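Mozilla's big blunder: expired certificate leaves Firefox users worldwide unable to use extensions [Mozilla rolls out a fix for the Firefox extension certificate problem]
Last edited by 3DM超级玩家 on 2019-5-5 12:38
This morning Mozilla played a not-so-small joke on Firefox users around the world: many people got up, opened their browser and found that none of their extensions worked, and the mobile version was affected as well.
Reinstalling Firefox or reinstalling all the add-ons does not help. From the reports filed on Bugzilla we learned that this happened because Mozilla's official certificate was not renewed in time.
Mozilla has always managed certificates somewhat differently from its competitors, preferring to manage certificates itself or to ship its own certificate system. This gives more freedom both to its online services and on the client side, but once something goes wrong in certificate management, the result is an embarrassing situation like today's.
Being unable to use extensions is a nightmare for the Firefox browser, and it is especially crippling for programmers who rely on it to develop and debug web code.
Until Mozilla renews its certificate, the temporary workaround is to open the about:config page, search for xpinstall.signatures.required and change its value to false, but doing so lowers the browser's security level.
Reddit and Mozilla's Bugzilla community have already blown up over this.
Mozilla forgot to renew the security certificate used to sign Firefox add-ons, which caused extensions to report errors and stop working for Firefox users worldwide; a solution to that problem is now available. Mozilla has confirmed the issue: the expired certificate causes extension installation to fail and prevents existing extensions from working. As a temporary solution, Mozilla has announced a fix.
Our team has identified and rolled out a fix for all Firefox desktop users on Release, Beta and Nightly; the fix will be applied automatically within the next few hours. No steps need to be taken to make add-ons work again.
Most users therefore do not need to do anything.
However, if you have disabled the "Studies" feature, you need to re-enable it for things to return to normal. Mozilla uses this feature to run A/B tests of new functionality.
Firefox users can check whether they have "Studies" enabled by going to:
Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run "Studies";
Once the add-ons have been re-enabled, "Studies" can be disabled again.
The fix takes a few hours to arrive. To check whether you have already received it, enter "about:studies" in the location bar. If the fix is active, you will see "hotfix-update-xpi-signing-intermediate-bug-1548973" or "hotfix-reset-xpi-verification-timestamp-1548973".
Mozilla is working on a more integrated fix for a future update that will no longer use "Studies".
More about this outage can be found on Mozilla's blog.
Official fix for all extensions being disabled
1. Official fix
The official blog explains it clearly: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/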
Our team has identified and rolled-out a fix for all Firefox Desktop users on Release, Beta and Nightly. The fix will be automatically applied in the background within the next few hours. No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or re-install any add-ons as an attempt to fix the issue. Deleting an add-on removes any data associated with it, where disabling and re-enabling does not.
Please note: The fix does not apply to Firefox ESR or Firefox for Android. We’re working on releasing a fix for both, and will provide updates here and on social media.
To provide this fix on short notice, we are using the Studies system. This system is enabled by default, and no action is needed unless Studies have been disabled. Firefox users can check if they have Studies enabled by going to:
Firefox Options/Preferences -> Privacy & Security -> Allow Firefox to install and run studies (scroll down to find the setting)
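Translated, that means:
On the Privacy & Security page, allow studies to be installed
Then wait patiently...
Bugzilla also has all sorts of community workarounds: https://bugzilla.mozilla.org/show_bug.cgi?id=1549017. But the official statement is very clear: There are a number of work-arounds being discussed in the community. These are not recommended as they may conflict with fixes we are deploying. We’ll let you know when further updates are available that we recommend, and appreciate your patience. (May 4, 15:01 EST)
2. Semi-official method
I waited a long time and still had not received the patch, so I scrolled further down... and an expert had posted the direct download address of the patch
So just install this xpi directly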
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
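But this address does not appear to come from Firefox's official mozilla.org, so as far as safety goes, everyone should judge for themselves. However, since an xpi is itself source code, after unpacking the patch you can see that all it really does is add a new certificate for verification: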
var skeleton = class extends ExtensionAPI {
  getAPI(/* context */) {
    return {
      experiments: {
        skeleton: {
          async doTheThing() {
            // first inject the new cert
            try {
              let intermediate = "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";
              let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
              certDB.addCertFromBase64(intermediate, ",,");
              console.log("new intermediate certificate added");
            } catch (e) {
              console.error("failed to add new intermediate certificate:", e);
            }

            // Second, force a re-verify of signatures
            try {
              XPIDatabase.verifySignatures();
              console.log("signatures re-verified");
            } catch (e) {
              console.error("failed to re-verify signatures:", e);
            }
          }
        }
      }
    };
  }
};
So it should be fine. The patch is attached for those who cannot get around the firewall
Name:[email protected]
Size: 9545 bytes (9 KiB)
SHA1: 4F0B44DB0A5E99C94415BEB2D9E3ED66C0D95576
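
An added example (a simplified Node.js model, not Mozilla's code and not part of the original post) of why the hotfix quoted above works: adding an intermediate with a later expiry and re-running verification makes unchanged add-on signatures chain again. It assumes the replacement intermediate keeps the old name and key pair; the function names, certificate names, keys and dates are all constructed.

```javascript
// Added illustration: a toy model of add-on signature chain checking, not Firefox code.
const crypto = require("node:crypto");
const DAY = 86400e3;
const newKey = () => crypto.generateKeyPairSync("ed25519");

// A "certificate" here is a signed statement binding a name to a public key
// for a validity window (the only X.509 fields this incident turns on).
function issue(subject, subjectKey, issuer, issuerKey, notBefore, notAfter) {
  const publicKey = subjectKey.publicKey.export({ type: "spki", format: "pem" });
  const body = JSON.stringify({ subject, issuer, notBefore, notAfter, publicKey });
  return { body, sig: crypto.sign(null, Buffer.from(body), issuerKey.privateKey) };
}

// One link: issuer name matches, cert is inside its window at `now`,
// and the signature verifies under the issuer's public key.
function linkOk(cert, issuerCert, now) {
  const c = JSON.parse(cert.body), i = JSON.parse(issuerCert.body);
  return c.issuer === i.subject && now >= c.notBefore && now <= c.notAfter &&
    crypto.verify(null, Buffer.from(cert.body), crypto.createPublicKey(i.publicKey), cert.sig);
}

// Accept the add-on if any stored intermediate completes leaf -> intermediate -> root.
function verifyAddon(leaf, intermediates, root, now) {
  return linkOk(root, root, now) &&
    intermediates.some((im) => linkOk(im, root, now) && linkOk(leaf, im, now));
}

function scenario() {
  // Constructed dates and names; not the real certificate's fields.
  const t0 = Date.UTC(2017, 0, 1), expiry = Date.UTC(2019, 4, 4), now = expiry + DAY;
  const rootKey = newKey(), caKey = newKey(), addonKey = newKey();
  const far = t0 + 20 * 365 * DAY;
  const root = issue("root", rootKey, "root", rootKey, t0, far);
  const oldCa = issue("signing-ca", caKey, "root", rootKey, t0, expiry);
  const addon = issue("addon@example.test", addonKey, "signing-ca", caKey, t0, far);
  // Renewal assumed to keep name and key, so existing add-on signatures still chain.
  const renewedCa = issue("signing-ca", caKey, "root", rootKey, t0, far);
  // Counter-case: same name but a fresh key cannot vouch for already-signed add-ons.
  const rekeyedCa = issue("signing-ca", newKey(), "root", rootKey, t0, far);
  return {
    beforeExpiry: verifyAddon(addon, [oldCa], root, expiry - DAY),
    afterExpiry: verifyAddon(addon, [oldCa], root, now),
    afterHotfix: verifyAddon(addon, [oldCa, renewedCa], root, now),
    rekeyed: verifyAddon(addon, [oldCa, rekeyedCa], root, now),
  };
}

console.log(scenario());
```

The `afterExpiry` case is the outage: the add-on's own signature is untouched, yet the chain fails because the only intermediate in the store is past its validity window.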