If you were using Firefox any time after midnight UTC on Star Wars Day (May the 4th), you probably noticed that all your add-ons were disabled, with the unhelpful message: "... could not be verified for use in Firefox and has been disabled". If you're reading this before 9am or so Pacific time on the 4th, they may still be disabled.

This happened because a certificate in the code-signing certificate chain expired at midnight UTC. The same thing happened three years ago, causing today's version to be dubbed "Armagadd-On-2.0".

You have three options:

  • wait for the fix to roll onto your browser: make sure that "Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run studies" is checked, then browse to about:studies and look for hotfix-update-xpi-signing-intermediate-bug-1548973 (it landed in my browser at 8:18 or so Pacific time)
  • download and run either the Firefox nightly build, LTS, or developer edition, and set xpinstall.signatures.required to false in about:config
  • temporarily switch to Chrome.

This outage highlights a weakness in any security technique that involves code-signing, or indeed anything else that involves the Public Key Infrastructure and X.509 certificates (which is just about everything except SSH and PGP/GnuPG): an expired or revoked certificate can wreak widespread havoc. X.509 certs are used not only for code signing but also for TLS/SSL (the protocol behind HTTPS). At this point there doesn't seem to be much that can be done about it in the near term.
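The failure mode described above, reproduced with a constructed chain (an added example, not Mozilla's code or tooling; the certificate names, the temporary directory and the helper functions are all made up): the leaf is valid for a year, yet verification fails once the one-day intermediate expires. The last function is the monitoring check that flags the short-lived link ahead of time.

```sh
#!/bin/sh
# Constructed chain: root (10 years) -> intermediate (1 day) -> leaf (365 days).
q() { openssl "$@" >/dev/null 2>&1; }   # run openssl quietly
build_chain() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
  q req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem"
  for c in inter leaf; do
    q req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed $c" -keyout "$d/$c.key" -out "$d/$c.csr"
  done
  q x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.cnf" -extensions ca -out "$d/inter.pem"
  q x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -out "$d/leaf.pem"
}
# Verify the leaf as if the clock read epoch time $2; prints valid or invalid.
verify_at() {
  if openssl verify -attime "$2" -CAfile "$1/root.pem" \
       -untrusted "$1/inter.pem" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
  then echo valid; else echo invalid; fi
}
# List every certificate in the chain that expires within $2 seconds.
expiring_within() {
  for c in root inter leaf; do
    openssl x509 -checkend "$2" -noout -in "$1/$c.pem" >/dev/null || echo "$c"
  done
}
CHAIN_DIR=$(mktemp -d)
build_chain "$CHAIN_DIR"
now=$(date +%s)
echo "leaf verified 1 hour from now: $(verify_at "$CHAIN_DIR" $((now + 3600)))"
echo "leaf verified 2 days from now: $(verify_at "$CHAIN_DIR" $((now + 172800)))"
echo "expiring within 2 days:        $(expiring_within "$CHAIN_DIR" 172800)"
```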

Resources