The UI knob is
Options -> Privacy & Security > Allow Firefox to install and run studies
They're using the studies system to push this hotfix faster for those that have it enabled.
Edit: Source:
See: https://discourse.mozilla.org/t/certificate-issue-causing-ad...
> In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.
Normandy seems to be the internal name for this system: https://github.com/mozilla/normandy
Why is it supposed to be reassuring that their “studies” can override the cryptographic infrastructure?
Edit: rephrase for clarity
Thank you.
I happen to be one of the users with Normandy disabled, so I'm foobar'd anyway. That said, the reason I disabled it is because it is a security hole you could drive a semi-truck through. And now they want us to enable it to provide a "fix" for the secure way in?
I thought I was the only one who saw a problem with that. Your post is evidence that I'm not completely off in my thinking.
And thank you for assuring me I wasn’t alone in worrying about that!
The studies system is also code-signed, but with a different certificate chain, hence why it wasn't affected. What security hole do you think this opens in Firefox?
If you don't trust your software provider, "studies" don't matter. The same but could come through a regular update. If you don't want to be on bleeding edge, that's fine, and if the UI for Normandy is bad, that's an issue, but it's nonsense to accept updates and then say you don't want updates.
No, it's not. This Normandy nonsense and stories are two separate, yet creepy features. I've already disabled stories but it looks like Mozilla still retains control of my preferences (without disclosing it).
I sure wonder how people so suspicious of Mozilla dare use their browser.
Setting preferences really should not be shocking, given that they have the capacity to run automatic updates. I'm more surprised that they can push code without certificates.
> I'm more surprised that they can push code without certificates.
Where are you getting this from? AFAIK all Mozilla code / prefs they can push should be signed -- this very issue seems to stem from the cert used to sign AMO extensions expired.
The expires certificate seems to be in a chain concerning extensions. Not necessarily the same chain concerning core browser updates...
Easy: There's a difference between static, shipped code and a capability to modify software at a distance (which could even by hijacked by an attacker who infiltrates Mozilla's infrastructure.)
If your threat model includes the hijacking of Mozilla's infrastructure, I assume you read and verify the entirety of the Firefox source with every new version before using it, right?
Obviously not?
But there are trustworthy people working with and integrating that code, there's a good chance they'll notice a hinky commit, and they're very close to having completely reproducible builds—which means that there can be verification that the shipped binary matches the inspected source.
https://gregoryszorc.com/blog/2018/06/20/deterministic-firef...
Because Mozilla is easier to lock down than Chrome.
I guess "easier" isn't the word really, because Chrome can't really ever be locked down. It's pretty much always, effectively, an open book to Google.
You can lock down everything in Firefox. The drawback being, of course, times like this, when you can't get the fix unless you leave Normandy enabled. (Which I didn't.)
>:-(
Grrrr.
They are using the Studies system in a complete violation of the way they said they would use the studies system for when it was announced. This is not surprising since Mozilla is becoming about as Trust Worthily as Google or Facebook
>The UI knob is > Options -> Privacy & Security > Allow Firefox to install and run studies
Well it's a half-assed knob then, because it was unchecked and still I had app.normandy.enabled = true somehow.