Firefox broke add-ons because it let a security certificate expire

Ewdison Then - May 5, 2019, 8:44 pm CST

What should probably have been an uneventful weekend, or a weekend spent watching Avengers: Endgame, turned out to be a mini-nightmare for the folks at Mozilla. The developers of the Firefox web browser spent the past two days feverishly working to re-enable users’ add-ons that suddenly became unusable on Friday night. All because Mozilla forgot that a critical security certificate would be expiring that day and wasn’t able to renew it in time.

Running a software store isn’t easy, as the operator is basically responsible for the software found there. A mere promise isn’t enough, so the idea of certificates was born. In theory, a security certificate gives software, in this case Firefox browser add-ons, some semblance of authenticity when it is digitally signed using Mozilla’s certificate. In practice, it also means that Mozilla’s certificate can become a single point of failure.

That’s certainly what happened when the clock struck midnight on May 4, 2019 UTC (GMT). That was the time when the signature for that particular certificate would expire. Someone at Mozilla forgot about that and didn’t prepare to renew it beforehand, which in effect caused most but not all add-ons to suddenly appear broken.
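The single point of failure described above, as an added illustration that is not from the original article or from Mozilla's code: a signature is only accepted while every certificate in its chain is within its validity period, so a renewal check needs lead time. The chain names and all dates except the May 4, 2019 expiry are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed signing chain (hypothetical names, not Mozilla's real certificates).
# notAfter uses the text form that OpenSSL prints.
CHAIN = [
    {"name": "example-root", "not_after": "Jan  1 00:00:00 2030 GMT"},
    {"name": "example-addon-signing-ca", "not_after": "May  4 00:00:00 2019 GMT"},
    {"name": "example-addon-leaf", "not_after": "Jan  1 00:00:00 2025 GMT"},
]

def not_after(cert):
    """Parse a certificate's notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["not_after"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def first_expired(chain, when):
    """Return the name of the first certificate expired at `when`, else None.

    notAfter is inclusive, so a certificate is expired only after that instant.
    """
    for cert in chain:
        if when > not_after(cert):
            return cert["name"]
    return None

def expiry_report(chain, now, warn_days=60):
    """Classify every certificate as EXPIRED, RENEW_SOON or OK at time `now`."""
    report = {}
    for cert in chain:
        remaining = not_after(cert) - now
        if remaining < timedelta(0):
            status = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            status = "RENEW_SOON"
        else:
            status = "OK"
        report[cert["name"]] = (status, remaining.days)
    return report

if __name__ == "__main__":
    midnight = datetime(2019, 5, 4, tzinfo=timezone.utc)
    # The leaf is still in date, yet the chain fails one second past midnight.
    print("blocking cert:", first_expired(CHAIN, midnight + timedelta(seconds=1)))
    # A scheduled check a month earlier would have flagged the renewal.
    for name, (status, days) in expiry_report(CHAIN, midnight - timedelta(days=33)).items():
        print(f"{name}: {status} ({days} days left)")
```
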

The good news is that Mozilla has already fixed the issue by now. The band-aid fix requires no user action, but only if the user has enabled the Studies program in the browser’s privacy settings. You can enable that temporarily, get the “study” that applies the hotfix, and then disable it again. Alternatively, you can also update to the latest version of Firefox, v66.0.4, for a more permanent fix.

Lapses and mistakes do happen and, to its credit, Mozilla did spring into action immediately. But when you’re a web browser developer promoting security and have been bitten by the exact same mistake before, it can be pretty embarrassing.

