Avast WEBforum
Other => Non-Avast security products => Topic started by: polonus on May 04, 2019, 02:58:57 PM
-
Does this mean the end of Mozilla's Firefox?
In the firefox browser and also for instance in Cliqz not a single one of the add-ons will work.
No more extensions, not a single one allowed.
A golden day for those that strive for Google chromium supremacy
or mono-culture of the chromium browser forks.
No more NoScript, no more adblockers, no more LastPass.
They may have to upgrade all of the browser with what results?
How many run of the mill end-users will now switch to Google Chrome, Brave, Iridium etc,
because of this fiasco?
What will the certification war, bring us further? Problems for Kaspersky, Huawei?
Symantec is not a player anymore in the field of certification,
Let's Encrypt has many advantages,
but also has lowered the bar for cybercrime, scam, spam & fraud,
and other (political) manipulation.
Anyone to comment?
polonus
-
Hi, it's a known FF bug, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
-
Hi Asyn,
It is not bringing them Mozilla developers fame, and Google chromium staff will giggle about so much stupidity.
HavenĀ“t seen a comment from Firefox users here like DavidR etc., certainly a pain in the proverbial parts of the body. ::)
polonus
-
Hi Asyn,
It is not bringing them Mozilla developers fame, and Google chromium staff will giggle about so much stupidity.
+1 :(
-
It is also striking there is no general news about this mozilla add-ons mishap,
no news on the Reg and other main tech news outlets.
Silence reigns big time...
The problem was first expected to appear from May 10th henceon,
but now has reared it's head world-wide already when world clock struck 0:01 on May 4th 2019.
There is a work-around fix available via Firefox studies account,
but that is probably to complicated for the average user to install.
Beyond belief actually while Mozilla developers implemented this in such a way (date depending),
they have to come up with an emergency browser update now to fix this add-on Daemmerung ;) ,
and we do not know what further implications that may have.
polonus
P.S. And this bug now has a proper name "Armag-add-on 2.0" ;D
-
Further info/details here...
https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047
https://twitter.com/mozamo
-
Update Regarding Add-ons in Firefox
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
-
@ polonus,
While this gaffe is not major as in some like McAfee bricking Windows systems en masse, because it does not brick or prevent use of Firefox, it is similar in scope and certainly a major annoyance factor for everyone. I suspect, tho, that [only] FF browsers open/running/online at 0001 UTC were affected by this bug, so the number impacted may be less than expected. Just happened again @ 1522 UTC.
Run your browsers in a sandbox always if you don't run a virtual machine. I did. So when I encountered this, simply closing and re-opening the browser brought everything back <snap>.
Good to see a fix is on the way or will be soon.
-
A fix has been rolled out since 16.00 GMT and now all my extensions in my Firefox fork, CLIQZ browser, have returned via de add-on manager, retire.JS, uMatrix, JaVascript Error Notifier extension. CLIQZ is a privacy browser fork.
polonus
-
Thanks Pol.
-
Why is Mozilla so STUPID!!!!
-
Hi SpeedyPC,
Hard to tell, why they haven't paid attention.
Now as a final solution they have to update all of the browser.
Mind, when you have your add-ons working normally again,
to disable settings in "about:studies" (via the browser-bar),
else you will continue sharing your browser data with Mozilla telemetries,
and that is not the securest settings you could have,
and may not be what you want as a continuous situation.
What I could imagine (might not be too far-fetched a thought),
that this could have been an orchestrated action against tor-browser users,
as tor-browser is basically a Firefox browser fork relenting on NoScript add-on being active,
and there this essential add-on (NoScript) for anonymous browsing was also disabled.
But again that is pure speculation on my part, and probably about such schemes we will never know.
Anyways stay on the square, and browse safely and securely,
is the wish of,
Damian aka polonus
-
Hi Asyn,
It is not bringing them Mozilla developers fame, and Google chromium staff will giggle about so much stupidity.
+1 :(
When you think about Firefox and its market share, you would think they would be more damn careful not to lose users.
-
My extensions in my Firefox still hasn't been resolved, GOD I"M SO ANGRY AS HELL.
Shame on you Mozilla >:(
-
Trust in Mozilla's diminishes with every hour this misery goes on.
