cybersecurity

3854 readers

14 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 2 years ago

MODERATORS

[email protected]

Mozilla warns users to update Firefox before certificate expires (www.bleepingcomputer.com)

submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]

8 comments fedilink hide all child comments

Mozilla is warning Firefox users to update their browsers to the latest version to avoid facing disruption and security risks caused by the upcoming expiration of one of the company's root certificates. [...] Users need to update their browsers to Firefox 128 (released in July 2024) or later and ESR 115.13 or later for 'Extended Support Release' (ESR) users.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 1 week ago (1 children)

Signing certs should be expected to expire. Already-installed browser extensions signed by them should not, when the user doesn't want them to.

Doing it the right way would prevent, for one thing, any possible repeat of the problem they had a couple years ago when they simply forgot to renew the cert and one day everyone's browsers unexpectedly stopped working with no way to fix them short of making a new build. The debate was had then, you can go back and read what was said. A thorough review was promised. Presumably Mozilla came came to the wrong conclusion and decided it would be best not to publicise it much.

[–] [email protected] 2 points 1 week ago (1 children)

What is "the right way", exactly?

[–] [email protected] 2 points 1 week ago (1 children)

There are many slightly different options I suppose, but personally I'd start with the simple and obvious approach suggested by the principle of least surprise: Check the expiry date on the extension signing cert only when an extension is installed. On subsequent startups, attempt to check for revocations.

Software should not self-destruct if it can't reach the mothership.

[–] [email protected] 2 points 1 week ago (1 children)

Is it possible for an extension to be present without it triggering Firefox's "installation" flow?

[–] [email protected] 1 points 1 week ago

That would depend on the parameters of "possible" but it has no bearing on the topic at hand. It seems likely that you ask due to mistaking the idea of not requiring everything to be periodically re-signed by Mozilla in order to keep running for the unrelated idea of not checking the signature at all.

P.S. Okay that may be slightly wrong but I mean it's not as if two-years-old keys are automatically compromised just because they're that old. If there's reason to believe they're at risk, let them be revoked for cause.