Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Firefox Mozilla IT Technology

Mozilla To Track Infrastructure Time-Bombs in Wake of Recent Firefox Armagadd-on (zdnet.com) 123

In the wake of the mass disablement of Mozilla Firefox's add-on ecosystem last weekend, Mozilla has committed to improving its asset tracking and developing a mechanism that can quickly push updates to users when needed. From a report: Due to an intermediate certificate expiring on May 4 at 1AM UTC, users found their browser add-ons were switched off and could not be re-enabled. Thanks to timezones and the rotation of the planet, users on the western side of the Pacific were the first hit. Writing in a blog post, Firefox CTO Eric Rescorla detailed some initial thoughts and announced a formal post-mortem would be published next week. "First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don't find ourselves in a situation where one goes off unexpectedly. We're still working out the details here, but at minimum we need to inventory everything of this nature," Rescorla wrote. "Second, we need a mechanism to be able to quickly push updates to our users even when -- especially when -- everything else is down.
This discussion has been archived. No new comments can be posted.

Mozilla To Track Infrastructure Time-Bombs in Wake of Recent Firefox Armagadd-on

Comments Filter:
  • by jellomizer ( 103300 ) on Friday May 10, 2019 @11:15AM (#58569326)

    Isn't the point of a UCT Time stamp, is that effected at the same point of time (minus speed of light, and gravitational differences) everywhere.

    • by Luthair ( 847766 ) on Friday May 10, 2019 @11:31AM (#58569432)
      The point was it happened at night while as opposed to the workday and the people affected were in pacific timezones first.
      • Where were they after that though?

      • It's almost like people think you can renew certs instantly.

        Even if you have new ones queued up and ready to go, if your infrastructure has any complexity at all, or rather if it has any isolation (redundancy) at all, it's going to take a while. Somewhere OTOO an hour to a few hours.

        That's assuming you immediately identify the problem as a bad cert or certs, and that may take most of an hour or perhaps even longer depending how indirect the root causing path is.

    • by Anonymous Coward

      Are you serious? Do you even understand the concept of time zones?

      Of course the certificate expired at the same time globally. The problem is that it happened at different local times. For some users it was at night or early in the morning. For others it was mid-day. In California, where many of Firefox's developers reside, it would have been the early evening.

      It's harder to fix problems that arise in the evening or at night. You have to start locating people who are busy doing something else (if in Califor

    • by dfm3 ( 830843 )
      The cert expiration was dependent on the user's clock, not on the time according to the server. When this issue first came to light late on the evening of the 3rd, people quickly figured out that one workaround was to set your system clock back several hours.
  • by Anonymous Coward on Friday May 10, 2019 @11:16AM (#58569332)

    Seems to me that the expiration of the certificate that broke many extensions should have by default monitored and renewed long before a crisis. Yeah its great to find a quick push for emergency updates, but how about doing better to prevent them in the first place. That would be priority one in my book, just saying Mozilla/Firefox.

    • by lgw ( 121541 ) on Friday May 10, 2019 @11:18AM (#58569356) Journal

      Seems to me that the expiration of the certificate that broke many extensions should have by default monitored and renewed long before a crisis.

      Basic professionalism. Heck, I'd look down on a hobby project that screwed up something this simple.

      However, it's nice to see they're taking the mistake seriously, rather than downplaying it. Seems they got their wake-up call.

      • by Luthair ( 847766 )
        You're basically saying that you expect everyone to be perfect all the time. The reality is that people leave, email addresses change, systems are re-provisioned and eventually its going to get missed.
        • by Antiocheian ( 859870 ) on Friday May 10, 2019 @11:43AM (#58569520) Journal
          He didn't say that. He wrote "basic professionalism".
        • by lgw ( 121541 ) on Friday May 10, 2019 @11:47AM (#58569538) Journal

          You're basically saying that you expect everyone to be perfect all the time.

