Firefox Certificate Expiration Threatens Add-ons, Streaming on March 14

A critical root certificate expiring on March 14, 2025 will disable extensions and potentially break DRM-dependent streaming services for Firefox users running outdated browsers. Users must update to at least Firefox 128 or ESR 115.13+ to maintain functionality across Windows, macOS, Linux, and Android platforms.

The expiration additionally compromises security infrastructure, including blocklists for malicious add-ons, SSL certificate revocation lists, and password breach notifications. Even those on legacy operating systems (Windows 7/8/8.1, macOS 10.12â"10.14) must update to minimum ESR 115.13+.

Not for distro handling certs

[GPLHost-Thomas]

For Debian users for example, the CA store is *not* in the browser...

Re:Not for distro handling certs

[higuita]

firefox use their own CA management, outside the system CA store. This is both great (as solves weird problems and make sure firefox behaves the same and rogue CA certs aren't really used unless the user also install them directly in firefox), but also bad, as a system update do not update firefox CA side
Not sure if iceweasel was patch to use the system CA store

Re:

[GPLHost-Thomas]

Iceweasel was renamed back as Firefox about maybe 10 years ago? When Mozilla decided that finally, Debian was not infringing its trademark by shipping a patched version of Firefox, with patches not prepared by Mozilla.

Also, yes, Firefox in Debian is patched to use the "ca-certificates" package CA store. The funny bit is that this ca-certificate is built using the certificates from ... Firefox ! Though I have no idea if the ca-certificate package is affected by this CA expiration. Anyways, if this is the c

Certificate expiries are timebombs

[xack]

Every so often a major website or product stops working because of an expired certificate somewhere. Despite "soft coding" certificates and update automation there is always a chance one will be forgotten. EOL is often enforced by manufacturers with deliberate expiration dates as well, leading to the "internet of shit" problem. All this ewaste is piling up Idiocracy/Wall-e style thanks to broken certificates. With the version number now so inflated by Chrome/Firefox, no one knows what the "correct" version is supposed to be anymore, and all these old Firefox installs on spare computers or EOL Windows 7 computers are going to blow up fast. Many non-tech savvy people will be affected, and it will increasingly destroy even more of Firefox's lost good will that has occurred over the years.

Re:

[omnichad]

It should be easier than this to manually update the certificate store on any program or automate it with third party utiltiies.

Seems that Firefox will only trust private root stores from the operating system and they don't intend to ever support using the rest of the store from the OS. Of course that doesn't help when the OS is obsolete too, but it would be much easier to import updated certs once at the OS level instead of to each individual app.

Re:

[higuita]

All OS use their own way to manage CA and mozilla always used their own CA store to workaround that. It is also safer, as rogue CA will not be used, someone have to manually install those in firefox too. Firefox does a good job updating their CA store... as long users also update their browsers.
Being so complex, no one should use out of date browsers, but even if you really need to run one old browser, nothing blocks you from loading the missing update CA in that browser too, but them is up to you maintain

Re:

[bussdriver]

Mozilla won't lift a finger to solve this self-imposed problem.

They instead DEMAND users switch browsers... to something that still runs on old computers. Not everybody runs old computers and old software on their WAN, there is plenty of LAN only computer usage out there. Even so, it's the user's freedom and they need to stop forcing their will on others. It's what drove a lot of users away from Firefox in the 1st place.

What a self entitled crybaby

[pavon]

They wrote this software for free, and they gave you for free security updates that don't require accepting any new features. They even went out of their way to continue putting out security releases (ESR 115.13) for operating systems that Microsoft and Apple don't even support anymore. And they did this all six months in advance so you would have plenty of time to upgrade.

But enjoy your freedom to run old unpatched software.

Re:

[narcc]

If only it was open source and you could fix it yourself...

Not that it matters. If Mozilla pushes an update for the older browser, the mouth-breathers will bitch and moan about Mozilla "wasting resources" on old versions that no one uses instead of "fixing" their pet problem that either never existed or was fixed 10+ years ago. The five or six people actually affected will bitch and moan about how they're being "forced" to install a patch with a "why can't they just leave things alone".

If you want to use

yep

[buck-yar]

If people liked the direction software was headed, they wouldn't be clinging to old versions. Imagine being a dev and people want an older version? I'd question my choices with the UI or features. There doesn't seem to be any self reflection in the software community. If someone makes a good UI, they can't help but screw it up by endless tinkering and refreshes. Or changing the UI beacuse they want it to look and feel like Chrome.

What the hell is this crap!?

[lyran74]

"10.12â"10.14"

It's 2025. I expected this in 1999. Seriously, sort out the encodings already.

Re:

[drinkypoo]

Slashdot supports endashes and emdashes with – and — respectively.

There's absolutely no good reason for it not to recognize Unicode characters in story and comment submissions, translate the supported ones to entities, and strip the rest. That would be trivial and require zero backend changes.

Defending incompetence is now an American tradition, but it's still pathetic every time.

Re:

[Khyber]

The moment Unicode gets supported you will see no end of drawn swastikas all over the fucking site.

Please think about abuse before you think about functionality. This is why so much software sucks - nobody does this.

Re:

[drinkypoo]

I am asking for only and exclusively the primary glyphs matching the HTML entities which are allowed on the site, plus curly quotes and ticks which can be implemented the same way to solve the Mac user problem some way other than finally.

Re:

[ls671]

Mac users can easily set their keyboards to behave properly.

Re:

[drinkypoo]

I actually meant iOS, sorry. And I know, they can turn off the feature too, but they aren't going to. Meanwhile, the rest of us have to deal with their output. But also, it would be of help while posting quotations.

Re:

[ls671]

I agree it's just fine the way it is right now, especially for an English only site. I never understood the bitching for unicode. Unicode brings in some security issues as well.

Re:

[ls671]

I agree, it's fine the way it is now, especially for an English only site. Unicode brings in some security issues as well.

Re:

[viperidaenz]

They accept UTF-8 as a the content-type for submitting comments, then butcher the content by not supporting it.

Timing is everything

[akw0088]

Seems like this might have been factored in with the terms of use change, force people to upgrade for streaming and get the browser tracking under the table

Re:

[higuita]

you know that this kind of CA certificates have long expiration dates... this certificate is probably like for 10 or 20 or 25 years...
call that conspiracy, planing a forced user update to a new term of services by starting to use something 10 years ago, just yo catch you now!!

Re:

[narcc]

You're insane.

The "terms of use" non-issue was a whole lot of nonsense from people who didn't understand the TOS, and a bunch of idiots that blindly repeated the bullshit. You have nothing to worry about w.r.t. Firefox and your privacy. Get a clue. [mozilla.org]

Re: Timing is everything

[RegistrationIsDumb83]

It matters. Companies shouldn't expect to be able to railroad users into unfair and predatory terms. Stop being a corpo shill.

Re:

[narcc]

You're lying about the TOS. Firefox did nothing wrong. We also need Firefox for a healthy web. Spreading bullshit like you're doing is only going to help Google completely take over the browser market, which, as we've seen, will bring to life all of your paranoid delusions and more.

Don't be corporate tool.

Re:

[markdavis]

>"Seems like this might have been factored in with the terms of use change [...]"

-1 Troll or at least -1 Overrated

The terms of service thing was a big-hype nothing-burger.