Will anything be done to prevent adblockers from being disabled remotely again?

I don’t really understand this whole certificate thing, what I do understand is this:
Somehow, by action or inaction, someone other than me disabled my adblocker, remotely, without asking my permission.
Will anything be done to permanently prevent this from happening? I read on reddit that the current fix will “expire” in 2025, is that true? That’s unacceptable.

I’m sure Mozilla will follow up exactly how it could get to this and how they’ll try to avoid this in the future. So the answer for now is that you should wait for the post mortem, which will hopefully outline plans to avoid this issue in the future.

1 Like

I read into this a little more, and essentially the system as it currently works is fail-deadly. At some point in the future, addons will be automatically turned off without user input, unless Mozilla renews the cert. This should be changed to be fail-safe: addons which are already installed should continue to work, even if the Mozilla team does nothing.

Expiration is an important part of certificate security, because there’s always the risk that someone will discover some old Mozilla private key on a discarded hard drive and use it to release malware. Making certificates expire limits the scope of that risk.

So the question is, is it possible to design a system for verifying that add-ons are safe that abides by the above principle, but also prevents another armagadd-on? If, for example, you allowed expired certificates to validate already installed add-ons (and only checked certificate validity at installation time), what would stop some local malware from changing your Firefox user settings to indicate that a bad add-on, signed by a leaked but expired certificate key, is already installed? How can Firefox fail safe (in your sense of the word) when its threat model assumes that certificates over a certain age can’t be trusted, and neither can any configuration on the local hard drive? I think the only solution to this kind of thing is some kind of periodic re-affirmation coming from Mozilla, or some other central, trusted source—which is basically the current state of affairs, where the re-affirmation takes the form of new certificates being shipped in new releases a while (in theory) before the old ones expire. But do you have a different idea?

2 Likes

Allow me, the user, final say on what gets run. End of story. Don’t disable stuff because you think you know better than me, I’d use Chrome if I was interested in a “central authority” controlling my computer.

That was exactly my reaction when I first heard about mandatory extension signing! Then, when the bullet came, I migrated to Dev Edition so I could turn it off. No regrets, and I wasn’t impacted at all by this latest snafu.

Dev Edition is for us, the people who believe we can keep ourselves safe and are offended by anyone else trying to do it for us. For everyone else, extension signing is, I have come to grudgingly accept, a good idea, because there is as yet no way for software on most operating systems to distinguish between ‘my user, who has final say on all things’ and ‘malware surreptitiously acting on behalf of my user, who has final say on all things’ (or in some cases, ‘my user, who has been tricked by malware into doing something other than what they think they’re doing’).

That’s a cop-out. The fact that this bug was invisible to “power users” may have caused it to be overlooked until it caused a 2 day outage and massive damage to Firefox’s reputation. This sort of bug should not be possible in the first place.

I… don’t think that’s how it worked. The cert wasn’t expired, until it was; it’s not like there was a warning period where everyone other than power users saw a bunch of precursor bugs that foretold the armagadd-on.

Agreed that this event shouldn’t have happened, though! If Mozilla chooses to take on the responsibility of keeping non-power-users safe from malicious add-ons in this way, part of that responsibility is maintaining their cert chain. They failed at that, and I’m sure we’ll hear more about what they’re going to do in the future to prevent it from happening again.

But I’m also pretty sure that it won’t be going back on the mandatory extension signing policy, or on the concept of certificate expiration, because those are still best practices for keeping the majority of people who use computers safe from the bad actors out there who actually, not theoretically, have used add-ons as exploits. I want more sovereignty over my machine than the average user does, so I opt out. You can too. You have, after all, final say on which edition of Firefox gets run.

It’s not just “the events yesterday shouldn’t have happened.”
It shouldn’t be possible that inaction by Mozilla exposes users across the globe to potentially malware-infested advertisements, even without updating their browser, (even without restarting their browser!) even on the “extended support release” which is supposed to be for people who don’t want things to suddenly stop working.

I mean, that sounds great. Do you have any idea how to do it without removing the protection against an add-on being sneakily installed by malware via a fifteen-year-old private key? I’m genuinely curious if so, and I’ll march behind your banner if you get one. But if you’re just trading one pitfall for the other, it seems a lot easier to prevent future armagadd-ons through improved ops practices than to prevent future browser hijacking by malware through… I don’t know, keeping all private keys ever used by Mozilla to validate add-ons in Fort Knox indefinitely? Secrecy is hard.

Well for starters, you could have active disabling of old keys. Not passive, where they just go away on such and such a date. Firefox 66.0.4 could have a set of keys it trusts. Those stay trusted forever, as long as that’s the version installed. In other words, if I don’t update, my browser and all addons I have installed stay working, forever, even if the Mozilla Foundation were to cease to exist.
When a new browser version comes out, then you can update what addons are trusted. And I have the choice whether to update or not.

1 Like
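The three policies debated in the posts above (validity checked against the clock, validity checked only at install time, and a key set pinned to the installed release) can be compared side by side. This is an added illustration, not part of any post and not Firefox code; it is a simplified model with no real signature checks, and the key names, day numbers and add-on records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    not_before: int  # day numbers on an arbitrary timeline (constructed)
    not_after: int

@dataclass(frozen=True)
class Addon:
    name: str
    key_id: str        # which signing cert vouches for it
    installed_on: int  # read from the local profile, so local malware can rewrite it

# Constructed sample data, not real Mozilla certificates.
CERTS = {"old-key": Cert(0, 730), "new-key": Cert(700, 2900)}
ADDONS = [
    Addon("adblocker", "old-key", installed_on=400),
    # Dropped by malware on day 800 using a leaked, expired key; install date forged.
    Addon("forged", "old-key", installed_on=400),
]

def valid_now(addon, today, trusted):
    """Expiry checked against the clock: what the thread calls fail-deadly."""
    c = CERTS[addon.key_id]
    return addon.key_id in trusted and c.not_before <= today <= c.not_after

def valid_at_install(addon, today, trusted):
    """Expiry checked only against the locally recorded install date."""
    c = CERTS[addon.key_id]
    return addon.key_id in trusted and c.not_before <= addon.installed_on <= c.not_after

def pinned_to_release(addon, today, trusted):
    """Keys shipped with a release stay trusted until an update removes them."""
    return addon.key_id in trusted

def evaluate(policy, today, trusted):
    """Return {addon name: still enabled?} for one policy on one day."""
    return {a.name: policy(a, today, trusted) for a in ADDONS}

if __name__ == "__main__":
    day = 800  # after old-key expired on day 730
    for policy in (valid_now, valid_at_install, pinned_to_release):
        print(policy.__name__, evaluate(policy, day, {"old-key", "new-key"}))
    # After the user chooses to update to a release that dropped old-key:
    print("updated", evaluate(pinned_to_release, day, {"new-key"}))
```

In this model only the clock-based check rejects the forged add-on without an update, and it is also the only one that disables the legitimate add-on with no action by the user.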

Now there’s a proposal! I don’t know of any operational reason why that couldn’t work, though that doesn’t mean one doesn’t exist. It leaves years-old browsers vulnerable to possibly being subverted by malware through add-ons if an old key is leaked, but that might be an acceptable risk to Moz—there are likely plenty of other ways to pwn years-old browsers, and the risk delta between the possibility of being infected with malware that has access to a private key in use in the correct date range versus having that vector blocked is possibly less than the risk delta between letting a years-old browser on the internet with its add-ons versus without, after multiplying the probabilities of each by the respective potentials for damage. I’d support it; people who don’t update their browsers in years shouldn’t have a reasonable expectation of security on the internet, IMO.

Just replying to link in the associated bug from Mozilla’s bug tracker, I don’t really have any other ideas on how to implement this.

Re: will anything be done. Well, I have seen this before, several times, and instigated by the gov. Point to note and fact: during the last 2 days only of no add-ons in UK, on my pad, I noticed lots of ads, plus the gov spooks’ 6th or 7th attempt to install their spyware on my pad, this time using the cover of masses of crappy ads, which are traffic on your net, making it less noticeable that they were trying to sneak lots of their latest spyware onto my pad, and I’m guessing your equipment too. Ad blockers and the NoScript add-on are not their friend. Plus their limited thinking that lots of Google-instigated ads along with face crook and twit er spyware based under a virtual layer takes time to install and set up. Esp. as you’re thumping away at your damn keyboard in frustration, so with a word from our oppressive gov, please be patient till we get set up and use half of your resources for free. Love you.

Oh, and if you’re on about certs, their spyware comes complete with blank certs and fake ones installed. Also try looking at trust certs, and trust DLLs. Funny old world, ain’t it, every cert in your piece of equipment is totally worthless. I know, I have been watching them watching us for over 5 years now, 6 or 7 attempts to install their spyware caught out. I have got copies of their blank certs, their Facebook, Twitter, Google etc. etc. spyware they install. Think I got a load of blank certs for sale, probably got lots of their files and crap too. Oh yes I have.