Widespread Firefox issues
Just an FYI since this is bound to impact users: https://bugzilla.mozilla.org/show_bug.cgi?id=1548973 Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons. Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Friday, 3 May, 2019 19:56 To: NANOG list Subject: Widespread Firefox issues
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
Besides which, if something was signed AT THE TIME when the certificate chain was valid, then that signature will be a valid signature forever (unless one of the certificates in the chain is revoked). The future or current expiry of a certificate or an intermediary has no effect whatsoever on the validity of a signature IF THE CERTIFICATE CHAIN WAS VALID at the time the signature was made, and the chain can be verified TO HAVE BEEN VALID at the time the signature was made. In other words, the fact that subsequent to making a signature the pen ran out of ink does not make the signature invalid. If it did so then there would be no point in having signatures. It may be impossible to make a valid signature with a pen that is out of ink, but that does not invalidate signatures made before the ink ran out. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces+kmedcalf=dessus.com@nanog.org] On Behalf Of Keith Medcalf Sent: Friday, 3 May, 2019 20:48 To: NANOG list Subject: RE: Widespread Firefox issues
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Friday, 3 May, 2019 19:56 To: NANOG list Subject: Widespread Firefox issues
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Fri, 2019-05-03 at 20:48 -0600, Keith Medcalf wrote:
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
The diagnosis in the OP's message may be false, but there is most definitely a widespread FF issue (or was, maybe fixed now). It affected me and numerous others. Simple temporary fix is to browse to "about:config" and change the value for "xpinstall.signatures.required" to false. Well, that worked for me, anyway. When Mozilla fixes whatever the issue is, I'll set it back to true. BTW it hit at midnight UTC, so different people saw the effect at different times depending on their timezone. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
On 5/3/2019 9:10 PM, Karl Auer wrote:
The diagnosis in the OP's message may be false, but there is most definitely a widespread FF issue (or was, maybe fixed now). It affected me and numerous others.
I'm just repeating what was mentioned elsewhere - don't shoot the messenger. We'll have to wait for them to tell us what exactly happened (if they do) to know for sure. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 5/3/2019 8:48 PM, Keith Medcalf wrote:
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
Clearly you are not reading the bug reports and paying attention. It's not happening to everyone, but a large enough group of people are experiencing it. My desktop for example, is having the issue, my laptop is not. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
So, for being "Clearly false", the hotfix pushed out by the Firefox Studies feature is... *drumroll* An updated intermediate certificate! You can turn on the Studies option under Privacy & Security for a little while, then check about:studies and you should see one or two in there regarding the xpi verification/signing. Once you have those two studies, you can disable Studies again. Likely we'll see a full fix with a point release of Firefox in a day or so. On 5/3/2019 8:48 PM, Keith Medcalf wrote:
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Friday, 3 May, 2019 19:56 To: NANOG list Subject: Widespread Firefox issues
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error. Is the "permanent fix" going to be proper validation of signatures I wonder? Or will they still consider the signature (made while there was ink in the pen) to be invalid after the pen runs out of ink? Or, more accurately, not invalidate the handwritten signature after the death of the witness. Lordy forbid that the "real world" worked like that ... invalidating the signature on a contract merely because the witness or signer got killed by a rogue bus ... What a lovely way to render a contract nul ab initio -- just kill one of the witnesses ... --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Saturday, 4 May, 2019 08:30 To: nanog@nanog.org Subject: Re: Widespread Firefox issues
So, for being "Clearly false", the hotfix pushed out by the Firefox Studies feature is...
*drumroll*
An updated intermediate certificate!
You can turn on the Studies option under Privacy & Security for a little while, then check about:studies and you should see one or two in there regarding the xpi verification/signing. Once you have those two studies, you can disable Studies again.
Likely we'll see a full fix with a point release of Firefox in a day or so.
On 5/3/2019 8:48 PM, Keith Medcalf wrote:
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Friday, 3 May, 2019 19:56 To: NANOG list Subject: Widespread Firefox issues
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error.
Here's something interesting - a few times now, I've told Firefox to enable Studies and then restarted ... but the Studies setting reverted to being unchecked. Maybe one of my other paranoia-enabling extensions is toggling it off ... but if so, I haven't found it yet. Still investigating. Royce
On Sat, May 4, 2019 at 7:40 AM Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error.
Here's something interesting - a few times now, I've told Firefox to enable Studies and then restarted ... but the Studies setting reverted to being unchecked.
Maybe one of my other paranoia-enabling extensions is toggling it off ... but if so, I haven't found it yet. Still investigating.
Even stranger, I can manually toggle 'app.shield.optoutstudies.enabled' in about:config ... and *that* persists across reboots ... but Studies *still* aren't enabled (the about:preferences item is still unchecked, and the "about:studies" area still indicates that they're disabled). There's definitely something weird about enabling/disabling studies. FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of Firefox that had studies disabled before this issue emerged. On a very similar setup, but one with a vanilla Firefox install that already had Studies enabled, I can't recreate this symptom - even if I turn Studies off (either using the GUI or with the about:config item). Royce
On Sat, May 4, 2019 at 8:02 AM Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 4, 2019 at 7:40 AM Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error.
Here's something interesting - a few times now, I've told Firefox to enable Studies and then restarted ... but the Studies setting reverted to being unchecked.
Maybe one of my other paranoia-enabling extensions is toggling it off ... but if so, I haven't found it yet. Still investigating.
Even stranger, I can manually toggle 'app.shield.optoutstudies.enabled' in about:config ... and *that* persists across reboots ... but Studies *still* aren't enabled (the about:preferences item is still unchecked, and the "about:studies" area still indicates that they're disabled).
There's definitely something weird about enabling/disabling studies.
FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of Firefox that had studies disabled before this issue emerged. On a very similar setup, but one with a vanilla Firefox install that already had Studies enabled, I can't recreate this symptom - even if I turn Studies off (either using the GUI or with the about:config item).
Multiple people have replied offthread that they have the same symptom. This workaround worked for me: https://www.reddit.com/r/firefox/comments/bkk5ss/if_you_dont_want_to_wait_do... Royce
Aha! Did the same and it worked. I had disabled Normandy probably immediately when it was introduced. I guess if you have it disabled then studies (even if enabled) are disabled as well. After getting the studies I disabled studies again (since I don't want them) and disabled normandy (since I do not want external third parties frikking about with my settings just cuz they feel like it) -- if you want to fiddle with the settings on my equipment you have to physically be within the blast radius of the device you are fiddling with (or the automated Nitrogen oxygen purge system). We will see what happens mid-afternoon tomorrow when Firefox tries to run a signature check again (since the original problem report was in error -- the check is only run once every 86400 seconds, so at the next check after the intermediate certificate expires the add-ons will be disabled). --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Royce Williams Sent: Saturday, 4 May, 2019 15:44 To: nanog@nanog.org Subject: Re: Widespread Firefox issues
On Sat, May 4, 2019 at 8:02 AM Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 4, 2019 at 7:40 AM Royce Williams <royce@techsolvency.com> wrote:
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf <kmedcalf@dessus.com> wrote:
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error.
Here's something interesting - a few times now, I've told Firefox to enable Studies and then restarted ... but the Studies setting reverted to being unchecked.
Maybe one of my other paranoia-enabling extensions is toggling it off ... but if so, I haven't found it yet. Still investigating.
Even stranger, I can manually toggle 'app.shield.optoutstudies.enabled' in about:config ... and *that* persists across reboots ... but Studies *still* aren't enabled (the about:preferences item is still unchecked, and the "about:studies" area still indicates that they're disabled).
There's definitely something weird about enabling/disabling studies.
FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of Firefox that had studies disabled before this issue emerged. On a very similar setup, but one with a vanilla Firefox install that already had Studies enabled, I can't recreate this symptom - even if I turn Studies off (either using the GUI or with the about:config item).
Multiple people have replied offthread that they have the same symptom.
This workaround worked for me:
https://www.reddit.com/r/firefox/comments/bkk5ss/if_you_dont_want_to_wait_do_this/
Royce
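The two validation policies argued over above (evaluate the chain at the current time, or at the time the signature was made) together with the once-per-86400-seconds re-check mentioned in the preceding message, as an added example that is not part of any post in this thread and is not Mozilla's code. No cryptography is performed; every certificate name and date is constructed sample data, with the intermediate's expiry placed at midnight UTC as reported earlier in the thread.

```python
"""Model of chain validation time and periodic re-checks (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence

UTC = timezone.utc
CHECK_INTERVAL = timedelta(seconds=86400)  # re-check period stated in the thread


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def chain_valid_at(chain: Sequence[Cert], when: datetime) -> bool:
    """A chain is usable at `when` only if every link is inside its window."""
    return all(cert.valid_at(when) for cert in chain)


def expired_links(chain: Sequence[Cert], when: datetime) -> List[str]:
    """Names of the certificates whose notAfter lies before `when`."""
    return [cert.name for cert in chain if when > cert.not_after]


def verify(chain: Sequence[Cert], now: datetime,
           trusted_signing_time: Optional[datetime] = None) -> bool:
    """Pick the evaluation time, then check the chain at that time.

    The signing time may be used only when something the verifier trusts
    attests to it (for example a timestamp countersignature). A time claimed
    by the signer alone could be backdated, so without attestation the chain
    has to be evaluated at `now`.
    """
    when = now if trusted_signing_time is None else trusted_signing_time
    if when > now:
        return False  # an attested time in the future is not credible
    return chain_valid_at(chain, when)


def first_failing_check(last_check: datetime, expiry: datetime,
                        interval: timedelta = CHECK_INTERVAL) -> datetime:
    """First scheduled re-check that falls after `expiry`.

    Clients that re-check once per interval notice the expiry at different
    wall-clock times, depending on when their previous check ran.
    """
    if last_check > expiry:
        return last_check
    missed = (expiry - last_check) // interval + 1
    return last_check + missed * interval


# Constructed sample chain: only the intermediate has expired at NOW.
ROOT = Cert("constructed-root",
            datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
INTERMEDIATE = Cert("constructed-intermediate",
                    datetime(2017, 5, 4, tzinfo=UTC), datetime(2019, 5, 4, tzinfo=UTC))
LEAF = Cert("constructed-addon-signer",
            datetime(2018, 6, 1, tzinfo=UTC), datetime(2023, 6, 1, tzinfo=UTC))
CHAIN = [LEAF, INTERMEDIATE, ROOT]
SIGNED_AT = datetime(2019, 1, 10, 12, 0, tzinfo=UTC)   # constructed signing time
NOW = datetime(2019, 5, 4, 2, 46, 31, tzinfo=UTC)      # a few hours after expiry

if __name__ == "__main__":
    print("expired links at NOW:      ", expired_links(CHAIN, NOW))
    print("policy: evaluate at NOW    ", verify(CHAIN, NOW))
    print("policy: attested sign time ", verify(CHAIN, NOW, SIGNED_AT))
    for last in (datetime(2019, 5, 3, 0, 10, tzinfo=UTC),
                 datetime(2019, 5, 3, 23, 30, tzinfo=UTC)):
        print("last check", last, "-> add-ons fail at",
              first_failing_check(last, INTERMEDIATE.not_after))
```

The second policy depends entirely on the signing time being attested by a party other than the signer, and revocation still has to be checked at the current time under either policy.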
Guess it’s a good thing then that I’m not needing to rely on your ‘expert opinion’ since Mozilla provided (and still is providing) details as they resolve the issue, eh? Something something something long winded responses and long stretch metaphors... Sent from my iPhone
On May 4, 2019, at 9:30 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:
I will stick to the "clearly false" since it is now well to the point where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and have been since forever), no studies have been loaded, and my extensions still work quite fine, thank-you. Attempting to install a "new" extension fails with a "bad signature" error.
Is the "permanent fix" going to be proper validation of signatures I wonder? Or will they still consider the signature (made while there was ink in the pen) to be invalid after the pen runs out of ink?
Or, more accurately, not invalidate the handwritten signature after the death of the witness. Lordy forbid that the "real world" worked like that ... invalidating the signature on a contract merely because the witness or signer got killed by a rogue bus ... What a lovely way to render a contract nul ab initio -- just kill one of the witnesses ...
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Saturday, 4 May, 2019 08:30 To: nanog@nanog.org Subject: Re: Widespread Firefox issues
So, for being "Clearly false", the hotfix pushed out by the Firefox Studies feature is...
*drumroll*
An updated intermediate certificate!
You can turn on the Studies option under Privacy & Security for a little while, then check about:studies and you should see one or two in there regarding the xpi verification/signing. Once you have those two studies, you can disable Studies again.
Likely we'll see a full fix with a point release of Firefox in a day or so.
On 5/3/2019 8:48 PM, Keith Medcalf wrote:
Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing whatsoever happened to my Firefox browser, and all the extensions are still working just fine.
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Brielle Bruns Sent: Friday, 3 May, 2019 19:56 To: NANOG list Subject: Widespread Firefox issues
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
My temporary solution was to set "xpinstall.signatures.required" to "false". On 5/4/19 4:55 AM, Brielle Bruns wrote:
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops.
-- Best regards, Adrian Minta
On 5/3/2019 8:58 PM, Adrian Minta wrote:
My temporary solution was to set "xpinstall.signatures.required" to "false".
Unfortunately only works if you are using the Dev version :( They totally removed ability to bypass that in the standard distribution of Firefox. Ugh -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Fri, 2019-05-03 at 21:38 -0600, Brielle Bruns wrote:
On 5/3/2019 8:58 PM, Adrian Minta wrote:
My temporary solution was to set "xpinstall.signatures.required" to "false". Unfortunately only works if you are using the Dev version :(
Or, apparently, if you are using the Linux version. I'm on 66.0.3 Linux 64-bit. I think the Android version still allows it, too. I dislike this trend to remove features "for our own good", yet everyone seems to be doing it. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
so is there a recipe for re-enabling the add-ons? otherwise, one is running pretty nekkid. randy
On Sat, May 4, 2019, at 08:21, Randy Bush wrote:
so is there a recipe for re-enabling the add-ons? otherwise, one is running pretty nekkid.
From https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disa...:
12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps. In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies. You can disable studies again after your add-ons have been re-enabled. We are working on a general fix that doesn’t need to rely on this and will keep you updated. -- Harald Koch chk@pobox.com
so is there a recipe for re-enabling the add-ons? otherwise, one is running pretty nekkid.
From https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disa...:
12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.
In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.
You can disable studies again after your add-ons have been re-enabled.
We are working on a general fix that doesn’t need to rely on this and will keep you updated.
read that. to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
On Sat, May 4, 2019, 3:37 PM Randy Bush <randy@psg.com> wrote:
to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
Disconnect from the network, start Firefox while offline, then KILL IT WITH FIRE^W SIGKILL. After that, Firefox will start with a "Restore tabs" page which doesn't activate tabs automatically. -- Töma
On Sat, 2019-05-04 at 05:36 -0700, Randy Bush wrote:
will keep you updated. read that. to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
Disconnect from network. Start Firefox. Take a moment to appreciate the silence. Close tabs. Reconnect to network.
OR:
Start firefox's profile manager:
firefox -P --no-remote
Then create a new profile and start FireFox with the new profile. Not 100% sure how the studies feature works, but I am assuming it updates more than just the profile, so once FF has updated you should be able to open the old profile and get all your extensions and settings back.
Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389 GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
recipe
- turn off internet connectivity
- start firefox
- `kill -s sigkill` it
- restart it, do not restore session
- turn internet back on
- go to prefs / privacy and enable studio
- wait until `about:studies` shows you got the two updates
- allow sessions to restart
randy
On Sat, 04 May 2019 10:46:41 -0700, Randy Bush said:
to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
recipe
- turn off internet connectivity
- start firefox
- `kill -s sigkill` it
- restart it, do not restore session
- turn internet back on
- go to prefs / privacy and enable studio
- wait until `about:studies` shows you got the two updates
- allow sessions to restart
Keep in mind that if Firefox exits between 'do not restore session' and 'allow sessions to restart', all the tabs may vanish into the ether. Been burned by that before. May want to tar up your .mozilla directory for safe keeping (or whatever needs to be done on boxes where tar'ing up a directory isn't a thing....)
Official update from Mozilla: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firef...
Mark.
On 5 May 2019 5:50:19 AM NZST, "Valdis Klētnieks" <valdis.kletnieks@vt.edu> wrote:
On Sat, 04 May 2019 10:46:41 -0700, Randy Bush said:
to do it, i have to start ffox. and 100 tabs will open and javascript will flood in.
recipe
- turn off internet connectivity
- start firefox
- `kill -s sigkill` it
- restart it, do not restore session
- turn internet back on
- go to prefs / privacy and enable studio
- wait until `about:studies` shows you got the two updates
- allow sessions to restart
Keep in mind that if Firefox exits between 'do not restore session' and 'allow sessions to restart', all the tabs may vanish into the ether. Been burned by that before. May want to tar up your .mozilla directory for safe keeping (or whatever needs to be done on boxes where tar'ing up a directory isn't a thing....)
-- Sent from a mobile device.
On 5/4/19, Mark Foster wrote:
Official update from Mozilla:
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firef...
where they say
Please note: The fix does not apply to Firefox ESR
which is what I'm running, so
about:config
change xpinstall.signatures.required to false, restart
and all my extensions now show
xxx could not be verified for use in Firefox. Proceed with caution.
but at least they're all enabled again :)
Lee
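A check for profiles where the `xpinstall.signatures.required` workaround used in several messages above is still in place, written as an added example that is not part of any post in this thread. It reads each profile's `prefs.js` and `user.js`; `app.normandy.enabled` is an assumed pref name for the Normandy setting mentioned in the thread, and the sample preference text is constructed.

```python
"""Audit Firefox profiles for prefs discussed in this thread (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Tuple, Union

# Line format of prefs.js and user.js:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;',
                     re.MULTILINE)

SIG_PREF = "xpinstall.signatures.required"         # named in the thread
STUDIES_PREF = "app.shield.optoutstudies.enabled"  # named in the thread
NORMANDY_PREF = "app.normandy.enabled"             # assumption: not named in the thread

# (pref, value that triggers the finding, severity, message)
CHECKS = [
    (SIG_PREF, False, "HIGH",
     "add-on signature enforcement is switched off; set it back to true"),
    (STUDIES_PREF, False, "INFO",
     "Studies are off; a hotfix delivered through Studies will not arrive"),
    (NORMANDY_PREF, False, "INFO",
     "Normandy is off; the thread reports Studies stay off in that case"),
]

Finding = Tuple[str, str, str]


def parse_prefs(text: str) -> Dict[str, Union[bool, int, str]]:
    """Parse user_pref() lines; commented-out lines are ignored by PREF_RE."""
    prefs: Dict[str, Union[bool, int, str]] = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def effective_prefs(profile_dir: Path) -> Dict[str, Union[bool, int, str]]:
    """prefs.js first, then user.js, which overrides it at every startup."""
    prefs: Dict[str, Union[bool, int, str]] = {}
    for filename in ("prefs.js", "user.js"):
        path = profile_dir / filename
        if path.is_file():
            prefs.update(parse_prefs(path.read_text(encoding="utf-8",
                                                    errors="replace")))
    return prefs


def audit(prefs: Dict[str, Union[bool, int, str]]) -> List[Finding]:
    """A pref absent from the files keeps its built-in default: no finding."""
    return [(severity, name, message)
            for name, bad_value, severity, message in CHECKS
            if name in prefs and prefs[name] is bad_value]


def audit_root(profiles_root: Union[str, Path]) -> Dict[str, List[Finding]]:
    """Audit every directory under `profiles_root` that contains a prefs.js."""
    results = {}
    for prefs_js in sorted(Path(profiles_root).glob("*/prefs.js")):
        profile = prefs_js.parent
        results[profile.name] = audit(effective_prefs(profile))
    return results


# Constructed sample; real files carry many more lines.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.normandy.enabled", false);
user_pref("app.shield.optoutstudies.enabled", true);
user_pref("browser.startup.page", 3);
// user_pref("xpinstall.signatures.required", true);
user_pref("xpinstall.signatures.required", false);
"""

if __name__ == "__main__":
    for severity, name, message in audit(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"[{severity}] {name}: {message}")
```

As posts in this thread note, some builds ignore the signature pref, so a HIGH finding means the setting was left behind, not necessarily that enforcement is off in that build.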
On 05/05/2019 00:04, Lee wrote:
On 5/4/19, Mark Foster wrote:
Official update from Mozilla:
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firef...
where they say
Please note: The fix does not apply to Firefox ESR
which is what I'm running, so
about:config
change xpinstall.signatures.required to false, restart
and all my extensions now show
xxx could not be verified for use in Firefox. Proceed with caution.
but at least they're all enabled again :)
Am running FF 66.0.3 and did the above but still Avira Browser Safety and Cisco Webex still show up as disabled. What am I missing? Thanks, Hank
Lee
or use the hotfix without restarting:
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
On 04.05.2019 at 19:46, Randy Bush wrote:
>>> to do it, i have to start ffox. and 100 tabs will open and
>>> javascript will flood in.
> recipe
> - turn off internet connectivity
> - start firefox
> - `kill -s sigkill` it
> - restart it, do not restore session
> - turn internet back on
> - go to prefs / privacy and enable studio
> - wait until `about:studies` shows you got the two updates
> - allow sessions to restart
>
> randy
From https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disa... :
12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.
In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.
This is a lie. I had both updates and studies disabled but "hotfix-update-xpi-intermediate" appeared in my addons anyway. It also failed to re-enable noscript. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Fri, 3 May 2019 at 20:57, Brielle Bruns <bruns@2mbit.com> wrote:
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops.
This is why it's important that every single website on the internet is available ONLY over HTTPS. Don't forget to install an HSTS policy, too, so, if anyone ever visits Kazakhstan or a security-conscious corporate office, they'll be prevented from accessing the cute pictures of cats on your fully static website. Of course, don't forget to abandon HTTP, too, and simply issue 301 Moved Permanently redirects from all HTTP targets to HTTPS, to cover all the bases. Backwards compatibility? Don't you worry — no browser lets anyone remove HSTS, once installed, so, you're golden. And HTTPS links won't fallback to HTTP, either, so, you're good there, too — your cute cats are safe and secure, and once folks link to your new site under https://, your future self will be safe and secure from ever having the option to go insecure again. I mean, why would anyone go "insecure"? Especially now with LetsEncrypt? Oh, wait… Wait a moment, and who's the biggest player behind the HTTPS-only movement? Oh, and Mozilla's one of the biggest backers of LetsEncrypt, too? I see… Well, nothing to see here, move along! #TooBigToFail. C.
HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Constantine A. Murenin Sent: Friday, 3 May, 2019 21:02 To: Brielle Bruns Cc: NANOG list Subject: Re: Widespread Firefox issues
On Fri, 3 May 2019 at 20:57, Brielle Bruns <bruns@2mbit.com> wrote:
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops.
This is why it's important that every single website on the internet is available ONLY over HTTPS. Don't forget to install an HSTS policy, too, so, if anyone ever visits Kazakhstan or a security-conscious corporate office, they'll be prevented from accessing the cute pictures of cats on your fully static website. Of course, don't forget to abandon HTTP, too, and simply issue 301 Moved Permanently redirects from all HTTP targets to HTTPS, to cover all the bases.
Backwards compatibility? Don't you worry — no browser lets anyone remove HSTS, once installed, so, you're golden. And HTTPS links won't fallback to HTTP, either, so, you're good there, too — your cute cats are safe and secure, and once folks link to your new site under https://, your future self will be safe and secure from ever having the option to go insecure again. I mean, why would anyone go "insecure"? Especially now with LetsEncrypt?
Oh, wait…
Wait a moment, and who's the biggest player behind the HTTPS-only movement? Oh, and Mozilla's one of the biggest backers of LetsEncrypt, too? I see… Well, nothing to see here, move along! #TooBigToFail.
C.
From: NANOG <nanog-bounces@nanog.org> on behalf of Keith Medcalf <kmedcalf@dessus.com> Sent: Saturday, May 4, 2019 3:14:53 AM To: NANOG list Cc: Constantine A. Murenin Subject: [EXT] RE: Widespread Firefox issues HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Constantine A. Murenin Sent: Friday, 3 May, 2019 21:02 To: Brielle Bruns Cc: NANOG list Subject: Re: Widespread Firefox issues
On Fri, 3 May 2019 at 20:57, Brielle Bruns <bruns@2mbit.com> wrote:
Just an FYI since this is bound to impact users:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Basically, Mozilla forgot to renew an intermediate cert, and people's Firefox browsers have mass-disabled addons.
Whoops.
This is why it's important that every single website on the internet is available ONLY over HTTPS. Don't forget to install an HSTS policy, too, so, if anyone ever visits Kazakhstan or a security-conscious corporate office, they'll be prevented from accessing the cute pictures of cats on your fully static website. Of course, don't forget to abandon HTTP, too, and simply issue 301 Moved Permanently redirects from all HTTP targets to HTTPS, to cover all the bases.
Backwards compatibility? Don't you worry — no browser lets anyone remove HSTS, once installed, so, you're golden. And HTTPS links won't fallback to HTTP, either, so, you're good there, too — your cute cats are safe and secure, and once folks link to your new site under https://, your future self will be safe and secure from ever having the option to go insecure again. I mean, why would anyone go "insecure"? Especially now with LetsEncrypt?
Oh, wait…
Wait a moment, and who's the biggest player behind the HTTPS-only movement? Oh, and Mozilla's one of the biggest backers of LetsEncrypt, too? I see… Well, nothing to see here, move along! #TooBigToFail.
C.
I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. That second component is a security measure. Charles Bronson
On Sat, 04 May 2019 13:02:56 -0000, Charles Bronson said:
On Fri, 03 May 2019 21:14:53 -0600, "Keith Medcalf" said:
HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure.
I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. That second component is a security measure.
Actually, the identity component of a certificate does *not* verify you connected to the server you *intended*. It verifies that the server you actually connected to is the one that the connection was directed to, and that you didn't get MITM'ed. That's important, but not what most people think it means. In particular, it does *not* protect against typo squatters that get hits when you accidentally try to go to faceebook.com. Also, when a user enters cnn.com, they *intend* to visit cnn.com, and aren't thinking about the *other* 38 sites that get contacted (as reported by the IPvFoo extension). Did I *intend* to go to a125375509.cdn.optimizely.com - one of the sites that ends up getting called when I visit cnn.com? So while there's a useful security guarantee provided by the proof-of-identity, it's *NOT* what people usually think it is. Additionally, the first component is also a security measure as well. Googling for "3 pillars of security" shows that they're "confidentiality, integrity, and availability". In what world are the "privacy" provisions of TLS *not* part of "confidentiality"? https://www.lmgtfy.com/?q=3+pillars+of+security
participants (17)
- Adrian Minta
- Brielle
- Brielle Bruns
- Charles Bronson
- Constantine A. Murenin
- Hank Nussbacher
- Harald Koch
- Karl Auer
- Keith Medcalf
- Lee
- Mark Foster
- Patrick Schultz
- Randy Bush
- Royce Williams
- Töma Gavrichenkov
- Valdis Klētnieks
- William Herrin