back to article Firefox armagg-add-on: Lapsed security cert kills all browser extensions, from website password managers to ad blockers

On Friday, Mozilla detected a great disturbance in its Firefox browser, as if millions of voices had cried out on social media in annoyance. Every single web extension, theme, search engine plugin, and language pack had stopped working with netizens' Firefox installations, potentially stripping any data and settings associated …

  1. Long John Baldrick

    Faith in Firefox ESR...Not

    I run FF ESR because I want some stability in my UIs. Yes I am a dinosaur, missing VMS(but not APL or PL/1).Go ahead and fix the bugs or enhance performance, but please leave an option to use the older UIs. Some of us hate tiles.

    1. gnarlymarley

      Re: Faith in Firefox ESR...Not

      but please leave an option to use the older UIs. Some of us hate tiles.

      Hence why some of us moved on from firefux. If I really wanted to use IE or edge, I would have changed to those applications. Using alternates such as opera or seamonkey can allow one to keep their old UI look. (Well until firefox convinces those to change their looks "and functionality" too.)

      1. BillG
        Facepalm

        Re: Faith in Firefox ESR...Not

        "We are very sorry for the inconvenience caused to people who use Firefox"

        Inconvenience? Stubbing your toe is an inconvenience. Wiping out people's hard work is incompetence.

        This is why I use Firefox 56. It's the last FF release before FF became Chrome.

    2. Anonymous Coward
      Anonymous Coward

      Re: Faith in Firefox ESR...Not

      One of the nicest things about VMS was the design philosophy of austerity. A window showed only what the user required - not all kinds of weird colours, animations and - God help us! - sound effects.

      That helped to keep everything as simple as possible, which of course improves reliability. Good from the point of view of those of us who just want to get work done, not pretend we are watching TV or attending a psychedelic concert.

  2. John 104
    Trollface

    "We are very sorry for the inconvenience caused to people who use Firefox"

    So a pretty small list then? I kid I kid!

    But seriously, how do you not catch an intermediate cert expiration date?

    1. Anonymous Coward
      Anonymous Coward

      'But seriously, how do you not catch an intermediate cert expiration date?'

      By thinking you are doing everything right but not bothering to double check?

      By being arrogant to the point you think your work is always right and doesn't need to be checked?

      By just not caring what crap you push out the door?

      I don't know the answer, just a few guesses.

      1. chivo243 Silver badge

        As an aging IT admin, the years fly by, I can see how somebody *singular* could say it's good until 2019! that's for next year! But for an entire department at a large organization like Mozilla?

        1. Mark 85

          But for an entire department at a large organization like Mozilla?

          "Yeah, we're a large department. But the guy who did that quit last year and we haven't replaced him". Or some answer like that.

          1. Anonymous Coward
            Anonymous Coward

            "The guy who did that quit last year and he only took it on because nobody else did it so it was never formally part of the job description and nobody noticed when nobody took it over."

            AC because I've had to clean up after one of those...

          2. Anonymous Coward
            Anonymous Coward

            "But the guy who did that quit last year and we haven't replaced him".

            That is the responsibility of the relevant manager. That's essentially what managers are for: to make sure everything gets done.

            1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          "an entire department at a large organization like *Ericcsson* ?"

          https://www.theregister.co.uk/2018/12/06/ericsson_o2_telefonica_uk_outage/

          December 2018. Loss of service for millions of end users. Certificate(s) expired and no one saw it coming (allegedly - real-world experience suggests multiple people would have seen it coming on multiple occasions but were ignored by Manglement because "that could never happen, we have processes in place").

          1. Anonymous Coward
            Anonymous Coward

            Re: "an entire department at a large organization like *Ericcsson* ?"

            "...ignored by Manglement because "that could never happen, we have processes in place".

            And there you have it. No manager must EVER think (s)he can delegate responsibility to a process, a person or a computer system without checking at appropriate intervals that everything is being done right.

        3. DuncanLarge Silver badge

          Thats a moot point.

          If you work in IT you know how you can get a computer to remind you when to renew a cert.

          Our system constantly emails us till the certs are renewed and anyone can do it using a calendar reminder.

          It really aint that hard. Its like putting dinner in the oven and just sitting in the next room till you smell smoke. Then the fireman points out the countdown timer on your smart watch, not including the one on the oven itself. Oh and the Alexa in the corner can set countdown timers too!

          Its plain common sense. There is simply no reasonable excuse other than sorry we f*cked up and forgot to set a reminder.

          1. Brewster's Angle Grinder Silver badge

            But the emails were all going to the guy who left. He probably told management, but it got overlooked, lost or forgotten. And anyway the next person hasn't been hired yet. (Or has only just "discovered" it was their responsibility.)

