A Fix Has Been Released For Last Night’s Firefox Addon Issue

Last night was a pretty big mess for Firefox users (like myself) as the add-on functionality of the browser was, effectively, completely broken, due to an issue involving a security certificate expiring, rendering every add-on for the browser invalid.

To put it really simply, a while back Mozilla began validating add-ons themselves, giving them a “digital signature” to validate them for a given time period; a standard practice in digital security.

Well, the certificate expired (hooray human error) and the result was all plugins were considered invalid. Wonderful!

This is, in super basic form, what happened. In developer builds of Firefox there are ways to disable the check for this signature. The problem is, of course, that this requires you to install the nightly Firefox build, toggle that option, and deal with in-development software while they take however long they need to fix the issue, which, as it would turn out, was only a few hours from when the issue struck most users.

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Yep, they got a fix out – not an elegant one, but one that works. As soon as I woke up and got on my machines to begin working on things today, they began to update and “fix” themselves. It still annoys me that I reinstalled Firefox on my main machine last night (I honestly thought at first my browser had been broken due to malware of some kind), so I have to deal with the annoyances of getting everything back in order, but then again a little refresh never hurts, right?

Anyway, this fix is a little bit of a hack in that it uses the “studies” system, a way for Firefox to test and try out various features in a pre-release state (see this link: https://support.mozilla.org/en-US/kb/shield?as=u&utm_source=inproduct )

This means that your Firefox install should be set to have studies enabled – to quote the article regarding the fix:

To provide this fix on short notice, we are using the Studies system. This system is enabled by default, and no action is needed unless Studies have been disabled. Firefox users can check if they have Studies enabled by going to:
Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run studies (scroll down to find the setting)

Studies can be disabled again after the add-ons have been re-enabled.
It may take up to six hours for the Study to be applied to Firefox. To check if the fix has been applied, you can enter “about:studies” in the location bar. If the fix is active, you’ll see “hotfix-update-xpi-signing-intermediate-bug-1548973” in either the Active studies or Completed studies as follows:

You may also see “hotfix-reset-xpi-verification-timestamp-1548973” listed, which is part of the fix and may be in the Active studies or Completed studies section(s).
We are working on a general fix that doesn’t use the Studies system and will keep this blog post updated accordingly.

If that’s on, great – you should get the update soon. I prefer to leave it on, but you may choose to turn it off. Again, that’s fine – once the main fix is released you can turn the feature back off.

Now, many are complaining about this fix, but it is a stopgap measure – they fully state they are working on a proper fix to put into the proper release version of the browser. This gave them a way to get the fix out quickly, almost like a patch, rather than having to force a release which may not be ready out to everyone. The browser is stable as is: patch this issue and things are fine, then move on to working it into the next release, and that’s that.

I’d rather have a bit of a hack getting things going, than for them to force a full release that is buggy, untested, and otherwise not ready just because it fixes this one issue.

But, yeah, that’s basically that. The problem is effectively fixed for the end user, and we can only imagine that Mozilla will rethink the whole “centrally signed add-ons” method they have been using. I’m not saying get rid of it, but I am saying they should, at the very least, not let the certificates expire like they did. That would be a good start, but others in the tech scene feel differently. I don’t wish to get into that argument as it’s just past where I have experience and detailed understanding, so I can’t really form a solid opinion one way or the other on what method for securing add-ons may be better.

The point is things are back to normal, for me anyway. Awesome. Others are still quite furious over this, and while I can understand their feelings I really think the way they are expressing themselves is juvenile at best. I won’t go into that here but if you read some of the comments, well, yeah. Tact is surely lacking, to say the least.
