Firefox Disables All Add-Ons Due to Expired Certificate
It is a right of passage in the tech world where an organization has not “truly” made it until they have had a critical certificate expire on a production system. Last December, millions of smartphones were taken offline when a certificate expired for a supplier of equipment to phone carriers O2 and Softbank. Dozens of SSL certificates expired during the recent US Federal Government shutdown making some US government websites unreachable. Certificate expiration proved to be a costly problem for IoT device makers when hard-coded certificates blocked devices from the internet to obtain an update. These devices had to be returned and replaced. Mozilla is the latest company to demonstrate just how reliant our modern IT-connected society is on SSL certificates and why proper planning is becoming essential.
SSL certificates serve many purposes in today’s connected society. They ensure data transmitted to and from our financial institutions is encrypted and secure, verifies the identity of an e-mail sender, proves that software that’s installed on a system is genuine and came from the actual developer, and were even abused for data exfiltration. A few days ago, some clever researchers noticed that all of their Firefox add-ons had been disabled. These researchers had their system clocks set forward by a day to perform some testing. They became the canary in the coal mine and after reporting their findings to Mozilla, the parent company that develops the Firefox browser discovered that an intermediate code signing certificate was about to expire. Once that certificate expires, all Firefox add-ons would cease working.
A recent survey of almost 1 million endpoints shows that the average user has approximately 13 browser add-ons installed. For many individuals, this may not be too big a deal since they only use extensions like Amazon browsing assistant or Spotify playlist controller. However, there is a subset of individuals that rely on their add-ons for their very safety. The popular anonymity tool the TOR browser’s code base is based on the Firefox browser with very powerful add-ons to protect the user’s identity. TOR is used to help circumvent censorship in countries where it is present and to allow individuals to browse anonymously. Political dissidents and whistleblowers use TOR to communicate with media outlets and watchdog groups while protecting their identity. TOR is a popular tool used by law enforcement for undercover investigations. If these privacy protections were suddenly removed without warning, the consequences would be dire. This was the case with the expiration of Mozilla’s intermediate signing certificate. TOR published an urgent blog notifying its users that privacy protections such as the Firefox add-on NoScript are currently disabled and to exercise extreme caution when browsing the internet since their identity could no longer be protected. On the evening go May 3, Mozilla was not able to replace the expiring certificate in time and users began reporting that their add-ons were disabling themselves without warning. Since then, Mozilla developers have acknowledged the problem and rolled out a hotfix to address it for browsers that, but not before shaking the confidence of Firefox users, who just pushed the browser past 5% market share.
In addition to privacy protections, browser add-ons also provide security protections. Many standalone add-ons perform security functions such as NoCoin, which blocks crypto mining malware from being run on the system. Many popular antivirus software vendors bundle in browser add-ons to provide additional protections when browsing the internet. Disabling these security-focused extensions opens users up to threats such s crypto mining malware, malicious third-party advertisements, and malicious drive-by downloads. While security should always be a defense-in-depth strategy, taking out the security-focused browser add-on makes systems less secure.
The majority of user-based threats come from the internet: phishing, malicious e-mail attachments, and infected webpages. Rather than moving security to the browser and trusting that the browsers do not disable extensions without warning, using an always-on security solution can protect users no matter where they go and what browser they use. Cloud-based security solutions always ensure that users are protected against the latest threats without the need to perform manual patching or updating. With the prevalence and the sheer number of extensions in use by users today, it is essential that users remain protected in the event their browser extensions fail.