            Human beings: we're always finding new ways to reinvent old mistakes.

            1. Dave559 Silver badge

              This is why we have 'role' email addresses, which always go to at least two separate people.

              Anything that is ever the responsibility of just one person has a pretty serious "bus criticality factor", regardless of anything else that might happen, and represents an organisational failure.

              (And it certainly doesn't hurt to have stuff of this level of criticality in at least two separate calendar or reminder systems as well.)

              1. Fred Goldstein

                Yes, but if it goes to two guys, and both get it, then they'll both think that the other guy will do it...

              2. Kabukiwookie

                Send email to the mail interface of the incident ticketing system, so a ticket is created, which in turn winds up in a team queue.

                Unfortunately I have worked in very few organisations that actually have mature business processes, let alone maintain them.

          2. John Brown (no body) Silver badge

            "If you work in IT...and the Alexa in the corner"

            Aren't they generally exclusive statements in these here parts?

    2. Anonymous Coward
      Anonymous Coward

      "But seriously, how do you not catch an intermediate cert expiration date?"

      Having a database of certificate used, and some software checking for expiration?

      Anyway, good warning about relying too much on a browser to run too much stuff. I've been impacted, but just for ol' browsing needs.

      1. Mark 85

        Re: "But seriously, how do you not catch an intermediate cert expiration date?"

        Having a database is fine. Having someone check the database regularly (weekly maybe?) and actually be able have finance cut a check is totally different matter.

        1. DuncanLarge Silver badge

          Re: "But seriously, how do you not catch an intermediate cert expiration date?"

          "Having someone check the database regularly"

          Sorry. Its a database, not a spreadsheet. Why would anyone need to check it? Write a stored procedure that gets executed every week to check for expiry and email or report to the concerned persons.

          This is the computer age after all. You only need a human to check its still working every now and then and fix it when its not, Even then that human can be alerted to the fact it aint working by a totally free monitoring solution like Zabbix. Heck you just need Zabbix to ping the database server, check the database service is running, what the hell, have it even run the SP and email you the results!

          1. JoelLkins

            Re: "But seriously, how do you not catch an intermediate cert expiration date?"

            > Write a stored procedure that gets executed every week to check for expiry and email or report to the concerned persons.

            Who are these "concerned persons"?

            What happens when they leave the company and no one knows to update the stored procedure [sic] with the new email address?

    3. Anonymous Coward
      Anonymous Coward

      How do you not catch a cert expiration?

      By having appropriate checklists, and making it someone's primary responsibility to make sure they are followed to the letter. And of course by making sure that person has at least one stand-in should they be ill or on vacation.

  3. alain williams Silver badge

    Oh ...

    I can see all sorts of adverts down the side of El-Reg pages ... never seen them before!

    It actually feels un-nerving to know that I am leaking all sorts of info as no-script, cookie-auto-delete & others are not protecting me :-(

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh ...

      FFS El Reg,

      Let those of us who want to fund you have a mechanism to do so.

      I will will always do my best to block adverts and tracking and you know that.

      El Reg gets no exception, you know why.

      I will pay you, just not by sacrificing my privacy.

      1. bazza Silver badge

        Re: Oh ...

        Seconded - I'd happily pay a sub too!

        1. cornetman Silver badge

          Re: Oh ...

          Me also, as I have said somewhere. Sort out something on Subscribe Star or Patreon or something.

          Just do it.

          1. tin 2

            Re: Oh ...

            +1 for this thread. Never ever will I allow ads. But I will pay you money that surely must be better than the millipence you'd get paid for me seeing ads.

    2. vtcodger Silver badge

      Re: Oh ...

      I can see all sorts of adverts down the side of El-Reg pages ...

      Hmmm. No advertisements here. But I use a hosts file from http://winhelp2002.mvps.org/hosts.txt to block ads.

      Does that information help you in any way?

    3. A.P. Veening Silver badge

      Re: Oh ...

      It actually feels un-nerving to know that I am leaking all sorts of info as no-script, cookie-auto-delete & others are not protecting me :-(

      Just get yourself a Pi-Hole, that is browser independent and with proper set-up will protect everything on your home network.

    4. e^iπ+1=0

      Re: Oh ...

      xpinstall.signatures.required false fixed the problem for me over the weekend.

    5. chivo243 Silver badge

      Re: Oh ...

      Ads you say? Once in a blue moon, I see ads adorning the sidebars. I guess PiHole is working like it should, along with Ghostery, StopSocial and a few others.

      Disclaimer: FF is not my day to day browser.

  4. jake Silver badge

    For the record ...

    ... near as I can tell, nobody actually lost anything[0], they were just incapable of accessing it for a couple days.

