X
Tap here to go to the mobile version of the site.

Support Forum

The extensions hotfix was not applied yesterday. How can I manually apply it?

Posted

Hi folks,

I enabled Studies last night to get the certificate hotfix, and it hasn't appeared in my list. The studies I currently have are:

(Active) prefflip-push-performance-1491171

(Completed) hotfix-reset-xpi-verification-timestamp-1548973 pref-flip-screenshots-release-1369150

hotfix-update-xpi-signing-intermediate-bug-1548973 hasn't appeared on my list. Is there a way to force Firefox to check the active studies? If not, is there a place to manually get the certificate from an official source? Should I reinstall Firefox?

Hi folks, I enabled Studies last night to get the certificate hotfix, and it hasn't appeared in my list. The studies I currently have are: (Active) prefflip-push-performance-1491171 (Completed) hotfix-reset-xpi-verification-timestamp-1548973 pref-flip-screenshots-release-1369150 hotfix-update-xpi-signing-intermediate-bug-1548973 hasn't appeared on my list. Is there a way to force Firefox to check the active studies? If not, is there a place to manually get the certificate from an official source? Should I reinstall Firefox?

Chosen solution

i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.

Read this answer in context 1
Quote

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

More Information

philipp
  • Top 25 Contributor
  • Moderator
5287 solutions 23361 answers

hi soylentplaid, most of the users we're seeing at this point where the hotfix didn't apply yet are using security software that's intercepting secure connections (commonly avast/avg, kaspersky, bitdefender and eset), this might prevent the hotfix from applying unfortunately.

if this is applicable to your system as well, as a workaround you could try disabling ssl-scanning in your security software or else wait until mozilla releases a general update to firefox 66.0.4 fixing the matter...

hi soylentplaid, most of the users we're seeing at this point where the hotfix didn't apply yet are using security software that's intercepting secure connections (commonly avast/avg, kaspersky, bitdefender and eset), this might prevent the hotfix from applying unfortunately. if this is applicable to your system as well, as a workaround you could try [https://support.mozilla.org/en-US/kb/error-codes-secure-websites#w_antivirus-products disabling ssl-scanning in your security software] or else wait until mozilla releases a general update to firefox 66.0.4 fixing the matter...
Was this helpful to you?
Quote

Question owner

I just need to clarify: In order to receive a security update (to fix a broken certificate) to re-enable add-ons that I consider essential for the security of my browser, I have to disable my antivirus? Doesn't that seem a little extreme to you?

I just need to clarify: In order to receive a security update (to fix a broken certificate) to re-enable add-ons that I consider essential for the security of my browser, I have to disable my antivirus? Doesn't that seem a little extreme to you?
Was this helpful to you?
Quote
philipp
  • Top 25 Contributor
  • Moderator
5287 solutions 23361 answers

hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface.

references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)

hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface. references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)
Was this helpful to you? 0
Quote

Question owner

Well, I've gone ahead and disabled SSL checking in Kaspersky (probably for the best if what I'm reading is correct). Is there a way to force another check, or will that happen sometime over the next X hours?

Well, I've gone ahead and disabled SSL checking in Kaspersky (probably for the best if what I'm reading is correct). Is there a way to force another check, or will that happen sometime over the next X hours?
Was this helpful to you?
Quote
philipp
  • Top 25 Contributor
  • Moderator
5287 solutions 23361 answers

Chosen Solution

i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.

i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.
Was this helpful to you? 1
Quote

Question owner

And so it is! (*much rejoicing*)

It's definitely good that you guys were on the problem quickly, although not letting the cert expire would have been better. As feedback, I'll say that using the Studies mechanism to push a hotfix is a bad look (forcing the browser to collect data) and this whole process was a lot more fragile than it needed to be.

Applying the hotfix, for me, involved diving into settings, enabling data collection, waiting and searching for about a day with no feedback as to why it wasn't working, disabling SSL interception in my anti-virus (and restarting my computer), setting app.normandy.first_run to true, then restarting my browser.