          Professionalism in software is making sure things work despite human failings. You don't rely on people just happening to remember to do something important! If practical, you automate it. If not, you automate adding a team calendar entry to remind people.

          The reality is that people leave, email addresses change, systems are re-provisioned and eventually its going to get missed.

          Sure, if your hobby project isn't one you put much effort into. But if you're going to make a professional effort, not just messing around to kill time, you get on top of certs from the beginning, just like you figure out logging and test automation and deployment and your security model and all those boring things.

          • by Luthair ( 847766 ) on Friday May 10, 2019 @11:59AM (#58569594)

            Professionalism in software is making sure things work despite human failings. You don't rely on people just happening to remember to do something important! If practical, you automate it.

            Root certificates are kept on disconnected systems. This isn't automatable

            If not, you automate adding a team calendar entry to remind people.

            Sure, if your hobby project isn't one you put much effort into. But if you're going to make a professional effort, not just messing around to kill time, you get on top of certs from the beginning, just like you figure out logging and test automation and deployment and your security model and all those boring things.

            This isn't Mozilla's first root certificate, you can safely assume they've had some process of reminders that worked to this point.One can assume they'll fix this problem, but eventually something will breakdown and in some years something else will break.

            • by lgw ( 121541 )

              Good engineers don't let important things break. Even if that's hard. They rest is excuses for failure. If Mozilla can screw up something this obvious, I really have to wonder about the security of FF. Sadly there's no practical alternative for banking etc. that's not Google-tainted, but this doesn't exactly fill me with confidence.

              • Then there are no good engineers. Name one thing that has never or could never break.
                • Re: (Score:2, Insightful)

                  by lgw ( 121541 )

                  Name one thing that has never or could never break.

                  The anti-lock brake system controller in your car. If it breaks it doesn't brake, and if it brakes it doesn't break. Obviously.

                  But, seriously, do you really think engineers for somehting important should have the attitude of "mistakes happen, what can you do?" For the bridge you drive over? For MCAS? For the elevator you ride in? For the next x-ray machine you use? [wikipedia.org]

                  The point is, you make a professional effort to do important things right. Keeping a root cert renewed is important, and is a very simple

          • by raymorris ( 2726007 ) on Friday May 10, 2019 @01:19PM (#58570192) Journal

            Certainly they SHOULD have found a way to avoid this type of problem. And expiring certificates have been a problem for many organizations, including Microsoft. Why?

            The problem with "automate adding a calendar entry to remind people" is that three or five years down the road, you may very well be using a completely different calendar system. You had better be using a new version, which likely won't work quite the same. Whose calendar, by the way? It's entirely possible that the team that handles certs today won't exist, especially under the same name, a few years from now.

            Absolutely organizations need a way to ensure that several years later, an entirely different group of people, in a re-structured organization, perform a task. That's actually non-trivial though.

            Consider just with the example of Mozilla, at one point they would have needed to renew / exchange certificates that Netscape bought. How would a Netscape ops person add a calendar entry for the Mozilla foundation to do something before the foundation even existed?

            • by lgw ( 121541 )

              The problem with "automate adding a calendar entry to remind people" is that three or five years down the road, you may very well be using a completely different calendar system.

              So you forsaw a problem. That's great. Do you need me to explain how you mitigate the problem? Like, when your calendar-interaction automation breaks every time it runs, since it can't talk to the new system, how you know it's on fire? Monitoring? Alarming? Basic professionalism?

              It's entirely possible that the team that handles certs today won't exist, especially under the same name, a few years from now.

              So you forsaw a problem. That's great. I bet you can think of a way to mitigate it, if you stop explaining why it can't be done and instead just do it.

              Absolutely organizations need a way to ensure that several years later, an entirely different group of people, in a re-structured organization, perform a task. That's actually non-trivial though

              Never claimed it was trivial. Engineers get paid to solve the non-trivia

              • I didn't say it can't be done, I said a number of well-staffed, generally professional organizations have missed it.