    [0] Unless, of course, they panicked and tried the Redmond-approved "delete it all and reinstall" method of data recovery BEFORE actually understanding what was going on ...

    1. NotBob
      Headmaster

      Re: For the record ...

      I mean, I moved to another browser on several machines, so they lost a user...

      1. yoganmahew

        Re: For the record ...

        Yeah, me too. Moved to Brave. Quite like it.

        This was the last straw for me, a bunch of extensions I used didn't make it past the "extensions must now be certificate signed"; so I've already spent more time than I really need to trying to find and make extensions that do what I want.

        The whole certificates thing, given the regular expiry, bad actors at state level, and other breaches of the trust chain, seems like so much spoof anyway.

    2. ecofeco Silver badge

      Re: For the record ...

      Yep. Mine was fixed yesterday.

      Minor inconvenience at worst.

      1. Dave K

        Re: For the record ...

        To be honest, my biggest annoyance is that in the interest of "safety", there isn't an override that allows you to say "I dont care if FF can't verify the addon, just enable it anyway". It basically shows that there is a risky side to requiring all addons to be signed...

    3. DuncanLarge Silver badge

      Re: For the record ...

      You obviously didnt read the comments above, where somebody lost work due to a container addon failing.

      Also anyone with uBlockOrigin or noscript lost a lot of their security. People assume that its just annoying adverts that these addons block, what they forget is they block scripts too. The internet is not a safe place. It runs code on your machine, sometimes in your GPU. Sometimes that code is delivered to you hidden in that add banner that ublockorigin WAS blocking yesterday.

      I'm sure many antivirus products also have addons to detect and prevent fishing attacks etc that were also conveniently turned off.

      Running through the internet with firefox over this weekend felt like running nude through a field in the dark knowing that there are bramble bushes dotted about.

  5. jake Silver badge

    Out of curiosity ...

    ... what is a "content blocking add-on", and why would I want to use it? When I go to a website I'm after that site's content. By definition, anything that I choose to block is not exactly what I would call "content", rather its trash, junk, chaff, garbage, crap and what have you.

    1. Gene Cash Silver badge

      Re: Out of curiosity ...

      > what is a "content blocking add-on"

      Because obviously Google defines the ads as the content.

      Edit: seriously though, I use element helper to block things like those very large intrusive non-scrolling navigation headers/footers, and video auto-play.

    2. Phil O'Sophical Silver badge

      Re: Out of curiosity ...

      I go to a website for the content I want to see, but not necessarily for all the content it wants to foist on me.

  6. Chris Gray 1
    Meh

    Easy work-around for many

    Saw this a couple days ago on Slashdot. A work-around shown there is to go into about:config and change xpinstall.signatures.required to "false". Apparantly that doesn't work for folks with artificially restricted versions of Firefox (Windows/Mac? - I forget). It worked fine for me on Linux. When a fixed version comes through from Ubuntu, I'll flip it back (not that I'm likely to install any extensions other than "NoScript"!)

    1. jake Silver badge

      Re: Easy work-around for many

      That worked. Another work-around is to set your system clock back. (As I reported here.)

    2. N2

      Re: Easy work-around for many

      Tried that but did not work.

    3. TrumpSlurp the Troll

      Re: Easy work-around for many

      That worked on my Android tablet but seemed to really slug page load times.

      Turned it off again and just ignored the screen trash.

    4. DuncanLarge Silver badge

      Re: Easy work-around for many

      Just dont forget to reset it back to true when the issue is fixed! Otherwise you will be unprotected by the certificate signing checks.

  7. A Non e-mouse Silver badge

    Why so long?

    If the issue was "just" an expired certfificate, why did it take so long to roll out a new Firefox version with a new intermediate certificate?

  8. N2
    FAIL

    If I remember correctly

    This very nearly happened to Mozilla about 2 years ago when a certificate was close to expiration - please correct if not

    It would appear they learned nothing from this.

    I also had to poke around their website for quite a while to try and discover what was really going on.

    Not good enough really.

    1. Oldgroaner
      Thumb Up

      Re: If I remember correctly

      Ghacks was very quick off the mark with this one -- I was alerted to the problem before it hit me and so didn't waste time trying to figure out what happened. The screen garbage that appeared when deprived of UBlock and other essentials was a revelation.

  9. Anonymous Coward
    Anonymous Coward

    A silly basic error but certainly not worthy of all the 'OMG!!!!!' SUPER annoyed - moving to chrome' hysteria from the merkins, no-one died, read the temp. fixes (xpinstall.signatures.required to 'False', identified pretty early on), download 60.6.2 for ESR, 66.0.4 for Android, revert the xpinstall.signatures.required to 'True'. Carry on as before.

