Mozilla requires third-party add-ons to be digitally signed, but an expired certificate disabled them, causing confusion among users of Firefox and the Tor browser over the weekend.
Firefox users spent much of the weekend fretting over a lapsed certificate that disabled all of the browser's add-ons. While the issue did not affect everyone, it did cause enough of a stir that Mozilla had to release updates on Twitter about how they were dealing with the issue.
Thankfully, they released Firefox 66.0.4 on Sunday, which contained a fix for the add-on issue, calming the nerves of millions of users questioning how they would get through the week without the browsers working the way they always had.
There are millions of Firefox add-ons that cover everything from password management to advertisement blockers. The issue also affected users of the Tor browser, which uses Firefox add-ons as well. The Tor browser is a security-focused version of Firefox with a number of privacy-based settings built directly into it, used to browse private websites on what is commonly referred to as the "Dark Web."
"There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week," Mozilla's Kev Needham wrote on their blog, adding that "This release repairs the certificate chain to re-enable web extensions, themes, search engines, and language packs that had been disabled."
Many people tried to find workarounds before Mozilla released their update, but security analysts cautioned against this, as it may have adversely affected the security of certain browsers.
Tor users in particular lamented the loss of NoScript, a security add-on that was disabled along with the rest.
"According to the Tor Browser program, one of our browser add-ons could no longer be trusted and had been turned off - the alert didn't say which one, just that some sort of cybersecurity concern had suddenly arisen. We were online to look into a couple of untrusted sites, and we'd already started digging around when the warning popped up, which increased our sense of disquiet," wrote Paul Ducklin of NakedSecurity. "NoScript is an important security addon that's officially trusted by Tor, as well as being installed by millions of other regular browser users."
The Tor Project released their own statement explaining the issue to their users, even offering a way to get around the issue.
"Due to a mistake in Mozilla's signing infrastructure, NoScript and all other Firefox extensions signed by Mozilla have been disabled in Tor Browser. Because they use NoScript, higher security levels are currently broken for Tor Browser users," they wrote on Saturday.
"Mozilla is working on a fix, and we'll start building a new Tor Browser version as soon as their fix is available. Meanwhile, anyone who is dependent on the security provided by the higher security levels can apply the following workaround."
Troy Mursch, security researcher at Bad Packets, told Forbes on Sunday that although some intrepid users had discovered workarounds, these were not worth it if you had access to another browser. "It's an acceptable risk for the short-term if the user remembers to reenable the 'xpinstall.signatures.required' setting once the permanent fix is in place. If they don't, it leaves the door open for malicious/untrusted add-ons to be installed," he said. "I'd rather keep my data safe versus the risk of losing it while attempting workarounds."
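The follow-up check Mursch's caveat implies, as an added example (not code from Mozilla, the Tor Project or the original article): it reports every profile whose `prefs.js` or `user.js` still sets `xpinstall.signatures.required` to `false`. The function names and the sample preference text are constructed for illustration, and the directory holding the profiles is an assumption supplied on the command line.

```python
import re
import sys
from pathlib import Path

PREF = "xpinstall.signatures.required"
# Firefox persists changed preferences as lines of the form
#   user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample of prefs.js content, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("xpinstall.signatures.required", false);
'''

def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in prefs.js-style text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m and m.group(1) == name:
            value = m.group(2)  # later lines override earlier ones
    return value

def audit_profile(profile_dir):
    """List the files in one profile that switch signature enforcement off."""
    hits = []
    for fname in ("prefs.js", "user.js"):  # user.js is re-applied at each start
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            if read_pref(text) == "false":
                hits.append(fname)
    return hits

def audit_profiles(root):
    """Map profile directory name -> offending files, for profiles under `root`."""
    report = {}
    for entry in sorted(Path(root).iterdir()):
        if entry.is_dir():
            hits = audit_profile(entry)
            if hits:
                report[entry.name] = hits
    return report

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_signing_pref.py <directory containing profiles>")
    for profile, files in audit_profiles(sys.argv[1]).items():
        print(f"{profile}: {PREF} is false in {', '.join(files)}")
```

A profile that appears in the report still accepts unsigned add-ons; an empty report means no profile under that directory overrides the setting to `false`.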
The entire issue started when the digital certificate that Mozilla uses to verify add-ons expired on Friday night. This caused all of the add-ons to be disabled, disrupting the normal functions users expect from the Firefox browser. Tor users were particularly mad because many of the security features they had come to love and value were compromised.
Mozilla has been fighting a dwindling market share of Firefox with a focus on speed and feature improvements.