
Folks, I’m seeing a lot of people recommend setting xpinstall.signatures.required to false to fix the Firefox extensions issue.

⚠️ DO NOT DO THIS! ⚠️

It disables signature checking on extensions which means that you open yourself up to malicious extensions if you install any new ones or if you have auto updates on.

Either follow the instructions here nixnet.xyz/ by @amolith

Or go the officially recommended (but less private) route: mastodon.ar.al/@aral/102039553

@aral At the very bottom, I actually list that as a fix 😅 I do make sure to tell users to set it to true again after a day or two.

@amolith I think that will do more harm than good. Even tech savvy folks could forget.

@aral @amolith Case in point: I set that earlier, and forgot to change it back!

@aral @amolith @switchingsocial Or just update Firefox to the latest version. They made a fix.

@narF @amolith @switchingsocial@mastodon.at Ah, cool. Thanks for the heads up.

@narF I run 66.0.3, which was released in April. The download site does not feature any newer version than that. Are you sure this way works?

@amenthes To be honest, I didn't do anything. Two days ago, all my extensions disappeared. Then yesterday they all came back. I did nothing, not even relaunching Firefox. I assumed it was an automatic update.

@narF The update now turned up. 66.0.4 is fine. Maybe different language versions take a little longer to be rolled out.

@aral @amolith Tor Project recommends it too, I wouldn't consider it that bad as long as you don't install new stuff and turn it back on later.

@aral @amolith Thanks, that seems to have worked. It's surprising how uncomfortable it feels surfing naked after having NoScript and ABP on as standard.

@rosjackson @amolith ABP actually makes their money from allowing trackers by companies like Google that give them millions of dollars to not be blocked. I’d highly recommend that you get uBlock Origin if you’re using Firefox.

@aral @amolith Thanks for the recommendation. I'm blocking mostly for security, not because I hate advertising per se, but I'll give it a go.

@aral And that's the reason I didn't do that because it was obvious that it was a Very Bad Idea™️. Installing the hotfix from a reliable source was the better idea. @amolith

@aral @amolith setting xpinstall reenables everything without need to trust any link not hosted @ mozilla. then wait for official mozilla update.

after this update set xpinstall to true again. for sure nobody will install/update addons meanwhile.

@aral @amolith @carcinopithecus@xOr.be #incidentMozilla #vieprivee #firefox firefox-esr: Debian disabled 'studies' probably for security/privacy reasons. Enable it if you wish using about:config. Debian: bugs.debian.org/cgi-bin/bugrep Excellent comment there by Bill Allombert: ***"The fact that this bug allows Mozilla to disable remotely security extensions like noscript is a major security issue."*** xpinstall.signatures.required = false (and disable addon auto-updates) looks safer than allowing studies.

@aral @amolith True, I did recommend this thinking it would be obvious not to install new add ons during this period but I did not think of the auto updates...

@aral There's reasons why some people recommend it.

Downloading something to install on your system from a mass surveillance company's server IS NOT acceptable. Letting Mozilla collect a shitload of data, AND store it on Google servers, just to update an expired intermediate certificate is NOT acceptable either.

Not to mention the fact Debian's build has been compiled without "Studies" support, meaning the latter "solution" won't work on Debian.

@amolith

@aral And surfing naked on 2019's polluted shitty "web" IS not acceptable either.

On the other hand, even though it's a dirty workaround, disabling signature check temporarily MIGHT be accepted *only if you know* what you're doing:
- You have disabled auto updates for addons
- You make sure you don't install any update or new extension.
- And of course, you don't forget to enable it again once you have a fix available/installed.

@amolith
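
Several replies above mention forgetting to set xpinstall.signatures.required back to true, or leaving add-on auto-updates on while it is false. The following is an added example, not code from anyone in the thread: a Python check that reads a Firefox profile's prefs.js and user.js and reports that state. The function names, the sample preference text and the listed default values are assumptions made for this illustration.

```python
import re
from pathlib import Path

# Matches boolean lines such as: user_pref("xpinstall.signatures.required", false);
# Commented-out lines (starting with //) do not match because of the ^ anchor.
BOOL_PREF = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE)

# Assumed built-in defaults; a pref missing from the files keeps its default.
DEFAULTS = {
    "xpinstall.signatures.required": True,
    "extensions.update.enabled": True,
    "extensions.update.autoUpdateDefault": True,
}

def parse_bool_prefs(text):
    """Return {pref name: bool} for every boolean user_pref() line in text."""
    return {name: value == "true" for name, value in BOOL_PREF.findall(text)}

def audit(prefs_js, user_js=""):
    """Return findings for the effective settings of one profile."""
    effective = dict(DEFAULTS)
    effective.update(parse_bool_prefs(prefs_js))
    effective.update(parse_bool_prefs(user_js))  # user.js is applied on top at startup
    findings = []
    if not effective["xpinstall.signatures.required"]:
        findings.append("signature checking is disabled")
        # The combination warned about in the thread: unsigned add-ons are
        # accepted while updates can still be fetched automatically.
        if (effective["extensions.update.enabled"]
                and effective["extensions.update.autoUpdateDefault"]):
            findings.append("add-on auto-update is on while signatures are not checked")
    return findings

def audit_profile(profile_dir):
    """Audit a profile directory; a missing file counts as empty."""
    def read(name):
        path = Path(profile_dir) / name
        return path.read_text(encoding="utf-8", errors="replace") if path.exists() else ""
    return audit(read("prefs.js"), read("user.js"))

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("xpinstall.signatures.required", false);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS):
        print("WARNING:", finding)
```

An empty result means the profile is back to checking signatures; individual add-ons can carry their own update setting, which this check does not read.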

Aral’s Mastodon

This is my personal Mastodon.