    1. HereIAmJH

      The xpinstall.signatures.required doesn't work on 'release' versions of Firefox. If it's working on Linux, it's likely built using the developer build settings. It did NOT work on my Arch Linux. It also doesn't work on my Windows machines. For the most part I resolved my problems by changing to Opera. My only problem system is my work machine where I have to wait for IT to roll out an update. Currently I have 60.6.1esr and no word when we'll get updated.

      And the issue here isn't the expired certificate. The issue is that users aren't trusted to manage their own hardware, so Mozilla made decisions for us that we didn't want and it bit them. Every release should have had the ability to turn off add-on signature checking, particularly on add-ons that are ALREADY INSTALLED.

      1. Anonymous Coward
        Anonymous Coward

        Well i'm using ESR on Windows, the 'xpinstall.signatures.required False' Does work (I found it within seven minutes of the issue occuring), it also worked on Firefox for Android so.....

        I find it Ironic that when the issue is, say, router firmware, Users shouldn't be trusted and firmware updates should be pushed by the manufacturers, but when it's browsers, we're all grown up enough to be able to determine if extensions / addons can and can't be trusted without Firefox curating them for us...

        So move to Chrome-by-another-name... good luck with that!

        1. Mage Silver badge
          FAIL

          Firefox madness

          The UI and settings are so crap I now use Waterfox, but they are too lazy to bother doing a 32 bit version. So the 32bit gear, or 64bit Atoms that MS can only run 32 bit Win10 on can only have Firefox.

          1. oiseau
            Flame

            Re: Firefox madness

            ... can only have Firefox.

            Sure?

            Was already fed up with Firefox and all it's UI fuckups and this was the last straw.

            Got rid of it and installed Pale Moon 28.5.0 on my Devuan ASCII workstation, works a charm.

            And does reasonably well (some tweaking still needed) on my 1000HE (Atom N280@166/2Gb RAM) on Devuan 32bit ASCII.

            YMMV.

            A.

          2. jelabarre59

            Re: Firefox madness

            The UI and settings are so crap I now use Waterfox, but they are too lazy to bother doing a 32 bit version. So the 32bit gear, or 64bit Atoms that MS can only run 32 bit Win10 on can only have Firefox.

            I also have a problem on my work RHEL7 machine that doesn't have a new enough Glibc. But this likely explains that strange "Extension Disabled" message I had today (for something under current development). Even stranger that FF wouldn't even let me into the settings to disable or delete it.

            But even with this nuisance, I absolutely am ***NOT*** switching to GoogleCrime.

          3. RFC822

            Re: Firefox madness

            I now use Waterfox, but they are too lazy to bother doing a 32 bit version.

            Waterfox is the work of a single bloke, doing it in his spare time, for free. Calling him "lazy" does Alex a major disservice.

        2. Chronos
          Flame

          So move to Chrome-by-another-name... good luck with that!

          [Chrom]ium. It's in every major distro's repo, works well, doesn't spew your PII to GoOgle (disable SafeBrowsing as you would in Fx) and supports uBlock, uMatrix in default allow/blocklist mode and HTTPS everywhere.

          What we really need is a modern day GUI-ified Lynx that supports the useful subset of HTML5, HTTPS 2.0, TLS1.4, granulated javascript control and so on without all the advertising and tracking cruft that browsers tend to come with. Stuff DOM storage, WebRTC, supercookies and Flash - nobody here needs that crap. Oh, and give me an extension in HTTP that reads a list of hostnames/IPs that the browser will never, ever make GET/POSTs to, just silently ignores them. Don't say /etc/hosts because the damned thing still tries to connect to 127.0.0.1 or ::1.

      2. Anonymous Coward
        Anonymous Coward

        'xpinstall.signatures.required False' didn't work if you had 'scenes' (WTF?!?) turned off.

        I had opted for privacy and turned off one of the "tell Moz which NSFW site caused the crash' options that just happened to include 'Scenes', which appears to be a way of pushing out small fixes (normally in response to crashes?)

  10. JcRabbit

    Armagadd-on

    For anyone who thinks 'oh, no big deal, sh*t happens, and it's been fixed already' think about this: thousands of men hours, if not millions, were wasted by Firefox users everywhere trying to determine what had happened and trying to fix the issue themselves. Many lost work (tab manager add-ons) or were unable to continue to work because their password manager add-on was also disabled. Scores lost their add-on settings because they removed their add-ons in an attempt to fix the issue.

    All this because someone at Firefox forgot to renew a cert.

    1. ecofeco Silver badge

      Re: Armagadd-on

      Because in the real world shit does happen and FF's overall record is far better than most software makers.