I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.

And so it is! (*much rejoicing*) It's definitely good that you guys were on the problem quickly, although not letting the cert expire would have been better. As feedback, I'll say that using the Studies mechanism to push a hotfix is a bad look (forcing the browser to collect data) and this whole process was a lot more fragile than it needed to be. Applying the hotfix, for me, involved diving into settings, enabling data collection, waiting and searching for about a day with no feedback as to why it wasn't working, disabling SSL interception in my anti-virus (and restarting my computer), setting app.normandy.first_run to true, then restarting my browser. I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.
Was this helpful to you?
Quote
philipp
  • Top 25 Contributor
  • Moderator
5287 solutions 23361 answers

oh great, thanks for reporting back & sorry for all the hassle this was causing!

you can be sure that after this whole incident is dealt with, there will be a diligent post mortem and review of actions that need to be taken at mozilla, so something like this is not gonna happen again.

oh great, thanks for reporting back & sorry for all the hassle this was causing! you can be sure that after this whole incident is dealt with, there will be a diligent post mortem and review of actions that need to be taken at mozilla, so something like this is not gonna happen again.
Was this helpful to you?
Quote
McCoy
  • Top 10 Contributor
520 solutions 4863 answers

soylentplaid said

I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.

This was caused by an unforeseen technical problem …..

''soylentplaid [[#answer-1219424|said]]'' <blockquote> I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates. </blockquote> This was caused by an unforeseen technical problem …..
Was this helpful to you?
Quote
tfinniii 4 solutions 125 answers

My Kaspersky doesn't list a SSL thing.When is the fix coming

philipp said

hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface. references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)
My Kaspersky doesn't list a SSL thing.When is the fix coming ''philipp [[#answer-1219381|said]]'' <blockquote> hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface. references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment) </blockquote>
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8632 solutions 70600 answers

Helpful Reply

Firefox 66.0.4 was just released for both desktop Firefox and Android Firefox, which should fix the expired certificate problem. An updated Firefox 60 ESR (60.6.2esr) was also released.

Sometimes the auto-updater doesn't see an update right away, either because it isn't scheduled to check yet or when you click Check for Updates, because the server is limiting the rate of installations "just in case" it creates a new problem.

At some point, we should get the 66.0.4 and 60.6.2esr full installers through the usual pages, but I currently get the older version:

Firefox 66.0.4 was just released for both desktop Firefox and Android Firefox, which should fix the expired certificate problem. An updated Firefox 60 ESR (60.6.2esr) was also released. * Desktop: [[Update Firefox to the latest release]] * Android: Probably in Google Play? Sometimes the auto-updater doesn't see an update right away, either because it isn't scheduled to check yet or when you click Check for Updates, because the server is limiting the rate of installations "just in case" it creates a new problem. At some point, we should get the 66.0.4 and 60.6.2esr full installers through the usual pages, but I currently get the older version: * Regular release: https://www.mozilla.org/firefox/all/ * ESR release: https://www.mozilla.org/firefox/organizations/all/
Was this helpful to you? 1
Quote
the-edmeister
  • Top 25 Contributor
  • Moderator
5395 solutions 40083 answers

You could try opening Help > About Firefox and see it tells you that Firefox 66.0.4 is available and to Update Now.

I just tried that and was able to update to 66.0.4 .

You could try opening '''Help''' > '''About Firefox''' and see it tells you that Firefox 66.0.4 is available and to '''Update Now'''. I just tried that and was able to update to 66.0.4 .
Was this helpful to you? 1
Quote

Question owner

Just finished updating. Thanks for jumping on this issue everyone, it's been a weird couple of days in browser-land.

Just finished updating. Thanks for jumping on this issue everyone, it's been a weird couple of days in browser-land.
Was this helpful to you?
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.