A reliable alternative for the average browser user just searching for some info, banking and doing some shopping at times
= Waterfox 8), which is 64 bit, based on FF ESR 52 and with RSS read still available to the browser-user,
a functionality that regular FF took out "for reasons of user friendliness".
polonus
-
My extensions in my Firefox still hasn't been resolved, GOD I"M SO ANGRY AS HELL.
Shame on you Mozilla >:(
There are other browsers. :)
-
My extensions in my Firefox still hasn't been resolved, GOD I"M SO ANGRY AS HELL.
Shame on you Mozilla >:(
There are other browsers. :)
Such as MS Edge soon to become a Chromium clone Or Google Chrome and I know whom I trust more less ;)
The fewer players in the browser arena the less choice we have.
-
DavidR, SpeedyPC, mchain, bob3160 & others,
Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1 restart the browser and voila.
polonus
-
DavidR, SpeedyPC, mchain, bob3160 & others,
Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1 restart the browser and voila.
polonus
Thanks,
Strangely I hadn't been hit by this, until I opened firefox to check for this update.
It has been applied and restarted.
-
Hi DavidR,
Good Firefox can at least hold some ground, as a complete chromium mono-culture is not something to be glad about
or to look forward to. Mono-cultures always will spell elevated risks and a greater attack surface.
So those on Firefox run less risk, as all major script injection mimicks Google scripts,
as in the latest magecart gang attacks.
What Windows means as a main vector for operational system threats,
chromium will be in the case of browser vector attacks.
(e.g. against Edge, Google Chrome, chromium-forks like Iridium, Brave etc.).
Always nice to have a browser that is not a run of the mill one and kept for the masses.
polonus
-
Hi DavidR,
Good Firefox can at least hold some ground, as a complete chromium mono-culture is not something to be glad about
or to look forward to. Mono-cultures always will spell elevated risks and a greater attack surface.
So those on Firefox run less risk, as all major script injection mimicks Google scripts,
as in the latest magecart gang attacks.
What Windows means as a main vector for operational system threats,
chromium will be in the case of browser vector attacks.
(e.g. against Edge, Google Chrome, chromium-forks like Iridium, Brave etc.).
Always nice to have a browser that is not a run of the mill one and kept for the masses.
polonus
Firefox is one of my available browsers. It just doesn't happen to be my default browser. :)
I've also updated Firefox but didn't know about a problem till I saw it reported here on the forum.
-
Thank GOD!!!!!! for the new update.
-
DavidR, SpeedyPC, mchain, bob3160 & others,
Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1 restart the browser and voila.
polonus
Note, Firefox ESR also got fixed (60.6.2). Cheers
-
Background on the certification mishap. Quoted info source snippet credits go to Bitwiper,
xul.dll (part of Mozilla Firefox webbrowser) has an inbuilt rootcertificate, named "root-ca-production-amo".
This certificate is not visible in Firefox certificate viewer.
Every validated Mozilla Add-on comes signed with a supplier-specific code-signing certificate, issued by Mozilla
Also in this case we see an intermediate certificate, named "signingca1.addons.mozilla.org",
that comes together with every add-on (together with the code signing certificate).
For instance the extension "https everywhere" has two certificates:
1) "https-everywhere@eff.org" - valid from 02 May, 2019 23:35:08 until 01 May, 2020 23:35:08
2) "signingca1.addons.mozilla.org" - valid from 04 May, 2017 02:09:46 until 04 May, 2019 02:09:46 <== that is strange
It is strange that no alarm bells went off, because a certificate with a later end date set than the accompanying intermediate certificate
is a stupid thing to do, it does not make sense. Probably the inplementer later left the Mozilla ranks, and nobody gave it a second thought.
The rootcertificaat ("root-ca-production-amo") is valid until15 March, 2025 00:53:57.
So some code changes were necessary to allow Firefox to surpass intermediate certificates in the normal certification store.
I thank Bitwiper for his explanation of what happened over the weekend.
polonus
-
Hey Pol,
Tell Bitwiper to come over and joined Avast and become our Firefox certificate security advisor for Avast
-
What we do when things go wrong
https://blog.mozilla.org/blog/2019/05/09/what-we-do-when-things-go-wrong/
https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/