      This isn't even close in scale to Microshaft's constant and on-going disasters. Not by any stretch of the imagination.

      1. DropBear

        Re: Armagadd-on

        Get a better imagination.

      2. Down not across

        Re: Armagadd-on

        This isn't even close in scale to Microshaft's constant and on-going disasters. Not by any stretch of the imagination.

        Dunno. Exhibiting the "we know better than you, so won't give you a choice" attitude, is like Win 10 updates. Disabling extensions, that were already installed, is step too far. This with the increasingly annoying interface really makes me wonder if Mozilla really wants to drive people away from FF.

    2. veti Silver badge

      Re: Armagadd-on

      Yes, it was a fuckup. As Mozilla has acknowledged, apologised for, fixed to the extent possible, and promised to publish the results of an investigation into. All within three days.

      That's pretty good, I reckon.

      1. Carpet Deal 'em
        Flame

        Re: Armagadd-on

        There doesn't need to be an investigation because we all know what the actual fuckup was: creating a single point of failure by requiring all addons be signed by Mozilla. Keeping the possibility(certainty, rather) that this might happen again is the exact opposite of "pretty good".

  11. mrRabbit
    Coat

    Firefox ?

    Hopefully, I'm still using IE5...

  12. Jon Smit

    Firefox - fur coat and no nickers.

    Not so long ago No Script stopped working without warning, when Firefox was 'upgraded'. From next month Mozilla have decided to block more addons at short notice. I've lost count of the number of addons that have been blocked overnight, the majority of which have never been replaced. Practically every upgrade has cost usability, and list of bugs that have never been fixed gets longer and longer.

    Mozilla boasts about the addons available, the way things are going, there won't be any, which will solve the problem of finding any that work on their site.

  13. Anonymous Coward
    WTF?

    the only add-ons disabled on my Firefox (Linux) ...

    ... were those that dealt specifically with slurping, unwanted ads and some minimal effort - on my part - to maintain some kind of privacy:

    - uBlock Origin

    - Ghostery

    - https Everywhere

    - User-agent switcher

    All of these were disabled. Other add-ons - that didn't deal with privacy - were not disabled.

    I think some additional 'splaining from Mozilla is required at this point, because I do not believe in coincidences. I definitely see a pattern here.

    Also: since when is Mozilla so certain that they can just disable stuff running on my computer without obtaining my consent first?

    1. A.P. Veening Silver badge

      Re: the only add-ons disabled on my Firefox (Linux) ...

      If you want some privacy, I recommend Pi-Hole. It is browser independent and with proper set-up it will protect everything on your home network.

      1. quxinot

        Re: the only add-ons disabled on my Firefox (Linux) ...

        Pihole is great.

        It does not provide the same granularity for having different clients set to block different things, however. Mozilla should be ashamed and embarrassed of this cockup.

        1. jelabarre59

          Re: the only add-ons disabled on my Firefox (Linux) ...

          .Pihole is great.

          It does not provide the same granularity for having different clients set to block different things, however.

          True that. I use BraveBrowser for YouTube because I can block pretty much all the advertising there (**ESPECIALLY** the ones that barge right in mid-video).

        2. DropBear

          Re: the only add-ons disabled on my Firefox (Linux) ...

          Yes but they applied the Facebook defence: they did say they are sorry, so it must be all good now...

    2. Anonymous Coward
      Anonymous Coward

      SNAFU

      "... since when is Mozilla so certain that they can just disable stuff running on my computer without obtaining my consent first?"

      There was a bug report about Stylish and if FF hadn't unilaterally blacklisted it, I'd have simply not known about the full-on slurper that had landed in my machines until "whenever". That whole web of trust itself is no longer as trustworthy as I'm supposed to think. I know now that grandfathered permissions can and will be suddenly and silently exploited. But I have habits and expectations about how a web browser ought to work, and I keep on running stuff.

    3. oiseau
      Mushroom

      Re: the only add-ons disabled on my Firefox (Linux) ...

      ... since when is Mozilla so certain that they can just disable stuff running on my computer without obtaining my consent first?

      Obviously (unknown to me also) since always.

      So I got rid of it.

      A.

    4. PB90210

      Re: the only add-ons disabled on my Firefox (Linux) ...

      "Other add-ons - that didn't deal with privacy - were not disabled. ... I do not believe in coincidences. I definitely see a pattern here"

      I had all extensions disabled, even themes, so I see a pattern and it's probably that you have some that didn't rely on the code-signing cert

      "since when is Mozilla so certain that they can just disable stuff running on my computer without obtaining my consent first?"

