Browser-maker Mozilla has apologised for a gaffe that saw all extensions disabled in Firefox installations worldwide after a security certificate was allowed to expire.
Like the majority of modern browsers, Mozilla's Firefox allows for customisation through the installation of extensions or add-ons - additional software bundles that do anything from change the colour scheme to block adverts or scan links for viruses. In recent years, the organisation has been working to lock down the extension ecosystem by requiring the use of a particular design framework and insisting that all extensions are signed so their authenticity can be validated - and it's this latter feature that is responsible for a worldwide outage of Firefox's extensions system that occurred over the weekend.
'Late on Friday May 3rd, we became aware of an issue with Firefox that prevented existing and new add-ons from running or being installed,' Mozilla's Kev Needham explains in a blog post from the Mozilla Add-Ons team. 'We are very sorry for the inconvenience caused to people who use Firefox.'
The issue came from the expiration of an intermediary certificate, used to validate signed extensions. With the certificate expired, and thus invalid, all extensions' own signatures were also deemed invalid - triggering Firefox's protections against unsigned or invalidly-signed extensions and automatically disabling them from running.
The company's response was swift: A temporary patch was issued through the Studies system, traditionally used to add functionality to only a subset of Firefox users for A-B testing purposes, and was followed by the release of Firefox 66.0.4 and Firefox ESR 60.6.2 with a repaired certificate chain. While Needham admits that 'there are remaining issues that we are actively working to resolve,' the updates should get the majority of Firefox users back on track - and anyone affected by the issue should update to the latest release.
Thus far, Mozilla has not commented on exactly how a key security certificate was allowed to expire - especially given the organisation's part in founding Let's Encrypt, the free and open certificate authority whose Certbot system is specifically designed to automatically renew certificates before they expire.
September 18 2020 | 18:30