webkit browsers only.
Re: (Score:2)
Is there a chromium based browser that handles bookmarks decently? I need to be able to have nested folders of bookmarks, and until I looked at PaleMoon recently my only options appeared to be FireFox and Konqueror. Chromium itself seems nearly unusable in this area.
Actually, are there any alternatives that handle lots of bookmarks in nested folders well? SeaMonkey did, but the last time I tried it, it wouldn't start or compile on my system. (Well, that was a couple of years ago... but how active is their
Re: (Score:2)
Most of such needs are best left to add-ons. Browsers are just platforms that you should modify to suit your actual needs with add-ons.
Re: (Score:2)
?? You didn't name any particular add-ons, so I'm guessing you don't know of any that address the problem. To me it seems like something that *should* be built into the browser, so I suspect we have very different use-cases in mind.
Re: (Score:2)
All I know is that you have a problem with bookmark management.
And I know that there are hundreds of bookmark management add-ons on chromium and firefox. I would be surprised if whatever it is you feel you want wouldn't be addressed.
Re: (Score:2)
Hmmm.... yes, Vivaldi looks interesting. It's a bit (visually) noisy though, even more so than Pale Moon.
What counterpart to Keybinder? (Score:2)
Let me know when there's a WebExtension that does anything like what Keybinder [github.com] for the previous architecture did. Last I checked, that was still waiting on bug 1320332 [mozilla.org].
Re: (Score:2)
From what I've seen, they all install, but they don't all work. I installed an old XPI for New Tab Homepage and it makes the Home button go to a broken redirect URL. When you open the extensions list, it does inform you of incompatible items.
cert expiry fail (Score:5, Informative)
Their code signing is fundamentally broken. Expired signing certificates should not expire everything that was signed by those certificates (like it does for TLS, for example). Unlike a web server (IP address, content, etc.) the signed code has provably not changed since it was signed.
It doesn't seem like they understand what the purpose of code signing is.
Re: cert expiry fail (Score:5, Interesting)
Again, in TLS, if a root or intermediate pub key expires, it can no longer be used to verify things it was used to sign for.
But for code signing, it is 100% ok to use an expired public key to verify that a signed piece of code was signed by that key while the key was valid. After the public root or intermediate expires, the code (unlike a TLS transaction) is still fine.
Re: cert expiry fail (Score:1)
The reason certificates expire is so that, should they become compromised, there is an upper limit on how long that compromise is useful. Certificate revocation is useful but requires an active network connection. Expiring certificates helps even computers off the public Internet remain protected.
If the certificate is compromised, then adversaries can fake the time stamp when a package was signed. Because of this, you must distrust all packages signed with an expired certificate; otherwise, you defeat the p
Re: cert expiry fail (Score:5, Informative)
To verify a signature with an expired certificate, you also must verify the timestamp countersignature. If it doesn't have one, you can't trust when the code was signed.
If the countersignature isn't valid, you can't trust that either.
For example, my old copy of Java 1.8.0u121 was signed by Oracle in 2016 with a certificate that expired last year.
That's ok because it has a signed timestamp from Symantec's time stamping service saying it was signed on 13/12/2016, which in turn expires on 30/12/2020.
In 2021 however, that digital signature will be invalid, as the timestamp is no longer trusted.
You won't necessarily need to sign your code again, but you will need to have your signature timestamped again.
You should probably read RFC3161 to brush up on your PKI knowledge.
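The RFC 3161 rule the post describes, as an added example that is not part of the thread or of Mozilla's or Oracle's code: a Python model of the temporal checks (a countersignature fixes the signing time while the TSA chain is valid now; without one the signing time can only be assumed to be now; the signer chain, including any intermediate, must be valid at that time). Only the two dates quoted in the post are real; every certificate name, validity window and verification date is constructed, and the cryptographic checks on signature and countersignature are assumed to have already passed.

```python
"""Temporal validity of a code signature with an optional RFC 3161
timestamp countersignature. Model only: cryptographic verification of
the signature and of the timestamp token is assumed already done."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class Timestamp:
    """RFC 3161 token: a TSA vouches that the signature existed at `when`."""
    when: datetime
    tsa_chain: List[Cert]


@dataclass(frozen=True)
class Signature:
    chain: List[Cert]                       # signing cert first, then intermediates
    timestamp: Optional[Timestamp] = None   # None: not countersigned


def chain_valid_at(chain: List[Cert], t: datetime) -> bool:
    return all(c.valid_at(t) for c in chain)


def trusted_signing_time(sig: Signature, now: datetime) -> Optional[datetime]:
    """When can we prove the signature was made? None if we cannot."""
    if sig.timestamp is None:
        # Nothing proves an earlier signing time: the only safe assumption
        # is that the signature could have been produced just now.
        return now
    if not chain_valid_at(sig.timestamp.tsa_chain, now):
        return None  # TSA certificate lapsed: the token is no longer trusted
    return sig.timestamp.when


def verify(sig: Signature, now: datetime) -> Tuple[bool, str]:
    t = trusted_signing_time(sig, now)
    if t is None:
        return False, "timestamp countersignature no longer trusted"
    for c in sig.chain:
        if not c.valid_at(t):          # every cert in the chain at signing time
            return False, f"{c.name} not valid at {t:%Y-%m-%d}"
    return True, "ok"


# --- constructed scenarios (all names/dates made up except the two from the post) ---
ORACLE_SIGNER = Cert("Oracle code-signing cert", utc(2015, 1, 1), utc(2018, 6, 30))
SYMANTEC_TSA = Cert("Symantec timestamping cert", utc(2014, 1, 1), utc(2020, 12, 30))
JAVA_U121 = Signature([ORACLE_SIGNER], Timestamp(utc(2016, 12, 13), [SYMANTEC_TSA]))

# Add-on chain with an intermediate that lapses; no countersignature, as the thread infers.
ADDON_LEAF = Cert("add-on signing cert", utc(2018, 1, 1), utc(2023, 1, 1))
ADDON_INTERMEDIATE = Cert("intermediate signing cert", utc(2017, 5, 1), utc(2019, 5, 3))
ADDON_SIG = Signature([ADDON_LEAF, ADDON_INTERMEDIATE])


def scenarios() -> dict:
    return {
        "java_2019": verify(JAVA_U121, utc(2019, 5, 6)),
        "java_2021": verify(JAVA_U121, utc(2021, 1, 15)),
        "addon_before_expiry": verify(ADDON_SIG, utc(2019, 5, 1)),
        "addon_after_expiry": verify(ADDON_SIG, utc(2019, 5, 5)),
        # Same add-on chain, but with a countersignature from a still-valid TSA
        "addon_if_timestamped": verify(
            Signature(ADDON_SIG.chain, Timestamp(utc(2018, 6, 1), [SYMANTEC_TSA])),
            utc(2019, 5, 5)),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:22s} {'VALID  ' if ok else 'INVALID'} {why}")
```

The two add-on rows show the thread's disagreement in one place: the same bytes pass the day before the intermediate lapses and fail the day after, and only a countersignature makes the earlier signing time provable.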
Re: (Score:2)
I'm more than aware of PKI and RFC3161.
I'm saying the case for signing a static document (e.g. code) is different than signing a cert that will be used later to encrypt/decrypt or sign something else.
Re: (Score:3, Informative)
I'm saying the case for signing a static document (e.g. code) is different than signing a cert that will be used later to encrypt/decrypt or sign something else.
No. No, it's not.
Certificates expire because as time goes on, the chances of a private key being compromised will eventually be 100%, whether it's compromised through the signing server being hacked, flaws being discovered in the encryption algorithm, or it's eventually brute forced. The entire reason behind expiring certificates is to ensure that they can't reasonably be brute forced within the period of time they're valid, and that it's unlikely that new technology will come along to change that.
Once the
Re: (Score:3)
Verifying the signature of a piece of code that is already installed is very different from verifying the signature of something that you are about to install.
If I am installing something new, I would not trust a signature if any part of its certificate chain has expired. But if the code has already been installed and if it was trusted before the certificate expired, then I am much safer because I only need to verify that that code has not changed since then (and this can be done in more than one way,
Re: (Score:2)
And as soon as one of the certificates in the chain expires, the assumption MUST be that the chain is no longer safe.
The security of software I already installed has nothing to do with the safety of the supply chain right now. What matters is the safety of the supply chain when the software was installed.
Consider a food recall. Let's say that the news says there is a recall of apple juice with producer code XYZ and expiration date 2020-01-01. You look in the fridge and you have apple juice with producer code XYZ and expiration date 2019-12-01. No problem, don't throw it out, it isn't part of the recall.
Time flows in
Re: (Score:2)
Certificates expire because as time goes on, the chances of a private key being compromised will eventually be 100%
What a load of horse-pucky.
I mean, wow.
You're basically claiming that all signing is based on a race condition. Just, no. No, it isn't.
And if they did crack the signing key after I installed some software... why would I care?
Re: (Score:2)
Another program could have dropped an extension into your profile.
If you're already separately p0wned... you're already p0wned and can't achieve security.
just use the network ? (Score:2)
Scary, but why not use the network to verify the signatures or some DNS based system...
Re: (Score:2)
The "network" and "some DNS based system" was used to verify the signatures. The service contacted used a (currently) expired public key to verify an (old, valid at the time) signature, and incorrectly flagged the signature as expired, even though it was used while the key was still valid.
Re: (Score:2)
You've missed out a fundamental part of the security model.
The signature is only valid while the certificate is still valid - unless you have a signed timestamp, which validates when the code was signed. In that case the signature is valid until the timestamping certificate expires (or is revoked).
Eventually, it will expire.
If the signature isn't timestamped, there is no way of telling when it was signed.
I guess Mozilla isn't having their signatures timestamped.
Re: (Score:2)
If the cert was valid when I checked, then I don't need a signed timestamp; I can trust that timestamp unless my system is already cracked, in which case I can't have security to worry about anyways.
It is only the case where the certificate is not still valid at the time of installation that a signed timestamp from a trusted party could tell me that it is still safe.
If the signature isn't timestamped, but is valid now when I install something, there is no cause to even care when it was signed.
Re: (Score:2)
I remember when they announced code signing for extensions years ago, and the Mozilla community was livid about it, with plenty of negative feedback. Mozilla ignored the community and rammed it down our throats anyway. Also, that was before they moved to the new extension system that killed all the old add-ons.
Understanding is not the problem. I trust Mozilla over other entities when it comes to web technology, but I'm not foolish enough to believe they really care what's best for the community. That's
Re: (Score:2)
Mozilla believes it has no such obligations to its users, as demonstrated by actions it consistently took since the 4.0 times to this day. Its people simply do not give a toss about users.
They're there for ideological reasons and to sell search engine placement to fund these pursuits. Users are a product to be packaged and sold, and if product isn't very comfortable in the package Mozilla's folks want to put it in, adding even more pain should help product understand its position in the pecking order. A sl
Dear Mozilla (Score:5, Insightful)
Dear Mozilla,
The Document Foundation makes LibreOffice for something like €750K/annum. The Apache Foundation gets by on around $500K/annum. You pull in something like $66M/annum.
Given the above, I don't understand why, unlike the Apache and Document foundations, you can't make a product which doesn't include a commercial software I can't uninstall a la Pocket (Which you bought but haven't open-sourced). I don't understand why you can't make a product which doesn't phone home every few minutes, or harass me to fill in surveys uninvited, or spam me with ads for some television program. I don't understand why you can't make a product which doesn't wipe out decades of popular, working code contributed by dedicated volunteers. I don't understand why you can't make a product which doesn't explode on a Friday night.
Bundling commercial code does not reflect the open source philosophy. Driving out people for political opinions doesn't even reflect the philosophy of a free society. Please, complete your self-destruction quickly, so that more competent, open-minded people can start to pick up the pieces.
Re:Dear Mozilla (Score:4, Insightful)
Best post in the thread.
Mozilla is a huge scam and their finances (especially where that money ends up) need to be thoroughly investigated.
Re: (Score:3)
Apache gets most of its code from external contributors. A lot of it comes from IBM and Red Hat these days. Hell, there's even a very small amount of code I wrote in Apache Xerces-C.
Re: (Score:1)
Re: (Score:2)
Problem is that firefox has the business model locked in, so there's no real money left on the table. Whoever forks it has to work on shoestring budget at best.
Re: (Score:2)
Dear AC,
We can help you with your lack of understanding, but first we don't understand why you compare us to projects that rely hugely on external contributions and support with minimal own staff (or zero in the case of Apache), and code against a stable and rarely changing base case.
As to your questions: Our product phoning home is voluntary. Don't like it, don't enable it. Us harassing you to fill in surveys is voluntary and tied to our phoning home functionality. Don't like it, don't enable it. Us "spamm
FUBAR (Score:1)
I wasted a lot of time this weekend trying to figure out why my extensions were killed off. Why the heck did I not find any notice on mozilla.org explaining the problem? There still isn't anything there, just some happy shit about privacy and sharing.
Re: (Score:1)
No, he's right. Nothing at all mentioning this issue on mozilla.org / mozilla.com, at least not on the main page.
This shouldn't happen , should it? (Score:1)
Makes Mozilla and the Firefox team look really incompetent, and why is fixing this a big deal as well? I would think some notification is made for something as important as this that creates lots of issues if it expires. Most of the solutions early on were just use another browser. Not exactly great news for Firefox with a dwindling market share anyway.
one word: normandy (Score:3, Insightful)
Re: (Score:2)
Thinking it through, Waterfox will still be using the Firefox engine so that's a good thing (no additional piling on to Blink in usage numbers), seems better than say Vivaldi in that
Re: (Score:2)
Mozilla hasn't operated on google's money in many years now. It operates by promoting alternative regional search engines instead.
Re: (Score:1)
Hear, hear. Fucking scary what those shits at Mozilla are up to.
Waterfox is a good recommendation, as is PaleMoon or Vivaldi. Actually, I would advise anyone to use multiple browsers and segment their online habits.
Personally I use Chromium (never Chrome) for Google-only services. So Google can profile me all they want, but all they ever get are what Youtube videos I watch and what maps I look at, which they know from logging at their end anyway.
Firefox cannot be trusted any more. Very sad to say that, but t
Re: (Score:2)
Isn't it true, though, that all the Firefox forks rely on the main branch of Mozilla to continue being developed centrally?
I am a Seamonkey fan, actually, and I almost never run Firefox, but Seamonkey is directly a Mozilla side project.
Re: (Score:2)
Re: (Score:2)
All the major ones that were trying to track the main line have already been abandoned, I think.
The ones people talk about on slashdot are actual forks that diverged in the past, not just build versions that add patches.
Maintaining patches against somebody else's mainline is way, way more work than just independently fixing the shared bugs when found.
Focus on the tech, not the PC crap (Score:1)
I bailed to Chromium. Firefox has really lost sight of what they started with. As one poster said above, they make heaps of dollars, but cannot seem to focus on the matter at hand--namely the technical aspects. They are too concerned with women, homosexuals, or other LGBTEIEIOOMG types. I don't care who is in tech. If they can code, let them shut up and code. Let them shut up and get the UX correct and original. No one cares about numbers of certain groups, colours, genders, etc., in tech. It doesn't matter
The Result of "Post-Meritocracy" (Score:3, Informative)
Mozilla has long been hijacked by SJW-types and has been striving for a "post-meritocracy" world.
This is what happens when the lunatics take over the asylum.
All because some self-entitled queers threw a tantrum over the CEO making a personal donation to a campaign to vote No on a homosexual marriage referendum.
Some really screwed (Score:2, Insightful)
Firefox really has screwed some of us. Some of us (due to complicated issues) have to still run on XP or Vista. Version 52 is the last working version for us but it works fine. However, many add-ons won't load on anything but the latest and greatest so no TabMix Plus, no uBlock Origin, no blocking JavaScript. Since add-on developers can't be bothered archiving the last working version before dropping support for an older browser, no older versions are available. So no fix for FF thus no reloading of add-on
Re: (Score:1)
Waterfox:
https://www.waterfox.net/ [waterfox.net]
Then also install the Classic Add-Ons archive:
https://github.com/JustOff/ca-... [github.com]
Boom - you have all your add-ons back, forever.
I have a permanent fix.. (Score:1)
switch to an alternate like Waterfox.
Mozilla is turning into microsoft (Score:2, Insightful)
Well, update nags (next step is automatic updates whether you like it or not), telemetry bs and an overall "we know better" attitude. Of course, QA is totally absent. I'm confused, are we talking about a mozilla or a microsoft fuckup?
Mozilla will pay dearly in marketshare for this (Score:1)
Well, mozilla dropped the ball, AGAIN! I guess that when you are preoccupied with BS politics that have nothing to do with coding or IT, this is what happens. Go for Seamonkey, Waterfox and Fennec in android (Iceweasel, unfortunately, does not respect the "xpinstall.signatures.required"). This is VERY serious and is going on for 48 hours. The bullshit hotfix with the "studies" telemetry crap is just that, bullshit. I guess I won't be recommending firefox proper again. Waterfox for win/linux and fennec for a
Still broken (Score:3)
Seriously. WTF?
Re: (Score:1)
Complete incompetence (Score:1)
I am certain an expiring certificate would give ample notice before expiring. This was clearly a total failure for Mozilla, who claims to be all for the end users. This company obviously has some really serious internal problems. Missing such an important certificate expiring is complete incompetence. I guess all the good people have moved on from Mozilla seeing the sinking ship going down.
Palemoon (Score:1)
Good job making everything less safe, Firefox (Score:2)
The quick'n'easy workaround for this crippling bug is to go into about:config and set xpinstall.signatures.required to false.
But after this bug gets fixed, am I going to remember to turn it back on? A few weeks from now, will I even remember what I did, and will I bother turning it back on, knowing that it still might not work?
Firefox just pissed off most of their users and even ended up encouraging many of them to permanently opt out of signatures. Just taking a guess here, but I bet that's the opposite
Re: (Score:2)
They don't care what slaves do, because this setting is already disabled on main version.
They'll just disable it on others in the next update.
still broken on Debian Buster May 6, 08:30 PDT (Score:2)
I don't know who they fixed it for, but it isn't me. I've been checking out other browsers as replacements. So far PaleMoon seems the best choice, but I still prefer the working version of FireFox.
Re: (Score:2)
Thanks. I'll probably use that for the 52.0 I use on an older Win7 system.