Firefox extensions do not work, no more cert legacy for add-ons.

[bob3160]

My extensions in my Firefox still hasn't been resolved, GOD I"M SO ANGRY AS HELL.

Shame on you Mozilla 

There are other browsers.

[DavidR]

My extensions in my Firefox still hasn't been resolved, GOD I"M SO ANGRY AS HELL.

Shame on you Mozilla 

There are other browsers.

Such as MS Edge soon to become a Chromium clone Or Google Chrome and I know whom I trust more less

The fewer players in the browser arena the less choice we have.

[polonus]

DavidR, SpeedyPC, mchain, bob3160 & others,

Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1  restart the browser and voila.

polonus

[DavidR]

DavidR, SpeedyPC, mchain, bob3160 & others,

Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1  restart the browser and voila.

polonus

Thanks,

Strangely I hadn't been hit by this, until I opened firefox to check for this update.

It has been applied and restarted.

[polonus]

Hi DavidR,

Good Firefox can at least hold some ground, as a complete chromium mono-culture is not something to be glad about
or to look forward to. Mono-cultures always will spell elevated risks and a greater attack surface.

So those on Firefox run less risk, as all major script injection mimicks Google scripts,
as in the latest magecart gang attacks.

What Windows means as a main vector for operational system threats,
chromium will be in the case of browser vector attacks.
(e.g. against Edge, Google Chrome, chromium-forks like Iridium, Brave etc.).

Always nice to have a browser that is not a run of the mill one and kept for the masses.

polonus

[bob3160]

Hi DavidR,

Good Firefox can at least hold some ground, as a complete chromium mono-culture is not something to be glad about
or to look forward to. Mono-cultures always will spell elevated risks and a greater attack surface.

So those on Firefox run less risk, as all major script injection mimicks Google scripts,
as in the latest magecart gang attacks.

What Windows means as a main vector for operational system threats,
chromium will be in the case of browser vector attacks.
(e.g. against Edge, Google Chrome, chromium-forks like Iridium, Brave etc.).

Always nice to have a browser that is not a run of the mill one and kept for the masses.

polonus

Firefox is one of my available browsers. It just doesn't happen to be my default browser.
I've also updated Firefox but didn't know about a problem till I saw it reported here on the forum.

[SpeedyPC]

Thank GOD!!!!!! for the new update.

[Asyn]

DavidR, SpeedyPC, mchain, bob3160 & others,

Happy to inform you all, Mozilla team produced an update with the fix for this included,
download firefox 66.0.4 build 1  restart the browser and voila.

polonus

Note, Firefox ESR also got fixed (60.6.2). Cheers

[polonus]

Background on the certification mishap. Quoted info source snippet credits go to Bitwiper,

xul.dll (part of Mozilla Firefox webbrowser) has an inbuilt rootcertificate, named "root-ca-production-amo".
This certificate is not visible in Firefox certificate viewer.

Every validated Mozilla Add-on comes signed with a supplier-specific code-signing certificate, issued by Mozilla
Also in this case we see an intermediate certificate, named "signingca1.addons.mozilla.org",
that comes together with every add-on (together with the code signing certificate).

For instance the extension "https everywhere" has two certificates:
1) "https-everywhere@eff.org" - valid from 02 May, 2019 23:35:08 until 01 May, 2020 23:35:08
2) "signingca1.addons.mozilla.org" - valid from 04 May, 2017 02:09:46 until 04 May, 2019 02:09:46 <== that is strange

It is strange that no alarm bells went off, because a certificate with a later end date set than the accompanying intermediate certificate
is a stupid thing to do, it does not make sense. Probably the inplementer later left the Mozilla ranks, and nobody gave it a second thought.

The rootcertificaat ("root-ca-production-amo") is valid until15 March, 2025 00:53:57.

So some code changes were necessary to allow Firefox to surpass intermediate certificates in the normal certification store.

I thank Bitwiper for his explanation of what happened over the weekend.

polonus

[SpeedyPC]

Hey Pol,

Tell Bitwiper to come over and joined Avast and become our Firefox certificate security advisor for Avast

[Asyn]

What we do when things go wrong
https://blog.mozilla.org/blog/2019/05/09/what-we-do-when-things-go-wrong/
https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/