Wow, so failed renewing signing certificates for add-ons (for the second time actually, first one being bugzil.la/armagadd-on). And there I was thinking that made a terrible mess, with add-on signatures becoming invalid if there were no updates lately...

Follow

Of course, signatures of add-ons should be validated against the date of signing rather than the current date, similarly to how it happens for emails. But it seems that no browser managed to implement this. went without any date checks whatsoever, maybe a better choice.

Just great, even my Google Search link fix extension got a one star rating because of these issue. I feel really sorry for the people at Adblock Plus working overtime this weekend.

@WPalant Wait, what the fuck?

So hypothetically, if I installed Firefox and some add-ons and then went offline indefinitely, those addons would just stop working within a year or two?

@varx Yes, exactly. The certificates will eventually expire and the add-ons will stop working. It seems that Addons.Mozilla.Org will repackage add-ons that are rarely updated, just to update the signature.

@WPalant I didn't get that: how are signatures validated against a date, exactly? 😕

@badrihippo The add-ons are signed with a certificate (even a certificate chain to be exact). It's pretty much the same as with HTTPS. The difference: if the certificate expires, the only way to update it is to release a new version of the add-on. Here Mozilla messed up and an intermediate certificate used for all add-ons expired, so all signatures turned invalid as of today.

@badrihippo Signing binaries on Windows works very similarly, except that this issue has been solved. Rather than checking certificates against the current date, certificates are checked against the date when the binary was signed. Time servers are being used to ensure that signing time cannot be forged.

@WPalant ohh I get it now.

So in the second setup, certificates have to be valid at the time the addon was signed (as opposed to at the current time).

So if the certificate was valid *then* the addon would still be valid *now*. As opposed to the certificate having to stay valid for as long as the addon is in circulation.

@badrihippo Exactly. And sometimes you already get issues with people who cannot install your add-on because their system time is set incorrectly. Which is sort of ok because these people probably cannot browse the web either (HTTPS errors).

@WPalant right, I've had that happen to me too! HTTPS errors, I mean.

Thanks for the clarifications 🙂

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.