Update: a partial fix has been shipped by Mozilla
A few hours ago the intermediate certificate that Mozilla uses to sign Firefox add-ons expired. What this means is that every add-on signed under that certificate, which seems to be nearly all of them, is now automatically disabled by Firefox as a security measure.
In simpler terms, Firefox doesn’t trust any add-ons right now.
Basically, all your Firefox extensions will be disabled and won’t work until Mozilla fixes this embarrassing issue. Until they do, you can go to about:config and set xpinstall.signature.required to false. This is obviously a major security issue, since that preference is the only thing stopping an unsigned or tampered add-on from loading, so only change this flag if you know what you’re doing, and don’t forget to set it back to true once Mozilla fixes the issue. One caveat: since Firefox 48 the standard Release and Beta builds ignore this preference entirely; it is only honoured in Nightly, Developer Edition, ESR and unbranded builds, so on a normal release install flipping it will not bring your add-ons back.
Whose bright idea was to have certificates expire? As if it matters if a certificate whose signing key was leaked will be valid for 3 more years or forever…
Expiration and revocation of keys is essential to the current keysigning ecosystem. This is clearly a “no need to monitor this, we will fix it later” problem. It’s not a technical issue per se.
Sodki,
The way it’s used is questionable though. It could make sense to check that the certificate isn’t expired when downloading new plugins. However for pre-existing plugins, automatically revoking them without asking the user for permission to do that is extremely intrusive. Even if an author stops working on a plugin and allows a certificate to lapse, that doesn’t mean Firefox should deny us the right to run plugins we’ve installed earlier.
Consider a user who downloads a file over HTTPS with a legitimate certificate on Thursday, yet on Friday the certificate expires. That does NOT mean the file is no longer secure, and fortunately HTTPS certificates only apply at the time of download. The expiration dates exist as a very conservative window during which encrypted/signed data can be protected by a public key; its expiration means that no new content should be signed with that key, but it doesn’t render pre-existing content less secure because it was validated when the certificate was valid. There’s no reason to purge already gotten content if the certificate hasn’t been revoked.
Certificate expiration dates are time bombs waiting to happen. I use Firefox plugins mostly for privacy and convenience, but imagine a reporter or citizen living in a repressive regime who might have gotten outed as a result of this Firefox stunt breaking their plugins. IMHO it’s irresponsible to take destructive actions on a user’s system without user permission. At first I didn’t even get a notification that anything was wrong.
“Expiration and revocation of keys is essential to the current keysigning ecosystem.”
Why? That’s my question.
So that you can say “I don’t trust this anymore”.
Sodki,
An expired certificate should not be used for new signatures. However it does not invalidate old signatures which were valid at the time they were signed. Even with code certificates (i.e. those used by Microsoft kernel drivers) an expiring certificate DOES NOT disable the drivers. Expired certificates cannot be used to sign new code, but it does not break existing code, which is good because things would break all the time and users would be furious when the manufacturer stops signing drivers for unsupported devices.
The way Firefox is implementing certificate expiration as a kill switch goes beyond the normally accepted uses for certificates. IMHO it’s bad practice to have these time bombs where things break on arbitrary dates if the software isn’t always updated for some reason.
Why? And where do you set the cutoff for “anymore”? Most certificates have a lifetime in the years range, that looks like an awful lot of time for the baddies to release malware signed with a potentially leaked certificate.
I understand the need for revocation but not for time-based expiration.
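The disagreement in the comments above (does a signature made while the certificate was valid stay trustworthy after the certificate expires, and what does revocation add on top of that?) is easiest to see as two verifier policies side by side. The Go program below is an added example written for this page, not code from Mozilla or Firefox: it builds a throwaway CA and a code-signing certificate valid only for 2018 (all names are hypothetical), signs a constructed bundle in mid-2018, and then verifies it on a date after the certificate has expired under both the "valid now" rule and the "valid when signed" rule, alongside a signature made after expiry and a revoked signer. The signing time is simply recorded by the signer, which is an assumption made for the example and is the weak spot the caveat in `Verify` points at.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Policy chooses the instant at which the signer's certificate chain must be valid.
type Policy int
const (
	ValidateAtNow     Policy = iota // kill switch: chain must be valid at verification time
	ValidateAtSigning               // code-signing rule: chain must have been valid when signed
)
// SignedAddon is a signed bundle plus what a verifier needs.
type SignedAddon struct {
	Payload, Signature []byte
	Signer             *x509.Certificate
	SignedAt           time.Time // claimed signing time; see the caveat in Verify
}
// Outcome holds one verification error (nil means accepted) per scenario case.
type Outcome struct{ InstalledAtNow, InstalledAtSigning, SignedAfterExpiry, Revoked error }
func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
// newCert generates a P-256 key and issues tmpl signed by parentKey (self-signed when nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parentKey == nil { parentKey = key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// Sign makes an ECDSA-P256/SHA-256 signature over payload and records the signing time.
func Sign(payload []byte, signer *x509.Certificate, key *ecdsa.PrivateKey, at time.Time) (SignedAddon, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedAddon{Payload: payload, Signer: signer, Signature: sig, SignedAt: at}, err
}
// Verify applies policy p at wall-clock time now. revoked (serial numbers) is honoured
// under both policies: revocation, not expiry, is how a CA says "don't trust this anymore".
func Verify(a SignedAddon, roots *x509.CertPool, revoked map[string]bool, now time.Time, p Policy) error {
	if revoked[a.Signer.SerialNumber.String()] { return fmt.Errorf("signer certificate revoked") }
	at := now
	if p == ValidateAtSigning {
		// CAVEAT: SignedAt is only as trustworthy as its source. If the signer asserts it, a leaked
		// key can back-date signatures into the old window; a trusted timestamp (RFC 3161 style) is
		// what makes this policy sound in practice.
		at = a.SignedAt
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := a.Signer.Verify(opts); err != nil {
		return fmt.Errorf("chain invalid at %s: %w", at.Format("2006-01-02"), err)
	}
	if err := a.Signer.CheckSignature(x509.ECDSAWithSHA256, a.Payload, a.Signature); err != nil {
		return fmt.Errorf("payload signature invalid: %w", err)
	}
	return nil
}
// RunScenario issues a signer cert valid for 2018 only, signs a bundle in mid-2018, and evaluates each case at now.
func RunScenario(now time.Time) (Outcome, error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Add-on Root"},
		NotBefore: date(2010, 1, 1), NotAfter: date(2040, 1, 1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil { return Outcome{}, err }
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Add-on Signer"},
		NotBefore: date(2018, 1, 1), NotAfter: date(2019, 1, 1), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	signer, key, err := newCert(signerTmpl, ca, caKey)
	if err != nil { return Outcome{}, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	bundle := []byte("constructed add-on bundle bytes") // stand-in for an .xpi
	installed, err := Sign(bundle, signer, key, date(2018, 6, 1))
	if err != nil { return Outcome{}, err }
	late, err := Sign(bundle, signer, key, date(2019, 3, 1)) // new signature made after the cert lapsed
	if err != nil { return Outcome{}, err }
	revoked := map[string]bool{signer.SerialNumber.String(): true}
	return Outcome{
		InstalledAtNow:     Verify(installed, roots, nil, now, ValidateAtNow),
		InstalledAtSigning: Verify(installed, roots, nil, now, ValidateAtSigning),
		SignedAfterExpiry:  Verify(late, roots, nil, now, ValidateAtSigning),
		Revoked:            Verify(installed, roots, revoked, now, ValidateAtSigning),
	}, nil
}
func main() {
	out, err := RunScenario(date(2019, 5, 4)) // a date after the signer cert expired
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", out)
}
```

Run with `go run`: the first case fails with an x509 expiry error while the second is accepted, and the signature made after expiry and the revoked signer are rejected under either policy, which is the driver-signing behaviour described above. The catch with the signing-time policy is the comment inside `Verify`: without a trusted timestamp, whoever holds a leaked key can back-date new signatures into the old validity window, so a working revocation channel is still needed even when expiry is not used as a kill switch.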
kurkosdr,
Revocation is uglier than one might imagine under the PKI model, the top answer here does a decent job of explaining some of the problems.
https://security.stackexchange.com/questions/127988/who-is-responsible-for-revoking-a-certificate
The whole appeal behind the PKI model in typical web scenarios is that a client trusts a certificate without using any more resources to validate it. Is it current and correctly signed? If yes, then trust. However that all becomes a lot more difficult with revocation.
Here are the options (actual support for these is quite mixed in practice):
1. Have clients maintain a list of revoked certificates (this doesn’t scale well as the list grows, having shorter expiration dates allows the list to be pruned).
2. Have clients poll the CA whether the certificate is valid when it is used. If a client’s policy is to enforce real-time revocation checks, then revocation works properly, but it throws the performance, scalability, and robustness aspects of PKI into the garbage and requires CAs to be online 24/7 with sizable infrastructure to handle the constant load.
3. OCSP stapling is an attempt to mitigate some of the performance issues with #2 by having servers request proof of non-revocation status from the CAs and include that in HTTPS responses to clients. Having servers request certificates a hundred times per day should put less strain on CAs than having thousands/millions of clients requesting updates individually. However it does not solve the robustness issue, and if the synchronization between the server and CA fails for any reason, then the data becomes stale and this can start happening…
https://developercommunity.visualstudio.com/content/problem/62465/receiving-a-sec-error-ocsp-invalid-signing-cert-wh.html
Due to the way browsers handle it as a hard-fail, I actually don’t recommend using OCSP; it adds complexity. Browsers generally treat a certificate without OCSP stapling as a soft-fail when they can’t obtain revocation data from the CA. It kind of defeats the purpose, but alas browser makers had to deal with the fact that realtime CA validation limits SSL reliability and even breaks in firewalled environments.
In short, CA revocation today is an ugly mess. This is partly why the industry has reduced certificate expiration from 3 years to 2 years (3 year certificates are no longer available to the public) and some SSL vendors actually charge you to revoke certificates (looking at you starttls with $25 per revocation). Let’s Encrypt reduces that period to 3 months, which helps to reduce the costs of operating revocation infrastructure.
The root of the problem stems from the fact that we need to reliably get information from the CA to the clients, but with all of the engineering problems, my own opinion is that a simpler and equally reliable solution would just be to issue short-lived certificates and do away with revocation mechanisms that are often broken anyways. From an informational perspective, having a CA sign a 24-hour certificate validating authenticity for the next 24 hours is functionally identical to having a CA sign a statement that a certificate has not been revoked which gets cached by clients for 24 hours. In other words, there’s no additional cryptographic value in indicating a certificate is NOT trustworthy versus IS trustworthy; you’d be getting the exact same information from the CA, it’s merely negated. The actual refresh interval would have to be selected by the CA and provider based on the needs of the service being secured.
So why go through all the complex hoops to make the NOT case work for no additional security benefit when you can just issue certificates that are valid until the next “revocation cycle”?
I deviated from the original topic of mozilla’s expiration kill switch, but I hope it might provide some additional insight into your question.
self,
I meant to say there’s no additional cryptographic value in indicating a certificate is NOT revoked versus IS trustworthy. I.e. it’s two different ways of getting the same actionable information from the CA to the client. Therefore I feel the simpler solution should win.
I’ve been seeing speculation that maybe it wasn’t an accident but intentional. Seems older pre-Quantum release versions are affected by this as well: Firefox 56.0. Could it have been an attempt by Mozilla to force those users to newer versions, but it blew up in their faces instead?
This hit me last night around 10pm. All but three of my plug-ins suddenly disabled themselves. Weird that three seem to be just fine despite the issue…
The only thing that seemed to work for me was to go here: https://normandy.cdn.mozilla.net/api/v1/recipe/ and search for hotfix-update-xpi-signing-intermediate-bug-1548973 , then click the link three lines below that.
@Invincible Cow thanks so much man!! Your solution is the only one that worked… I’ve been trying to solve this issue with no luck. Thanks again!!
Not to be smug, but as I’m running Waterfox I haven’t had this issue, nor any of the numerous privacy and security issues one suffers when running stock Firefox.
Come on Mozilla, get your shit together! Firefox should be improving, not regressing.
Morgan,
I second this! Forks including Waterfox have done a much better job of listening to the needs of the community. Mozilla can be too stubborn for its own good sometimes; they need to be more pragmatic.
The fix they pushed out uses the “studies” system, which is just piling on the bad ideas coming from Mozilla. Everyone should have that turned off, especially after Mozilla abused the system to push that Mr. Robot promotion to users a couple years ago.
bartgrantham,
Not that I disagree with you, but as a developer this highlights a constant conundrum that I have: what do you think their business model should be? It costs money to keep the lights on, literally and figuratively speaking, how do you pay for it?
> It costs money to keep the lights on, literally and figuratively speaking, how do you pay for it?
I used to contribute hundreds of dollars a year to the Mozilla foundation to support their efforts… until the whole Mr. Robot study debacle.
Since then I’ve made it clear to Mozilla reps when I encounter them that they’ve lost my charitable contributions and why. The real people I speak to all seem frustrated and ashamed, but Mozilla still exhibits a strange hypocrisy by calling Apple out on mobile ID resetting while never admitting that maybe the Mr. Robot forced promotion wasn’t in keeping with their principles of online freedom.
I’m not even opposed to experimentation like Studies is built to do, but it needs to be off by default. It’s too dangerous otherwise.
The whole Mr. Robot “debacle” was more over hyped than harmful to anyone. Forced promotion? Weird, I’ve never seen it on any of my installations and of course no one was “forced” to use it.
Mozilla did apologize and said it “did not meet the standards to which we hold ourselves”.
https://blog.mozilla.org/firefox/update-looking-glass-add/
We need to stop over blowing stuff that doesn’t really matter. Google has sites/services that only work on Chrome and we are talking about some nothing add-on that was meant for fun.
bartgrantham,
You really donated that much? That’s atypical, haha. The amount that mozilla makes from donations is relatively paltry. Using 2009 numbers, 97% of mozilla’s revenue was through corporate dealings, 88% of that from google.
https://www.computerworld.com/article/2514569/search-deals-generate-97–of-mozilla-s-income.html
Fast forward to today, the donations are pretty much flat, but corporate deals make them tons of money. Their revenue rose by $40 million the year you stopped donating to them.
https://www.ghacks.net/2018/11/28/mozilla-revenue-rose-by-over-40-million-in-2017/
On a moral level, I sympathize with your objections, however anyone judging Mozilla’s viability based on the numbers would be forced to conclude that corporate deals (and not user donations) are where the money’s at. I’m not saying this because I think it’s good for us that Mozilla aligns itself with corporations, I’m saying it as a realist. Turning down corporate money would force Mozilla to cut back its operations in equal measure. I guess it doesn’t have to be all or nothing, but then where would you have them draw the line?
Truth be told, I really have no idea how mozilla is spending $250M on “software development” (!). Regardless though, with $6M/yr in donations, they’d likely have to close their headquarters, fire most of their staff and curtail expenditures on side projects like Rust-lang.
> You really donated that much?
Absolutely. I try to support my workhorse software or services (such as Wikipedia) by including them in my charitable giving, even if they are otherwise provided for free.
> The amount that mozilla makes from donations is relatively paltry.
Which is a damned shame. If only a tiny fraction of the people who rant online about free stuff instead just quietly closed the tab and donated $5 to whatever their favorite project is, a lot of amazing stuff would be possible.
bartgrantham,
Yeah, I hear you. I don’t like having wealthy corporations pushing so many levers, but with the economy being so imbalanced in their favor I only see it getting worse. 🙁
My favorite part of this whole debacle is how eager everyone is to give Mozilla a pass, just because they claim to be about the free and open web. Free and open web? Hah! Is that why they’ve made all extensions dependent on Mozilla’s own approval process?
If Mozilla truly believed in the free and open web, and really cared about our privacy, they would not have enforced extension signing in the first place. They would not have abused their so-called studies program to push that Mr. Robot promo, and wouldn’t keep silently turning studies back on even when they’re turned off. They wouldn’t be shoving unblockable ads at us through an in-browser API.
If this had been Google, Amazon, or Apple, everyone would be up in arms. But because Mozilla pays lip service to an ideal they clearly do not practice, we’ll let them off?
I don’t think so!
They are signed by default, but you can disable the requirement for signing. The enforcement is a configuration option.
They changed it so that this configuration option doesn’t do anything, unless you are running nightly or beta, or a special build.
Are you sure? I was able to change the option for requiring signing on a bare-vanilla Fx install on Windows and it worked.
FlyingJester,
I can’t say why it might work some places and not others, but I changed the enforcement option on FF linux and that DID work for me. However on my windows machine changing the enforcement option did NOT work and all my plugins remained disabled until I updated firefox (I was unable to use extensions over the weekend). I have another computer that may not have updated yet, I can try and see if it works there. However my own extensions were killed by mozilla in the past and that seems to be their intended behavior.
Since v48 or so, developers are required to get their extensions signed by mozilla in order to install extensions in a regular FF build, even on their own machines.
https://support.mozilla.org/en-US/questions/1134589
darknexus,
+1
I agree, this is one of Mozilla’s more hypocritical positions. It bugs me an awful lot that Mozilla’s actions have come down against openness. They’ll say they’re doing it to protect users from themselves (it’s the same story for the corporations who restrict owners, even when their motives are more about control), but it violates the fundamental principles of openness where end users are explicitly allowed to decide for themselves. To the extent that end users can use alpha developer builds or even compile their own builds without restrictions, well, it’s better than nothing, but IMHO these barriers to openness are nevertheless indicative of Mozilla’s unstated position that openness really isn’t all that important to them at heart. They can say whatever they want, and possibly even deny it, but until their actions reflect an empowerment of owners rather than restricting us, then it remains hypocrisy.
Fortunately, there are 3rd party alternatives including the waterfox project, which have done a decent job at addressing these shortcomings.
https://www.waterfox.net/
darknexus,
> My favorite part of this whole debacle is how eager everyone is to give Mozilla a pass, just because they claim to be about the free and open web. Free and open web? Hah! Is that why they’ve made all extensions dependent on Mozilla’s own approval process?
> If Mozilla truly believed in the free and open web, and really cared about our privacy, they would not have enforced extension signing in the first place. They would not have abused their so-called studies program to push that Mr. Robot promo, and wouldn’t keep silently turning studies back on even when they’re turned off. They wouldn’t be shoving unblockable ads at us through an in-browser API.
> If this had been Google, Amazon, or Apple, everyone would be up in arms. But because Mozilla pays lip service to an ideal they clearly do not practice, we’ll let them off?
> I don’t think so!
What’s even worse is when Mozilla literally invades people’s computers to disable the extensions and perform other crap without even asking for permission to do so, and without regard for the damage they are doing.
Mozilla itself is the real security threat these days.
yoko-t,
Well, I don’t find Mozilla to be any worse than Google, Apple, Amazon, Microsoft, etc. But it seems to me that part of the issue is that they’re ok with sinking to the level of the industry collective when IMHO they should stand well above it.
It’s not just mozilla, but I kind of resent that the tech industry has been adding restrictions that are harmful to owner rights. Sometimes as a rebuttal, we are told that we are not the target demographic and that we should just go use/buy other products, but I feel this acceptance of the marginalization of owner rights and consolidation of control sets a terrible precedent. I always thought Richard Stallman to be an extremist in his vision, but as I grow older I find myself aligning more with him on the importance of owner freedoms.
Bit of a mess.
Edited as I posted on this older article instead of the newer one I meant to