this post was submitted on 12 Mar 2025
cybersecurity
What is "the right way", exactly?
There are many slightly different options I suppose, but personally I'd start with the simple and obvious approach suggested by the principle of least surprise: Check the expiry date on the extension signing cert only when an extension is installed. On subsequent startups, attempt to check for revocations.
Software should not self-destruct if it can't reach the mothership.
Is it possible for an extension to be present without it triggering Firefox's "installation" flow?
That would depend on the parameters of "possible" but it has no bearing on the topic at hand. It seems likely that you ask due to mistaking the idea of not requiring everything to be periodically re-signed by Mozilla in order to keep running for the unrelated idea of not checking the signature at all.
P.S. Okay, that may be slightly wrong, but I mean it's not as if two-year-old keys are automatically compromised just because they're that old. If there's reason to believe they're at risk, let them be revoked for cause.
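The policy proposed earlier in this thread (check the signing cert's expiry only at install time, then attempt a revocation check on each startup and keep running if the check cannot be completed), modelled as a small Python example. This is an added illustration, not Firefox's or Mozilla's code; the certificate dates, the `Revocation` states and the contrasting `strict_startup_check` are constructed for the comparison.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Revocation(Enum):
    """Outcome of a startup revocation check (constructed states)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # revocation service could not be contacted


@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class InstalledExtension:
    cert: SigningCert
    installed_at: datetime


def can_install(cert: SigningCert, now: datetime) -> bool:
    """Install-time check: the signing cert must be within its validity window now."""
    return cert.not_before <= now <= cert.not_after


def install(cert: SigningCert, now: datetime) -> InstalledExtension:
    if not can_install(cert, now):
        raise ValueError("signing certificate not valid at install time")
    return InstalledExtension(cert=cert, installed_at=now)


def proposed_startup_check(ext: InstalledExtension, now: datetime, status: Revocation) -> bool:
    """Thread's proposal: expiry is not re-checked after install; only an explicit
    revocation disables the extension, so an unreachable service keeps it running."""
    return status is not Revocation.REVOKED


def strict_startup_check(ext: InstalledExtension, now: datetime, status: Revocation) -> bool:
    """Contrast: re-validate the expiry window on every startup and treat an
    unreachable revocation service as failure (the 'self-destruct' behaviour)."""
    return can_install(ext.cert, now) and status is Revocation.GOOD


# Constructed sample: cert valid through 2024, installed mid-2024, started after expiry.
CERT = SigningCert(datetime(2023, 1, 1, tzinfo=timezone.utc),
                   datetime(2025, 1, 1, tzinfo=timezone.utc))
EXT = install(CERT, datetime(2024, 6, 1, tzinfo=timezone.utc))
AFTER_EXPIRY = datetime(2025, 3, 1, tzinfo=timezone.utc)
```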