Firefox add-ons are disabled due to Mozilla certificate expiration

Mozilla recently issued a statement warning of massive problems with add-ons for Firefox. Within a matter of hours, many users noticed that their browser add-ons had been blocked.

As Mozilla explained in its statement, this happened because the certificate used to generate digital signatures expired. In addition, it became impossible to install new add-ons from the official AMO catalog (addons.mozilla.org).

Faced with the scale of the problem, the Mozilla developers began working on possible solutions, and so far they have limited themselves to a general confirmation of the situation.

The only detail given is that plugins became inactive after the start of 0 hours (UTC) on May 4. The certificate should have been updated a week ago, but for some reason this did not happen and the fact went unnoticed.

Now, a few minutes after the browser starts, a warning is displayed saying that add-ons have been disabled due to digital signature issues, and the add-ons disappear from the list.

Digital signatures are verified once a day or when the browser starts, so add-ons are not disabled immediately in long-running Firefox instances.
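The timing described above, as an added Python example (not Mozilla's code): a signature stops verifying once any certificate in its chain is out of date, a running browser only notices at its next check, and an expiry alert with enough lead time flags the certificate beforehand. The certificate names, the years, the three-certificate chain and the 14-day lead time are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after

def chain_valid(chain, when):
    """A signature verifies only if every certificate in its chain is in date."""
    return all(cert.valid_at(when) for cert in chain)

def first_failed_check(chain, started, interval=timedelta(days=1), max_checks=60):
    """Checks run at startup and then once per interval; return the first failing one."""
    when = started
    for _ in range(max_checks):
        if not chain_valid(chain, when):
            return when
        when += interval
    return None  # nothing expires within the simulated period

def expiring_within(chain, now, lead):
    """Monitoring check: certificates already expired or expiring within `lead`."""
    return [cert.name for cert in chain if cert.not_after - now <= lead]

# Constructed sample data (names, years and chain shape are assumptions).
EXPIRY = datetime(2019, 5, 4, 0, 0, tzinfo=UTC)
CHAIN = [
    Cert("addon-leaf", datetime(2018, 6, 1, tzinfo=UTC), datetime(2023, 6, 1, tzinfo=UTC)),
    Cert("signing-cert", datetime(2017, 5, 4, tzinfo=UTC), EXPIRY),
    Cert("root", datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    # Browser started 6 hours before expiry: add-ons survive until the next daily check.
    print(first_failed_check(CHAIN, datetime(2019, 5, 3, 18, 0, tzinfo=UTC)))
    # Browser started after expiry: add-ons are disabled by the startup check.
    print(first_failed_check(CHAIN, datetime(2019, 5, 4, 9, 0, tzinfo=UTC)))
    # An alert with a 14-day lead, run one week before expiry, names the culprit.
    print(expiring_within(CHAIN, datetime(2019, 4, 27, tzinfo=UTC), timedelta(days=14)))
```

Evaluating `chain_valid` with a clock value before `EXPIRY` also shows why setting the system clock back makes signatures verify again.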

Why is a Mozilla certificate needed?

This whole problem arose because Firefox introduced mandatory verification of add-ons using digital signatures in April 2016.

According to Mozilla, digital signature verification makes it possible to block the distribution of malicious add-ons and spyware.

Some add-on developers disagree with this position and believe that the mandatory digital signature verification mechanism only creates difficulties for developers and lengthens the time it takes to deliver corrective versions to users, without affecting security.

There are many trivial and obvious techniques for bypassing the automated add-on verification system that allow malicious code to be inserted unnoticed, for example by assembling an operation on the fly from several concatenated strings and then executing the resulting string by calling eval.

Yet Mozilla's position comes down to the fact that most malicious add-on authors are lazy and will not resort to similar techniques to hide malicious activity.

Possible solutions?

As a workaround to restore access to add-ons, Linux users can disable digital signature verification by setting the variable "xpinstall.signatures.required" in about:config to "false".

In stable and beta versions this method only works on Linux and Android. On Windows and macOS, such a change is possible only in Firefox Nightly builds and in the version for developers (Developer Edition).

Alternatively, you can set the system clock to a time before the certificate expired. The option to install add-ons from the AMO catalog then returns, but the disabled flag that has already been set is not removed.

Reports on Mozilla Report Tracking

While the problem was ongoing, the Mozilla developers announced that they had started testing a possible solution which, if verified successfully, will soon be delivered to users (a decision to apply the proposed solution has not yet been made).

Digital signature generation for new add-ons is disabled until the fix is applied.


At 13:50 (MSK), distribution began of a solution that restores the disabled add-ons on the user side. The solution will be automatically downloaded through the update delivery system and applied within a few hours.


To speed up delivery, the patch is also packaged as a "study" carried out among users. To enable it, the user has to go to "Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies".



  1.   Osvaldo said

    This solution worked for me right away. The patch must be downloaded with another browser. Then it is dragged to the Firefox add-ons window and the problem is solved.
    https://www.youtube.com/watch?v=wJqiUb9WriM