Rick's b.log - 2019/05/06
You are 3.133.147.252, pleased to meet you!
|
Rick's b.log - 2019/05/06 |
| It is the 27th of April 2024 You are 3.133.147.252, pleased to meet you! |
|
mailto: blog -at- heyrick -dot- eu
I looked up the lyrics to a song I'd been listening to, and suddenly tabs and redirects opened all over the place. Most of them telling me my phone had a virus (ir doesn't), or that I'd won an iPhone (I haven't). WTF? I'm running both Ghostery and U-Block origin.
After swiping away all the unwanted junk, I went to the add-ons manager to find that most of the privacy related add-ons had suddenly been disabled. Attempting to install new copies resulted in the same error:
Trying older versions, same problem.
A few moments of Googling showed that it was a fault on the server. Some complicated crypto authentication issue that basically meant that Firefox was unable to trust stuff on its own repository.
Luckily, there is a fix.
You'll see a long list of options, with a little search thingy to the upper right. The setting you want is called
Now understand carefully - with this setting turned OFF, you can install any compatible Firefox add-on from anywhere and Firefox will not attempt to check that it is a legitimate add-on. As it happens, this is exactly what we want (as the legitimacy check is broken), but I just wanted to make this clear.
So, to turn off automatic add-on updates. This really ought to be an option in the Settings UI and not buried in Firefox's "registry", but there you go.
Finally, close that tab, you're done with the settings. Go into add-ons and tap to enable everything that Firefox disabled. Thankfully the add-on has simply been ignored by Firefox, you don't need to reconfigure stuff.
Once all that has been done, you might want to force stop Firefox, and restart it, just to be sure. It's the "nuke it from orbit" approach.
I get it, I do. Things should be kept up to date to deal with the latest known security issues, and things should be signed to verify that it's a trusted thing. Unfortunately that model is quite broken (as Google's app store demonstrates, Apple's too to a lesser degree) in that nobody is actually auditing the code. It is a basic check that the update came from a registered user, but as you can see in the blocklist, it's pretty easy to get a bad add-on authenticated and distributed until such time as somebody calls foul. In other words, repositories can be gamed, and the fact that something is signed means nothing more than that it is really the one the repository gave you and it wasn't intercepted/modified along the way. That it's any good, that it's not malware, that it's not sending your every keystroke to the KGB or CIA (or both)... signing guarantees exactly nothing in that respect.
Couple this with the fact that nobody (Android apps nor Firefox both) seem to understand the concept of rollback. Okay, fine, the server is acting up and making all of the installations seem invalid. Fair enough, simply accept that it is invalid, flag it for user intervention (to stop it repeatedly trying to update) and roll back to the version that was previously installed and working.
Nice one, Mozilla.
Nice one, Mozilla
I woke up this morning to find my installation of Firefox (version 60, I think - I don't upgrade religiously because I'm sick of things being messed around with) reporting that an add-on could not be installed because the archive was corrupt. That seemed odd, but I didn't pay too much attention to it as I was tired last night and might have suffered a fat finger moment. I just paused long enough to note that, in typical modern snowflake fashion, the message tells you why something is wrong, but not what. Which add-on was the cause of this?
Step one - get those add-ons working again
In the URL bar, enter the special address "about:config". If it warns you about dragons, just go ahead anyway. Firefox peed in its pants, you're here to apply some gaffer tape.
xpinstall.signatures.required - luckily you only have to tap in the first few letters and it'll show up. Tap on Toggle to set it to false.
Step two - turn off add-on updates
That's the first part of the fix. The second, and optional part, is to disable automatic updates of the add-ons. This may seem like a strange thing to want to do, however:
And given that what 'failed' was the tracking, filtering, and ability to control what crap third party sites get to run on my browser (default nothing became default everything), I think I'm actually being quite polite to Mozilla for this enormous ballsup.
Search for extensions.update.enabled and toggle it to false.
Why didn't this happen?
Piss-poor programming that clearly never considered the possibility that the server itself would flake out. Piss-poor programming that decided the best way to deal with an installation problem would be to disable the add-on - doing so without even bothering to notify the user for each and every add-on thus affected. And piss-poor programming that made a supposed security/safety feature actually result in a dramatic decrease in security and safety for the end user.
Mick, 14th May 2019, 01:44
| © 2019 Rick Murray |
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted. RIPA notice: No consent is given for interception of page transmission. |