      Since they started to take security a little more serious. If code is signed you need to verify the signing and disable the code if you can't. If you simply put up a warning 99.9% of people will simply click OK to get rid of it... as they do with the T&Cs and cookie policies

  14. Anonymous Coward
    Anonymous Coward

    Every single web extension

    at the same time, ad pimps all over the world saw a (momentary) spike in their revenues. Alas! - it didn't last too long. Those few minutes when all the (...) ads in the world tried to eat my lunch all at once made me appreciate AGAIN what a good ad-blocking extension (or a dozen) does: keeps me sane. We're a VERY effective team! (me, my browser, and my browser extensions).

  15. ashdav

    Firefox ?

    Are you still using Firefox ?

    Pale Moon FTW http://www.palemoon.org/

    Take control people.

    1. J. Cook Silver badge

      Re: Firefox ?

      Also, Waterfox.

    2. Anonymous Coward
      Anonymous Coward

      Re: Firefox ?

      Naaa... moved from PaleMoon to Firefox purely because of lack of control - remember PM blocking various addons (ublock origin being one) just because?

    3. Gene Cash Silver badge

      Re: Firefox ?

      Not really... Pale Moon has also done antisocial things like removing fine-grained cookie control (where you get a popup from each new domain asking if you want to block/accept/session-only)

      1. Carpet Deal 'em

        Re: Firefox ?

        The folks behind Pale Moon have done a lot of unjustifiable things(which is why I ultimately dumped it), but removing the baked-in cookie control isn't one of them. I can see why you could be against it, but I have to agree with the argument that almost all cookie-managing addons are better than the browser's handling of fine-grained control(which makes that bit of code just dead weight better removed).

    4. Anonymous Coward
      Anonymous Coward

      Re: Firefox ?

      http://www.palemoon.org/

      can't do html?

    5. Anonymous Coward
      Facepalm

      you said "control"

      But then Pale Moon became irrelevant overnight, very sad

  16. WolfFan Silver badge

    Hmm... nothing here

    I have FF 66.0.3 64-bit installed on this very machine, with 66.04 pending in the queue right now, but my adblockers etc still work. I have, at last check, 66.0.3 64-bit installed on my various home machines, Mac and Windows and one Ubuntu, all add-ons worked over the weekend. As soon as I finish typing this I will update to 66.0.4 which will, allegedly, fix a problem that doesn't seem to be happening around here.

    1. WolfFan Silver badge

      Re: Hmm... nothing here

      And we're back after the update. All add-ons are still working. Will check the home boxes and see if there's any change there, but not for a while.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmm... nothing here

      This was my experience too. No issues at all with any of the 7 add-ons I run which others were having problems with. Was it regional version specific?

    3. Invidious Aardvark

      Re: Hmm... nothing here

      They pushed out a temporary fix via their "Studies" feature. It's possible that you've not locked that side of things down and thus received the fixes before you could notice that anything was wrong?

      There was a bit of a kerfuffle about their suggested short term fix amongst people who have deliberately turned all these features off. Essentially, they were saying that either none of our ad and script blocking add-ons would work OR we could turn on "Send technical and interaction data to Mozilla" then enable Mozilla studies in order to get that crop of fixes (plus whatever other "Studies" they felt like).

      I used the short term fix of loading addons in debug mode (about:debugging -> Load Temporary Addon) every time I started up FF. A bit more work but it avoided any Mozilla slurpage.

      1. Phil O'Sophical Silver badge

        Re: Hmm... nothing here

        They pushed out a temporary fix via their "Studies" feature.

        Which itself raises the interesting question of whether Mozilla can choose to run arbitrary code on my browser without asking first?

  17. Crazy Operations Guy

    "Firefox add-ons, also known as extensions"

    Nope, those two different things. The difference is whether Firefox is calling an external binary or a simply function call. Extensions exist outside of Firefox itself and have access to the OS, just as any executable would. Add-ons operate within a sandbox in the browser itself, and only have very access to what the browser itself grants access to, typically they are supposed to run in an instance-per-tab structure to prevent XSS-like attacks (Although whether they do that or not is something else altogether...).

    1. Havin_it

      Re: "Firefox add-ons, also known as extensions"

      Nope to your nope (though nope to the quote too).

      What you call "extensions" are plugins (e.g. Flash, Java, DRM modules etc). What you call "add-ons" are extensions, apps written in JavaScript targeting the WebExtensions API. These are a sub-type of add-on, the others being themes, search-engines and language-packs.

  18. heyrick Silver badge

    Nice show, Mozilla, well done

    I'm incandescent with rage (as I'm British, that means I'll be mildly sarcastic) as the first I knew about it was when a tonne of spam tabs opened up and apk files (I'm using Android) I never asked for started to download. After some Googling, I discovered the reason for the cause, and I'm shocked (shocked, I tell you, SHOCKED) that Firefox is stupid enough to think that a suitable action upon failing to install an update is to simply mark the add-on as "disabled because" rather than anything halfway intelligent like rolling back to the previous (known working, so don't check it again bellend) incarnation of that add-on.

