Question Firefox add-ons disabled

Satan-IR

Distinguished
Ambassador
Has anyone else encountered this? Firefox X64 on Windows 7 disabled some add-ons for lack of signature or something of the sort.

The add-ons were directly installed from addons.mozilla.org and not from a file or anything like that. How does that add up? If they were not signed/approved why were they provided on they website in the first place?!

One of the is the uBlock Origin add-on which is well-known and safe I would say.
 

Satan-IR

Distinguished
Ambassador
Thanks for the reply, I just came across this. Apparently it's an "issue" they are aware of and are dealing with it.

https://support.mozilla.org/en-US/kb/add-ons-disabled-or-fail-to-install-firefox?redirectlocale=en-US&redirectslug=add-ons-failing-install-firefox

They're going to apply a background hot-fix through the Studies system in Firefox. They say explicitly in the notice that no active steps are necessary on the part of the user only to tick the box that activates/allows installation and application of Studies in the Privacy & Security of the Options.

If your is OK probably you have Studies active and it was applied already.
 

Satan-IR

Distinguished
Ambassador
Yes, mine is still not fixed. The notice/blog/post I linked says it might take a few hours.

It also says after it's fixed you can disable it again. I will disable it again after it's fixed. Thanks for the reply.
 

InvalidError

Titan
Moderator
If Mozilla can't be bothered to make sure its certificates remain valid, it really should give people the ability to override expirations.

The conspiration theorist in me says this could be a ploy to measure the impact of addons on Firefox usage - how many people will heavily reduce or suspend FF usage and how much of a spike other browser traffic will see because of this.
 

Satan-IR

Distinguished
Ambassador
Yes, that's a keen observation. Then again I think sometimes this might be inevitable. For example, if they have gone through and audited the updated code for an existing addon and deemed it not safe anymore users might not notice this to remove them except Mozilla pull the addon/certificate?

On the other hand, having something like that left enabled (with the capability of doing stuff in the background) is somehow like a backdoor to users' browsers/systems. I, personally, think Mozilla can be trusted to some extent but that's when I'm notified as what's going on transparently, which I give them this time, they published the blog post explaining what's going on and that the solution is done through Studies, how to check if it's resolved and that Studies can be disabled afterwards.

I agree they can measure a number of things through this. How fast do people react to the fact that some addons are disabled due to security and look for solutions. How many leave Studies enabled even after this is resolved ... etc.
...
When something like this happens (factoring where I live into the equation) the conspiracy theories/paranoid in me immediately thinks this might be yet another attempt at blocking or manipulating browser usage/traffic etc.
 

InvalidError

Titan
Moderator
Yes, that's a keen observation. Then again I think sometimes this might be inevitable. For example, if they have gone through and audited the updated code for an existing addon and deemed it not safe anymore users might not notice this to remove them except Mozilla pull the addon/certificate?
According ot Mozilla's blog post, this was a certificate expiration issue, meaning someone failed to renew a certificate in time. If it was a security audit, signatures of compromised addons can be revoked on a per-addon basis. The only case where a blanket revocation of all addons might make sense is if a signing certificate got compromised and has to be revoked to prevent third-parties from using it.
 

Satan-IR

Distinguished
Ambassador
According ot Mozilla's blog post, this was a certificate expiration issue, meaning someone failed to renew a certificate in time. If it was a security audit, signatures of compromised addons can be revoked on a per-addon basis. The only case where a blanket revocation of all addons might make sense is if a signing certificate got compromised and has to be revoked to prevent third-parties from using it.

You're right. I had a two addons disabled and assumed it was something limited.

If they in fact disabled all addons across all ecosystems that means a major/root certificate got busted and that would warrant a revocation. As you said to prevent it from being misued by unauthorized parties.

Hell if the certificate (not for addons necessarily but more general purpose) is top level and is compromised it can even be used in MITM attacks and such.
 

Satan-IR

Distinguished
Ambassador
took my FF about 10 minutes and it updated and went back to normal. that was yesterday and no issues since.

i of course turned studies back off again as soon as it updated.

Yes Math Geek, I just posted about the fix and I think we both pressed 'Post Reply' at the same time. What are the odds lol.

I have a few more addons and they were intact. The affected two were just fixed. I assume they compartmentalize the rollon process; based on regions maybe as they also do with core browser updates.

Thanks for the reply.
 

Satan-IR

Distinguished
Ambassador
I noticed something right now.

If you're using an ESR build/version of Firefox, say in a Linux distro or other situation, there's a chance the options to allow Studies to run is greyed out and doesn't work. The solution is to change a config setting to override the enforcement of the signing.

One extension that stopped working in an ESR Firefox I use is NoScript. You have to change the config to override the signing requirement to make this happen and I don't really like that.
 

Satan-IR

Distinguished
Ambassador
Regardless of whether signature checks are enabled, you still have to authorize addon installs. As long as you trust your existing installed addons, disabling signature checks has no effect until you install new addons.
Yes, you're right. I'm aware of that, then again I don't like the idea of just discarding signature verification altogether which is a 'lazy' way of dealign with this on their part.

I mean, Mozilla should have thought about this eventuality, don't you agree? Sometimes they run into "bugs/issue" and they need to alter code to resolve that in the background through Studies. Then they go and disable studies in some Firefox versions. This I think makes any 'real' fix not possible until they rollout a new update to fix the issue.

That being said, it's a bit of a temporary state of things. Probably there will be new updates soon to all versions/builds rectifying this but I'd say it's a oversight on their part, disabling something they need to fix problems.
 

InvalidError

Titan
Moderator
Yes, you're right. I'm aware of that, then again I don't like the idea of just discarding signature verification altogether which is a 'lazy' way of dealign with this on their part.
The point I was trying to make is that I don't like not having the option of ignoring signature checks when Mozilla or one of its upstream providers screws up any better as this is basically denying me service.
 
Last edited by a moderator:

Satan-IR

Distinguished
Ambassador
The point I was trying to make is that I don't like not having the option of ignoring signature checks when Mozilla or one of its upstream providers screws up any better as this is basically denying me service.

Yes I got that and I agree.

What I said is somehow in those lines and relatively the same. They screw up a signing certificate or it gets compromised or someone pooches the code etc. I, they user, get the error and notified that the addons are disabled because of this intermediate certificate goof up. I, the user, have to enable Studies to mitigate and rectify the problem. Oh wait, I'm using an ESR build and Data collections and Studies are by default inactive/nonexistent. I have to forget about authetication and certificates altogether until they roll out an update.

That too is what I would also call denying me service.
 
Last edited:

Satan-IR

Distinguished
Ambassador
FF update has been posted. All add-ons are back up and running.....
Carry on....

Yes I'm aware they rolled out 66.0.4 and today the ESR build I also use was updated too. What we were discussing, I think, is the nature of the whole thing and how Mozilla in my opinion is kind of becoming one of those companies they've always claimed they try not to be. This is somehow keeping a monopoly over centralized signing of certificates for addons and so on.

They talk the talk about software freedom and having choices but they are the central enforcers in the addons ecosystem. Now even local installation of addons requires certificates.

Their telemetry features are growing a little too much for my comfort every few releases. They require ever-increasing complicated methods or code/addons to block.
 

Blackink

Distinguished
Apr 27, 2014
604
38
19,190
66
Actually, what the OP was discussing that started this thread which was you, was that FireFox's add-ons were disabled and if anyone else was having problems.
Yes, I was having problems too but the fix was out in a relatively short amount of time...

Nobody is perfect, if we were, we'd all be in trouble!
Carry on...
 

ASK THE COMMUNITY