Firefox Certificate Expiration Threatens Add-ons, Streaming on March 14

A critical root certificate expiring on March 14, 2025 will disable extensions and potentially break DRM-dependent streaming services for Firefox users running outdated browsers. Users must update to at least Firefox 128 or ESR 115.13+ to maintain functionality across Windows, macOS, Linux, and Android platforms.

The expiration additionally compromises security infrastructure, including blocklists for malicious add-ons, SSL certificate revocation lists, and password breach notifications. Even those on legacy operating systems (Windows 7/8/8.1, macOS 10.12â"10.14) must update to minimum ESR 115.13+.

Not for distro handling certs

[GPLHost-Thomas]

For Debian users for example, the CA store is *not* in the browser...

Re:Not for distro handling certs

[higuita]

firefox use their own CA management, outside the system CA store. This is both great (as solves weird problems and make sure firefox behaves the same and rogue CA certs aren't really used unless the user also install them directly in firefox), but also bad, as a system update do not update firefox CA side
Not sure if iceweasel was patch to use the system CA store

Re:

[GPLHost-Thomas]

Iceweasel was renamed back as Firefox about maybe 10 years ago? When Mozilla decided that finally, Debian was not infringing its trademark by shipping a patched version of Firefox, with patches not prepared by Mozilla.

Also, yes, Firefox in Debian is patched to use the "ca-certificates" package CA store. The funny bit is that this ca-certificate is built using the certificates from ... Firefox ! Though I have no idea if the ca-certificate package is affected by this CA expiration. Anyways, if this is the c

Certificate expiries are timebombs

[xack]

Every so often a major website or product stops working because of an expired certificate somewhere. Despite "soft coding" certificates and update automation there is always a chance one will be forgotten. EOL is often enforced by manufacturers with deliberate expiration dates as well, leading to the "internet of shit" problem. All this ewaste is piling up Idiocracy/Wall-e style thanks to broken certificates. With the version number now so inflated by Chrome/Firefox, no one knows what the "correct" version is supposed to be anymore, and all these old Firefox installs on spare computers or EOL Windows 7 computers are going to blow up fast. Many non-tech savvy people will be affected, and it will increasingly destroy even more of Firefox's lost good will that has occurred over the years.

Re:

[omnichad]

It should be easier than this to manually update the certificate store on any program or automate it with third party utiltiies.

Seems that Firefox will only trust private root stores from the operating system and they don't intend to ever support using the rest of the store from the OS. Of course that doesn't help when the OS is obsolete too, but it would be much easier to import updated certs once at the OS level instead of to each individual app.

Re:

[higuita]

All OS use their own way to manage CA and mozilla always used their own CA store to workaround that. It is also safer, as rogue CA will not be used, someone have to manually install those in firefox too. Firefox does a good job updating their CA store... as long users also update their browsers.
Being so complex, no one should use out of date browsers, but even if you really need to run one old browser, nothing blocks you from loading the missing update CA in that browser too, but them is up to you maintain

Re:

[bussdriver]

Mozilla won't lift a finger to solve this self-imposed problem.

They instead DEMAND users switch browsers... to something that still runs on old computers. Not everybody runs old computers and old software on their WAN, there is plenty of LAN only computer usage out there. Even so, it's the user's freedom and they need to stop forcing their will on others. It's what drove a lot of users away from Firefox in the 1st place.

What a self entitled crybaby

[pavon]

They wrote this software for free, and they gave you for free security updates that don't require accepting any new features. They even went out of their way to continue putting out security releases (ESR 115.13) for operating systems that Microsoft and Apple don't even support anymore. And they did this all six months in advance so you would have plenty of time to upgrade.

But enjoy your freedom to run old unpatched software.

Re:

[bussdriver]

Mozilla has a ton of money to support minor things like this. There are people without money who can't upgrade their hardware so they can run a newer OS so then they can run the newer browser. Much harder for Mozilla to build the browser in much older OS than it is for them to reissue certificates.

Somebody who recycles and supports old machines that do not need to be up-to-date also makes decisions such as what browsers many other people see and likely do not change from... Upset me and I literally control

Re:

[narcc]

If only it was open source and you could fix it yourself...

Not that it matters. If Mozilla pushes an update for the older browser, the mouth-breathers will bitch and moan about Mozilla "wasting resources" on old versions that no one uses instead of "fixing" their pet problem that either never existed or was fixed 10+ years ago. The five or six people actually affected will bitch and moan about how they're being "forced" to install a patch with a "why can't they just leave things alone".