    Thankfully the fix was simple - change xpinstall.signatures.required to false to get the add-ons back up and running, and then change extensions.update.enabled to false so it won't try to auto update again (because if it bloody left things alone, I'd never have noticed).

    Doing this means my slightly older (v60.something) version of Firefox can also download add-ons from the repository without having to be forced to update to the latest version (released to cure the cock up; though the fact that EVERYBODY now has to go update their version of Firefox, it's almost too easy to come up with a bunch of conspiracy theories)...

  19. Palpy

    Grmph. Noticed this, but a couple of extensions continue to work.

    NoScript, Ghostery, and some others went AWOL. Disconnect and Javascript toggle still work, though, and I'm not seeing ads. So no major pain.

    Bad cess to Mozilla, though.

  20. Anonymous Coward
    Anonymous Coward

    Speaking of Hacker News...

    WTF happened to their website?

    Used to work just fine with JavaScript disabled

    Now I can't even click an article without going into about:config

    Seems like the site is now just one big iFrame

    (Damn shame as I rather liked that site too)

  21. Anonymous Coward
    Anonymous Coward

    This is a relief. I was starting to think that my free trial of McAfee Total Protection that was bestowed upon me had forgotten to function as intended.

  22. A-nonCoward
    Boffin

    Opera?

    I had forgotten good old Opera. Just installed it. I also have Chrome for some websites that simply will not run even if I enable all their nonsense scripts. Had that issue last night trying to reserve a campsite.

    Don't all eggs same basket etc.

    https://www.opera.com

  23. Anonymous Coward
    Anonymous Coward

    The last reasonable stable FireFox (ESR 52.9.0) was spared from amargadd-on

    Remember: the cutting edge is also the bleeding edge.

    There were so many cockups post ESR 52.9.0, that if you are remotely interested in doing actual work,

    you should have been clinging on to the last resonably stable FF (with uBlock origin & NoScript of course).

    1. DropBear

      Re: The last reasonable stable FireFox (ESR 52.9.0) was spared from amargadd-on

      Yup, being out of date does have advantages occasionally. As for the "but but but updates!" crowd, security only comes first for those who don't actually plan to ever use their secure* thing - bricking up my house would be remarkably secure but strangely I prefer my horrifyingly unsecure, breakable glass windows and door-that-actually-opens.

      *still just as insecure as a sieve, but since supposedly nobody yet knows exactly how, it's apparently all good.

  24. Temmokan

    Next time the certificate will expire on April 25, 2020 (correct me if I mentioned wrong date).

    Shall we brace up for the same disaster, just in case?

  25. Shadow Systems

    "We owe both our users..."

    Both of your users?

    Wow! Two whole people? At the same time?

    *Faints in shock*

    *Inserts big, blinky, scrolling, neon, 99 point type, animated emoji SARCASM tag to make sure nobody can miss it*

  26. Anonymous Coward
    Anonymous Coward

    Too much to take in in one hit ...

    1) How can something so singular have such an impact on man-hours ? A custom-crafted Nork virus couldn't have done so well.

    2) It's intriguing that it wasn't a code error or bug, but a 3rd party certificate intended to ensure security. Meaning whatever version of FF you were running you couldn't escape.

    3) Luckily for Mozilla, FF isn't a default browser in CorporateLand (and it's even less likely it will ever be now). However, MS can't afford to be so smug. What would have happened if they'd suffered a problem which rendered all versions of IE practically useless.

    4) On a more personal note, I am amazed anyone can use the internet anymore. If nothing else, this is a terrifying reminder of why my add-ons are all concerned with making browsing halfway decent.

    I imagine there will be some more in depth reporting in the coming days.

    Can I just add my voice to those willing to pay for an ad-free Reg. C'mon guys - you've earned it.

    1. jake Silver badge

      Re: Too much to take in in one hit ...

      "What would have happened if they'd suffered a problem which rendered all versions of IE practically useless."

      Must ... not ... comment ...

  27. Mystic Megabyte
    Unhappy

    WTF is going on?

    I was shocked to find that YouTube has adverts, never seen 'em before!

  28. Chronos
    FAIL

    Eggs, single basket

    Yes, centralise everything so it all breaks at the slightest whiff of a senior moment. Well done Mozilla. Are you going to include two keys with staggered renewal dates in future or have you learnt nothing from this?

