Re: Widespread Firefox issues

2019-05-06 Thread Patrick Schultz
or use the hotfix without restarting: 
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi

On 04.05.2019 at 19:46, Randy Bush wrote:
>>> to do it, i have to start ffox.  and 100 tabs will open and
>>> javascript will flood in.
> recipe
>   - turn off internet connectivity
>   - start firefox
>   - `kill -s sigkill` it
>   - restart it, do not restore session
>   - turn internet back on
>   - go to prefs / privacy and enable studio
>   - wait until `about:studies` shows you got the two updates
>   - allow sessions to restart
>
> randy


Re: Widespread Firefox issues

2019-05-05 Thread Hank Nussbacher

On 05/05/2019 00:04, Lee wrote:

On 5/4/19, Mark Foster  wrote:

Official update from Mozilla:

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

where they say
   Please note: The fix does not apply to Firefox ESR
which is what I'm running, so
   about:config
change
   xpinstall.signatures.required
to false, restart and all my extensions now show
   xxx could not be verified for use in Firefox.  Proceed with caution.
but at least they're all enabled again :)


Am running FF 66.0.3 and did the above but still Avira Browser Safety 
and Cisco Webex still show up as disabled.


What am I missing?

Thanks,

Hank




Lee





RE: Widespread Firefox issues

2019-05-04 Thread Keith Medcalf


Aha!  Did the same and it worked.  I had disabled Normandy probably immediately 
when it was introduced.  I guess if you have it disabled then studies (even if 
enabled) are disabled as well.

After getting the studies I disabled studies again (since I don't want them) 
and disabled normandy (since I do not want external third parties frikking 
about with my settings just cuz they feel like it) -- if you want to fiddle 
with the settings on my equipment you have to physically be within the blast 
radius of the device you are fiddling with (or the automated Nitrogen oxygen 
purge system).

We will see what happens mid-afternoon tomorrow when Firefox tries to run a 
signature check again (since the original problem report was in error -- the 
check is only run once every 86400 seconds, so at the next check after the 
intermediate certificate expires the add-ons will be disabled).

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Royce
>Williams
>Sent: Saturday, 4 May, 2019 15:44
>To: nanog@nanog.org
>Subject: Re: Widespread Firefox issues
>
>
>On Sat, May 4, 2019 at 8:02 AM Royce Williams
> wrote:
>
>
>   On Sat, May 4, 2019 at 7:40 AM Royce Williams
> wrote:
>
>
>   On Sat, May 4, 2019 at 7:32 AM Keith Medcalf
> wrote:
>
>
>
>   I will stick to the "clearly false" since it is now
>well to the point where we are in 2019-05-04 (even in local UT1, let
>alone UTC), studies are disabled (and have been since forever), no
>studies have been loaded, and my extensions still work quite fine,
>thank-you.  Attempting to install a "new" extension fails with a "bad
>signature" error.
>
>
>
>   Here's something interesting - a few times now, I've told
>Firefox to enable Studies and then restarted ... but the Studies
>setting reverted to being unchecked.
>
>   Maybe one of my other paranoia-enabling extensions is
>toggling it off ... but if so, I haven't found it yet. Still
>investigating.
>
>
>   Even stranger, I can manually toggle
>'app.shield.optoutstudies.enabled' in about:config ... and *that*
>persists across reboots ... but Studies *still* aren't enabled (the
>about:preferences item is still unchecked, and the "about:studies"
>area still indicates that they're disabled).
>
>   There's definitely something weird about enabling/disabling
>studies.
>
>   FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of
>Firefox that had studies disabled before this issue emerged. On a
>very similar setup, but one with a vanilla Firefox install that
>already had Studies enabled, I can't recreate this symptom - even if
>I turn Studies off (either using the GUI or with the about:config
>item).
>
>
>Multiple people have replied offthread that they have the same
>symptom.
>
>This workaround worked for me:
>
>https://www.reddit.com/r/firefox/comments/bkk5ss/if_you_dont_want_to_
>wait_do_this/
>
>
>Royce





Re: Widespread Firefox issues

2019-05-04 Thread Royce Williams
On Sat, May 4, 2019 at 8:02 AM Royce Williams 
wrote:

> On Sat, May 4, 2019 at 7:40 AM Royce Williams 
> wrote:
>
>> On Sat, May 4, 2019 at 7:32 AM Keith Medcalf  wrote:
>>
>>>
>>> I will stick to the "clearly false" since it is now well to the point
>>> where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are
>>> disabled (and have been since forever), no studies have been loaded, and my
>>> extensions still work quite fine, thank-you.  Attempting to install a "new"
>>> extension fails with a "bad signature" error.
>>>
>>
>> Here's something interesting - a few times now, I've told Firefox to
>> enable Studies and then restarted ... but the Studies setting reverted to
>> being unchecked.
>>
>> Maybe one of my other paranoia-enabling extensions is toggling it off ...
>> but if so, I haven't found it yet. Still investigating.
>>
>
> Even stranger, I can manually toggle 'app.shield.optoutstudies.enabled' in
> about:config ... and *that* persists across reboots ... but Studies *still*
> aren't enabled (the about:preferences item is still unchecked, and the
> "about:studies" area still indicates that they're disabled).
>
> There's definitely something weird about enabling/disabling studies.
>
> FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of Firefox
> that had studies disabled before this issue emerged. On a very similar
> setup, but one with a vanilla Firefox install that already had Studies
> enabled, I can't recreate this symptom - even if I turn Studies off (either
> using the GUI or with the about:config item).
>

Multiple people have replied offthread that they have the same symptom.

This workaround worked for me:

https://www.reddit.com/r/firefox/comments/bkk5ss/if_you_dont_want_to_wait_do_this/

Royce


Re: Widespread Firefox issues

2019-05-04 Thread Lee
On 5/4/19, Mark Foster  wrote:
> Official update from Mozilla:
>
> https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
where they say
  Please note: The fix does not apply to Firefox ESR
which is what I'm running, so
  about:config
change
  xpinstall.signatures.required
to false, restart and all my extensions now show
  xxx could not be verified for use in Firefox.  Proceed with caution.
but at least they're all enabled again :)

Lee


Re: Widespread Firefox issues

2019-05-04 Thread Mark Foster
Official update from Mozilla:

https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Mark.

On 5 May 2019 5:50:19 AM NZST, "Valdis Klētnieks"  
wrote:
>On Sat, 04 May 2019 10:46:41 -0700, Randy Bush said:
>> >> to do it, i have to start ffox.  and 100 tabs will open and
>> >> javascript will flood in.
>>
>> recipe
>>   - turn off internet connectivity
>>   - start firefox
>>   - `kill -s sigkill` it
>>   - restart it, do not restore session
>>   - turn internet back on
>>   - go to prefs / privacy and enable studio
>>   - wait until `about:studies` shows you got the two updates
>>   - allow sessions to restart
>
>Keep in mind that if Firefox exits between 'do not restore session' and
>'allow sessions to restart', all the tabs may vanish into the ether.  Been
>burned by that before.   May want to tar up your .mozilla directory for
>safe keeping (or whatever needs to be done on boxes where tar'ing up
>a directory isn't a thing)

-- 
Sent from a mobile device.

Re: Widespread Firefox issues

2019-05-04 Thread Valdis Klētnieks
On Sat, 04 May 2019 10:46:41 -0700, Randy Bush said:
> >> to do it, i have to start ffox.  and 100 tabs will open and
> >> javascript will flood in.
>
> recipe
>   - turn off internet connectivity
>   - start firefox
>   - `kill -s sigkill` it
>   - restart it, do not restore session
>   - turn internet back on
>   - go to prefs / privacy and enable studio
>   - wait until `about:studies` shows you got the two updates
>   - allow sessions to restart

Keep in mind that if Firefox exits between 'do not restore session' and
'allow sessions to restart', all the tabs may vanish into the ether.  Been
burned by that before.   May want to tar up your .mozilla directory for
safe keeping (or whatever needs to be done on boxes where tar'ing up
a directory isn't a thing)




Re: Widespread Firefox issues

2019-05-04 Thread Randy Bush
>> to do it, i have to start ffox.  and 100 tabs will open and
>> javascript will flood in.

recipe
  - turn off internet connectivity
  - start firefox
  - `kill -s sigkill` it
  - restart it, do not restore session
  - turn internet back on
  - go to prefs / privacy and enable studio
  - wait until `about:studies` shows you got the two updates
  - allow sessions to restart

randy


Re: Widespread Firefox issues

2019-05-04 Thread Brielle
Guess it’s a good thing then that I’m not needing to rely on your ‘expert 
opinion’ since Mozilla provided (and still is providing) details as they 
resolve the issue, eh?

Something something something long winded responses and long stretch 
metaphors...

Sent from my iPhone

> On May 4, 2019, at 9:30 AM, Keith Medcalf  wrote:
> 
> 
> I will stick to the "clearly false" since it is now well to the point where 
> we are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled 
> (and have been since forever), no studies have been loaded, and my extensions 
> still work quite fine, thank-you.  Attempting to install a "new" extension 
> fails with a "bad signature" error.
> 
> Is the "permanent fix" going to be proper validation of signatures I wonder?  
> Or will they still consider the signature (made while there was ink in the 
> pen) to be invalid after the pen runs out of ink?
> 
> Or, more accurately, not invalidate the handwritten signature after the death 
> of the witness.  Lordy forbid that the "real world" worked like that ... 
> invalidating the signature on a contract merely because the witness or signer 
> got killed by a rogue bus ... What a lovely way to render a contract nul ab 
> initio -- just kill one of the witnesses ...
> 
> ---
> The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
> lot about anticipated traffic volume.
> 
> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>> Bruns
>> Sent: Saturday, 4 May, 2019 08:30
>> To: nanog@nanog.org
>> Subject: Re: Widespread Firefox issues
>> 
>> So, for being "Clearly false",  the hotfix pushed out by the Firefox
>> Studies feature is...
>> 
>> *drumroll*
>> 
>> An updated intermediate certificate!
>> 
>> 
>> You can turn on the Studies option under Privacy & Security for a
>> little
>> while, then check about:studies and you should see one or two in
>> there
>> regarding the xpi verification/signing.  Once you have those two
>> studies, you can disable Studies again.
>> 
>> Likely we'll see a full fix with a point release of Firefox in a day
>> or so.
>> 
>> 
>> 
>>> On 5/3/2019 8:48 PM, Keith Medcalf wrote:
>>> 
>>> Clearly false, since it is 2019-05-04 02:46:31.342994 now and
>> nothing whatsoever happened to my Firefox browser, and all the
>> extensions are still working just fine.
>>> 
>>> ---
>>> The fact that there's a Highway to Hell but only a Stairway to
>> Heaven says a lot about anticipated traffic volume.
>>> 
>>> 
>>>> -Original Message-
>>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>>>> Bruns
>>>> Sent: Friday, 3 May, 2019 19:56
>>>> To: NANOG list
>>>> Subject: Widespread Firefox issues
>>>> 
>>>> Just an FYI since this is bound to impact users:
>>>> 
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>>>> 
>>>> Basically, Mozilla forgot to renew an intermediate cert, and
>> people's
>>>> Firefox browsers have mass-disabled addons.
>>>> 
>>>> Whoops.
>>>> --
>>>> Brielle Bruns
>>>> The Summit Open Source Development Group
>>>> http://www.sosdg.org/ http://www.ahbl.org
>>> 
>>> 
>>> 
>> 
>> 
>> --
>> Brielle Bruns
>> The Summit Open Source Development Group
>> http://www.sosdg.org/ http://www.ahbl.org
> 
> 
> 



Re: Widespread Firefox issues

2019-05-04 Thread Royce Williams
On Sat, May 4, 2019 at 7:40 AM Royce Williams 
wrote:

> On Sat, May 4, 2019 at 7:32 AM Keith Medcalf  wrote:
>
>>
>> I will stick to the "clearly false" since it is now well to the point
>> where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are
>> disabled (and have been since forever), no studies have been loaded, and my
>> extensions still work quite fine, thank-you.  Attempting to install a "new"
>> extension fails with a "bad signature" error.
>>
>
> Here's something interesting - a few times now, I've told Firefox to
> enable Studies and then restarted ... but the Studies setting reverted to
> being unchecked.
>
> Maybe one of my other paranoia-enabling extensions is toggling it off ...
> but if so, I haven't found it yet. Still investigating.
>

Even stranger, I can manually toggle 'app.shield.optoutstudies.enabled' in
about:config ... and *that* persists across reboots ... but Studies *still*
aren't enabled (the about:preferences item is still unchecked, and the
"about:studies" area still indicates that they're disabled).

There's definitely something weird about enabling/disabling studies.

FWIW, this is 64-bit 66.0.3 on Ubuntu, and it's an instance of Firefox that
had studies disabled before this issue emerged. On a very similar setup,
but one with a vanilla Firefox install that already had Studies enabled, I
can't recreate this symptom - even if I turn Studies off (either using the
GUI or with the about:config item).

Royce


Re: [EXT] RE: Widespread Firefox issues

2019-05-04 Thread Valdis Klētnieks
On Sat, 04 May 2019 13:02:56 -, Charles Bronson said:
> On Fri, 03 May 2019 21:14:53 -0600, "Keith Medcalf" said:
>> HTTPS: has nothing to do with the website being "secure". https: means that
>> transport layer security (encryption) is in effect. https: is a PRIVACY
>> measure, not a SECURITY measure.

> I may be wrong and if so, I am happy to be corrected, but I don't think that
> statement is entirely true. The certificate not only encrypts the connection,
> it also verifies that you are connecting to the server you intend to. That second
> component is a security measure.

Actually, the identity component of a certificate does *not* verify you
connected to the server you *intended*.  It verifies that the server you actually
connected to is the one that the connection was directed to, and that you
didn't get MITM'ed. That's important, but not what most people think it means.

In particular, it does *not* protect against typo squatters that get hits when
you accidentally  try to go to faceebook.com.  Also, when a user enters
cnn.com, they *intend* to visit cnn.com, and aren't thinking about the *other*
38 sites that get contacted (as reported by the IPvFoo extension).  Did I
*intend* to go to a125375509.cdn.optimizely.com - one of the sites that ends up
getting called when I visit cnn.com?

So while there's a useful security guarantee provided by the proof-of-identity,
it's *NOT* what people usually think it is.

Additionally, the first component is also a security measure as well.

Googling for "3 pillars of security" shows that they're "confidentiality,
integrity, and availability".

In what world are the "privacy" provisions of TLS *not* part of
"confidentiality"?

https://www.lmgtfy.com/?q=3+pillars+of+security






Re: Widespread Firefox issues

2019-05-04 Thread Royce Williams
On Sat, May 4, 2019 at 7:32 AM Keith Medcalf  wrote:

>
> I will stick to the "clearly false" since it is now well to the point
> where we are in 2019-05-04 (even in local UT1, let alone UTC), studies are
> disabled (and have been since forever), no studies have been loaded, and my
> extensions still work quite fine, thank-you.  Attempting to install a "new"
> extension fails with a "bad signature" error.
>

Here's something interesting - a few times now, I've told Firefox to enable
Studies and then restarted ... but the Studies setting reverted to being
unchecked.

Maybe one of my other paranoia-enabling extensions is toggling it off ...
but if so, I haven't found it yet. Still investigating.

Royce


RE: Widespread Firefox issues

2019-05-04 Thread Keith Medcalf


I will stick to the "clearly false" since it is now well to the point where we 
are in 2019-05-04 (even in local UT1, let alone UTC), studies are disabled (and 
have been since forever), no studies have been loaded, and my extensions still 
work quite fine, thank-you.  Attempting to install a "new" extension fails with 
a "bad signature" error.

Is the "permanent fix" going to be proper validation of signatures I wonder?
Or will they still consider the signature (made while there was ink in the pen) 
to be invalid after the pen runs out of ink?

Or, more accurately, not invalidate the handwritten signature after the death 
of the witness.  Lordy forbid that the "real world" worked like that ... 
invalidating the signature on a contract merely because the witness or signer 
got killed by a rogue bus ... What a lovely way to render a contract nul ab 
initio -- just kill one of the witnesses ...

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>Bruns
>Sent: Saturday, 4 May, 2019 08:30
>To: nanog@nanog.org
>Subject: Re: Widespread Firefox issues
>
>So, for being "Clearly false",  the hotfix pushed out by the Firefox
>Studies feature is...
>
>*drumroll*
>
>An updated intermediate certificate!
>
>
>You can turn on the Studies option under Privacy & Security for a
>little
>while, then check about:studies and you should see one or two in
>there
>regarding the xpi verification/signing.  Once you have those two
>studies, you can disable Studies again.
>
>Likely we'll see a full fix with a point release of Firefox in a day
>or so.
>
>
>
>On 5/3/2019 8:48 PM, Keith Medcalf wrote:
>>
>> Clearly false, since it is 2019-05-04 02:46:31.342994 now and
>nothing whatsoever happened to my Firefox browser, and all the
>extensions are still working just fine.
>>
>> ---
>> The fact that there's a Highway to Hell but only a Stairway to
>Heaven says a lot about anticipated traffic volume.
>>
>>
>>> -Original Message-
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>>> Bruns
>>> Sent: Friday, 3 May, 2019 19:56
>>> To: NANOG list
>>> Subject: Widespread Firefox issues
>>>
>>> Just an FYI since this is bound to impact users:
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>>>
>>> Basically, Mozilla forgot to renew an intermediate cert, and
>people's
>>> Firefox browsers have mass-disabled addons.
>>>
>>> Whoops.
>>> --
>>> Brielle Bruns
>>> The Summit Open Source Development Group
>>> http://www.sosdg.org/ http://www.ahbl.org
>>
>>
>>
>
>
>--
>Brielle Bruns
>The Summit Open Source Development Group
>http://www.sosdg.org/ http://www.ahbl.org
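
Added example, not part of any poster's message and not Mozilla's code: a simplified model of the two questions raised in the thread, namely whether a signature is judged against the current time or the signing time ("ink in the pen"), and why a check that runs once every 86400 seconds makes add-ons fail at different moments for different users. Certificate names, validity windows and the signing time are constructed; only validity windows are modelled, with no cryptographic verification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CHECK_INTERVAL = timedelta(seconds=86400)  # re-check interval quoted in the thread


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


def chain_valid_at(chain, when):
    """True when every certificate in the chain is inside its validity window."""
    return all(cert.valid_at(when) for cert in chain)


def verify(chain, signed_at, now, policy):
    """Decide whether a signed add-on is accepted at time `now`.

    'current-time': every certificate must be valid right now, so an expired
        intermediate rejects signatures that were fine when they were made.
    'signing-time': the chain is evaluated at `signed_at`. This is only sound
        when `signed_at` comes from a trusted timestamp, not from the signer.
    """
    if policy == "current-time":
        return chain_valid_at(chain, now)
    if policy == "signing-time":
        return signed_at <= now and chain_valid_at(chain, signed_at)
    raise ValueError(f"unknown policy: {policy}")


def first_failing_check(chain, signed_at, last_check, policy, max_checks=30):
    """Time of the first periodic check that rejects the add-on, or None."""
    when = last_check
    for _ in range(max_checks):
        when += CHECK_INTERVAL
        if not verify(chain, signed_at, when, policy):
            return when
    return None


# Constructed validity windows (not the real certificates' dates), chosen so
# the intermediate expires at midnight UTC on 2019-05-04.
ROOT = Cert("root", datetime(2015, 1, 1, tzinfo=UTC),
            datetime(2025, 1, 1, tzinfo=UTC))
INTERMEDIATE = Cert("intermediate", datetime(2017, 5, 4, tzinfo=UTC),
                    datetime(2019, 5, 4, tzinfo=UTC))
LEAF = Cert("addon-signer", datetime(2018, 6, 1, tzinfo=UTC),
            datetime(2023, 6, 1, tzinfo=UTC))
CHAIN = [LEAF, INTERMEDIATE, ROOT]
SIGNED_AT = datetime(2018, 9, 1, tzinfo=UTC)  # constructed signing time

if __name__ == "__main__":
    # Two constructed users whose last daily check ran at different times.
    for label, last in [
        ("checked just after midnight", datetime(2019, 5, 3, 0, 10, tzinfo=UTC)),
        ("checked mid-afternoon", datetime(2019, 5, 3, 14, 46, tzinfo=UTC)),
    ]:
        for policy in ("current-time", "signing-time"):
            failed = first_failing_check(CHAIN, SIGNED_AT, last, policy)
            print(f"{label:30} {policy:13} first rejection: {failed}")
```
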





Re: Widespread Firefox issues

2019-05-04 Thread Brielle Bruns
So, for being "Clearly false",  the hotfix pushed out by the Firefox 
Studies feature is...


*drumroll*

An updated intermediate certificate!


You can turn on the Studies option under Privacy & Security for a little 
while, then check about:studies and you should see one or two in there 
regarding the xpi verification/signing.  Once you have those two 
studies, you can disable Studies again.


Likely we'll see a full fix with a point release of Firefox in a day or so.



On 5/3/2019 8:48 PM, Keith Medcalf wrote:


Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing 
whatsoever happened to my Firefox browser, and all the extensions are still 
working just fine.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
Bruns
Sent: Friday, 3 May, 2019 19:56
To: NANOG list
Subject: Widespread Firefox issues

Just an FYI since this is bound to impact users:

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

Basically, Mozilla forgot to renew an intermediate cert, and people's
Firefox browsers have mass-disabled addons.

Whoops.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org







--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: Widespread Firefox issues

2019-05-04 Thread Karl Auer
On Sat, 2019-05-04 at 05:36 -0700, Randy Bush wrote:
> will keep you updated. read that.  to do it, i have to start
> ffox.  and 100 tabs will open and
> javascript will flood in.

Disconnect from network.
Start Firefox.
Take a moment to appreciate the silence.
Close tabs.
Reconnect to network.

OR: Start firefox's profile manager:

   firefox -P --no-remote

Then create a new profile and start FireFox with the new profile. Not
100% sure how the studies feature works, but I am assuming it updates
more than just the profile, so once FF has updated you should be able
to open the old profile and get all your extensions and settings back.

Regards, K.


-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75




Re: [EXT] RE: Widespread Firefox issues

2019-05-04 Thread Charles Bronson


From: NANOG  on behalf of Keith Medcalf 

Sent: Saturday, May 4, 2019 3:14:53 AM
To: NANOG list
Cc: Constantine A. Murenin
Subject: [EXT] RE: Widespread Firefox issues


HTTPS: has nothing to do with the website being "secure".  https: means that 
transport layer security (encryption) is in effect.  https: is a PRIVACY 
measure, not a SECURITY measure.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [ mailto:nanog-boun...@nanog.org] On Behalf Of Constantine
>A. Murenin
>Sent: Friday, 3 May, 2019 21:02
>To: Brielle Bruns
>Cc: NANOG list
>Subject: Re: Widespread Firefox issues
>
>On Fri, 3 May 2019 at 20:57, Brielle Bruns  wrote:
>
>
>   Just an FYI since this is bound to impact users:
>
>   https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>
>   Basically, Mozilla forgot to renew an intermediate cert, and
>people's
>   Firefox browsers have mass-disabled addons.
>
>   Whoops.
>
>
>
>This is why it's important that every single website on the internet
>is available ONLY over HTTPS.  Don't forget to install an HSTS
>policy, too, so, if anyone ever visits Kazakhstan or a security-
>conscious corporate office, they'll be prevented from accessing the
>cute pictures of cats on your fully static website.  Of course, don't
>forget to abandon HTTP, too, and simply issue 301 Moved Permanently
>redirects from all HTTP targets to HTTPS, to cover all the bases.
>
>Backwards compatibility?  Don't you worry — no browser lets anyone
>remove HSTS, once installed, so, you're golden.  And HTTPS links
>won't fallback to HTTP, either, so, you're good there, too — your
>cute cats are safe and secure, and once folks link to your new site
>under https://, your future self will be safe and secure from ever
>having the option to go insecure again.  I mean, why would anyone go
>"insecure"?  Especially now with LetsEncrypt?
>
>
>Oh, wait…
>
>
>Wait a moment, and who's the biggest player behind the HTTPS-only
>movement?  Oh, and Mozilla's one of the biggest backers of
>LetsEncrypt, too?  I see…  Well, nothing to see here, move along!
>#TooBigToFail.
>
>
>C.

I may be wrong and if so, I am happy to be corrected, but I don't think that 
statement is entirely true. The certificate not only encrypts the connection, 
it also verifies that you are connecting to the server you intend to. That 
second component is a security measure.


Charles Bronson



Re: Widespread Firefox issues

2019-05-04 Thread Töma Gavrichenkov
On Sat, May 4, 2019, 3:37 PM Randy Bush  wrote:

> to do it, i have to start ffox.  and 100 tabs will open and
> javascript will flood in.
>

Disconnect from the network, start Firefox while offline, then KILL IT WITH
FIRE^W SIGKILL.

After that, Firefox will start with a "Restore tabs" page which doesn't
activate tabs automatically.

--
Töma

>


Re: Widespread Firefox issues

2019-05-04 Thread William Herrin
>
> From
> https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047
> :
>
> 12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and
> nightly users on Desktop. The fix will be automatically applied in the
> background within the next few hours, you don’t need to take active steps.
>
> In order to be able to provide this fix on short notice, we are using the
> Studies system. You can check if you have studies enabled by going to
> Firefox Preferences -> Privacy & Security -> Allow Firefox to install and
> run studies.
>

This is a lie. I had both updates and studies disabled but
"hotfix-update-xpi-intermediate" appeared in my addons anyway.

It also failed to re-enable noscript.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Widespread Firefox issues

2019-05-04 Thread Randy Bush
>> so is there a recipe for re-enabling the add-ons?  otherwise, one is
>> running pretty nekkid.
> 
>> From 
>> https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047:
> 
> 12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta
> and nightly users on Desktop. The fix will be automatically applied in
> the background within the next few hours, you don’t need to take
> active steps.
> 
> In order to be able to provide this fix on short notice, we are using
> the Studies system. You can check if you have studies enabled by going
> to Firefox Preferences -> Privacy & Security -> Allow Firefox to
> install and run studies.
> 
> You can disable studies again after your add-ons have been re-enabled.
> 
> We are working on a general fix that doesn’t need to rely on this and
> will keep you updated.

read that.  to do it, i have to start ffox.  and 100 tabs will open and
javascript will flood in.


Re: Widespread Firefox issues

2019-05-04 Thread Harald Koch
On Sat, May 4, 2019, at 08:21, Randy Bush wrote:
> so is there a recipe for re-enabling the add-ons?  otherwise, one is
> running pretty nekkid.

>From 
>https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047:

12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and 
nightly users on Desktop. The fix will be automatically applied in the 
background within the next few hours, you don’t need to take active steps.

In order to be able to provide this fix on short notice, we are using the 
Studies system. You can check if you have studies enabled by going to Firefox 
Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

You can disable studies again after your add-ons have been re-enabled.

We are working on a general fix that doesn’t need to rely on this and will keep 
you updated.

-- 
Harald Koch
c...@pobox.com


Re: Widespread Firefox issues

2019-05-04 Thread Randy Bush
so is there a recipe for re-enabling the add-ons?  otherwise, one is
running pretty nekkid.

randy


Re: Widespread Firefox issues

2019-05-03 Thread Karl Auer
On Fri, 2019-05-03 at 21:38 -0600, Brielle Bruns wrote:
> On 5/3/2019 8:58 PM, Adrian Minta wrote:
> > My temporary solution was to set "xpinstall.signatures.required"
> > to "false".
> Unfortunately only works if you are using the Dev version :(

Or, apparently, if you are using the Linux version. I'm on 66.0.3 Linux
64-bit. I think the Android version still allows it, too.

I dislike this trend to remove features "for our own good", yet
everyone seems to be doing it.

Regards, K.


-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75




Re: Widespread Firefox issues

2019-05-03 Thread Brielle Bruns

On 5/3/2019 8:58 PM, Adrian Minta wrote:
My temporary solution was to set "xpinstall.signatures.required" to 
"false".


Unfortunately only works if you are using the Dev version :(

They totally removed ability to bypass that in the standard distribution 
of Firefox.  Ugh



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: Widespread Firefox issues

2019-05-03 Thread Brielle Bruns

On 5/3/2019 8:48 PM, Keith Medcalf wrote:


Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing 
whatsoever happened to my Firefox browser, and all the extensions are still 
working just fine.


Clearly you are not reading the bug reports and paying attention.

It's not happening to everyone, but a large enough group of people are 
experiencing it.  My desktop for example, is having the issue, my laptop 
is not.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: Widespread Firefox issues

2019-05-03 Thread Brielle Bruns

On 5/3/2019 9:10 PM, Karl Auer wrote:

The diagnosis in the OP's message may be false, but there is most
definitely a widespread FF issue (or was, maybe fixed now). It affected
me and numerous others.


I'm just repeating what was mentioned elsewhere - don't shoot the 
messenger.  We'll have to wait for them to tell us what exactly happened 
(if they do) to know for sure.


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


RE: Widespread Firefox issues

2019-05-03 Thread Keith Medcalf


HTTPS: has nothing to do with the website being "secure".  https: means that 
transport layer security (encryption) is in effect.  https: is a PRIVACY 
measure, not a SECURITY measure.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Constantine
>A. Murenin
>Sent: Friday, 3 May, 2019 21:02
>To: Brielle Bruns
>Cc: NANOG list
>Subject: Re: Widespread Firefox issues
>
>On Fri, 3 May 2019 at 20:57, Brielle Bruns  wrote:
>
>
>   Just an FYI since this is bound to impact users:
>
>   https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>
>   Basically, Mozilla forgot to renew an intermediate cert, and
>people's
>   Firefox browsers have mass-disabled addons.
>
>   Whoops.
>
>
>
>This is why it's important that every single website on the internet
>is available ONLY over HTTPS.  Don't forget to install an HSTS
>policy, too, so, if anyone ever visits Kazakhstan or a security-
>conscious corporate office, they'll be prevented from accessing the
>cute pictures of cats on your fully static website.  Of course, don't
>forget to abandon HTTP, too, and simply issue 301 Moved Permanently
>redirects from all HTTP targets to HTTPS, to cover all the bases.
>
>Backwards compatibility?  Don't you worry — no browser lets anyone
>remove HSTS, once installed, so, you're golden.  And HTTPS links
>won't fallback to HTTP, either, so, you're good there, too — your
>cute cats are safe and secure, and once folks link to your new site
>under https://, your future self will be safe and secure from ever
>having the option to go insecure again.  I mean, why would anyone go
>"insecure"?  Especially now with LetsEncrypt?
>
>
>Oh, wait…
>
>
>Wait a moment, and who's the biggest player behind the HTTPS-only
>movement?  Oh, and Mozilla's one of the biggest backers of
>LetsEncrypt, too?  I see…  Well, nothing to see here, move along!
>#TooBigToFail.
>
>
>C.






Re: Widespread Firefox issues

2019-05-03 Thread Karl Auer
On Fri, 2019-05-03 at 20:48 -0600, Keith Medcalf wrote:
> Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing
> whatsoever happened to my Firefox browser, and all the extensions are
> still working just fine.

The diagnosis in the OP's message may be false, but there is most
definitely a widespread FF issue (or was, maybe fixed now). It affected
me and numerous others.

Simple temporary fix is to browse to "about:config" and change the
value for "xpinstall.signatures.required" to false. Well, that worked
for me, anyway. When Mozilla fixes whatever the issue is, I'll set it
back to true. 

BTW it hit at midnight UTC, so different people saw the effect at
different times depending on their timezone.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75




Re: Widespread Firefox issues

2019-05-03 Thread Constantine A. Murenin
On Fri, 3 May 2019 at 20:57, Brielle Bruns  wrote:

> Just an FYI since this is bound to impact users:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>
> Basically, Mozilla forgot to renew an intermediate cert, and people's
> Firefox browsers have mass-disabled addons.
>
> Whoops.
>

This is why it's important that every single website on the internet is
available ONLY over HTTPS.  Don't forget to install an HSTS policy, too,
so, if anyone ever visits Kazakhstan or a security-conscious corporate
office, they'll be prevented from accessing the cute pictures of cats on
your fully static website.  Of course, don't forget to abandon HTTP, too,
and simply issue 301 Moved Permanently redirects from all HTTP targets to
HTTPS, to cover all the bases.

Backwards compatibility?  Don't you worry — no browser lets anyone remove
HSTS, once installed, so, you're golden.  And HTTPS links won't fall back to
HTTP, either, so, you're good there, too — your cute cats are safe and
secure, and once folks link to your new site under https://, your future
self will be safe and secure from ever having the option to go insecure
again.  I mean, why would anyone go "insecure"?  Especially now with
LetsEncrypt?

Oh, wait…

Wait a moment, and who's the biggest player behind the HTTPS-only
movement?  Oh, and Mozilla's one of the biggest backers of LetsEncrypt,
too?  I see…  Well, nothing to see here, move along!  #TooBigToFail.

C.


RE: Widespread Firefox issues

2019-05-03 Thread Keith Medcalf


Besides which, if something was signed AT THE TIME when the certificate chain 
was valid, then that signature will be a valid signature forever (unless one of 
the certificates in the chain is revoked).  The future or current expiry of a 
certificate or an intermediary has no effect whatsoever on the validity of a 
signature IF THE CERTIFICATE CHAIN WAS VALID at the time the signature was 
made, and the chain can be verified TO HAVE BEEN VALID at the time the 
signature was made.

In other words, the fact that subsequent to making a signature the pen ran out 
of ink does not make the signature invalid.  If it did so then there would be 
no point in having signatures.  It may be impossible to make a valid signature 
with a pen that is out of ink, but that does not invalidate signatures made 
before the ink ran out.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.

>-Original Message-
>From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On
>Behalf Of Keith Medcalf
>Sent: Friday, 3 May, 2019 20:48
>To: NANOG list
>Subject: RE: Widespread Firefox issues
>
>
>Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing
>whatsoever happened to my Firefox browser, and all the extensions are
>still working just fine.
>
>---
>The fact that there's a Highway to Hell but only a Stairway to Heaven
>says a lot about anticipated traffic volume.
>
>
>>-Original Message-
>>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>>Bruns
>>Sent: Friday, 3 May, 2019 19:56
>>To: NANOG list
>>Subject: Widespread Firefox issues
>>
>>Just an FYI since this is bound to impact users:
>>
>>https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>>
>>Basically, Mozilla forgot to renew an intermediate cert, and people's
>>Firefox browsers have mass-disabled addons.
>>
>>Whoops.
>>--
>>Brielle Bruns
>>The Summit Open Source Development Group
>>http://www.sosdg.org/ http://www.ahbl.org
>
>
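
The message above contrasts judging a certificate chain at the time a signature was made with judging it at the time of verification. The following added example (not part of the thread and not Mozilla's code) models both policies on a constructed chain; all certificate names and dates are made up, and the signature itself is assumed to be cryptographically correct.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # plain flag here; real revocation also carries a date

def chain_valid_at(chain, when):
    """True if no certificate is revoked and all are inside their validity window."""
    return all(not c.revoked and c.not_before <= when <= c.not_after for c in chain)

def accept_signature(chain, now, trusted_signing_time=None, policy="current-time"):
    """Accept or reject a signature that is assumed to be cryptographically correct.

    "current-time": the chain must be valid at the moment of verification.
    "signing-time": the chain must have been valid when the signature was made,
    which needs a signing time attested by a trusted timestamp; a time asserted
    only by the signer could be backdated, so without one the answer is reject.
    """
    if policy == "current-time":
        return chain_valid_at(chain, now)
    if policy == "signing-time":
        if trusted_signing_time is None or trusted_signing_time > now:
            return False
        return chain_valid_at(chain, trusted_signing_time)
    raise ValueError(f"unknown policy: {policy}")

# Constructed chain: names and dates are illustrative, not the real certificates.
ROOT = Cert("example-root", datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
INTERMEDIATE = Cert("example-intermediate", datetime(2017, 5, 4, tzinfo=UTC), datetime(2019, 5, 4, tzinfo=UTC))
SIGNER = Cert("example-signer", datetime(2018, 6, 1, tzinfo=UTC), datetime(2023, 6, 1, tzinfo=UTC))
CHAIN = [SIGNER, INTERMEDIATE, ROOT]

SIGNED_AT = datetime(2018, 9, 1, tzinfo=UTC)            # attested signing time
BEFORE_EXPIRY = datetime(2019, 5, 3, 23, 0, tzinfo=UTC)  # intermediate still valid
AFTER_EXPIRY = datetime(2019, 5, 4, 2, 46, tzinfo=UTC)   # intermediate expired

if __name__ == "__main__":
    for now in (BEFORE_EXPIRY, AFTER_EXPIRY):
        print(now.isoformat(),
              "current-time:", accept_signature(CHAIN, now),
              "signing-time:", accept_signature(CHAIN, now, SIGNED_AT, "signing-time"))
```
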






Re: Widespread Firefox issues

2019-05-03 Thread Adrian Minta

My temporary solution was to set "xpinstall.signatures.required" to "false".


On 5/4/19 4:55 AM, Brielle Bruns wrote:

Just an FYI since this is bound to impact users:

https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

Basically, Mozilla forgot to renew an intermediate cert, and people's 
Firefox browsers have mass-disabled addons.


Whoops.


--
Best regards,
Adrian Minta
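
Karl Auer's and Adrian Minta's messages both set `xpinstall.signatures.required` to false as a temporary workaround, with the stated plan of setting it back to true once a fix ships. As an added example (not from the thread), this script lists the profiles under a profiles directory that still carry the workaround; the profile names and file contents are constructed, and it assumes the usual `prefs.js` / `user.js` files inside each profile directory.

```python
import re
import tempfile
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Firefox pref files hold lines of the form: user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE)

def effective_setting(profile_dir):
    """Return (value, source_file); (None, None) means the build default applies.
    user.js is applied over prefs.js at startup, so it is read last and wins."""
    result = (None, None)
    for filename in ("prefs.js", "user.js"):
        path = Path(profile_dir) / filename
        if path.is_file():
            found = PREF_LINE.findall(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                result = (found[-1] == "true", filename)
    return result

def profiles_with_enforcement_disabled(profiles_root):
    """List (profile_name, source_file) for profiles that still carry the workaround."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        value, source = effective_setting(profile) if profile.is_dir() else (None, None)
        if value is False:
            findings.append((profile.name, source))
    return findings

def build_sample_profiles(root):
    """Write three constructed profiles; names and contents are made up."""
    samples = {
        "aaaa.untouched": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "bbbb.workaround": {"prefs.js": f'user_pref("{PREF}", false);\n'},
        "cccc.restored": {
            "prefs.js": f'user_pref("{PREF}", false);\n',
            "user.js": f'// user_pref("{PREF}", false);\nuser_pref("{PREF}", true);\n'},
    }
    for name, files in samples.items():
        (Path(root) / name).mkdir(parents=True)
        for filename, text in files.items():
            (Path(root) / name / filename).write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profiles(tmp)
        print(profiles_with_enforcement_disabled(tmp))
```
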




RE: Widespread Firefox issues

2019-05-03 Thread Keith Medcalf


Clearly false, since it is 2019-05-04 02:46:31.342994 now and nothing 
whatsoever happened to my Firefox browser, and all the extensions are still 
working just fine.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.


>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brielle
>Bruns
>Sent: Friday, 3 May, 2019 19:56
>To: NANOG list
>Subject: Widespread Firefox issues
>
>Just an FYI since this is bound to impact users:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
>
>Basically, Mozilla forgot to renew an intermediate cert, and people's
>Firefox browsers have mass-disabled addons.
>
>Whoops.
>--
>Brielle Bruns
>The Summit Open Source Development Group
>http://www.sosdg.org/ http://www.ahbl.org