If you want to use

yep

[buck-yar]

If people liked the direction software was headed, they wouldn't be clinging to old versions. Imagine being a dev and people want an older version? I'd question my choices with the UI or features. There doesn't seem to be any self reflection in the software community. If someone makes a good UI, they can't help but screw it up by endless tinkering and refreshes. Or changing the UI beacuse they want it to look and feel like Chrome.

Re:

[bussdriver]

YES! no kidding!

The perfect would be destroyed as soon as staff changes around and not enough competent people can defend it from unnecessary changes and fads.

Re:

[bussdriver]

You can't patch forever! The OS falls behind. The OS can't update forever. The people I know won't complain, they'll either migrate away or suffer with things not working.

These are certs which we don't have control over; and running old software is a thing a lot of people like to be able to do. Security whatever; if you run windows you already don't care. Also, for testing it's necessary to have old versions and how low one goes shouldn't be decided by the cert some developer sets up who is always running

Re:

[narcc]

It's open source. Patch it yourself and you don't have to deal with all of the other unspecified changes so insignificant that most people don't even notice, yet still seem to get your panties all in a twist.

The people I know won't complain, they'll either migrate away or suffer with things not working

Get real. You're complaining right now about a patch that doesn't even exist!

Re:

[xack]

They hard coded the certificates into the executable. They are not the standard root certificates that TLS uses.

What the hell is this crap!?

[lyran74]

"10.12â"10.14"

It's 2025. I expected this in 1999. Seriously, sort out the encodings already.

Re:

[drinkypoo]

Slashdot supports endashes and emdashes with – and — respectively.

There's absolutely no good reason for it not to recognize Unicode characters in story and comment submissions, translate the supported ones to entities, and strip the rest. That would be trivial and require zero backend changes.

Defending incompetence is now an American tradition, but it's still pathetic every time.

Re:

[Khyber]

The moment Unicode gets supported you will see no end of drawn swastikas all over the fucking site.

Please think about abuse before you think about functionality. This is why so much software sucks - nobody does this.

Re:

[drinkypoo]

I am asking for only and exclusively the primary glyphs matching the HTML entities which are allowed on the site, plus curly quotes and ticks which can be implemented the same way to solve the Mac user problem some way other than finally.

Re:

[ls671]

Mac users can easily set their keyboards to behave properly.

Re:

[drinkypoo]

I actually meant iOS, sorry. And I know, they can turn off the feature too, but they aren't going to. Meanwhile, the rest of us have to deal with their output. But also, it would be of help while posting quotations.

Re:

[ls671]

I agree it's just fine the way it is right now, especially for an English only site. I never understood the bitching for unicode. Unicode brings in some security issues as well.

Re:

[ls671]

I agree, it's fine the way it is now, especially for an English only site. Unicode brings in some security issues as well.

Re:

[viperidaenz]

They accept UTF-8 as a the content-type for submitting comments, then butcher the content by not supporting it.

Timing is everything

[akw0088]

Seems like this might have been factored in with the terms of use change, force people to upgrade for streaming and get the browser tracking under the table

Re:

[higuita]

you know that this kind of CA certificates have long expiration dates... this certificate is probably like for 10 or 20 or 25 years...
call that conspiracy, planing a forced user update to a new term of services by starting to use something 10 years ago, just yo catch you now!!

Re:

[narcc]

You're insane.

The "terms of use" non-issue was a whole lot of nonsense from people who didn't understand the TOS, and a bunch of idiots that blindly repeated the bullshit. You have nothing to worry about w.r.t. Firefox and your privacy. Get a clue. [mozilla.org]

Re: Timing is everything

[RegistrationIsDumb83]

It matters. Companies shouldn't expect to be able to railroad users into unfair and predatory terms. Stop being a corpo shill.

Re:

[narcc]

You're lying about the TOS. Firefox did nothing wrong. We also need Firefox for a healthy web. Spreading bullshit like you're doing is only going to help Google completely take over the browser market, which, as we've seen, will bring to life all of your paranoid delusions and more.

Don't be corporate tool.

Re:

[markdavis]

>"Seems like this might have been factored in with the terms of use change [...]"

-1 Troll or at least -1 Overrated

The terms of service thing was a big-hype nothing-burger.

What's the name of the certificate?

[kriston]

What's the name of the certificate? Even the article doesn't say, just that it's one of Firefox's root certificate.

Re:

[kriston]

I believe it's "Entrust" which has a history of problems. [wikipedia.org]

It happened before already.

[Rexdude]

After they forced addon signing as a 'security' measure, all addons got disabled [bleepingcomputer.com] due to an expired certificate in 2019. I had stopped using it by then in favor of Seamonkey and now Pale Moon, it's ridiculous that one can't roll one's own extension to use on the regular build.