Mozilla Forgot To Renew Certificate, Auto-disabled All Firefox Addons
Mozilla has released an out-of-cycle update for their regular channel Firefox 66 (66.0.4) and Extended Support channel Firefox 60 (60.06.2). This is to address an issue regarding all supported Firefox add-ons rendered disabled as the expired certificate that authenticates them to the browser expired. With the emergency update, Mozilla fixed the broken certificate chain that brought the takedown of affected language packs, web extensions, themes and search engines within the Firefox browser.
“A Firefox release has been pushed — version 66.0.4 on Desktop and Android, and version 60.6.2 for ESR. This release repairs the certificate chain to re-enable web extensions, themes, search engines, and language packs that had been disabled (Bug 1549061). There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week,” explained Mozilla’s Kev Needham in the company’s official blog.
The issue of disabled add-ons was due to Mozilla’s negligence of letting the digital certificate it uses for signing extensions to expire last May 4, 2019. Mozilla started using a digital certificate in order to enforce the use of official extensions from https://addons.mozilla.org/en-US/firefox/extensions/, as the browser prevents add-ons from outside of the official extension site from being installed to Firefox. Last May 4, as soon as the certificate expired, the browser assumed the add-ons installed by the user on their browsers to be from a 3rd party, hence those were automatically disabled.
Another side effect of the certificate expiration failed to be renewed on time is the https://addons.mozilla.org/en-US/firefox/extensions/ itself cannot be used to download add-ons as expected. All extensions hosted on the site were deemed by Firefox 66.0.3 and Firefox 60.06.1 to be invalid, hence installation was disabled since May 4.
The quick and dirty hack used by clever users was the use “Firefox Studies” to enable the use of a new digital certificate, hence authenticating the add-ons installed and available for download as genuine. Unfortunately, as “Firefox Studies” is embedded as part of the Mozilla Telemetry system, those privacy-sensitive users who disable telemetry remain to have their add-ons disabled.
All users of Mozilla Firefox need to download their respective patched updates, in order for the browser to have the valid digital certificate for signing add-ons.