Expired certificate broke all Firefox add-ons

Bubbajim

TechSpot Staff
Staff member

You would think that a company whose main product is a browser would know a thing or two about security certificates. But yesterday, Firefox users with any add-on installed found their beloved browser had reverted to its 'vanilla' form, as an expired security certificate meant all add-ons couldn't be verified and thus were disabled.

Confused users headed to the Firefox subreddit and Mozilla's own 'bugzilla' forums where confirmation was given of the problem. It transpired that an intermediate signing certificate had expired, which is pivotal to the verification process for extensions and add-ons. In a statement to Engadget, Mozilla's Product Lead, Kev Needham, said "we know what the issue is and are working hard to restore add-on functionality to Firefox as soon as possible."

This is particularly embarassing for Mozilla, not least because it's not the first time this has happened. The same thing happened about three years ago but apparently Mozilla didn't learn from their mistake. Certificates such as this are pretty straightforward to renew, so it's a terrible oversight on their part.

To their credit nonetheless, they have leapt into action to tried and resolve the situation immediately. Mozilla have been updating their customers via their Twitter, and Saturday morning confirmed they had identified the problem and gave assurances that a hotfix was about to be deployed. As of writing, the behind-the-scenes hotfix should be working so no updates will be needed on users' side.

Permalink to story.

 

bluetooth fairy

TS Booster
Mobile version suffered the same issue and they didn't manage to fix it still.

".. all add-ons couldn't be verified and thus were disabled"
A new add-on can't be added to the browser as well, Firefox says "it appears to be corrupt".

But I noticed that it's now ok to browse the web without uBlockOrigin active, thanx to "Tracking protection" feature. Either it worked worse earlier, or I just haven't found inappropriate content today.

PS Firefox for Android, ver 67.0b16 (latest beta)
 

jobeard

TS Ambassador
The issue is more prolific than just addons. If ANY required certificate is "invalid, expired or missing", then SSL connections start to fail and in most cases, you can't access websites via HTTPS.

I had a case of missing a CA ROOT update and it took some time to diagnose the cause and then to find the CERT update that resolved it.
 

rickst35

TS Rookie
Mozilla Devs need to get with the program, 'Users in control of their own computers'. The FIX should not be merely a new Cert - it should also include an about:config option which presents a UI change, allowing users to ignore an "Expired, Missing, or Invalid" Certification and force-enable of a "questionable" Add-On which was disabled for this reason.

This was too much "Management Control" of end users from the Organization - an Organization which didn't even notice that it's own 'Required' Certificate was scheduled to die very soon, until it happened and thousands of user complaints started coming in. Mozilla, you're acting Shabby.
 
  • Like
Reactions: jtveg

jobeard

TS Ambassador
Mozilla Devs need to get with the program, 'Users in control of their own computers'. The FIX should not be merely a new Cert - it should also include an about:config option which presents a UI change, allowing users to ignore an "Expired, Missing, or Invalid" Certification and force-enable of a "questionable" Add-On which was disabled for this reason.
Sadly this discloses a total lack of understanding on how Certs work and would break the validity of the Certificate Chain.

It might be possible to design a new authentication protocol with this feature, but every implementation on the Internet would need to be changed, not just Mozilla (who carelessly stumbled into the issue which all SSL users are exposed to).
 
  • Like
Reactions: rickst35

ghostf1re

TS Guru
Well I was affected by this and none of my addons work. They are all saying to install an alternative because they cannot be verified. I tried to force an update, but there was none. I guess I'll just use Chrome then.
 

rickst35

TS Rookie
Sadly this discloses a total lack of understanding on how Certs work and would break the validity of the Certificate Chain.

It might be possible to design a new authentication protocol with this feature, but every implementation on the Internet would need to be changed, not just Mozilla (who carelessly stumbled into the issue which all SSL users are exposed to)....
With respect - I think that you misunderstood me (and I do know how Certs work.) I would not "make something entirely new" - I am simply suggesting that that Mozilla introduce, into Firefox, the kind of alternative which they already provide for browsing web Sites, claiming to be SSL but providing invalid or expired Certs. (That current pop-up is "Get me Out of Here .... Proceed Anyway", with an option to store the excpeption permanently.) Upon "managing" inactivated add-ons with Invalid Certificates, a similar pop-up would appear.