    As an aside, it's fairly easy to turn off the signed check in about:config, although it does leave your Extensions page looking like someone threw up a load of dire, bile-coloured warnings all over it. Don't enable studies, though. Yes, sure, just run arbitrary, untested code on my browser - what could possibly go wrong?

  29. Anonymous Coward
    Anonymous Coward

    Hmmm walled gardens, what can possibly go wrong with those ?

  30. Jason Bloomberg Silver badge
    FAIL

    Thanks Mozilla.

    I have a few laptops which run XP because they can't run anything later. Having been stable for years with updates and everything else which could break things turned off I had never considered it would be Firefox which was eventually going to fuck me over.

    Would it really have been so hard to present a pop-up asking ME what I wanted to do about YOUR FUCK-UP rather than just disabling everything, arrogantly presuming that YOU know what's best for ME?

  31. mihares
    Linux

    Use Lynx

    If you don't want to waste as much memory and CPU time to read a junky web page about matter falling into a black hole as would be needed to actually run the simulation.

    By the way, this comment has been written and posted from Lynx, in case you're wondering. which also means tha ElReg is functional in Lynx, which is just cool.

  32. mark l 2 Silver badge

    Interesting not every add on stopped working for me, on my CentOS box running FF ESR the HTTPS everywhere add on was still enabled and working even though no script wasn't. But on my Mint PC with the lastest FF all add on stopped working.

    Simple enough to go into about config and set javascript to false but for users who don't know about these sort of things it was a bit of a fsck up from Mozilla

  33. Spectyr

    Mozilla Meh!!!

    Typical Case of the Lunatics Taking Over The Asylum.

    Firefox (Mozilla) have become arrogant to a degree approaching Micosoft. They foist (no discussion tolerated) restrictions on what, where and how it can be used, mostly "Security" changes that make no sense at all, just done to feed some Geeks feelings of if it can be done lets do it. Pandered to by people who, in their view have perfumed excreta.

    I dont recommend it to my clients anymore. The average Joe simply does not understand the need for continually updating, adding this or that,being lectured on "this will save you losing a leg", or, without any warning removing his favorite Extension or Addon because its "unsafe".

    If you haunt some areas of the net your going to get hit but the current philosophy at Mozilla echoes that of the Nanny State, "We Know Best".Pathetic. Sure its Mozillas product, we get that, but if you put a product into the Marketplace, whether its Free, open source or whatever, your success or failure depends on its acceptance....Mozilla is treading a very fine line at the end of the spectrum where it matters most...the vast bulk of the current users..

  34. tallenglish

    This deserves to be in the Who Me? section.

    Will the Firefox engineer who forgot to check and renew key certificates please stand up.

  35. tallenglish

    It is worse for the updated Firefox 66.0.3

    Now only did we have the certificate snafum but the update auto installs the Baidu Search plugin as well.

    https://www.ghacks.net/2019/04/10/mozilla-releases-firefox-66-0-3/

    I do not want any Chinese spyware installed thank you.

    I am glad I use Ccleaner as it shows what plugins and extensions are installed for every browser - and allows easy disabling of them and the location to permanently delete them.

    What anoys me is these are hidden plugins - and that aint cool.

  36. tallenglish

    Lets not forget, they also borked Tor

    How many people that require anonymity now are compromised because no-script wouldn't load and Tor run javascript that showed their real location.

    Well played FF.

    Adding Baidu Search to the updated FF 66.0.3 adds insult to injury.

  37. Bruce Ordway

    Firefox ESR not safe?

    I was already (pretty) sure that Quantum is not in my future, this latest episode just confirms my feelings.

    In the meantime I've been hanging on to Firefox 56 here - while I look for a more permanent browser solution.

    At least I was able to reinstall Adblock Plus since "the disabling"

    But.... it looks like I've finally lost my layout forever, I have not found a way to recover the Classic Theme Restorer

    It is these little things I find alarming about "my" software.

    Where I'd want a person to announce themselves before entering my home and "improving" it?

    It is getting more routine to see programs changing without any action on a users part.

    Where I once had a blind love for all software... now I mostly see disturbing trends in Windows, Quantum, Chrome, etc...

    1. Bruce Ordway

      Re: Firefox ESR not safe?

      >>Lost.... Classic Theme Restorer

      Recovered!!! https://github.com/Aris-t2/ClassicThemeRestorer/releases/tag/1.7.7.3

      I'm a little embarrassed to find unwanted changes driving me crazy like this.

      I'm usually laughing right along with fellow developers in making fun of the users complaining about "trivial" UI changes that were pushed out.

  38. tapemonkey

    "We owe both our users and ourselves an unflinching post-mortem to make us better in the future," he said.

    Perhaps Joe Hildebrand should go work in Boeing

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like