                > When the Tower of London locks up at night, there's a ceremony every night involving 4 people and an elaborate call-and-response ritual.

                If you do it every night, it's not hard to remember (especially of you have four people doing it). If it only needs to be done once every five years, it's a lot harder to train the new guy, who won't be hired for another three years.

                Not impossible, but t

    • Security Certs in seem like a sloppy process.
      They don't really do that great of a job proving you are who you say you are, and they are relativity expensive to implement, and when they fail, it breaks down a whole slue of things.

    • by Luckyo ( 1726890 )

      This is assuming someone who was responsible didn't think this was a great way to finally force all those pre-quantum holdouts to upgrade.

    • by HiThere ( 15173 )

      No, it's not great to allow a push upgrade. No. No. No.

      The upgrade should be a pull by the user. It's fine to tell the user that they need to upgrade, but doing it behind their back is not only itself nefarious, it's an invitation to even more nefarious deeds.

    • People and companies do. In general, everyone is aware of the issue. It's surprisingly hard to get right all of the time. At scale, due to the number and variety of certificates and use cases, it's one of these "sanitation" tasks that requires meticulous attention. No matter how hard you try, at a certain size, you'll start having embarrassing outages due to expirations anyway, due to weird intersections of causes. Hopefully not many.

  • We use Venafi where I work and our one browser that refuses to play nice is Firefox. They never accept the Venafi intermediate and I have been told that's by design.

    Entertaining how that same thing has bit them in the butt!

  • Well, I'd hope so. (Score:5, Insightful)

    by QuietLagoon ( 813062 ) on Friday May 10, 2019 @11:22AM (#58569384)
    }}} Mozilla has committed to improving its asset tracking --- I have a script that runs weekly, and it checks all my domains and TLS certs. I get plenty of warning when an expiration approaches. I am really surprised that such a concept seems new to Mozilla.
  • by xack ( 5304745 ) on Friday May 10, 2019 @11:24AM (#58569396)
    Giving the beta versions of Firefox doge memes and integrating unwanted features and telemetry. It's a shame there is no truly independent mainstream (over 5% market share, not minor forks like Waterfox and Basilisk or Chrome skins like Brave/Opera) browser that isn't somehow influenced by Google bucks. It was Google's influential that lead them to making walled garden features like forced extention signing in the first place. Google is the tobacco of the IT industry, and everyone has cancer.
    • by Anonymous Coward

      You're free to move to one of the forks if you don't like it.

      Alas, that won't stop you from bitching about it in forums like this.

      • by Anonymous Coward

        Yeah! When the people who are now in charge of a project are running it into the ground, making asinine decisions, and have lost market share to the point of the project being irrelevant you need to shut up and like it. Never mind that you may have been a contributor, or financial supporter, or just a devoted fan of the project.

        "Move on to a fork" is a stupid retort on so many levels. What do you suggest people do when the project decision makers are failing in such a dramatic fashion? Let them? There shou

    • And here I naively thought they had found a way to disable Pocket.

  • by whoever57 ( 658626 ) on Friday May 10, 2019 @11:28AM (#58569418) Journal

    The real question is why should unmodified plugins that had a valid certificate chain at the time of installation become invalid later?

    The plugin didn't change. Nothing changed except the passage of time.

    • by Gravis Zero ( 934156 ) on Friday May 10, 2019 @12:06PM (#58569644)

      The real question is why should unmodified plugins that had a valid certificate chain at the time of installation become invalid later?

      Simple, programs have no sense of time. Specifically, it runs and exits repeatedly and is completely unaware of modifications made to the profile.

      This could be exploited by publishing a malware extension with the expectation that it will be quickly revoked. Once you have a valid signature, you can forcibly install your extension using a different piece of malware and replacing the central cert with an expired one. The result of Firefox not checking at every startup would be that it would allow the malware extension to be enabled.

