A Note to Mozilla
1. The add-on fiasco was amateur night. If you implement a system reliant on certificates, then you better be damn sure, redundantly damn sure, mission critically damn sure, that it *always* works.
2. I have been using Firefox since 1.0 and never thought, "What if I couldn't use Firefox anymore?" Now I am thinking about it.
3. The issue with add-ons being certificate-reliant never occurred to me before. Now it is becoming *very* important to me. I'm asking myself if I want to use a critical piece of software that can essentially be disabled in an instant by a bad cert. I am now looking into how other browsers approach add-ons and whether they are also reliant on certificates. If not, I will consider switching.
4. I look forward to seeing how you address this issue and ensure that it will never happen again. I hope the decision makers have learned a lesson and will seriously consider possible consequences when making decisions like this again. As a software developer, I know if I design software where something *can* happen, it almost certainly *will* happen. I hope you understand this as well.
76 thoughts on “A Note to Mozilla”
I’d give you gold if I had any to give.
> The issue with add-ons being certificate-reliant never occurred to me before. Now it is becoming very important to me. I’m asking myself if I want to use a critical piece of software that can essentially be disabled in an instant by a bad cert. I am now looking into how other browsers approach add-ons and whether they are also reliant on certificates. If not, I will consider switching.
Beyond the “bad cert” issue, I’m kind of unsettled now by the idea that someone I do not know can decide for me for whatever reason what I can or can not install on my browser. ( edit: retroactively even, that’s dystopian level type stuff)
As a side note, how would it work if I coded my own add-on and wanted to share it around with friends?
I’ve been a long time proponent of Firefox over other browsers…but with how things are going anymore I really struggle to recommend it to other people. First they nuke 90% of the addons I used to make FF better than other browsers, now the ones that I still use don’t work because of this silly oversight…if this keeps up I unfortunately will have to look into making another browser my main. That’s two strikes…I WANT to love you Firefox, please don’t be shitty.
They claim to have a fix. I’ll see if this claim is at all realistic when the download is available from their download page. As of now, it is still 66.03, not the claimed 66.04.
I never install from “drop-down menu alert”.
It’s like installing from an addon that is not signed.
I would’ve been fine with the whole thing if there were a way for typical users to say “no, this is fine”. And for expiration of currently installed add-ons to be handled more gracefully than, say, trying to install a new add-on with a bad cert.
+1 I just installed an xpi hotfix because all other methods were not working. This hotfix came from an unknown url on googleapis someone posted on ghacks. It worked but I have no idea what was in the xpi, which is also not showing up in my addons. Seems to me, the `xpinstall.signatures.required` setting would have been far safer than installing a mysterious addon and would have fixed this problem quicker, saving me 2+ hours of headaches. At this point, I’m exasperated and really dgaf what that xpi did/does. This experience brings me so much closer to forsaking FF forever and switching to a more rational browser experience.
Are you actually arguing against certificates that expire? That is insane. Yes, someone screwed up here and they need to take steps to make sure it doesn’t happen (yet) again, but the idea that it’s bad that add-ons are “certificate-reliant” is laughable.
Now, I don’t really understand the point of checking certificates for something *after* it has been installed. That seems unnecessary, but it is absolutely critical for average end users when installing them.
For this reason alone I no longer have my parents on Firefox. They aren’t tech-savvy enough to understand why all of their add-ons broke and how to fix it.
Really didn’t want to, but I’ve got them using Chrome now.
This is so sloppy, I don’t even know what to say.
Edit: downvote all you want. When my parents live 100 miles away and they get a tech problem, I’m obviously not always convenient for support.
This was Mozilla’s last mistake. I’m not going to use them anymore. Was a user since 2.0.
I think this highlights the danger of walled gardens. We have become accustomed to them because of the App Store. This shows what happens when one link in the chain fails. We are left with broken software at best or unusable software at worst.
Systems like this must have switches that can ‘open the gate’. The issue is if bad actors also exploit the gate.
Google probably uses a similar system too.
Think the note can be pretty simple.
Get your sh*t together.
That is it.
>I am now looking into how other browsers approach add-ons and whether they are also reliant on certificates.
Safari, Chromium based browsers all use signature verification. If you don’t want to use it in Firefox, use Firefox developer edition.
I’m evaluating my browser of choice. This has gone on long enough.
First Asstralis, now this.
Yes, more whiny posts. Keep them coming. We certainly haven’t read them the whole fucking day.
So what if I’ve got the study installed, and my @#$@#@# add-ons still don’t work?
I will not abandon Firefox; I firmly believe that there should be a strong alternative to Chrome/Chromium at all cost. But then again, this whole debacle gave me a warning sign, so I now have Brave as my backup browser, just in case. The problem has been solved for me and many others as I saw it, but I hope Mozilla will learn from this ordeal and at least let power users have more control over their browser.
100% concur. This kind of thing **cannot** happen.
The worst part about this is that most people won’t even begin to try to understand what caused the problem, and will simply switch to Chrome because their browser stopped blocking their ads.
I’m also a user since 1.0 (15 years?). Today I installed ungoogled-chromium and uninstalled Firefox.
There’s still no update, nearly a day and I’m still missing my addons, wt. This should have been fixed with a patch within an hour.
It is a pretty bad look, but for some reason the bug hasn’t affected me at all (not sure why). Certs are definitely a blessing and a curse, however from devs point of view mostly a curse lol
I 100% agree. I’ve used Firefox since version 1 as well.
I never even considered using anything else.
Not sure what I’m going to end up doing now. FF has been getting slower and slower, but I don’t really trust Chrome and there aren’t enough good extensions for Edge, so IDK. I wish Firefox would just stop sucking so much now.
They need, and I cannot stress enough, ***need*** to give power users an option to have this locally configurable. I understand normal users are the reason they did this, but a fuck up this bad **with no way to revert the changes** other than downloading an alternate version is ludicrous. I tell my system what to do, not the other way around. I don’t care how they hide it, I need this option from now on because it’s obvious I can’t trust Mozilla to not nuke my addons.
So I guess I need to ask for recommendations for other browsers now. I’m still going to use FF for the time being, but I couldn’t for most of today. I’m sure as hell not going to use Chrome or anything from Microsoft, what else is out there for Windows users?
Is it weird that my ublock / https / and badger seem to be fine and operating normally?
>I have been using Firefox since 1.0 and never thought, “What if I couldn’t use Firefox anymore?” Now I am thinking about it.
Funny because I’ve been thinking that ever since I was forced to start relying on extensions for basic functionality like a status bar, and then especially once they completely removed my ability to have a browser configured the way *I* want and forced me to hand-edit a fresh userchrome file *every single update*.
Mozilla went off the deep end of deciding their users should only ever be allowed to use firefox exactly the way *they* feel is best.
Not one of them had a note in their calendar that *the* critical certificate needs to be updated.
“Oh, I see the add-ons certificate is about to expire. I’m sure Fred the cleaner, or Joan in security, or Bubbles the concierge has it under control; it’s not my job.” echoed around the building from each office on each floor.
I don’t mind mistakes, we all make them, but this is just a level beyond.
/u/vergestommy noted that there was even a Firefox announcement in the release notes about the add-ons failing today.
Fully agree. I even deleted the theme I made years ago from the add-ons website thinking it wasn’t compatible anymore and it was all Mozilla’s fault. Now I re-uploaded it again but add-ons approval got put on hold till they finish fixing the certificate issue.
Good thing I had a signed copy of the xpi file of my theme on my PC so I just dragged it to firefox window to install it and have it back till my re-upload gets approved.
If addons are so dependent on certificates, does that mean if Firefox isn’t connected to the internet for a long time, the addons will stop working? Or are the certificate timings, offline?
Making a hotfix rely on the studies program (which has been used to ship malware in the past), which then also doesn’t install instantly but could take up to six hours?
This kind of thing isn’t acceptable for professional software. It’s a joke.
I’m done with this shitty assed browser. On to chrome. Firefox has fucked up for the last time.
I don’t think an expiring certificate was the problem. I have signed tons of code, and it continues to work after the certificate expires.
The correct way to sign code is to use a timestamp server, which can verify that the certificate was valid at the time it was signed. This way, signed code works in perpetuity, but the ability to sign new code stops when the certificate expires.
If you sign code and choose not to timestamp it, the certificate will be checked for validity at the current time, and not at the time it was signed. When this happens, code fails to execute once the certificate expires – which appears to be what is happening now.
Everyone is arguing that they should have renewed the certificate, but that should not have been something that needed doing. If this is not the case (and this happened by design), it means that old Firefox builds will simply stop running after a year. I know it’s a bad idea to run old builds, but that’s one of Stallman’s software freedoms. We should be able to run the software freely. If I get nostalgia or want to test for backwards compatibility with an old build, I should be able to and take the risks upon myself.
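An added example (not the commenter’s code, and not how Firefox itself verifies add-ons) that models the two verification policies the comment above contrasts: a verifier that re-checks the signing chain against the current clock, and one that honors a trusted timestamp and checks the chain as of signing time. All certificates, dates and add-on names are constructed; the chain shape (leaf, intermediate, root) is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedAddon:
    addon_id: str
    chain: List[Cert]                      # leaf first, root last
    trusted_timestamp: Optional[datetime]  # token from a timestamp server, or None


def chain_valid_at(chain: List[Cert], when: datetime) -> bool:
    """Every certificate in the chain must cover the evaluation instant."""
    return all(c.not_before <= when <= c.not_after for c in chain)


def verify(addon: SignedAddon, now: datetime, honor_timestamp: bool) -> bool:
    """Decide whether an already installed add-on's signature is still accepted.

    honor_timestamp=True models a timestamp-aware verifier: the chain only has
    to have been valid at the trusted signing time. honor_timestamp=False (or
    an add-on that was signed without a timestamp) models re-checking the chain
    against the current clock, so an expired intermediate disables it.
    """
    if honor_timestamp and addon.trusted_timestamp is not None:
        return chain_valid_at(addon.chain, addon.trusted_timestamp)
    return chain_valid_at(addon.chain, now)


def disabled_addons(addons: List[SignedAddon], now: datetime, honor_timestamp: bool) -> List[str]:
    """IDs of add-ons a verifier with the given policy would disable at `now`."""
    return [a.addon_id for a in addons if not verify(a, now, honor_timestamp)]


# Constructed PKI: one intermediate signs every add-on, so its expiry is the
# single point of failure the thread complains about.
ROOT = Cert("root-constructed", datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
INTERMEDIATE = Cert("addon-signing-intermediate-constructed",
                    datetime(2017, 5, 4, tzinfo=UTC), datetime(2019, 5, 4, tzinfo=UTC))


def leaf(name: str) -> Cert:
    return Cert(name + "-leaf", datetime(2018, 1, 1, tzinfo=UTC), datetime(2021, 1, 1, tzinfo=UTC))


SIGNED_AT = datetime(2018, 10, 1, tzinfo=UTC)  # constructed signing time, within every window
TIMESTAMPED = [SignedAddon(n, [leaf(n), INTERMEDIATE, ROOT], SIGNED_AT)
               for n in ("adblocker-constructed", "tracker-blocker-constructed", "theme-constructed")]
UNTIMESTAMPED = SignedAddon("no-timestamp-constructed", [leaf("no-timestamp"), INTERMEDIATE, ROOT], None)
ALL_ADDONS = TIMESTAMPED + [UNTIMESTAMPED]

NOW = datetime(2019, 5, 4, 12, 0, tzinfo=UTC)  # constructed: half a day after the intermediate lapsed
DAY_BEFORE = NOW - timedelta(days=1)

if __name__ == "__main__":
    print("clock-based policy at NOW:", disabled_addons(ALL_ADDONS, NOW, honor_timestamp=False))
    print("timestamp policy at NOW:  ", disabled_addons(ALL_ADDONS, NOW, honor_timestamp=True))
    print("either policy a day before:", disabled_addons(ALL_ADDONS, DAY_BEFORE, honor_timestamp=False))
```

Under the clock-based policy every add-on signed under the lapsed intermediate is disabled at once, which is the cascade the thread describes; under the timestamp policy only the add-on signed without a timestamp is.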
Yesterday was the straw that broke the camel’s back for me.
Suddenly all my extensions were disabled without warning.
I am tired of struggling with these issues. The release cycle seems to be optimized to release as many versions as quickly as possible with no common sense consideration to allow extension developers to make their extensions compatible.
I didn’t care that Firefox was slower and uses more battery and is slower with Google Docs. I really can’t understand what their strategy is. Looks like self-sabotage to me.
Edit: I guess I came to the wrong sub and was downvoted for not thinking firefox is our savior
Had this happen to me on mobile and only ublock got disabled. Can’t wait for my phone to get slowed down and hijacked with five thousand fake virus warnings.
Last year it was discovered Stylish was stealing user data by implementation of new owners. The extension was pulled and blocked. I’m not certain this involved revoking the certificate, but what I do know is extensions may become malicious for any number of reasons, so I’m not against strict protection. All I care about is that the certificate system works right, without the need for workarounds which casual users could be tricked into using.
My $100 donation for Mozilla this year is staying in my pocket. This debacle has made me $100 richer — thanks, Mozilla!
Yop – I’m not computer illiterate though I’m not an expert, I can know that maybe extension X comes from a very reliable source, and really I should have the option to enable it regardless of the signed status. It would be at my own risk, of course, but I really think I should have the right to take that risk….
Better would be
>This extension is not signed and has been disabled by Firefox. [Remove] [Find Updates] [Enable Anyway] *WARNING ENABLING THIS EXTENSION COULD SERIOUSLY HARM YOUR COMPUTER*
With some more dramatic confirmation page(s)
Over Mama Firefox deciding what is good for us.
I have been using Firefox since day one of Netscape, something like 15yrs+ ??
And this shit with addons since v56.0.2 has made me lose faith in Firefox and now this shit show with the certs!!??!
I’m looking at setting up Chrome as I type this and will be jumping ship.
All software ends up with mistakes occasionally. Yes they should be minimal and should not happen on such a large scale. But damn, everyone is acting like Mozilla came and shot their dog on purpose.
Mistakes happen, the company is reputable and doing great things and resolved the issue. No chill in this day and age.
Remember, Firefox is an open source project of a Mozilla Foundation, not a big enterprise.
Also consider not having a single-point-of-failure for ad/malware blocking. As well as browser extensions, which are also useful for removing the blank space, having redundant solutions like peerblock or blackhole list router-level is a prudent thing to do as well. Also, consider where and when you update lists. Using different lists and updating at different times adds redundancy as well.
I really can’t get worked up over this, I find it mildly amusing and in any case my browser is back to normal now. I do however agree with pt 1. This is as silly as organizations letting critical domains expire.
Market Share 9.63%
They should add in the ability to disable their stupid protection in the first place for just this reason. I should be able to disable certificate requirement without installing a nightly or dev version.
These people get paid, right? like this is their job? As in they get paid to put out good work? Absolutely ridiculous.
Should send them back to CS101.
This reminds me the few seconds where [Google.com](https://Google.com) was owned by someone not Google a few years ago.
Here is a [link](https://www.businessinsider.com/this-guy-bought-googlecom-from-google-for-one-minute-2015-9) for the ones curious about it.
I noticed no issue with add ons on my phone or desktop.
I just instantly deleted Firefox and started using Chrome. I didn’t know what was going on; all I knew was my ad blocker didn’t work anymore and I couldn’t get another.
Just got the latest beta for 67 (beta 17) and it fixed the issue!
This is also affecting Tor – although extensions that were pre-installed with Tor are still activated.
What the *actual fuck*?
I’ve been using Firefox since like 3.0, probably even a lower version. I’ve never been more disappointed in my life.
It’s been, what, 2 days already. Fucking fix it.
Part of me feels like it was intentional to clear out users running older versions, but I can believe it’s just incompetence because this is the same shit that happened with Oculus last year. Though with Oculus the program couldn’t even run so they had no way of releasing an update.
@mobile users: use Firefox focus for now to get ad blocking
I almost uninstalled firefox. But that devtools script temporarily fixed it. What is the point of using a browser with no adblockers.
My addons only just now got disabled, and trying to reinstall them just says it failed due to a connection error.
Take time to check out my first attempt at a lofi beat https://youtu.be/G6bQqAxeg-Q
I still don’t understand what has happened. My firefox never lost any of the add-ons.
> if I want to use a critical piece of software that can essentially be disabled in an instant by a bad cert.
Normally, if an addon had a bad cert you could just install some alternative addon if you could not wait for an update. The system was designed so that addon devs would need to keep their software up to date semi-regularly.
But the problem in this case wasn’t one bad cert. The problem was because virtually every certificate had expired or failed to register properly. Even visual themes could not be installed. This is what completely broke the system.
I warned people on this sub that the “idea” that you could just have as the default option to crash a browser (in nightly for example) to force people to update their browser is just plain fucking retarded, literally taking the Windows 10 approach that Microsoft had at the start.
This is why nobody considers computer science a real field of engineering outside of morons in the industry, and I’m studying computer science. These kinds of retarded decisions, which years ago would have had the king executing everyone who had been involved, are just unacceptable, and it seems like as years pass people in the tech industry believe that they have more and more rights to force users (the ones who are actually paying you) to do shit they don’t want to do. Bunch of spoiled assholes.
I’m switching to pale moon because it has rss feed which mozilla decided that I didn’t want, and the old themes that mozilla also decided that I didn’t like.
Go downvote me again like you did before for pointing out that forced updates are something incredibly stupid, go ahead.
Such a huge fuckup from Mozilla! Was that some inside job from competition (Google)?
Yea, what an amateur failure.
Wouldn’t happen at Google, that’s why they’re so strong with all these damn resources.
DLed the “[email protected]” that’s linked everywhere atm.
Yet my addons are still disabled. Quitting and restarting Firefox did not help.
Only method that’s worked so far is the extensions.json workaround and even then that’s only temporary.
This is with Win10 + Firefox 59.0.3, guess I’m going to have to wait for the actual fix
> I have been using Firefox since 1.0 and never thought, “What if I couldn’t use Firefox anymore?”
Never? Not even when Firefox Quantum massacred all the legacy addons?
Strangely, I’ve been using Nightly for almost a year and didn’t have any problems with add-ons at all…
Remember when “Mozilla” meant openness, privacy and security?
I had been a Netscape/Mozilla/Firefox user for 23 years and I was pretty happy with this decision – the alternatives were always much worse, no matter which weird design decision Mozilla decided to implement. However, the first thing I did when I came home yesterday was uninstalling Firefox.
Mozilla Corp., the company behind Let’s Encrypt, a CA which lets you renew your certificates *every few months* for no obvious reason, has noticed that certificates expire sometimes. Their unnecessary enforcement of add-on signing (which was nothing but a disadvantage for both users and add-on devs), however, automatically invalidated all add-ons, putting us all in danger.
Now their “fix” is to enable Normandy which is a remote control software.
A **remote control software**.
We can only have a *secure browser* if we are willing to participate in a *botnet*.
Honestly, Mozilla, that’s it. I’m leaving you for good. Thank you for most of the past 23 years, but you have changed. You have changed too much.
They are digging their own grave is what it is. Trying hard to compete with Google when being Mozilla/Firefox and offering something more and different was great. No, they strip features, kill addons and now break them all too. Sadly even M$ has given up on making their own web browser despite Edge… well what’s the issue with Edge? (sure I suppose no addons or minimal etc. but as basic web browser it’s fine although not as resource light as FF) Now M$ switching to Edgium a renamed Chrome just like everyone else has done despite Chrome being one of the worst browsers there is, insanely resource hungry, blurry text with no clear rendering option (not anymore, nor for years now).
After installing the latest beta build of FF 67 (beta 17) late last night my add-ons started working again, no issues and no studies installed.
I think Mozilla should implement a system that bypasses certificate checks on the user’s request if certificates cannot be verified for whatever reason. At the end of the day, I didn’t get online much yesterday as Mozilla worked to fix the issue and in all honesty, it was quite nice. lol
I’m ootl what happened?
So where’s the apology/explanation from Mozilla. Not even a mea culpa from the Mozilla Mountain. This is a PR nightmare, not to mention a monumental fuckup on the part of party or parties unknown in Mozilla. It will be/should be a huge hit to their user base but, sadly, there isn’t a competent replacement. Sigh
Firefox 1.0 was called Mozilla and I’ve been using Mozilla since it was called NetScape Navigator. And these kinds of screwups combined with the dearth of decent alternatives is exactly why NetScape was able to eat Microsoft’s lunch. Mozilla is now just as bad as Microsoft. They aren’t listening to users anymore and they’re making the kinds of mistakes bloated companies make routinely.
Add on thing got fixed real fast, so yey
(The following is not praise or condemnation of the certificate mechanism, simply a small explanation of what problem I believe they were trying to solve.)
1. Problem: Users see a box pop up in their browser UI which says [Cancel] [Install] and choose [Cancel]. It gets rid of the box, but it comes right back. They click [Install], it goes away. Malware authors can exploit lazy users who just want to get back to work.
2. Solution: Introduce a timer on the addon installation box to hopefully force users to read.
3. Problem: They don’t.
4. Solution: Prevent users from installing addons from anywhere outside AMO using certificates.
Mozilla won’t change this policy, it is the best solution they’ve found to the incredibly vulnerable attack vector addons provide. Mozilla also doesn’t want users to disable signature checking and open themselves up to that vector again.
So, the best plan of action is to own up, fix ASAP, and do better in the future.
I just want to make a small note: on my main PC the issue “resolved” after the study activate thingy. On my laptop, which I DIDN’T TURN ON FOR ONE WEEK, the first thing I noticed after opening Firefox for the first time: all addons disabled. This is so fishy it smells. 🙂
Okay… I’m thinking this is not what we are being lied to about by Mozilla. This whole thing smells like a successful Chinese hack and Firefox is refusing to admit it because of loss of revenue and users. And it stems from a dispute originating from the time back when Firefox came onto the scene as competition for lots of other browsers. This was too clean and efficient to be just a glitch… maybe calling it a gritch would be more accurate.