date 2009-12-11
A Glitch Is Breaking All Firefox Extensions
Mozilla is very sorry for the inconvenience. Slashdot and Techcrunch also discuss.
Was this a US-only problem? I haven't had an issue with add-ons at all today.
i've been dying. the internet is unacceptable without adblock. i've confined myself to mefi and ao3.
Here's the active bug report if you want to follow along.
Does automatic certificate expiration solve any real problems? I know it solves a theoretical problem. I know it causes a whole lot of real problems, all the time.
I was hit with this last night, but I restarted Firefox this morning and they're all back.
I was hit by this last night. Just in the middle of browsing - BAM, all extensions, including ones released by Mozilla, suddenly stopped working. It's fixed now though and I didn't do anything.
It's been pretty depressing to see the vitriol over this. I don't just mean people saying it's a mess, but the people who are just ... so over-the-top angry about their add-ons being temporarily disabled. It's inconvenient, but nobody's day was ruined worse than the devs', yanno?
Mizu...Just do the temp fix outlined in the Mozilla link, and you will be able to resume normal browsing.
winterhill, I've been hit by it here in the UK
It's inconvenient, but nobody's day was ruined worse than the devs', yanno?
If I'd had the problem, I would just use a different browser until it got fixed rather than yelling at people.
Could someone explain in a low-jargon way what a signing certificate is, why this one expired, and why that disables add-ons?
Mine stopped working while reading this post, of course. I hope it is fast and easy for them to solve, but I don't see why anyone would get angry about it. Things break and need to be fixed, it's not like there is an evil cabal at Mozilla who are deliberately breaking extensions.
Yeah, I just used Chrome for a while.
I think that some people who used password managers that got disabled were more inconvenienced, but ... I would never put my passwords into a database I could only access with an add-on. Precisely because add-ons sometimes get yanked or disabled or bugged.
what a signing certificate is, why this one expired, and why that disables add-ons?
A "signing certificate" is a small file on a computer that's sort of like a Notary Seal. A little rubber stamp you can apply to a document to say "this document is now notarized and therefore authentic". Only in this case instead of a paper document, it's Firefox extension code that's being stamped. We call this signing. "This extension was signed by this certificate".
Signing certificates have expiration times on them that say "this certificate cannot be used after May 4 2019". Once that expiration happens, not only can the certificate no longer be used to sign new extensions, but all the old signatures go invalid too. If this happened to Notaries it would be as if when a Notary's commission expires, then not only can they not notarize new documents, but all old documents they'd ever stamped were now also unnotarized retroactively. (We don't do this in the real world, but we do with digital certificates.)
The final piece here is that Firefox will only run signed extensions. I.e., will only accept valid notarized documents. And so if the signing certificate expires, suddenly no extensions are signed any more and nothing runs. Oops.
(One complicating factor: certificate chains. Certificates are signed by other certificates, all the way up to one of several Root Certificates with ultimate authority. It'd be like if your local Notary's stamp were itself stamped by the Governor, and the Governor's stamp was in turn stamped by the President. If any certificate in this chain expires then the whole chain falls apart. I believe this bug was an intermediate certificate in the chain expiring.)
Organizations that use a lot of certificates are supposed to have systems in place to monitor for when their certificate expires and renew it well ahead of the expiry date. That seems to have not worked in this case.
This was the last straw and I've completely switched over to Chrome. The decision to force a restructuring of plugins about a year ago was bad enough and I purposefully disabled Firefox updates to preserve the plugins I had working. It's totally unacceptable that the Firefox developers still maintained control over my browser even after I disabled updates.
i've confined myself to mefi and ao3.
My ao3 extension is borked! Now what??
(jk. I'm just keeping my completed tabs open until the add-on is working again. The ao3 rating add-on is the only way I can keep track of what I've read.)
I purposefully disabled Firefox updates to preserve the plugins I had working.
Then you were running an insecure browser. As we say here, ye daft 'apeth. Enjoy Chrome.
posted by winterhill at 8:25 AM on May 4 [10 favorites]
Organizations that use a lot of certificates are supposed to have systems in place to monitor for when their certificate expires and renew it well ahead of the expiry date. That seems to have not worked in this case.
That's really the root cause here. The follow-on admin process failed.
This is a management issue, not a tech issue.
The fix instructions don't seem to apply to Firefox for Android. Anyone know if there's a solution there? I'm worried I'll have to uninstall and reinstall my ao3rdr add-on, and I'll lose all my data. I'm still recovering from losing all my data two years ago.
> It's totally unacceptable that the Firefox developers still maintained control over my browser even after I disabled updates.
Nelson and mikelieman both have provided good explanations for what happened. The extension disablement was not due to a browser update. Although by disabling updates you've prevented Firefox from being able to rectify the problem.
Yes, ardgedee, they've established that they make terrible technical decisions AND have significant management issues. Fool me once...
It's really sad and frustrating that a tool that was once built around ideals of giving users choices and customization now forces users to cede control of software on their computer to others who take away those choices. I understand the security tradeoffs involved but this organization has proven itself untrustworthy with these and many other decisions that have taken the focus off of providing a solid, customizable web browser and onto many unrelated, unnecessary things.
I appreciate the work of all of the developers but it's clearly time for me to uninstall this particular piece of software. Best of luck!
My most important extensions are to (try to) keep my privacy a bit - adblockers fall in that category of course, and it troubles me a bit that the fix is "give up some of your privacy to Firefox" by allowing studies. Forcing me to turn that back on again rubs me in exactly the wrong way.
chiming in to say thanks, Little Dawn, for this post. Noticed this problem late last night just before bedtime, woke up having forgotten about it and my first-thing visit to MeFi reminded me ... and with a quick-easy temp-fix.
Also: f*** advertising
or more to the point, that deficiency in the culture of the so-called west that seems to make it the only way to make cool things like the interwebs pay for themselves.
I only use Chrome when I make the calculation that my sense of privacy is less valuable than my need to use the website, e.g. Bye, Chrome: Why I’m Switching to Firefox and You Should Too (Fast Company), Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (Slashdot), Browser Autofill Used to Steal Personal Details in New Phishing Attack (Guardian), Google Eavesdropping Tool Installed on Computers without Permission (Guardian).
I imagine that the chilling effects (MIT Technology Review) induced by a feeling that we've been stripped of a sense of privacy and security by the temporary loss of extensions that claim to protect us could be related to the shaking of fists and yelling (Youtube, KHAAAAAAN!).
I've been leaving Firefox open because of a presumably unrelated issue* - wow, literally just now as I was typing this all the extension icons reappeared in the upper right corner. The hell is going on with you, Mozilla people?
*Anytime I close Firefox and then reopen it I get a message that it's already running and would I like to close and restart? So I close it (Task Manager usually shows 5 instances running) and then I get a crash message and report ticket. I report it, and then the crash report box freezes. I submitted ten reports one day, haven't heard anything back. Sorta pisses me off.
So when I jumped online this morning, I checked right away for an update for this issue. The note was that the fix should be rolling out in the background, and sure enough - by the time I got to this thread and read to the bottom, all of my extensions and add-ons have been restored.
Inconvenient, to be sure, but I'm glad they got it corrected.
Calling Mozilla untrustworthy is an absolutely gigantic leap that I'm unwilling to make here. I believe that Mozilla's interests are far more likely to be aligned with my own than Google's are*, and the fact that they shipped one bug that was fixed in a few hours doesn't shake that feeling at all. Apart from the plugin migration (which I'll talk about in a second), I don't recall Mozilla having any other major crisis in recent history.
Firefox is pretty clear about how it delivers updates, and allows you to disable both update mechanisms if you want (you shouldn't -- the benefits of automatic browser updates vastly outweigh the risks and drawbacks).
I switched to using Firefox full-time at home a year ago, and have had absolutely zero regrets. It's more stable, offers a bunch of neat privacy features (such as the officially-sanctioned Facebook sandboxing extension), and is significantly faster in many contexts. Go load up one of the megathreads in Firefox and Chrome, and compare the load times if you want to see what I'm talking about. On a low-powered system, these pages can take up to 10 seconds to render in Chrome, but render almost instantaneously in Firefox.
I know the plugin/extension migration was painful for many, but there was plenty of advance warning, and it unlocked many of these new performance/privacy features. The old Firefox extension system was based on a decade-old architecture that failed to achieve most of its original goals, and generally hadn't aged well -- it was well past its expiration date.
*I might be willing to concede that Apple's interests are relatively benign too, but Safari isn't cross-platform, and is generally a kind of shitty browser. Its spec-compliance is easily the worst of any modern browser (including Edge), and major rendering bugs have gone unfixed for years on end.
Alternative to Chrome that is basically Chrome without the tracking: Brave Browser
Brave is basically "Our founder used to work at Mozilla, but resigned in disgrace for being a homophobe. We block ads, but then put our own ads on the pages you visit, because we are obviously more trustworthy, and want to keep the revenue for ourselves."
Hard pass.
For one reason or another, any misstep by Firefox/Mozilla seems to inspire a largely irrational anger in otherwise rational people.*
The continued existence of this browser is a testament to the cultural value of FOSS and a push back against the handful of megacorps who are taking over the rest of the web, and the literal two massive conglomerates who produce its only real competitors. It trickles along on crumbs from Google and Cisco, and yet manages to have an immense impact on the internet as we know it.
Oh jeez, this comparatively tiny non-profit accidentally allowed a certificate to expire on a piece of incredibly complex software you got for free, causing no actual damage AFAICT, let everyone know by every channel they had access to, and fixed it within a couple hours?
Quelle fuckin' horreur.
*Yes there have been legit complaints about some of Mozilla's top-level decisions, and fuck Brendan Eich. But have you looked at Google and Apple lately?
I might be willing to concede that Apple's interests are relatively benign
Counterpoint: the very existence of those horrid Airpods.
Firefox is pretty clear about how it delivers updates, and allows you to disable both update mechanisms if you want (you shouldn't -- the benefits of automatic browser updates vastly outweigh the risks and drawbacks).
I used to be quite stubborn about not letting anything update itself on my computer, but then I found out about Firefox ESR, which does exactly what I wanted -- it keeps me up to date on security but doesn't change in noticeable ways during its year+ life-cycle. That's just one of many reasons I have a huge reservoir of good will toward Mozilla that isn't going to be depleted by one screwup.
Hi, everyone. I work at Mozilla. We've got a lot of people working on this at the moment; desktop will fix itself if it hasn't already and mobile is in-flight.
I'm not operating on a ton of sleep here but I'm happy to take questions.
Just a big thank you for putting in the extra hours - and on a weekend no less - from my side!
I'll just restrict myself to Metafilter for the time being and maybe go outside and look at some flowers for a change? :)
It's inconvenient, but nobody's day was ruined worse than the devs', yanno?
Or maybe dissidents and political activists in hostile countries whose use of certain extensions was a part of their online anonymity. But we probably won't ever hear about a handful of disappearances scattered around the world because Mozilla is run by incompetents.
I'm not operating on a ton of sleep here but I'm happy to take questions.
What's going to be put in place so that something like this can never happen again?
Hi, everyone. I work at Mozilla.
This is why I use Firefox. You wouldn't get Google or Apple coming on here saying hi. Get yourself a glass of whatever your favourite is and a nice, long rest when all this is done.
Also, on preview - there are some bad-tempered people out there!
Added on Preview: Thank you, mhoye! I appreciate your comments and explanations when Firefox issues come up. No real questions, and it isn't important, but if you have any insight into what might be happening with the installs on my computers as described below, I'd love to hear it. They're all on regular release.
I've been following along on Reddit, since the Firefox installation on my HTPC lost its add-ons last night in the middle of a Youtube video. I have Chrome installed on that computer as well, and since they decided not to kill adblocking extensions, I made do. My mother's laptop FF also lost extensions around the same time.
I put and use Firefox on all of the computers in the house. But the oddest part is that not all of my computers have been affected by this. My own laptop is still fine, though due to paranoia I haven't closed Firefox since last night. However, Firefox on the new computer that I set up yesterday, that I synced to the Firefox install on the HTPC, is also still full of add-ons. I've closed that browser and restarted it several times since, and it is still fine.
From what I can tell, I use fewer add-ons than most, but they make all the difference in my browsing experience. The real, unfiltered Web is really unpleasant.
What's going to be put in place so that something like this can never happen again?
That's going to wait for the postmortem - we're not going to let a problem like this happen again, but right now we're making sure it's fixed right for everyone. We know what the technical problem is here, and we're fixing that right now, but making sure that we understand the context of that problem in depth so that we can prevent a recurrence from a code, process and culture perspective will take some time.
Get yourself a glass of whatever your favourite is and a nice, long rest when all this is done.
Thanks. Soon enough, but you never celebrate until you're over the line.
By the time I finished reading this thread and scrolled to the bottom, the fix hit my browser. Thanks for the feedback mhoye and for getting it resolved.
I've been pleased with this browser for the last year and I've given up on Chrome.
So I realize it's a cert thing and my initial reaction last night was basically THIS IS IT - ADDONPOCALYPSE IS NIGH UPON US!
And ranted with a lot of "fuck"s in the reddit thread, I didn't catch the original point of it, just the "solution" being to enable unsigned in nightly, and like, fuck if that's valid.
I just want an org I can trust, and Moz was the only thing I had trust in, especially since even MS is going Blink.
Pale Moon I thought of trying, otherwise it's Vivaldi or Opera? Are they using Blink too?
Anyways, I'm still using them but keeping a more wary eye. Not cool.
If for various reasons you can't use the official remedy, a workaround (that you probably shouldn't use for long) is to set xpinstall.signatures.required to false in about:config.
ETA - I just tried this on Android and it seems to work there too.
Brave is basically "Our founder used to work at Mozilla, but resigned in disgrace for being a homophobe. We block ads, but then put our own ads on the pages you visit, because we are obviously more trustworthy, and want to keep the revenue for ourselves."
I can't speak to the first assertion, but the second is false. By default the Brave browser blocks ads and does not add any.
The extension disablement was not due to a browser update
Except for the fact that it WAS due to an update, IIRC a year or so back, that originally implemented the change that required all extensions to use their intermediate cert to run. Which many extension devs weren't happy about. And oops, that cert expired last night! So it was absolutely broken by a browser update, quite a while ago, that didn't manifest itself until the other shoe dropped.
Also, on preview - there are some bad-tempered people out there!
People care about Firefox, sometimes intensely - my inbox is a Firehose Of Caring right now - but that's the price of doing business for us. It's work, but it's a lot better than having people not care.
maybe dissidents and political activists in hostile countries whose use of certain extensions was a part of their online anonymity
This is a valid concern, but is there any evidence whatsoever that it's even likely? Did this e.g. affect Tor?
METAFILTER: my inbox is a Firehose Of Caring right now
It did affect Tor Browser too.
It affected Tor and some other partners, we're actively working with them now.
Here's one report from someone on HN, 13 hours ago:
Chirael 13 hours ago [-]
Just discovered the same message in the Tor browser, and it seems that NoScript got disabled. So people running Tor are a lot more vulnerable right now.
To be clear: Tor Browser, the Firefox fork, is what's been affected.
Tor the anonymity network itself is unaffected.
My ao3 extension is borked! Now what??
(jk. I'm just keeping my completed tabs open until the add-on is working again. The ao3 rating add-on is the only way I can keep track of what I've read.)
Wait, there's an ao3 extension? ...why did I never think to look for one before.
Features include:
- Three star rating system
- Hide works
- Blacklist by tags
- Bookmark by chapter read
- Scan bookmarks for updates
- Keep track of last visit
- Backup and restore user data
- Open source code!
Wow, this is awesome. I'm glad for this glitch; I've learned an awesome new thing because of it. Thank you, greermahoney!
people who are just ... so over-the-top angry
It's a fundamental feature of western civilization. Getting murderously angry over trivialities is just the way things work -- if you don't get murderously angry at nearly everything that happens in your day to day life, then there's something wrong with you and we probably need to get murderously angry at you now.
I did the temporary fix to get an ad-blocker back - mostly because I just use chrome for a limited number of things. All of my bookmarks are on firefox.
I mean in that sense it was due to the big bang.
Well sure, it was due to a combination of many unfortunate events:
- The universe was created.
- In the course of time, the web browser became a pretty big deal.
- Someone decided that Mozilla signing all the add-ons was a good idea.
- Someone chose to implement those signatures with a cert that expires.
- Instead of checking signatures on installation and for cert revocation, it simply re-checks the signatures every day.
- Against the protest of some users, the option to turn off said signature checking was removed.
- The cert unexpectedly expired.
unacceptable that the Firefox developers still maintained control over my browser even after I disabled updates.
Oh boy you're gonna love what Google does then!
This has been a brief nuisance, not a reason to abandon an excellent browser and the only competitive alternative to Chromium. I switched back to FF a few months ago after years on Chrome (after a previous thread where mhoye expounded the Quantum update). It's brilliant and running ublock on my Android phone without needing to root the device has been fantastic.
mhoye, if you're listening: SWIPE DOWN TO REFRESH!!!
This really sucks, and the impact has been huge, and I hope Mozilla has both a smooth rollout for the fix and comes up with some good mitigations for the future.
That said, I have a lot of empathy for the Mozilla folks here, and I get angry when I see people calling them incompetent or screaming at them.
“The certificate expired” is one of those phrases that will make most IT ops folks shudder from remembered pain. Many, many organizations have had incidents with certs expiring, including recently the US government. Mostly, when this happens, it just means your website is down; this particular Mozilla cert had a comparatively huge blast radius.
Some reasons that keeping certs up to date is hard include:
- Most certificates expire on long time scales (1 or 2 years are common). Long delays between cert renewals make them easy to forget. In a lot of orgs, the state of the art in remembering this is a calendar reminder.
- You can set up automated monitoring and warnings of cert reminders, but again — because it doesn’t happen frequently, it’s hard to test if your monitoring is still working.
- Third-party monitoring helps (because they monitor many certs, and therefore exercise the code more). But because your cert still renews infrequently, there are still risks: I cannot count the number of cert renewal emails I have seen in spam folders.
- If you do manage to remember to actually do it, many orgs still have cert renewal as a manual process involving arcane text commands. “I got a new cert but I fucked it up” also happens.
- Why wasn’t it automated? Because it happens rarely, or because we tried that once and it broke when our vendor changed their code, etc.
Another option is to remove the signing cert as a requirement. Let Firefox run extensions which are not signed by Mozilla, in the default config. (IIRC this used to be how it worked?) But at that point you reduce Mozilla’s ability to police their extension ecosystem, which is not really a good thing in 2019. People are not generally good about distinguishing trustworthy from untrustworthy extensions; and previously-trustworthy extensions can and have been purchased and loaded with surveillance code.
None of this makes this particular incident suck less. Mozilla should put a lot of effort behind making this better.
But bear in mind that this class of problem has been a pain in the ass for decades, and no one has come up with a good solution for all cases yet. It seems like a stupid problem, but it gets more and more complicated when you go down the rabbit hole. So it’s fine and good to be frustrated, but cut the actual people behind this some slack, ok?
Nelson, please let me climb on a favorite hobbyhorse here for a second:
Does automatic certificate expiration solve any real problems? I know it solves a theoretical problem. I know it causes a whole lot of real problems, all the time.
Cert rotation goes wrong all the time because validity windows are too long, so rotation (whether manual or automated) is hardly ever exercised, things get forgotten, and rot goes unnoticed a long time. This is the same reason why I've stood in line for expedited passport renewal when I've had unplanned business travel but the other guy had his trip planned for six months and just forgot his passport was expiring: the solution is not long validity times, but short validity times and frequent rotation. (Bonus: switching to frequently-expiring certs when your process is manual will finally mean you automate the pain away.) Let's Encrypt does this right, but if you're paying $100 for every cert, you naturally want to minimize your costs (self-signed in pre-prod! once a year rotation in prod! This Is Fine!), which is a perverse incentive that causes expired certs and dismayed users.
On the other hand, if you had to rotate a 90-day cert every 60 days (because you're a good admin who renews and starts trying to rotate with 30 days left of your validity window, for insurance!) you'd notice when pre-prod broke, and have time to fix it before prod was at risk. Save yourselves heartache: rotate early and often!
This message has been brought to you by the letters oh crap, and the number AGAIN???
I got a bit cranky about this, too, because I use firefox everywhere...on my phone, my surface, my work machine and my newest machine, a little box I use on my TV. I have that exclusively to watch videos from youtube, really...and youtube is unwatchable without using ublock origin via firefox.
So thanks for the hard work, guys. (My work machine never lost its add-ons, but the little machine on the TV did, they're back there now.)
The web is unusable without the ability to block ads and selectively block javascript. I kind of think that's why the walled gardens have popped up...yes, you get ads but you don't have to deal with Random Web Site trying to load JS from 321 different domains.
As an aside, in the theme of “common IT problems that make us crazy,” see this tweet thread (from before the Mozilla incident):
“Let’s play a game: using five words or less, utter a phrase that will elicit a great story from a software engineer with years of operational experience.”
Certificate expiration appears many times in the replies. ;)
My only experience with certificates has been running let’s encrypt on my home server.
What is a reasonable time frame to expect a new cert/chain to be created? I’m just surprised that the only fix available in 24hrs is various degrees of disabling cert checks, and not, like, just fixing the certificate.
"I only use Chrome when I make the calculation that my sense of privacy is less valuable than my need to use the website"
Seems a bit narrow, realistically, you're making a privacy sacrifice anytime you use any net-enabled device, or exist near any internet-connected device that has a camera or microphone, or carry your phone or use it ever. You can't have privacy if you're using the internet.
So what are the good browser alternatives when Firefox is borked and Chrome is undesirable? I used Chrome to look up Waterfox, which I'd never heard of until I went to Reddit/Twitter to find out what was going on with Firefox, and Waterfox auto-played an ad, so that was out for me...
→ it troubles me a bit that the fix is "give up some of your privacy to Firefox" by allowing studies.
Studies doesn't sound like it was their first choice to use as the vector to roll out a fix, but it was one that they could use fairly quickly to get people working again. I'd rather give up some of my privacy on a temporary basis to Mozilla than to almost anyone else in this industry. Now the patch is in I've turned off Studies.
Before the hotfix was in I accidentally opened up Youtube and … how do people even without an ad blocker?
That said, I have a lot of empathy for the Mozilla folks here, and I get angry when I see people calling them incompetent or screaming at them.
I have no beef with the employees of Mozilla, least of all mhoye. But the C-Suite is riddled with above average even for Silicon Valley venality and incompetence. I mean, seriously. The simple fact that Jascha Kaykas-Wolff still even has a job there means that everyone he reports to is incompetent and shouldn't be let anywhere near a nonprofit organization which claims to serve a mission rather than shareholders.
So what are the good browser alternatives when Firefox is borked and Chrome is undesirable
Brave
I am very grateful that Firefox exists to keep the web at least slightly open and honest, but I use Safari myself. This isn't a gloat, it's just... I got so much going on in my life, tech is something I have no time for. Says the person who for the past couple of months has been hand-editing a custom Kittens Game auto-play script. Shut up.
It's inconvenient, but nobody's day was ruined worse than the devs', yanno?
In another forum, it was suggested this could actually do some real damage for people using various add-ons for privacy / protection in countries with even nastier and more privacy hating governments than my own.
It's inconvenient, but nobody's day was ruined worse than the devs', yanno?
We don't have the luxury of being glib about stuff like that. People depend on Firefox - and I don't mean use, I mean "depend" - in a lot more difficult situations than almost anyone realizes, and those are only the ones we know about.
mhoye, not to cross the streams, but (#potus45 Megathread), as a functionally tech-illiterate researcher, I'm finding it difficult to believe that it's just a coincidental expiration of security certificates happening all at once. I'd very much like to be wrong about this, fwiw.
My first comment on this thread linked to an MIT Technology Review article by Evgeny Morozov pointing out the potential implications for democracy, because in many ways, this is more than an inconvenience, and today also seems like a weird day (#potus45 Megathread) on the internet, to say the least.
And I used the phrase "sense of privacy" for several reasons, GoblinHoney, including because I think internet security and privacy is a First Amendment right, and this glitch is an example of how that works. "Chilling effects" (University of Richmond Law Review) is also a First Amendment reference (William & Mary Law School Scholarship Repository), so the stakes seem to be fundamental human rights, and Mozilla is carrying a hugely-appreciated burden in trying to protect us.
If for various reasons you can't use the official remedy, a workaround (that you probably shouldn't use for long) is to set xpinstall.signatures.required to false in about:config.
Ah! Thanks, trig, that's worked nicely for me, and my user-installed extensions (as opposed to Debian-packaged extensions, which are unaffected by the bug) are all working again.
Now to avoid installing any extensions until the Debian packaging for Firefox itself catches up (Debian builds of Firefox have the Studies thing disabled at build time and rely on Debian's standard update mechanism rather than letting Firefox run its own).
Little Dawn, I think your conspiracy theory meter is set a little high. Security certificates expire at a known time, anything from a year (or more) downwards. To make this more than a coincidence (is there something special going on in US politics right now? I mean, more special than the baseline level of special which the rest of the world has come to ignore) someone would have to arrange the current knot in the ongoing US political debacle precisely at the same time in advance of the Mozilla security cert expiry.
That would require a level of mass competence and secrecy beyond any government.
I'm finding it difficult to believe that it's just a coincidental expiration of security certificates happening all at once.
It was the expiration of just one certificate, one which was used to sign most (or all?) of the Firefox add-ons. I gather it was an intermediate cert, which could have been relied upon by more than one signing cert, but that makes no difference if you're not concerned with the technical details.
So the official story is not difficult to believe in any way. To me the only bizarre thing is the way it was designed to shut down extensions mid browser session, rather than for example checking them on startup and showing a warning.
posted by sfenders at 12:05 PM on May 4 [1 favorite]
Firefox is worth supporting as others upthread have said. One security scare I had recently was in finding the Accessibility screen reader option enabled by default but with the indicator turned off by the developers and not yet re-enabled. I worried that the screen reader had been enabled by malware to sniff passwords or such.
posted by anthill at 12:06 PM on May 4
I'm finding it difficult to believe that it's just a coincidental expiration of security certificates happening all at once. I'd very much like to be wrong about this, fwiw.
The core technical issue here, if not the root cause, is the expiry of an intermediate certificate that was signed two years ago, which... well, don't get me wrong: I also resent the fact that if you're navigating hyperconnected modernity after a while "think like a conspiracy theorist" starts to sound a lot like "wear your seatbelt". That's not what this is.
In this case, though, for whatever it's worth I work directly with a lot of the people involved and have known some of them for my entire adult life (lot of Canadians at Moz!) and I'm not seeing the connections you're inferring.
I’m just surprised that the only fix available in 24hrs is various degrees of disabling cert checks, and not, like, just fixing the certificate.
Fixing a certificate is not a thing that can happen. The entire point of certificates is to be demonstrably immutable.
The correct fix is for all extensions in whose authentication chain the expired certificate appeared to be re-issued on addons.mozilla.org after being signed with new certificates that don't rely on the expired one, then installed in browsers via the usual extension update mechanism.
Subsequently, Mozilla needs to keep track of every extension it has ever signed, and invent protocols for delivering timely updates to those whose certification is due to expire soon even if the original extension developers are long gone and their extensions are essentially abandonware. If they still work at all then many will still be relying on them.
Mozilla also needs to set in stone a promise to maintain the existence and effect of about:config settings sufficient to allow users to apply temporary workarounds for the next little surprise independent of any fix pushed by Mozilla.
posted by flabdablet at 12:24 PM on May 4
We don't have the luxury of being glib about stuff like that.
This is a valid point and I apologize for coming across as though privacy concerns aren't real - they certainly are. Addressing this as swiftly as possible was the right thing to do.
What depressed me was going onto forums to find out what was going on with Firefox, and finding a bunch of men yelling about how Firefox is crap and generally acting as if they had been personally betrayed by Mozilla since Mozilla made a development decision they disagreed with. Those are the people that I was thinking of.
a bunch of men yelling about how Firefox is crap and generally acting as if they had been personally betrayed by Mozilla
There's nothing to be done about people like that. They're the same ones screaming at the Government to keep its hands off their Medicare.
My extension icons just showed up but they aren't operational, and web dev tools aren't working, so I can't pull up a console to see what the problem is. OTOH we had yet another expiring cert problem on our CI test system at work last week and we're talking about developing a way to do that. First step was to put a test at the front of the pipeline to fail when any certs are, oh, a month away from expiring. Because updating certs is much easier before they've expired than after.
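The pipeline gate described in the comment above, as an added example that is not part of the thread and not Mozilla's code. It goes one step further and walks each signing chain to its root, because the certificate that expired in this incident was an intermediate, and it also contrasts the two checking policies raised earlier in the thread (re-checking against the current time versus checking as of installation). Assumptions: certificates are constructed records with subject, issuer and validity dates, every name and date is made up, and cryptographic signature verification is outside what it shows.

```python
import sys
from dataclasses import dataclass
from datetime import datetime, timezone


def d(year, month, day):
    """UTC midnight on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-issued root
    not_before: datetime
    not_after: datetime


def build_chain(leaf, pool):
    """Follow issuer links from the leaf up to a self-issued root."""
    by_subject = {c.subject: c for c in pool}
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            raise ValueError(f"no issuer certificate for {chain[-1].subject}")
        if parent.subject in seen:
            raise ValueError(f"issuer loop at {parent.subject}")
        chain.append(parent)
        seen.add(parent.subject)
    return chain


def chain_valid_at(chain, when):
    """A chain is only as valid as its shortest-lived link."""
    return all(c.not_before <= when <= c.not_after for c in chain)


def addon_enabled(chain, now, installed_at, policy):
    """Compare the two policies discussed in the thread.

    "recheck-now": validate against the current time on every periodic check.
    "install-time": validate as of installation; withdrawing trust later then
    has to rely on revocation instead of expiry.
    """
    if policy == "recheck-now":
        return chain_valid_at(chain, now)
    if policy == "install-time":
        return chain_valid_at(chain, installed_at)
    raise ValueError(f"unknown policy {policy!r}")


def expiry_gate(leaves, pool, now, warn_days=30, leaf_only=False):
    """Return (leaf, expiring cert, whole days left) for each leaf at risk.

    leaf_only=True reproduces a monitor that looks at end-entity certs only.
    """
    findings = []
    for leaf in leaves:
        chain = [leaf] if leaf_only else build_chain(leaf, pool)
        weakest = min(chain, key=lambda c: c.not_after)
        days_left = (weakest.not_after - now).days
        if days_left < warn_days:
            findings.append((leaf.subject, weakest.subject, days_left))
    return findings


# Constructed sample data: two leaves signed under one intermediate that
# expires years before either leaf does.
ROOT = Cert("root", "root", d(2020, 1, 1), d(2040, 1, 1))
INTERMEDIATE = Cert("intermediate", "root", d(2028, 6, 1), d(2030, 6, 1))
ADDON_A = Cert("addon-a", "intermediate", d(2029, 1, 1), d(2034, 1, 1))
ADDON_B = Cert("addon-b", "intermediate", d(2029, 2, 1), d(2034, 2, 1))
POOL = [ROOT, INTERMEDIATE]
LEAVES = [ADDON_A, ADDON_B]
NOW = d(2030, 5, 10)  # constructed "today" for the pipeline run

if __name__ == "__main__":
    findings = expiry_gate(LEAVES, POOL, NOW)
    for leaf, weakest, days in findings:
        print(f"FAIL {leaf}: {weakest} expires in {days} days")
    # A non-zero exit status fails the pipeline stage.
    sys.exit(1 if findings else 0)
```

With this data a leaf-only monitor reports nothing, while the chain walk flags both leaves because of the shared intermediate.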
morspin, I had to restart Firefox after applying the xpinstall.signatures.required workaround in order to make my extensions come alive again. If what Moz is pushing out involves some similar temporary relaxation of cert checking, perhaps it needs the same thing done after landing?
Re: ao3rdr:
Three star rating system
It's, I think, a 5-star system, and if you choose the lowest star, it hides the fic from your search results. I love that feature.
what does it say about me that I complain about bad institutional policies, abusive market practices irl but when software has a glitch... I quietly, patiently, passively reinstall, add the add ons and start again (eg. filtering the entire web with noScript AGAIN one script at a time).
never once thought about complaining to someone.
> I also resent the fact that if you're navigating hyperconnected modernity after a while "think like a conspiracy theorist" starts to sound a lot like "wear your seatbelt". That's not what this is.
I appreciate the clarification, because I surely don't understand what's happening, and when it looks like it's politically helpful to break adblockers on a wide scale, my own ignorance does cause me concern. I appreciate the work you're doing, and perhaps instead of resenting me, maybe see me as an example of how people who don't know how this works can interpret this kind of disruption? You are doing vitally important work, and I surely appreciate it, so thank you.
I appreciate the work you're doing, and perhaps instead of resenting me, maybe see me as an example of how people who don't know how this works can interpret this kind of disruption?
I'm sorry, I didn't mean to imply that I resent you - I realized what I was saying there too late, and missed my edit window. I meant "I, like you, dislike the fact that we seem to have to think like this".
And to your point - yeah, one of the challenges of communicating this stuff is that it really is esoteric and doesn't map to conventional metaphor well.
I bet all those Microsoft folks are glad this happened and drew attention away from how their DNS fuckup broke a good chunk of their own products and the parts of the internet that were reliant on them.
I am entirely confident that this was a mistake, not some nefarious plot, and my heart goes out to everyone who is having a miserable weekend because of it.
Stuff happens, and I'm glad a fix went out over the fastest channel available, but I can't say it's a great look that the current fix requires turning on the "Allow Firefox to send technical and interaction data to Mozilla" pref (especially since last year, opt-out was interpreted to mean "opt-in to reporting data about the fact that you opted out"), since studies can only be enabled after telemetry is turned on. I accept that's an unavoidable consequence of using the studies feature to quickly push a fix; I just wish the blog post at least acknowledged that "turn on telemetry to fix your browser" is not what anyone wants and entirely at odds with Mozilla's stated values.
OK, that's kind of hilarious. My desktop firefox, which was not affected last night, just this second told me all my extensions are untrustworthy.
I wonder what kept it alive as long as it was? I guess I'll have to turn studies on here, too.
The conspiracy theorist in the back of my mind is not imagining government agents, but an MBA with nice hair and teeth who was damned if their telemetry graphs weren't going to show better numbers this month...
Joke. I think.
Saw this post, turned on studies (which I had off on purpose). A long while later my extensions finally get disabled, but the fix had not downloaded yet.
Went to about:config and set "app.normandy.run_interval_seconds" to five seconds, restarted the browser. The fixes were downloaded and my extensions came back. Reset the seconds setting to default.
Noticed that having studies on downloaded some study not related to the fix. Also noticed, as some people commenting on the Mozilla blog post also did, THAT MY CONTAINERS HAVE BEEN WIPED AND RESET TO DEFAULT. Not a big deal for me, personally, but WTF. I hope that they were at least reset in a way that is not leaving obsolete/corrupt settings files in my user folder for all eternity.
I wonder what kept it alive as long as it was?
It checks the signatures periodically; based on other values I remember from about:config I would guess once every 24 hours. So for each user it failed at some random time since last midnight UTC.
This thread is so helpful! Not only about the glitch but also people discussing the add-ons they miss the most, I am taking notes.
Always a shock to be reminded how many people think that the internet is unusable without an adblocker, but the idea that they're going to quit using their web browser over not being able to use their ad blocker for a little while is a new level.
Jeez, I'm glad the tone of the thread seemed to have righted itself because I was seriously thinking I had woken up in bizarro world. Shit happens, y'all. Nobody's trust was violated, a simple oversight happened to some people who usually get it right and are almost radically transparent about both process and rationale.
The worst aspects of social media, still unchecked, are destroying us, but we keep doubling down on instant outrage.
This was the last straw and I've completely switched over to Chrome.
Who the hell voluntarily chooses that Google abomination?
Like Devs, certs & cert renewals are the bane of an Ops/Infra team's life (effectively superseding the long-held hatred for printers & fax machines). The chaos that can ensue when a renewal doesn't occur in a timely fashion can be epic. What's worse is the sense of impending doom when you know you need to renew a cert but all the doco on how to do it and where it's required is either non-existent, full of gaps or just plain wrong. And sure, you can automate all of this but it's typically held together with tape & twine - when the person that cobbled that together is gone and 3yrs later there's a cert to renew then you're in the poo again.
Nice work Mozilla - I was almost at the point of just not browsing until it was resolved - I'd forgotten how truly dire the unfiltered web can be.
It checks the signatures periodically
or else it gets the hose again
Previously on MetaFilter. Traditionally, certificates use advanced mathematical calculations to expire at the least convenient time.
Does automatic certificate expiration solve any real problems?
The entire point of certificates is to be demonstrably immutable.
When there is a good reason to revoke a certificate, e.g. when Google stopped trusting Symantec-issued SSL/TLS certs, it can take months and require a browser update.
I don't understand why we can't have a system where each certificate is trusted for an indefinite period into the future but can also be revoked with immediate effect?
I know that's not how the current certificate chain works but it doesn't seem like an impossible thing to engineer.
Always a shock to be reminded how many people think that the internet is
unusable without an adblocker
FTFY
I don't understand why we can't have a system where each certificate is trusted for an indefinite period into the future but can also be revoked with immediate effect?
One advantage of building an expiration date into the certificate, rather than relying on revocation, is that it doesn’t require any additional infrastructure.
If you want to rely on revocation, you need to have servers that host the revocation list, those servers need to be reliable and secure and performant, the system needs to be robust to attack by bad actors, etc. You also need to be damn sure you trust the people running those systems. It turns into a huge mess, and gets expensive fast. For expiration, you just include a little bit of data that is downloaded once.
(A variety of revocation mechanisms do exist, but they are in fact a huge mess to deal with.)
Lanark, that's what revocation lists and OCSP checks are for. For various reasons, one of the big ones being the unreliable nature of the Internet and the fact that there is simply no "right thing to do" when the necessary servers are unavailable for whatever reason (all options suck), they have never been implemented with a policy of strict checking in consumer software.
I don't understand why we can't have a system where each certificate is trusted for an indefinite period into the future but can also be revoked with immediate effect?
I suppose we could, but that would perhaps involve designing something new, and designing new things that do cryptography is scary. Which is probably one reason why the system used is as similar to web server certs as it is, though in practice it's not quite so identical as some people in the comments sections of the internet have assumed, e.g. those who think that simply issuing a new one to fix the problem should have been a twenty minute job.
To me it would make more sense to leave things otherwise as they are, except use the signing date when considering whether the signature is valid, rather than the current date.
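An added illustration of the two validity rules contrasted in the comment above (not code from Firefox, Mozilla or any commenter): it compares checking the certificate against the current date with checking it against the signing date. All class and function names and all dates are hypothetical, and the requirement that the signing date come from an independently attested timestamp is an assumption of this example, since a date written by the signer alone could be backdated.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class SigningCert:              # hypothetical model, validity window only
    not_before: datetime
    not_after: datetime
    def covers(self, moment: datetime) -> bool:
        return self.not_before <= moment <= self.not_after

@dataclass(frozen=True)
class SignedAddon:              # cryptographic signature assumed already verified
    name: str
    claimed_signed_at: datetime             # written by the signer, so forgeable
    trusted_timestamp: Optional[datetime]   # countersigned by a third party, or None

def valid_by_current_date(cert: SigningCert, now: datetime) -> bool:
    """Current-date rule: every signature fails the moment the cert expires."""
    return cert.covers(now)

def valid_by_signing_date(cert: SigningCert, addon: SignedAddon, now: datetime) -> bool:
    """Signing-date rule, accepted only when the date is independently attested."""
    ts = addon.trusted_timestamp
    if ts is None:
        # The signer's own date proves nothing: whoever holds the key after
        # expiry could backdate it. Fall back to the current-date rule.
        return cert.covers(now)
    return ts <= now and cert.covers(ts)

def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)

# Constructed sample data (not the real Mozilla certificate dates).
CERT = SigningCert(d(2017, 5, 1), d(2019, 5, 1))
NOW = d(2019, 5, 2)   # one day after expiry
ADDONS = [
    SignedAddon("timestamped-in-window", d(2018, 6, 1), d(2018, 6, 1)),
    SignedAddon("claims-old-date-no-timestamp", d(2018, 6, 1), None),
    SignedAddon("timestamped-after-expiry", d(2018, 6, 1), d(2019, 5, 2)),
]

def evaluate(now: datetime = NOW) -> dict:
    """Map add-on name -> (current-date verdict, signing-date verdict)."""
    return {a.name: (valid_by_current_date(CERT, now),
                     valid_by_signing_date(CERT, a, now)) for a in ADDONS}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:32} current={verdicts[0]!s:5} signing={verdicts[1]}")
```

Under the signing-date rule only the add-on with an attested in-window timestamp survives expiry; the other two are rejected under both rules.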
Also, the belittlement I'm seeing of people's real feelings of anger and frustration at the sudden profound disruption of their entire online experience wouldn't be allowed to fly in any other Metafilter thread.
Count me among the annoyed, but not enraged. I can only imagine what it's like for people who are the Technical Support Person for their aging parents/grandparents and have to try to explain this issue to them. Good luck.
I thought the problem was on my end, and I had no indication of why it happened. I actually uninstalled uBlock Origin, and went to reinstall it, and got an error stating that something was wrong with my connection. I wish there had been a more informative error message to point me in the right direction. I finally got it reinstalled at least.
Also the expiration of certificates - I have really not a lot of sympathy there. I don't want to express myself in a pissy manner here, but maybe offload the certificate expiration reminders to someone who isn't going to automate it, such as an administrative assistant? Or use a paper calendar or something? That won't end up in your spam folder. I mean, companies/organizations have to renew contracts and things every year, have the person keeping track of that walk over to Cert Person and say "hey, time to renew the Super Important Certificate" like a month before. Seriously, I don't get why this is so hard. Paper calendars, use them!
There is a big difference between being understandably annoyed about having to be assaulted with ads and assuming bad faith and/or promoting baseless conspiracy theories.
I try to be understanding because Trump is literally making people crazy, bringing psyops tactics that had previously been reserved for recruiting the far right to the public at large. In my defense, it's distressing to me that it has become nearly impossible to escape the catastrophizing and the outrage machine. There once was a time when simply avoiding a relative few websites was enough to prevent oneself from being steeped in the toxic stew. Getting splashed on a regular basis was bad enough, but now we're all in the pool and there is no escape that doesn't involve not knowing what is going on in the world around us.
I did the temporary fix, and all seems well for now.
It's really weird to see the web without the add-ons running. It really is a hot mess.
posted by Thorzdad at 7:52 AM on May 4 [15 favorites]