Solving the recent Firefox ESR problem, with the Expired Extension Signing Certificate.

One of the problems that befell (almost all) Firefox users at midnight from May 3 to May 4, 2019, was that many extensions which we had installed suddenly became deactivated, because an Intermediate Certificate used to sign those extensions had simply expired. Apparently, somebody overlooked the status of the certificate in question.

To remedy this situation as quickly as possible, Mozilla offered to publish a “Study”, which is a kind of project that Firefox users can subscribe to, and the usual purpose of which is to allow Mozilla to conduct experiments on users’ browsers. This Study, however, had as its purpose just to install a renewed certificate.

One important piece of advice is, ‘If you are still experiencing this issue, Do not try to uninstall and reinstall the extensions. Doing so would delete all the data stored with the extensions, while simply to have them disabled, and then to have them re-enabled, will allow most extensions to keep their stored data!’

Therefore, to receive this fix, what Firefox users were advised to do was to go into ‘Tools -> Preferences -> Privacy & Security’, and there, to Enable Studies. The problem which I experienced myself was that this advice was not narrowed enough for Linux users with ‘Firefox ESR’. First of all, the Linux versions of Firefox have their Preferences sub-menu under ‘Edit’, not under ‘Tools’, but that was the least significant problem. What was worse was that, under my Linux distribution, the option we were advised to check was greyed out, and could not be checked:

Screenshot_20190505_075343

(Edit 5/10/2019, 22h10 : )

Because as of this time, under Debian / Jessie as well as under Debian / Stretch, the official fix for this problem has been pushed through the package repositories, it’s no longer advisable by any means to apply the workaround described here. However, the update under Debian / Stretch was a bit slow in coming, for which reason this workaround served me well.

(End of Edit.)

However, I was able to get this feature of Firefox ESR to work anyway. And what follows is how I did that…

(Updated 5/06/2019, 16h00 … )

(As of 9h00 : )

Mainly, in the URL bar, I had to type ‘about:config’, and every time we do this, we get a little cautionary message, telling us that to proceed may ‘void our warranty’. Actually, there is no warranty. The fact is only, that changing these advanced options can really screw up a browser. In the page which opens – and which I’ve visited often – there is a very important search bar, into which we can next type ‘normandy’.

Searching there first, I looked at whether settings were correct, that become visible when we type in this search term:

Screenshot_20190505_080101

This is the app which Mozilla uses, to distribute Studies. But alas, on my browser, ‘app.normandy.enabled’ was already set to ‘true’. Therefore, this setting could not have been, what was stopping me at first. There was no need to change anything here.

However, the next settings I can search for, are under the keyword ‘studies’. This way, I only obtained one setting to modify, and I set this to ‘…enabled = true.’ It was set to ‘false’. The following screen-shot shows this:

Screenshot_20190505_075736

As far as I know, this may be the only setting I needed to change. But, just to enable more, similar settings, which effectively increase the amount of ‘ET Phone Home’ that the browser carries out, I also entered my Debian directory named ‘/etc/firefox-esr’ and there, edited a system-wide file, that can override what individual users select:

Screenshot_20190505_080605

As root, in this file, I put doubled slashes before the setting which I wanted to disable, thus turning that line of code into a comment.

I don’t really know that it’s necessary to edit this setting, do know that to do so decreases my privacy, and also know that once this setting has been changed, Firefox needs to be restarted, in order for this last setting to go into effect. Once I have done so, what I see next in the ‘Preferences’ GUI dialog is the setting now still greyed, but checked, to ‘Enable Studies’:

Screenshot_20190505_075946

I suppose that one question which any user may ask is, ‘Does this setting still work, even though it’s greyed out?’ And the answer I learned was ‘Yes!’ Further, once the Study in question has been downloaded and run, it can safely be Removed. Studies can be viewed by typing ‘about:studies’ into the URL Bar. In this case, its status changed from ‘Active’ to ‘Complete’.

After this was done, the very next thing I did was to disable Studies again, using ‘about:config’ and the search-term ‘studies’, as well as to set ‘app.normandy.enabled’ to ‘false’. And then, to make sure that Studies were disabled again, I re-verified that “No New Studies Will Run”:

Screenshot_20190505_080239

I repeat, this last result only appears at the top of the ‘about:studies’ page because I’ve disabled ‘Studies’ again, in addition to disabling the ‘Normandy’ app for the first time. Further, the greyed-out setting in the GUI dialog, is un-checked again.
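The final check described above can also be made against the preference files themselves. The following is an added example, not code from the original post or from Mozilla: it searches preference text for the same keywords used in ‘about:config’ and reports which matching prefs are still active and set to ‘true’, treating lines commented out with doubled slashes as inactive. The function names, the sample file contents, and the pref name ‘app.shield.optoutstudies.enabled’ are assumptions; only ‘app.normandy.enabled’ is named on this page.

```python
import re

# pref-setting calls as they appear in Firefox preference files
PREF_RE = re.compile(
    r'^(?P<kind>user_pref|pref|lockPref|defaultPref)\s*\(\s*"(?P<name>[^"]+)"\s*,'
    r'\s*(?P<value>.+?)\s*\)\s*;?\s*(?://.*)?$'
)

def audit_prefs(text, source, keywords=("normandy", "studies")):
    """List pref lines whose name contains a keyword, like the about:config search."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("//")  # line disabled with doubled slashes
        if commented:
            line = line.lstrip("/").strip()
        m = PREF_RE.match(line)
        if not m or not any(k in m["name"].lower() for k in keywords):
            continue
        findings.append({"source": source, "line": lineno, "kind": m["kind"],
                         "name": m["name"], "value": m["value"],
                         "active": not commented})
    return findings

def still_enabled(findings):
    """Names of matching prefs that are active and set to true."""
    return sorted({f["name"] for f in findings
                   if f["active"] and f["value"] == "true"})

# Constructed sample contents (not taken from the page's screenshots).
SYSTEM_JS = '''\
// constructed system-wide preference file
pref("extensions.update.enabled", true);
// pref("app.normandy.enabled", false);
'''
USER_PREFS = '''\
user_pref("app.normandy.enabled", true);
user_pref("app.shield.optoutstudies.enabled", true); // assumed pref name
user_pref("browser.startup.homepage", "https://example.org/");
'''

def run_sample():
    return (audit_prefs(SYSTEM_JS, "system-wide file (sample)")
            + audit_prefs(USER_PREFS, "prefs.js (sample)"))

if __name__ == "__main__":
    found = run_sample()
    for f in found:
        state = "active" if f["active"] else "commented out"
        print(f'{f["source"]}:{f["line"]} {f["kind"]} {f["name"]} = {f["value"]} ({state})')
    print("still enabled:", still_enabled(found))
```

An empty result from `still_enabled` corresponds to the state in which ‘about:studies’ reports that no new Studies will run.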


 

As improbable as this may sound, by doing this, I caused all the disabled extensions to become re-enabled on one of my computers, and lost no data! :-)  The fact should also be mentioned, however, that even after having enabled Studies, it may take several hours for the Study in question to download. Doing so requires an active Internet connection. On my other eligible computers, I performed the same manoeuvre, but no extensions ever became disabled on those in the first place. And the date is May 5. :-)


 

(Update 5/06/2019, 16h00 : )

Warning:

The way Linux computers work, their software is installed to a root file-system, while user-data is saved to the user’s home directory. Not violating this security principle, plus never giving the Web-browser one’s root password, implies that the Web-browser will also not be able to install any software to the computer’s root file-system.

But, user-space installation is possible under Linux in a limited way. It happens to be a game which Firefox plays extremely well under Linux, to ‘install’ XPI-Extensions, as well as a user’s certificates, to a sub-directory of the hidden Mozilla directory, somewhere in one user’s home directory. Firefox will display and treat these add-ons, almost as though they were equivalent to software installed in the root file-system. This requires that Firefox’s own settings permit this behaviour.

What an X.509 certificate may secure depends entirely on its own encryption algorithms, plus on being included in a valid signing chain that stretches back to an established root certificate. It does not depend on where the certificate came from. Inclusion in a signing chain requires that the holders of the private key belonging to the parent certificate, which states the matching public key, used that private key to sign the certificate being included. And private keys are highly confidential in nature. The functioning of the public keys, all the way up the signing chain, is taken to mean that the legitimate holders of all the required certificates used their own private keys. The MD5 hashing algorithm is no longer used, precisely because the whole world knows that it’s categorically been broken.

Any add-ons installed in this way will not have any effect on other users, nor on a different Firefox Profile.

Further, if the user waits longer, he will find that Mozilla has eventually published Studies, no longer related to this problem, and which will just not work again. Thus, enabling this functionality at the wrong time could have unpredictable consequences.

Dirk

 
