mdlbear: (technonerdmonster)
[personal profile] mdlbear

If you were using Firefox any time after midnight UTC on Star Wars Day (May the 4th), you probably noticed that all your add-ons were disabled, with the unhelpful message: "... could not be verified for use in Firefox and has been disabled". If you're reading this before 9am or so Pacific time on the 4th they may still be.

This happened because a certificate in the code-signing certificate chain expired at midnight UTC. The same thing happened three years ago, causing today's version to be dubbed "Armagadd-On-2.0".

  • wait for the fix to roll onto your browser. You can look for it by browsing to about:studies and looking for hotfix-update-xpi-signing-intermediate-bug-1548973; make sure that "Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run studies" is checked. (It landed in my browser at 8:18 or so Pacific time.)
  • download and run either the Firefox nightly build, LTS, or developer edition and set xpinstall.signatures.required to false in about:config
  • temporarily switch to Chrome.

This outage highlights a weakness in any security technique that involves code-signing, or indeed anything else that involves the Public Key Infrastructure and X.509 certificates (which is just about everything except SSH and PGP/GnuPG): an expired or revoked certificate can wreak widespread havoc. X.509 certs are used not only for code signing but for TLS/SSL (the protocol behind HTTPS). At this point there doesn't seem to be much that can be done about it in the near term.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.
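
The outage described above came from a certificate higher up the signing chain rather than the leaf, so an expiry check has to cover every certificate in a bundle. The sketch below is an added example, not code from this post or from Mozilla: it relies on `openssl x509 -checkend`, and the function names and the self-signed stand-in certificates (only their validity dates matter here) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag every certificate in a PEM bundle that is expired
# or will expire soon, not just the first (leaf) certificate.

# chain_expiring BUNDLE [DAYS]
# Prints one tab-separated line (file, subject, notAfter) per certificate in
# BUNDLE that expires within DAYS days (default 30). Returns 1 if any do.
chain_expiring() {
    bundle=$1 days=${2:-30}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert01.pem, cert02.pem, ... in bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    found=0
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            printf '%s\t%s\t%s\n' "${f##*/}" \
                "$(openssl x509 -in "$f" -noout -subject)" \
                "$(openssl x509 -in "$f" -noout -enddate)"
            found=1
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# make_demo_chain DIR
# Constructed sample input: three self-signed certificates standing in for
# leaf (365 days), intermediate (1 day) and root (3650 days), written
# leaf-first to DIR/chain.pem. Names and lifetimes are made up.
make_demo_chain() {
    for spec in leaf:365 intermediate:1 root:3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "${spec#*:}" \
            -subj "/CN=demo-${spec%%:*}" -keyout "$1/${spec%%:*}.key" \
            -out "$1/${spec%%:*}.pem" 2>/dev/null || return 1
    done
    cat "$1/leaf.pem" "$1/intermediate.pem" "$1/root.pem" > "$1/chain.pem"
}
```

Run against the demo chain with a 30-day window, only the second certificate (the intermediate) is reported, which is the case a leaf-only check would miss.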

Date: 2019-05-04 04:07 pm (UTC)
From: [personal profile] moem
For some reason, Waterfox on my laptop doesn't have this problem while Waterfox on my Android-ish phone does. I've switched the phone over to Icecat now and it's working fine.

Date: 2019-05-04 08:17 pm (UTC)
From: [personal profile] moem
Waterfox allows legacy add-ons; I wouldn't be surprised if they don't care about signatures. But that doesn't explain why the add-ons are disabled on Waterfox for Android... Oh well, I'll use Icecat for now, and permanently if need be. It's very similar and runs Decentraleyes, Privacy Possum and uBlock Origin happily.
Edited (because I can't write good) Date: 2019-05-04 08:18 pm (UTC)

Date: 2019-05-04 11:28 pm (UTC)
From: [personal profile] madfilkentist
I stayed off the Web, except for a couple of trusted sites, till the fix came through. I just don't feel comfortable without NoScript.

A few days ago I was looking at a NIST site with links to security-related articles. One of those links gave me a warning because of an expired SSL certificate. The site with the expired certificate was the National Cyber Security Alliance. If they can't get it right, who can?

Date: 2019-05-05 02:21 pm (UTC)
From: [personal profile] tagryn
Thank you, useful info and fix.

Date: 2019-05-05 07:17 pm (UTC)
From: [personal profile] quadriviummuse
Thanks for posting about this. I got that message and just assumed I had interrupted an update or something. Firefox wants to update every time I turn it around it seems.
