Recently, Firefox had an incident in which most add-ons stopped working. This was due to an error on our end: we let one of the certificates used to sign add-ons expire which had the effect of disabling the vast majority of add-ons. Now that we’ve fixed the problem for most users and most people’s add-ons are restored, I wanted to walk through the details of what happened, why, and how we repaired it.
An in-depth look at the cause and fixes for the devastating extensions bug that hit Firefox users over the weekend, written by Firefox CTO Eric Rescorla.
I find it a bit ironic that with all the criticism of backdoors, politicians are lashing out at foreign companies, meanwhile western companies like Mozilla are able to use their own backdoors to remotely modify user settings.
I’m not alleging any malicious intent here, but I’m bothered by some of the political and corporate hypocrisy. Consider that Mozilla’s chief legal and business officer has previously said this about backdoors:
http://time.com/4263121/apple-fbi-backdoor/
If they want to defend their backdoor (which has much deeper local access than a regular extension) as a useful tool for legitimate functions, I’ll begrudgingly say I understand their reasoning. If they want to say there is no safe backdoor, I can understand that too. However the hypocrisy is what I don’t have much tolerance for. On the one hand they tell owners we can no longer install our own extensions for our own safety, and yet on the other hand they wrote their own remote access backdoors for our machines.
I’ll give them the benefit of the doubt regarding non-malicious intent, but why should they be entitled to higher access than the owners? And why, if they are so concerned about iPhone backdoors being accessed by court mandate, do they place their own users at risk through their own low level backdoors? It’s do as we say, not as we do.
Sorry about the rant, I’m just venting some of my frustrations.
That was not a rant. That was a perfectly analysed and well written commentary that is entirely accurate!
You are more kind than I. Mozilla is one of the entities to which I will not give any benefit of any doubt anymore. They’ve simply gone too far, this most recent incident only being the most obvious. I gave them the benefit of the doubt when they introduced studies, then they promptly proved that I should not have via the Mr. Robot promotion. It’s been downhill ever since.
Mozilla need to do one of two things. Either they stop all this garbage and go back to practicing the ideals they’re so willing to preach, or they stop being hypocrites and become another big data miner. Should they opt for the latter, I would rather they stopped pretending to care about our privacy.
I want to put on my tinfoil hat and say this whole thing was a way to force people to turn back on “Studies” after so many people turned them off after that whole “Mr. Robot” thing. https://www.bleepingcomputer.com/news/software/mozilla-angers-firefox-users-after-force-installing-mr-robot-promo-add-on/
While I understand the need for certificate signing on the installation side of installing extensions, I do not understand the kill switch on extensions that are already installed.
So here we are: Google untrustworthy, Mozilla also untrustworthy. What browser do we use if we value our privacy?
To be honest, I don’t trust any company to respect my privacy at this point. I don’t care where they are based out of; they will get their extra pound of sweet sweet privacy invasion flesh.
Time to move to a purely community driven Linux and bang my wall on what Browser is safe
Nah. They were able to turn studies back on when they installed updates. I saw this happen multiple times. They had a remote enable switch on that since they came out with it.
I’m of the opinion lately that the extensions ecosystem for browsers needs to be a lot more open than it is.
We need a standard framework for extensions stores, which users can use to add or retarget their browsers at.
This is no different to something like F-Droid on Android, or repos on Linux (Windows has a history of direct install, which browser makers seem to have decided is evil in general).
Having a bit of competition in this space would allow Mozilla to be held accountable for management slipups like this (people would be able to switch to another extension “store”) and would allow people burnt by things like remote extension disabling or the removal of extensions like Gab to go elsewhere.
On another note, I’m concerned that Mozilla apparently have such a poor management/grasp of the PKI system they’re reliant on that they let a critical cert expire. They should have had a replacement cert already in the last several builds of Firefox, including the most recent ESR build, BEFORE it expired, with public docs up on how to install the updated cert for legacy/isolated setups.
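The failure the post opens with and the point this comment makes about replacing a cert before it expires are easy to reproduce in code. The Go program below is an added example, not Mozilla's or Firefox's code: it builds a constructed three-tier chain (root, a short-lived signing intermediate, and a code-signing leaf) with Go's standard crypto/x509, shows that a client validating the leaf's signature starts rejecting it the moment the intermediate passes NotAfter even though the leaf itself is still valid, and includes the kind of lead-time check that flags any cert in the chain for rotation well before that date. The chain shape (an expired intermediate) is an assumption for illustration; the post only says that one of the signing certificates expired. All names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf chain. The leaf stands in
// for the key that signs add-ons; the intermediate is the one that is allowed to expire.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// makeCert issues tmpl signed by parent's key (self-signed when parent is nil).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs the toy chain. Lifetimes are relative to now so the
// example is deterministic; the intermediate lives only intermediateDays.
func BuildChain(now time.Time, intermediateDays int) (*Chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, intKey, leafKey := keys[0], keys[1], keys[2]

	root, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root (constructed)"},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.AddDate(10, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Signing Intermediate (constructed)"},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.AddDate(0, 0, intermediateDays), // the short fuse
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}, root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// The leaf outlives its issuer; that alone does not keep signatures valid.
	leaf, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Example Add-on Signer (constructed)"},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyAt validates the leaf against the root at a given instant, as a client
// checking an add-on signature would. It returns ok and a short reason on failure.
func (c *Chain) VerifyAt(at time.Time) (bool, string) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err == nil {
		return true, ""
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return false, "expired: " + invalid.Cert.Subject.CommonName
	}
	return false, err.Error()
}

// DaysUntilExpiry is the number of whole days before cert.NotAfter.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// RotationDue lists every cert in the chain with less than leadDays of life
// left: the signal to ship a replacement before clients start rejecting signatures.
func (c *Chain) RotationDue(now time.Time, leadDays int) []string {
	var due []string
	for _, cert := range []*x509.Certificate{c.Root, c.Intermediate, c.Leaf} {
		if DaysUntilExpiry(cert, now) < leadDays {
			due = append(due, cert.Subject.CommonName)
		}
	}
	return due
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	c, err := BuildChain(now, 30)
	if err != nil {
		panic(err)
	}
	ok, _ := c.VerifyAt(now)
	fmt.Println("verifies today:", ok)
	ok, why := c.VerifyAt(now.AddDate(0, 0, 31))
	fmt.Println("verifies in 31 days:", ok, why)
	fmt.Println("rotation due (60-day lead):", c.RotationDue(now, 60))
}
```

The monitoring side is the part worth keeping: a scheduled job that runs the equivalent of `RotationDue` over the real signing chain with a lead time longer than a release cycle gives the operator a window to ship the replacement cert (and, as this comment asks for, document it) before anything breaks.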