[conspire] Firefox Addons Being Disabled Due to an Expired Certificate

Rick Moen rick at linuxmafia.com
Sat May 4 15:06:59 PDT 2019


Quoting Leo P (yaconsult at gmail.com):

> https://www.bleepingcomputer.com/news/software/firefox-addons-being-disabled-due-to-an-expired-certificate/

I'm still undecided about whether Lawrence Abrams's 'bleepingcomputer.com' 
site is flakey -- but yeah, the immediate issue is/was an expired cert.
https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disabled-thats-a-bug/
https://www.engadget.com/2019/05/04/the-morning-after/

  If you use Firefox or Tor, you may have noticed a weird error message
  and a sudden lack of working extensions. That's because on Friday
  evening ET (midnight UTC/GMT) a certificate necessary to sign add-ons
  for the browser expired, making them suddenly invalid for use. At 6:50
  AM ET, the team announced they'd begun rolling out a fix that should be
  applied in the background -- make sure you have "studies" enabled to get
  it ASAP.

https://venturebeat.com/2019/05/04/mozilla-issues-firefox-fix-after-expired-certificate-disabled-all-add-ons/

  Mozilla has issued a hotfix to reactivate extensions for millions of
  users after they were disabled without warning late yesterday.
  [...]
  A hotfix is basically a piece of code that’s created as a temporary
  measure to fix a major fault before the next big product release is due.

  In this case, Mozilla is using Studies — a system through which the
  company tries out new features and ideas before they are released to all
  Firefox users — to automatically roll out a fix without the user having
  to do anything else.

  Studies is actually enabled by default, but if you’ve previously opted
  out of this, you’ll need to head to Options >> Privacy & Security >>
  Allow Firefox to install and run studies, and then tick the box.

  It can take a few hours for the fix to be applied, but to check if it
  has been, you can click “View Firefox Studies” to see whether the hotfix
  appended with “1548973” is in there.


But here's the (IMO) much bigger issue:  Is it acceptable that your
selected extensions can operate in/with your browser only if Mozilla,
Inc. permits them?  Personally, I would say 'No, not at all, not ever'.
And I would add that it's past time to give up on Mozilla-branded Firefox,
as their practices are inconsistent with open source principles and user
autonomy, and this has been obvious for years.


Starting with Firefox 41 in 2015[1], Mozilla has enforced the requirement
that all extensions be signed by Mozilla, Inc. before the browser will
accept their installation in Firefox stable and beta versions
(https://wiki.mozilla.org/Add-ons/Extension_Signing).  To evade this
user restriction, one has several options:

1.  Firefox ESR prior to version 45 (2016) still allowed disabling extension 
    signature checking.  But post-45 versions _removed_ that option.
2.  Firefox Developer or Firefox Nightly.  Current upstream release
    is 60.6.1.
3.  Use unbranded future variants Mozilla plans with retention of 
    the ability for users to disable extensions.  (They've promised
    this for four years but not delivered, so you're advised to not
    hold your breath waiting.)
4.  Variant browsers that have gone 'hell no' about going along with
    Mozilla, Inc.'s user-manipulation policies, such as Pale Moon.

Time to move on, mostly.


[1] In Firefox 40 (2015), unsigned extensions triggered a warning.  In 41
(2015), stable and beta versions defaulted to enforcing signatures, but
this could be disabled by setting about:config item
xpinstall.signatures.required to false.  Starting with 48 (2016), this
user-override ability was removed, and users subsequently have been 
_no longer permitted_ to run extensions not approved and
cryptographically attested by Mozilla, Inc.  Current upstream release is
66.0.3.



