The extensions hotfix was not applied yesterday. How can I manually apply it?
Hi folks,
I enabled Studies last night to get the certificate hotfix, and it hasn't appeared in my list. The studies I currently have are:
(Active) prefflip-push-performance-1491171
(Completed) hotfix-reset-xpi-verification-timestamp-1548973, pref-flip-screenshots-release-1369150
hotfix-update-xpi-signing-intermediate-bug-1548973 hasn't appeared on my list. Is there a way to force Firefox to check the active studies? If not, is there a place to manually get the certificate from an official source? Should I reinstall Firefox?
All Replies (12)
hi soylentplaid, most of the users we're seeing at this point where the hotfix didn't apply yet are using security software that's intercepting secure connections (commonly avast/avg, kaspersky, bitdefender and eset), this might prevent the hotfix from applying unfortunately.
if this is applicable to your system as well, as a workaround you could try disabling ssl-scanning in your security software or else wait until mozilla releases a general update to firefox 66.0.4 fixing the matter...
I just need to clarify: In order to receive a security update (to fix a broken certificate) to re-enable add-ons that I consider essential for the security of my browser, I have to disable my antivirus? Doesn't that seem a little extreme to you?
hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface.
references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)
Well, I've gone ahead and disabled SSL checking in Kaspersky (probably for the best if what I'm reading is correct). Is there a way to force another check, or will that happen sometime over the next X hours?
Chosen Solution
i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.
And so it is! (*much rejoicing*)
It's definitely good that you guys were on the problem quickly, although not letting the cert expire would have been better. As feedback, I'll say that using the Studies mechanism to push a hotfix is a bad look (forcing the browser to collect data) and this whole process was a lot more fragile than it needed to be.
Applying the hotfix, for me, involved diving into settings, enabling data collection, waiting and searching for about a day with no feedback as to why it wasn't working, disabling SSL interception in my anti-virus (and restarting my computer), setting app.normandy.first_run to true, then restarting my browser.
I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.
oh great, thanks for reporting back & sorry for all the hassle this was causing!
you can be sure that after this whole incident is dealt with, there will be a diligent post mortem and review of actions that need to be taken at mozilla, so something like this is not gonna happen again.
soylentplaid said
I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.
This was caused by an unforeseen technical problem …..
My Kaspersky doesn't list an SSL thing. When is the fix coming?
philipp said
hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface. references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)
Firefox 66.0.4 was just released for both desktop Firefox and Android Firefox, which should fix the expired certificate problem. An updated Firefox 60 ESR (60.6.2esr) was also released.
- Desktop: Update Firefox to the latest release
- Android: Probably in Google Play?
Sometimes the auto-updater doesn't see an update right away, either because it isn't scheduled to check yet or when you click Check for Updates, because the server is limiting the rate of installations "just in case" it creates a new problem.
At some point, we should get the 66.0.4 and 60.6.2esr full installers through the usual pages, but I currently get the older version:
- Regular release: https://www.mozilla.org/firefox/all/
- ESR release: https://www.mozilla.org/firefox/organizations/all/
You could try opening Help > About Firefox and see if it tells you that Firefox 66.0.4 is available and to Update Now.
I just tried that and was able to update to 66.0.4.
Just finished updating. Thanks for jumping on this issue everyone, it's been a weird couple of days in browser-land.