Skip to main content
  1. Home
  2. Computing
  3. News

Armagadd-on explained: What Firefox learned when expired certificates made havoc

By
Mozilla in Europe/Flickr

If you used Mozilla’s Firefox browser last week, you may have noticed that add-ons stopped working all at once. Though the internet technically didn’t break, all of Firefox’s browser add-ons, the equivalent of Chrome’s extensions, stopped working all at the same time, creating a situation that’s been dubbed the “armagadd-on.”

The problem was initially caught by Firefox Ghief Technology Officer Eric Rescorla at around 6 p.m. PT on May 3 and has since been fixed. It took Firefox roughly 12 hours to rectify the situation and get add-ons functioning again. In what appears to be an embarrassing glitch for the browser, Firefox is now using the incident as a learning lesson on what it can do to not break the internet moving forward.

Recommended Videos

“With that said, obviously, this isn’t an ideal situation and it shouldn’t have happened in the first place,” Rescorla wrote in a detailed postmortem blog post about Firefox’s fix and the length of time it took to issue a patch. “We clearly need to adjust our processes both to make this and similar incidents less likely to happen and to make them easier to fix.”

Related

Firefox’s Armagadd-on

In order to protect users from bad add-ons (there are more than 15,000 third-party add-ons that serve a variety of functions, from blocking ads to managing passwords), Firefox requires the add-ons to be signed in an effort to prevent malicious code from running.

The signing process is complex and is designed to protect users, Firefox said. A pre-installed root certificate is stored in a hardware security module, or HSM, and it is used every year to sign an intermediate certificate that’s kept online. The intermediate certificate is also what is used to sign add-ons. When the add-on is presented, it is issued an end-entity certificate.

Because all the add-ons are signed with the same intermediate certificate, and that certificate was set to expire at 1 a.m. Coordinated Universal Time on May 4, all these extensions started to expire. Since Firefox checks the validity of the certificates every 24 hours, the add-ons didn’t all expire at once and different users were impacted at different times.

Firefox considered several options to remediate the expired certificate. Re-signing every add-on was not possible, Rescorla admitted, given the sheer volume of extensions available for the browser. So Firefox considered a parallel approach of patching Firefox to change the date to ensure that the certificate would be valid again, as well as generating a replacement certificate that was still valid.

Fix deployment

Though internet users were quick to criticize how long it took Firefox to deploy a fix that restored the functionality of add-ons, Rescorla defended the practice, noting that it took some time to get an intermediate certificate issued and that developing a new system add-on takes time.

“As I mentioned above, the Root certificate is in a hardware security module which is stored offline,” he said. “This is good security practice, as you use the Root very rarely and so you want it to be secure, but it’s obviously somewhat inconvenient if you want to issue a new certificate on an emergency basis. At any rate, one of our engineers had to drive to the secure location where the HSM is stored. Then there were a few false starts where we didn’t issue exactly the right certificate, and each attempt cost an hour or two of testing before we knew exactly what to do.”

Moving forward, the company is exploring steps to prevent a situation like this from happening in the future. “First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don’t find ourselves in a situation where one goes off unexpectedly,” Rescorla said. “We’re still working out the details here, but at minimum, we need to inventory everything of this nature.”

Firefox is researching mechanisms to be able to push updates out more quickly. To fix the problem that occurred earlier this month, Firefox used its Normandy Studies mechanism to get the system add-on certificate to its users, but that process has some side effects, like sending unwanted code. The company pledged that it will result more information about the incident next week.

Editors' Recommendations

Topics
Chuong Nguyen
Chuong Nguyen
Computing Writer
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Firefox for desktop will hide those pesky notification permission pop-ups
storyblocks creative survey generations businessman working from home on laptop sitting balcony

Unless you’ve dived into your settings to deal with them, browsing the web means having to battle with those irritating notification permission requests that want to serve up site announcements or even ads.

Sure, you can deal with these requests in a click or two, but it’s still an unwelcome interruption that can prevent what should be an annoyance-free surfing experience.

Read more
Trying to buy a GPU in 2023 almost makes me miss the shortage
Two AMD Radeon RX 7000 graphics cards on a pink surface.

The days of the GPU shortage are long over, but somehow, buying a GPU is harder than ever -- and that sentiment has very little to do with stock levels. It's just that there are no obvious candidates when shopping anymore.

In a generation where no single GPU stands out as the single best graphics card, it's hard to jump on board with the latest from AMD and Nvidia. I don't want to see another GPU shortage, but the state of the graphics card market is far from where it should be.
This generation is all over the place

Read more
HP printers are heavily discounted in Best Buy’s flash sale
The HP - OfficeJet Pro 8034e Wireless All-In-One Inkjet Printer on a desk with a smartphone.

There’s good news in store if you’re looking to land a new printer at a discount this weekend. Best Buy is having a 48-hour flash sale on HP printers, with several that can compete with the best printers seeing some good prices. HP is almost always one of the best laptop brands, and it’s one of the same when it comes to printers. So if you’re looking for a new home or office printer, read onward on how to save on an HP printer at Best Buy.
HP DeskJet 2755e — $60, was $85

The HP DeskJet 2755e is a good entry-level printer. It’s got you covered if your printing needs are pretty basic, or if you don’t need to print in mass. This is a color InkJet printer, which makes it good for almost all uses. It can also make copies and scan in color, and it has mobile and wireless printing functionality. You can get set up quickly and easily with the HP Smart app that guides you through the setup process, and you can also use this app to print, scan and copy documents from your phone.

Read more