      • by Anonymous Coward

        You have absolutely no idea how code signing works [sslshopper.com], do you?

        Not that Mozilla does either in this case, but you seem to be even more lost on the subject. I'm not even sure you understood the OP's original statement.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      why should unmodified plugins that had a valid certificate chain at the time of installation become invalid later?

      At a guess: because Firefox needs to validate the addon when it starts, in case it was modified by some malware while firefox wasn't running?

    • by Kjella ( 173770 )

      The real question is why should unmodified plugins that had a valid certificate chain at the time of installation become invalid later?

      Wouldn't such a record of already installed, no need to check plug-ins be a prime target for hackers? Install malware, flip the "you already checked me" bit and you're in the clear. This way you have to circumvent or disable the whole system to get around it.

      • by flux ( 5274 )

        If you're suggesting that the malware is able to modify Firefox configuration in general somehow before installing the malware-extension, then I'm betting it is able to do many worse things than simply setting some particular flag in Firefox configuration. For example replace the Firefox links in desktop with a malware-provided one.

  • sooo... (Score:5, Insightful)

    by BlackOverflow ( 5394496 ) on Friday May 10, 2019 @11:30AM (#58569424)
    If Mozilla went under or got hacked or whatever and their certificate server went down for an extended time, all addons would be indefinitely broken? That seems like a really fragile system.
    • Every day that goes by, we edge closer to the idea that when software is "unsupported", it will die instantly and never, ever work again. Because software goes bad over time, of course.

  • In Mozilla as an organization at this point. They have been fraught with multiple stupid decisions and fuckups that could have been easily avoided the last few years. It makes me think the org is being run by children and not professionals. They seem more interested in breaking their software and alienating their userbase than seriously competing with Chrome. It's sad, I had used Firefox for a very long time but can't find a good reason to do so anymore.
  • "Second, we need a mechanism to be able to quickly push updates to our users even when -- especially when -- everything else is down."

    Sigh, yet another thing that will I'm sure be on by default, with either no way or a very difficult way to opt out of, and gives Mozilla persistent control into your browser way past the initial download. Why can't they learn, once I download the package I should be able to do whatever I want with it, for as long as I want, without ever having to talk to their servers again.

  • Thanks to timezones and the rotation of the planet, ...

    Someone doesn't understand how Time Zones work.

  • ... why would Add-Ons that were validated and already installed, when the certificate was valid, be invalidated simply because the certificate expired? I can see why *new* versions/releases wouldn't be validated and couldn't be installed, but not the current ones. Seems like this needs to be thought through better.

  • This should have been in place years ago.
  • I work at a certain well known tech company where certs have 1 year expirations and your dashboards better contain tracking metrics along with alarms lest you be embarrassed during a presentation, or worse, have to present a discussion of an event due to an expiration.

    There are a whole lot of certs out there, and there are many reasons to change/renew them, and they live in many different environments. Some can be automagically renewed by automated systems. Some not so much. Some have to be updated on one h

  • Verisign wanted re-occuring income every year, so they limited their certificates to 1 year. All the normal BS arguments came out - this is reasonable, you can do this it's good for a whole year, etc. Try maintaining 3 thousand or more sites. Now it's a chore every day. Especially since people depend on those sites and don't want it to be down for even a minute. Coordination, etc. Then if someone screws it up? Oh my God. The complaints come in.

    Real world complaint - "Hillary was so far up my ass she spray p

  • It's the modern-day version of "DOS ain't done till Lotus won't run". If the certificates had expired 6 months ago, this would not have happened. The series of events goes like so...

    * Various websites moderate non-leftist comments out of existence, or shut down comments altogether, or point comments to Facebook forums, or Disqus.

    * Free speech website gab.com puts out a browser extension that provides a comment functionality similar to Disqus. This was popular with people who were banned from Facebook and Tw

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...