Freedombone Blog

Freedom in the Cloud

The Disappearing Firefox Addons

If you are a Firefox user or use one of its derivatives such as Tor browser, then it may not have escaped your attention that all your addons disappeared, including even the default ones such as NoScript.

This appears to have been just a mistake, with someone at Mozilla not renewing a certificate. Although LetsEncrypt exists, TLS certificate expiry is still not all that uncommon, even sometimes on well known sites. Disappearing addons have been a big problem with a relatively mundane cause, but it's a problem which reveals the underlying centralized architecture.

In a decentralized or distributed web, one person forgetting to renew a certificate wouldn't be a big deal. It would only affect them or anyone accessing their server or peer. But in the web we've actually got, one person at Mozilla forgetting something can render all Firefox browsers effectively useless - or at least a lot less secure. If you're relying upon NoScript in Tor browser to defend you, then you could suddenly find that your defenses vanish. Welcome to the totalized web.

Checking signatures on installed software is normal. However, Firefox goes beyond this and repeatedly checks signatures every 24 hours, even if the addon code has not changed. It does this with a hardcoded constant called XPI_SIGNATURE_CHECK_PERIOD, and there's also another constant called MOZ_REQUIRE_SIGNING which indicates that at some point the ability to manually turn off signature checking in about:config is going to go away.

Like most people, I was unaware of all this until NoScript disappeared and couldn't be re-enabled, resulting in the inevitable WTF moment. Apparently there was a minor scandal about addon signing a few years ago, but I must have missed that bandwagon and was probably busy with other things.

So how can this be improved? Within the current paradigm, I think that signatures should only be checked when the source code changes. This means creating a hash of the code and storing it. Only if the stored hash doesn't match the current code should the signature check take place. This would have made yesterday's debacle a lot less acute: in most cases things would have continued to work, and Mozilla would have had time to update their certificate without any big fuss. Hashes could be stored natively so that they can't be spuriously modified by other addons.
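To make the proposal concrete, here is an added illustration of a hash-gated signature check (example code written for this post, not Mozilla's implementation; the class names, the verifier callback and the addon bytes are constructed). It compares the gated policy against the re-verify-every-period baseline when the signing certificate lapses:

```python
import hashlib

class CertificateExpired(Exception):
    """Raised by the simulated verifier when the signing certificate has lapsed."""

def content_hash(addon_bytes: bytes) -> str:
    return hashlib.sha256(addon_bytes).hexdigest()

class HashGatedVerifier:
    """Remembers, per addon, the hash of the bytes that last passed a signature check,
    and only re-invokes the verifier when that hash changes. Assumes the store lives
    in browser-owned storage that addons cannot write to (as the post proposes)."""
    def __init__(self):
        self._last_verified = {}  # addon_id -> sha256 hex of verified bytes

    def check(self, addon_id, addon_bytes, verify_signature):
        """Return (enabled, reason); verify_signature(bytes) -> bool or raises."""
        digest = content_hash(addon_bytes)
        if self._last_verified.get(addon_id) == digest:
            return True, "unchanged since last verification; signature check skipped"
        try:
            ok = verify_signature(addon_bytes)
        except CertificateExpired:
            return False, "signature check failed: certificate expired"
        if ok:
            self._last_verified[addon_id] = digest
            return True, "signature verified"
        self._last_verified.pop(addon_id, None)
        return False, "signature invalid"

def always_verify(addon_bytes, verify_signature):
    """Baseline: the every-24h behaviour the post describes, with no hash gate."""
    try:
        return verify_signature(addon_bytes), "signature checked"
    except CertificateExpired:
        return False, "signature check failed: certificate expired"

def simulate():
    """Day 1: certificate valid. Day 2: certificate expired; installed bytes are
    unchanged, then an updated bundle arrives. Returns the enabled flag per case."""
    v1 = b"// constructed stand-in for the installed NoScript bundle"
    v2 = b"// constructed stand-in for an updated NoScript bundle"
    def good_cert(_b): return True
    def expired_cert(_b): raise CertificateExpired()
    gated = HashGatedVerifier()
    return {"gated_day1": gated.check("noscript", v1, good_cert)[0],
            "gated_day2_unchanged": gated.check("noscript", v1, expired_cert)[0],
            "gated_day2_updated": gated.check("noscript", v2, expired_cert)[0],
            "baseline_day2": always_verify(v1, expired_cert)[0]}
```

The trade-off is visible in the gated case: code that passed once stays enabled until its bytes change, so a later key revocation would need its own path to reach already-verified addons.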

It may also be worth considering whether addons such as NoScript are so essential that they should be built into the browser codebase, rather than being something separate. In the longer term I think that's a better way to go. Mozilla is unlikely to do it, but Tor browser developers could.

Going beyond the current paradigm, the web needs to actually be decentralized or distributed. One company shouldn't be deciding what browser addons people can run and have the ability to turn them off either through malice or oversight. There has been a lot of browser consolidation such that there are now really only two web engines, and this space could do with some disruption - especially with regard to ad blocking. A new browser which has ad blocking as a core feature I think could get quite a lot of traction quite quickly.

Tags: browsers, web, mozilla, addons, signing