mailto: blog -at- heyrick -dot- eu

Nice one, Mozilla

I woke up this morning to find my installation of Firefox (version 60, I think - I don't upgrade religiously because I'm sick of things being messed around with) reporting that an add-on could not be installed because the archive was corrupt. That seemed odd, but I didn't pay too much attention to it as I was tired last night and might have suffered a fat finger moment. I just paused long enough to note that, in typical modern snowflake fashion, the message tells you why something is wrong, but not what. Which add-on was the cause of this?

I looked up the lyrics to a song I'd been listening to, and suddenly tabs and redirects opened all over the place. Most of them telling me my phone had a virus (it doesn't), or that I'd won an iPhone (I haven't). WTF? I'm running both Ghostery and uBlock Origin.

After swiping away all the unwanted junk, I went to the add-ons manager to find that most of the privacy-related add-ons had suddenly been disabled. Attempting to install new copies resulted in the same error:

Trying older versions, same problem.

A few moments of Googling showed that it was a fault on Mozilla's side, not mine: the intermediate certificate Mozilla uses to sign add-ons had expired, so Firefox could no longer validate the signature on any add-on, including ones it had already installed from Mozilla's own repository. That is why every add-on was disabled at once, and why a freshly downloaded copy was rejected as "corrupt".

Luckily, there is a fix.

Step one - get those add-ons working again

In the URL bar, enter the special address "about:config". If it warns you about dragons, just go ahead anyway. Firefox peed in its pants, you're here to apply some gaffer tape.

You'll see a long list of options, with a little search thingy to the upper right. The setting you want is called xpinstall.signatures.required - luckily you only have to tap in the first few letters and it'll show up. Tap on Toggle to set it to false.

Now understand carefully - with this setting turned OFF, Firefox will install any compatible add-on from anywhere without checking that it carries a valid Mozilla signature. As it happens, this is exactly what we want here (the signature check itself is what's broken), but be clear about what you are giving up, and turn it back on once Mozilla has fixed things. Note also that this preference is honoured on Android, ESR, Developer Edition, Nightly and the unbranded builds, but desktop Release and Beta builds have ignored it since Firefox 48, so on those it does nothing.

Step two - turn off add-on updates

That's the first part of the fix. The second, and optional part, is to disable automatic updates of the add-ons. This may seem like a strange thing to want to do, however:
  • I've had more of my fair share of bait and switch with add-ons and apps, where something you use gets popular and suddenly the things you rely upon vanish to become paid extras, or some company takes over the add-on/app and adds a bunch of things you aren't happy about (like spyware or "let's whitelist preferred advertisers").
  • You have everything set up the way you like it, kindly leave it the ***k alone. It's not a hardship to periodically check updates and install them at my discretion.
  • And, as this episode has demonstrated, if I had disabled automatic add-on updates then I'd be entirely blissfully unaware that anything was wrong.
    And given that what 'failed' was the tracking, filtering, and ability to control what crap third party sites get to run on my browser (default nothing became default everything), I think I'm actually being quite polite to Mozilla for this enormous ballsup.

So, to turn off automatic add-on updates. This really ought to be an option in the Settings UI and not buried in Firefox's "registry", but there you go.
Search for extensions.update.enabled and toggle it to false.


Finally, close that tab, you're done with the settings. Go into add-ons and tap to enable everything that Firefox disabled. Thankfully Firefox has simply been ignoring the add-ons rather than removing them, so their settings are intact and you don't need to reconfigure anything.

Once all that has been done, you might want to force stop Firefox, and restart it, just to be sure. It's the "nuke it from orbit" approach.


I get it, I do. Things should be kept up to date to deal with the latest known security issues, and things should be signed to verify that they come from a trusted source. Unfortunately that model is quite broken (as Google's app store demonstrates, Apple's too to a lesser degree) in that nobody is actually auditing the code. Signing is a basic check that the update came from a registered developer via the repository, but as you can see in the blocklist, it's pretty easy to get a bad add-on signed and distributed until such time as somebody calls foul. In other words, repositories can be gamed, and the fact that something is signed means nothing more than that it really is the file the repository gave you and it wasn't intercepted or modified along the way. That it's any good, that it's not malware, that it's not sending your every keystroke to the KGB or CIA (or both)... signing guarantees exactly nothing in that respect.

Couple this with the fact that neither Android nor Firefox seems to understand the concept of rollback. Okay, fine, the server is acting up and making all of the installations seem invalid. Fair enough: accept that the new version can't be verified, flag it for user intervention (to stop it repeatedly trying to update) and roll back to the version that was previously installed and working.
Why didn't this happen?
Piss-poor programming that clearly never considered the possibility that the signing infrastructure itself would flake out. Piss-poor programming that decided the best way to deal with a verification failure would be to disable the add-on - doing so without even bothering to notify the user for each and every add-on thus affected. And piss-poor programming that made a supposed security/safety feature actually result in a dramatic decrease in security and safety for the end user.
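To make the two points above concrete - that a signature check can fail even though nothing about the add-on changed, and that "signed" says nothing about what the add-on does - here is an added example, not Mozilla's code and not from this post. It builds a hypothetical three-tier chain (root, intermediate, per-add-on leaf) in-process, gives the intermediate an expiry close to the real one (the exact timestamp is a constructed value), signs two constructed "XPI" byte strings, and shows the same signature verifying the day before expiry and failing the day after. It then models two re-verification policies: the behaviour this post describes (any failure disables the add-on) and the rollback/flag behaviour the post argues for, which keeps a previously verified add-on only when the bytes still match the original signature and the sole complaint is a certificate validity date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins for add-on archives. A real XPI is a zip with a
// signed manifest under META-INF; here the signature simply covers the bytes.
var (
	goodXPI = []byte("ublock-origin.xpi (constructed sample bytes)")
	badXPI  = []byte("totally-not-spyware.xpi (constructed sample bytes)")
	// Assumed expiry of the intermediate; chosen to match the May 2019 outage
	// to the day, the exact time is not taken from the post.
	IntermediateExpiry = time.Date(2019, 5, 4, 0, 0, 0, 0, time.UTC)
)

// Chain mirrors a root -> intermediate -> per-add-on leaf hierarchy.
// Every key and certificate is generated in-process (hypothetical names).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// NewChain builds a chain whose intermediate stops being valid at intermediateNotAfter.
// The root and leaf are valid for years either side, so the intermediate is the only
// certificate that can trip the date check.
func NewChain(intermediateNotAfter time.Time) Chain {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	rootT := caTemplate(1, "hypothetical add-on root CA", time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC))
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "hypothetical add-on signing intermediate", intermediateNotAfter), root, &intKey.PublicKey, rootKey)
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "hypothetical add-on leaf"},
		NotBefore: time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2028, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return Chain{Root: root, Intermediate: inter, Leaf: issue(leafT, inter, &leafKey.PublicKey, intKey), LeafKey: leafKey}
}

// SignAddon signs the archive bytes with the leaf key (ECDSA over SHA-256).
func SignAddon(xpi []byte, ch Chain) []byte {
	d := sha256.Sum256(xpi)
	sig, err := ecdsa.SignASN1(rand.Reader, ch.LeafKey, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifySignedAddon does what an add-on signature check does: confirm the
// signature matches the bytes, then build a chain from the leaf to a trusted
// root in which every certificate is valid at time `at`. Note that a valid
// result says nothing about what the add-on does, only where it came from.
func VerifySignedAddon(xpi, sig []byte, ch Chain, at time.Time) error {
	d := sha256.Sum256(xpi)
	if !ecdsa.VerifyASN1(ch.Leaf.PublicKey.(*ecdsa.PublicKey), d[:], sig) {
		return errors.New("signature does not match archive bytes")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	_, err := ch.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

type Decision string

const (
	Enable      Decision = "enable"
	Disable     Decision = "disable"             // what the post saw happen to every add-on
	KeepAndFlag Decision = "keep previous, flag" // what the post argues for
)

// Reverify models the re-check at update time. With verifiedAtInstall=false it is
// the all-or-nothing policy; with it true, an add-on whose bytes still carry the
// signature that verified at install, and whose only failure is a certificate
// date, is kept and flagged for the user. Tampered bytes never reach that branch.
func Reverify(xpi, sig []byte, ch Chain, at time.Time, verifiedAtInstall bool) Decision {
	err := VerifySignedAddon(xpi, sig, ch, at)
	if err == nil {
		return Enable
	}
	var invalid x509.CertificateInvalidError
	if verifiedAtInstall && errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return KeepAndFlag
	}
	return Disable
}

func main() {
	ch := NewChain(IntermediateExpiry)
	sig := SignAddon(goodXPI, ch)
	before, after := IntermediateExpiry.Add(-24*time.Hour), IntermediateExpiry.Add(12*time.Hour)
	fmt.Println("day before expiry:", VerifySignedAddon(goodXPI, sig, ch, before))
	fmt.Println("day after expiry: ", VerifySignedAddon(goodXPI, sig, ch, after))
	fmt.Println("all-or-nothing:   ", Reverify(goodXPI, sig, ch, after, false))
	fmt.Println("rollback/flag:    ", Reverify(goodXPI, sig, ch, after, true))
	// Signing judges origin, not content: the "spyware" archive verifies just as well.
	fmt.Println("bad add-on, good chain:", VerifySignedAddon(badXPI, SignAddon(badXPI, ch), ch, before))
}
```

The failing case returns Go's x509.CertificateInvalidError with Reason Expired, which is the one condition the rollback branch accepts; any mismatch between bytes and signature fails before chain building and is always disabled, so "keep the old one" never keeps something that was altered.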


Nice one, Mozilla.



Your comments:


Mick, 14th May 2019, 01:44
Finally Mozilla have released a fix for versions 52-56. Sorry, Rick, they haven't gone back as far as 4


© 2019 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