It's not much different than accepting a self-signed Cert which didn't present a valid chain of trust - which Computer Professionals (like me) do pretty frequently, on "test" boxes and "test" Apps
 
Last edited:

nismo91

TS Evangelist
Yesterday I was surprised when I saw an ads on youtube. I don't even see ads on my phone's youtube with vanced. tried installing the ESR, and some addons worked. then today solved it by installing back release version and going into the studies settings.

couldn't even understand how manually installing the xpi didn't work. it said the addons were corrupted. I have to temporary load some addons before the fix. I'm not turning my clock back!

it's truly a shame. I won't even be using firefox if it wasn't for the add-ons. heck I might even use edge. the very thing that kept this browser alive. neglected. never going to use it on my phone. ever.

P.S. I'm using nochromo for my android phone. blocks most ads without any config.
 
  • Like
Reactions: Dimitrios

Dimitrios

TS Guru
For me it was a nice reminder of how terrible the internet is with ads.

Same here I couldn't stand all of the freakin ads. It was so bad even the commercials on YOUTUBE were crazy. There was a damn reason why I gave up tv few years ago and relied on the internet. I just hate force fed garbage even politics, ads, commercials etc..... My blood was boiling and I gave up and didn't use the internet for a full day or so. Maybe it's because I have some sort of OCD or ADHD but I swore out loud with all the annoying clutter of ads. The internet felt like a cheap flea market flooded with ads designed by kids.

I just fixed it now and I'm happy again.
 
Last edited:
  • Like
Reactions: MaXtor

Dimitrios

TS Guru
Yesterday I was surprised when I saw an ads on youtube. I don't even see ads on my phone's youtube with vanced. tried installing the ESR, and some addons worked. then today solved it by installing back release version and going into the studies settings.

couldn't even understand how manually installing the xpi didn't work. it said the addons were corrupted. I have to temporary load some addons before the fix. I'm not turning my clock back!

it's truly a shame. I won't even be using firefox if it wasn't for the add-ons. heck I might even use edge. the very thing that kept this browser alive. neglected. never going to use it on my phone. ever.

P.S. I'm using nochromo for my android phone. blocks most ads without any config.
I agree on every word, thanks for saving the time for me to type that same comment. :)
 

Nobina

TS Evangelist
Yesterday I saw all my addons were rekt and I heard in advance this might happen. Heard of Waterfox which is some fork of it apparently and it works pretty well for a second browser. Never installing Firefox again.
 

noel24

TS Evangelist
Yesterday I saw all my addons were rekt and I heard in advance this might happen. Heard of Waterfox which is some fork of it apparently and it works pretty well for a second browser. Never installing Firefox again.
I've lost one and a half day now. I've tried everything I could find for FF 56.0.2, then tried Waterfox - still nothing. My work laptop with Win 10 and Quantum FF fixed itself on morning reboot. I got a feeling Mozilla may actually accidentally found out they can force people off forks and old, unsupported versions, but for Me if I won't get my old addons to work, It will be something else alltogether. Chrome probably, because of better support by addon developers. I give them time by tomorrow evening. F*ck!
 

jobeard

TS Ambassador
With respect - I think that you misunderstood me (and I do know how Certs work.) ...

It's not much different than accepting a self-signed Cert which didn't present a valid chain of trust - which Computer Professionals (like me) do pretty frequently, ...
Good. You might see then that the short fix would be to ensure that the Cert renewal is attended to in a timely manner and never overlooked again. This would save R&D resources and avoid a needless release of the product.
 

plplplpl

TS Member
Took me a bit of digging to find it, but this worked for me:

Type "about:config" in the address bar.
Accept the CMA *risk* disclaimer.
Scroll down to "xpinstall.signatures.required"
Double click on it so the value changes to "false"
Boo-Yah, your extensions are restored.

Curses be unto Mozilla for such a ball drop.
 

lazer

TS Addict
I had an older version of FF that had great add ons. All of a sudden nothing worked. Tried updating, still nothing. So I began using Chrome as my default.

I see FF still sucks.....