Mozilla has released an update today for Firefox that fixes the issue with an expired signing certificate that disabled add-ons for the vast majority of its userbase over the weekend.
"A Firefox release has been pushed - version 66.0.4 on Desktop and Android, and version 60.6.2 for ESR. This release repairs the certificate chain to re-enable web extensions, themes, search engines, and language packs that had been disabled," Kev Needham, a member of the Firefox Add-ons team, said today.
"There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week," Needham added.
Expired certificate snafu
If you're not a Firefox user and you're wondering what this is all about, the update addresses Mozilla's biggest epic fail in the organization's history.
On the night between Friday and Saturday, on May 4 at 12:00 am UTC, the digital certificate that Mozilla was using to sign Firefox add-ons (also called extensions) expired. Mozilla was using this certificate to verify that extensions installed in users' browsers are the same extensions that are hosted on the official Mozilla Add-ons portal.
Once the certificate expired, Firefox browsers couldn't verify the authenticity of locally-installed extensions, and immediately disabled all add-ons in users' browsers.
Additionally, users couldn't re-enable extensions, nor could they install new ones from scratch, for the same reason (the signing certificate had expired), leaving most of Mozilla's 100+ million users without a simple way to re-enable extensions.
The Tor Browser, a Firefox-based off-shoot that relies on Mozilla's Add-ons site for extensions, also had a crucial extension disabled, weakening the privacy-first browser's overall security posture.
Temporary patch came under criticism
Users came up with various hacks to re-enable extensions, and so did Mozilla, which rolled out a temporary patch a few hours after the certificate expired.
This temporary patch used the built-in Firefox Studies feature to ship a "study" that added support for a new signing certificate.
However, this temporary solution didn't reach all users. This was because "Firefox Studies" was disabled for users who didn't agree to send telemetry data back to Mozilla.
The good news is that Mozilla doesn't anticipate new problems after the update to Firefox 66.0.4, which should fix the "disabled add-ons" issue for all users.