Bitcoin Forum

Bitcoin => Wallet software => Topic started by: DaveF on May 04, 2019, 12:12:09 PM



Title: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: DaveF on May 04, 2019, 12:12:09 PM
1) To mods if you think this goes elsewhere please move it.
2) To everyone else. Read below.

Mozilla (the people who make FireFox) did not renew one of their SSLs yesterday. This broke / forced disable almost all extensions.
A fix is in the works.

IF YOU ARE USING A WEB WALLET WITH ANY EXTENSION FOR SECURITY OR SAVING PASSWORDS OR BLOCKING MALWARE SITES.
PLEASE BE EXTRA EXTRA CAREFUL.
YOU SHOULD NOT BE USING A WEB WALLET ANYWAY, BUT THIS JUST MAKES IT WORSE.

Read more here:

(you of course checked the link before clinking....Right???)

https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/14 (https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/14)

-Dave


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: o_e_l_e_o on May 04, 2019, 04:04:55 PM
There is a workaround for this to make your browser at least usable again until Mozilla fix it.

First click Help -> Troubleshooting Information, and copy the location of your Profile Folder.
Next, open a new tab and type "about:debugging" without quotes in to the URL, and hit enter.
Then, click on "Load Temporary Add-on" and paste in the location of your Profile Folder to the navigation bar.
Open the "extensions" folder inside your Profile Folder, and be met with a bunch of .xpi files. These are all your add-ons.
Open each one in turn to reload all your add-ons.

This is temporary, and will need to be done each time you close and re-open your browser.


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: ETFbitcoin on May 04, 2019, 04:34:38 PM
You also can disable xpinstall.signatures.required on about:config page on some version/build of Firefox.
It's more convenient than o_e_l_e_o, but have few security implication and you should make sure to enable it again once the problem has been resolved.

On a side note, for those who use AdBlock, uBlock or NoScript, make sure you're not fooled with advertising, pop-up or fake button :P


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: 100bitcoin on May 04, 2019, 05:32:47 PM
Does SSL encryption works because someone pays licensing fee? Sorry for being ignorant, but is this really how web security works?


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: DaveF on May 04, 2019, 05:42:22 PM
Does SSL encryption works because someone pays licensing fee? Sorry for being ignorant, but is this really how web security works?
Short version:
No. But SSL certificates have valid from and to dates. They do have to be renewed / updated

Longer version, probably wrong on some things, and missing *a lot* of detail but generally covering the situation.

What happened here is Firefox will verify that the addons you have are legitimate and safe.
It talks back to the servers that know this over SSL.
In order to avoid certain compromises it knows certain things about the SSLs, (call it a serial number, not 100% the same but close enough) and does not just assume they are good. Unlike what happens when you just use https: which will take just about any SSL cert as good unless it has been specifically revoked.

One of those expired this AM at 00:00 UTC

Unlike getting an SSL for a website for free or $10.00 there are more checks that have to go into these certs.
Also since certain things are coded into the browser for safety that has to be updated also.

-Dave


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: o_e_l_e_o on May 04, 2019, 07:07:29 PM
You also can disable xpinstall.signatures.required on about:config page on some version/build of Firefox.
It's more convenient than o_e_l_e_o, but have few security implication and you should make sure to enable it again once the problem has been resolved.
This works for Dev and Nightly builds, but unfortunately not for standard Firefox builds, which the majority of users are using. Here's a better workaround than the one I previous posted, which will work on all versions of Firefox. (Disclaimer: Don't trust anonymous strangers and go pasting random pieces of code from the internet in to your browser without first understanding what they do.) Taken from this reddit post. (https://www.reddit.com/r/firefox/comments/bkcjoa/all_of_my_addons_got_disabled_and_they_are_all/emggvbx/)

First, go to about:config and set devtools.chrome.enabled to "True".
Then, open your browser console by going Tools -> Web Developer -> Browser Console or hitting Ctrl+Shift+J.
Paste the following code and hit enter
Code:
async function set_addons_as_signed() {
    Components.utils.import("resource://gre/modules/addons/XPIDatabase.jsm");
    Components.utils.import("resource://gre/modules/AddonManager.jsm");
    let addons = await XPIDatabase.getAddonList(a => true);

    for (let addon of addons) {
        // The add-on might have vanished, we'll catch that on the next startup
        if (!addon._sourceBundle.exists())
            continue;

        if( addon.signedState != AddonManager.SIGNEDSTATE_UNKNOWN )
            continue;

        addon.signedState = AddonManager.SIGNEDSTATE_NOT_REQUIRED;
        AddonManagerPrivate.callAddonListeners("onPropertyChanged",
                                                addon.wrapper,
                                                ["signedState"]);

        await XPIDatabase.updateAddonDisabledState(addon);

    }
    XPIDatabase.saveChanges();
}

set_addons_as_signed();
You may then need to restart Firefox for all add-ons to load properly.
You will need to redo this every 24 hours until Mozilla release a fix.


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: ETFbitcoin on May 04, 2019, 07:21:23 PM
You also can disable xpinstall.signatures.required on about:config page on some version/build of Firefox.
It's more convenient than o_e_l_e_o, but have few security implication and you should make sure to enable it again once the problem has been resolved.
This works for Dev and Nightly builds, but unfortunately not for standard Firefox builds, which the majority of users are using.

Actually, it also works on Firefox ESR, even though it's usually only available by default on some linux distro or organization (business, academic, government, etc.).

Also, download Firefox ESR is safer than execute script from stranger, especially for regular users.


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: klaaas on May 04, 2019, 09:39:30 PM
Didnt expected firefox failing to fix this way before this date. Pretty sure they will keep an eye on it now.
More info can be found here https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: o_e_l_e_o on May 05, 2019, 10:50:37 AM
Looks like Mozilla have released a temporary fix via the studies system until they can work out a permanent fix. This should download automatically in the background, provided you haven't turned off studies. Studies will be turned off if you have turned off allowing Firefox to send data back to Mozilla. You can check by going to Tools -> Options -> Privacy & Security and scrolling down to near the bottom. You will need to turn studies back on and wait for a few hours for the fix to automatically activate. You can check whether the fix is active by looking in about:studies for hotfix-update-xpi-signing-intermediate-bug-1548973. Once it is either listed under Active or Completed, you can turn studies back off in Options if you want.

More info here: https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/#workarounds


Title: Re: 4-May-2019 Web Wallet USERS who use FireFox READ THIS
Post by: Pmalek on May 06, 2019, 08:44:30 AM
There was a new Firefox update yesterday and according to Mozilla the issue has now been fixed.
Quote
Repaired certificate chain to re-enable web extensions that had been disabled
https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew