If you were using Firefox any time after midnight UTC on Star Wars Day (May the 4th), you probably noticed that all your add-ons were disabled, with the unhelpful message: "... could not be verified for use in Firefox and has been disabled". If you're reading this before 9am or so Pacific time on the 4th they may still be.
- wait for the fix to roll onto your browser (you can look for it by browsing to about:studies and looking for hotfix-update-xpi-signing-intermediate-bug-1548973) (make sure that "Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run studies" is checked) (it landed in my browser at 8:18 or so Pacific time)
- download and run either the Firefox nightly build, LTS, or developer
edition and set
- temporarily switch to Chrome.
This outage highlights a weakness in any security technique that involves code-signing, or indeed anything else that involves the Public Key Infrastructure and X.509 certificates (which is just about everything except SSH and PGP/GnuPG): an expired or revoked certificate can wreak wide-spread havoc. X-509 certs are used not only for code signing but for TLS/SSL (the protocol behind HTTPS). At this point there doesn't seem to be much that can be done about it in the near term.
- Firefox disabled all add-ons because a certificate expired
- Firefox add-ons disabled en masse after Mozilla certificate issue
- Update Regarding Add-ons in Firefox | Mozilla Add-ons Blog
- bug report
- 1267318 - (armagadd-on) Moving date forward to May 2nd is causing add-on signature "unrecognized issuer" errors