Instead of enabling studies just click on this link. It installs that specific "study" (hotfix) without installing anything else.
https://storage.googleapis.com/moz-fx-normandy-prod-addons/e...
Hold up there. Before people start clicking and installing random add-on links, how about linking to something official (either from a FF dev, or in a source repository) that references this URL?
So, I just got this url from this HN comment:
https://news.ycombinator.com/item?id=19825921
I'm not clear if they rehosted the XPI or if that's the original mozilla url.
I'm not too worried about it either. The only reason anyone is clicking on this fine link is because firefox only lets you install addons signed by Mozilla. And since the typical signing process gives addons signed by the broken intermediary we can be pretty confident that this wasn't just signed by mozilla, but is the original study.
In general caution about installing software from random links is definitely a good idea though.
Edit: Looks to me like it's an original mozilla url (judging by github comments on mozilla/normandy - I haven't found an official source saying it is official due to lack of continuing to search: https://github.com/mozilla/normandy/pull/1697)
>I'm not too worried about it either. The only reason anyone is clicking on this fine link is because firefox only lets you install addons signed by Mozilla.
unzip *.xpi
nano META-INF/manifest.mf
gives me
Manifest-Version: 1.0

Name: background.js
Digest-Algorithms: MD5 SHA1
MD5-Digest: pcBRGwbuhPz06VrGWmAitQ==
SHA1-Digest: szDd6YcB3bpF+NusZhEHhmMDi5U=

Name: content.js
Digest-Algorithms: MD5 SHA1
MD5-Digest: CGOATrflEiq+QEu1IZlFvQ==
SHA1-Digest: ps2bMGGRQdb4E7VOakqQEhJ8M5c=

Name: content.js.map
Digest-Algorithms: MD5 SHA1
MD5-Digest: FY98a5hwQKH3g1fKcGK04A==
SHA1-Digest: bAzZBP+YQ3EDWUXpqzKcTUw35Y0=

Name: manifest.json
Digest-Algorithms: MD5 SHA1
MD5-Digest: eEm4sDKemttFN7G7JeLo0g==
SHA1-Digest: 5W8OY1mk3QjECHzHna00iNXo9mM=

Name: experiments/skeleton/api.js
Digest-Algorithms: MD5 SHA1
MD5-Digest: 0RBtD2TRmeE30v9+4TxXYA==
SHA1-Digest: 2Uq9PO2H1iks/Cb7VAkfGrrD6hA=

Name: experiments/skeleton/schema.json
Digest-Algorithms: MD5 SHA1
MD5-Digest: nSzuviuP+VtUvjE4IyIVhQ==
SHA1-Digest: W311W+MXcHSsHIVFP15zxGUmQS8=
===
The hashes that certify the integrity of the files are under rigorous protection of ... MD5 and SHA1 (!)
What's your point?
There might be a very difficult preimage attack on MD5.
There's no evidence of a preimage attack on SHA1.
There is absolutely no way you're doing both at once.
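The two comments above argue about what the MD5/SHA1 digests in META-INF/manifest.mf actually protect. The script below is an added example, not code from the thread, from Mozilla, or from the hotfix XPI: it parses a manifest.mf in the blank-line-separated "Name / Digest-Algorithms / MD5-Digest / SHA1-Digest" layout quoted above, recomputes both digests for every listed member of the archive, and treats a file as intact only when BOTH match, which is the "you'd need to beat MD5 and SHA1 at once" point. The XPI it checks is a constructed toy archive built in memory (names like `background.js` are assumptions for the sample), and `tamper()` swaps one member without updating the manifest, the way a naive file replacement would.

```python
"""Check the per-file MD5/SHA1 digests in META-INF/manifest.mf of an XPI (added example)."""
import base64
import hashlib
import io
import zipfile


def _b64_digest(algo, data):
    """manifest.mf stores base64 of the raw digest (24 chars for MD5, 28 for SHA1)."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def parse_manifest(text):
    """Parse manifest.mf into {member name: {"MD5": b64, "SHA1": b64}}.

    Entries are blank-line separated blocks of "Key: value" lines; the leading
    "Manifest-Version" block has no Name and is skipped.
    """
    entries = {}
    for block in text.replace("\r\n", "\n").split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            entries[fields["Name"]] = {
                "MD5": fields.get("MD5-Digest"),
                "SHA1": fields.get("SHA1-Digest"),
            }
    return entries


def verify_xpi(xpi_bytes):
    """Return {member: ok}. ok is True only if BOTH the MD5 and SHA1 digests match.

    Members outside META-INF/ that the manifest does not list are reported as
    False: a file the manifest never mentions escapes the digest check entirely.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        listed = parse_manifest(z.read("META-INF/manifest.mf").decode("utf-8"))
        for name, digests in listed.items():
            data = z.read(name)
            md5_ok = _b64_digest("md5", data) == digests["MD5"]
            sha1_ok = _b64_digest("sha1", data) == digests["SHA1"]
            results[name] = md5_ok and sha1_ok
        for info in z.infolist():
            if not info.filename.startswith("META-INF/") and info.filename not in listed:
                results[info.filename] = False
    return results


def build_sample_xpi(files):
    """Construct a toy XPI (constructed sample, NOT the real hotfix) with a manifest.mf."""
    lines = ["Manifest-Version: 1.0", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
            lines += [
                f"Name: {name}",
                "Digest-Algorithms: MD5 SHA1",
                "MD5-Digest: " + _b64_digest("md5", data),
                "SHA1-Digest: " + _b64_digest("sha1", data),
                "",
            ]
        z.writestr("META-INF/manifest.mf", "\n".join(lines))
    return buf.getvalue()


def tamper(xpi_bytes, name, new_data):
    """Replace one member's content without touching manifest.mf (naive swap attack)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            body = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, body)
    return out.getvalue()


# Constructed sample content; file names are assumptions for the example.
SAMPLE_FILES = {
    "manifest.json": b'{"manifest_version": 2, "name": "sample", "version": "1.0"}',
    "background.js": b"console.log('hello');\n",
}

if __name__ == "__main__":
    good = build_sample_xpi(SAMPLE_FILES)
    print("intact:  ", verify_xpi(good))
    bad = tamper(good, "background.js", b"console.log('swapped');\n")
    print("tampered:", verify_xpi(bad))
```

To run it against a real XPI, replace the constructed sample with `verify_xpi(open("file.xpi", "rb").read())`. Note what this does and does not prove: it confirms the archive members match the digests in manifest.mf, but it says nothing about who wrote that manifest. The binding to Mozilla comes from the detached signature in META-INF (the JAR-style signature file and its PKCS#7 blob) over the manifest, and checking that signature chain is a separate step this script does not perform.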
This is true. However it is signed by moz and looking at the source it seems safe enough (the cert is legit). It's just a normal wrapper with the following code added:
Out of interest, what's special about this add-on that allows it to install intermediate certificates like this vs. an add-on that any random dev could write?
It's installed as a study addon, only Mozilla could install these.
> It's installed as a study addon, only Mozilla could install these.
And that gives it access to use `Cc`/Components.classes?
Not familiar with the specifics, just know that Mozilla uses this mechanism to sometimes ship experimental features to a select group of Firefox users that have it enabled and they used it today to issue this hotfix to anyone who has field studies enabled.
In the manifest it has a special "experiment_apis":
Only Mozilla can use these on release versions of Firefox. If you want some more details then try here: https://firefox-source-docs.mozilla.org/toolkit/components/e...
Where does it say specifically on that page you linked that only Mozilla can use these apis?
Also how can I verify that intermediate certificate? Is that a base64 encoded string?
Why can't they just release that certificate for everyone to install on all affected non-recent and derivative builds (like Tor Browser)? Or is the internal certificate storage different from the one that is configurable in settings? Then tell us straight away what file to change, and the community (everyone likes to mention so much) comes up with the ways to patch it much faster than you think.
Thanks to this script, I think I just managed to apply the patch to an old Firefox 56 install, whereas the .xpi had no effect.
There are other people here who I think would really appreciate details if you still have them.
https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_...
The blog post linked by this HN post is the official URL for the patch. Any installation method not described there is unofficial DIY, no matter how Mozilla-signed any given version of the XPI is.
Sir, this is Hacker News.
Yes, we are all quite advanced enough to footgun ourselves with abandon :) For everyone else, the fix is magically healing their browser without any intervention at all, and some of my high-skilled tech friends haven’t even noticed yet because they’re weekending and this all resolved itself before they realized it. Never underestimate the burden that being an “expert” places on your future time spent.
That hadn't occurred to me, but the fact that this is occurring on a weekend probably mitigates the impact to organizations that operate Monday-through-Friday.
Sucks for the Mozillans who are scrambling right now though. Hope they get a long weekend to compensate.
I have to assume that’s why they focused on releasing a fix first and communicating second, because there was still hope to save everyone before the impact worsened. I hope they’re able to get at least a few hours of rest before Monday.
> Sucks for the Mozillans who are scrambling right now though.
I have little sympathy for people who ruined my own life - they push a fix and get feet up, while I'm left to reconfigure all my addons and containers for days.
OMG. "Don't trust Mozilla to install something on your machine. Click this link instead!"
Has the "privacy" community finally jumped the shark?
To be perfectly clear I trust Mozilla... this link is a link to code signed by Mozilla that I personally didn't even bother to audit because it was signed by Mozilla.
I just don't want to enable shield studies, because it looks to me like they haven't disabled the other shield studies while distributing this fix, and I don't want to install the other shield studies.
I think what they're saying is "don't trust someone to push software to your machine that you can't see. Instead, download and study this binary!"
Yep. Or even if it's not being actively studied, it's being consciously obtained rather than pushed in the background. And I feel relatively safe because of the community's discussion here.
it's "install known-good software from mozilla"
vs
"whenever mozilla has crazy marketing or security ideas in the future, let them immediately and randomly install whatever, which maybe seems like a good idea for the mythical average user but is probably terrible for you"
Anybody have any hints for someone who tries to install this and gets a connection error?
EDIT: Thanks to HN User gpm for suggesting a possible fix for this [1]. Right-click, save-as the XPI to somewhere on your computer (or use curl, wget or whatever tool of your choice), and then run it within Firefox. That might work (it did in my case).
EDIT 2: Also, interestingly, the blog post does have an update saying "There are a number of work-arounds being discussed in the community. These are not recommended as they may conflict with fixes we are deploying.", so, use at your own caution I guess.
[1]: https://news.ycombinator.com/item?id=19828669
You would think they could have linked to that in their blog post, since people who have disabled "studies" have probably done so for a reason. Telemetry is bad enough; even without the "Mr. Robot" thing, there's no way I would let Mozilla randomly push changes to my browser just to see what happens.
What’s bad about telemetry?
It's just another database collecting unknown information about me ("anonymized" in some way that may be reversible), stored for an unknown length of time, and enabled by default. Just ask. Plenty of people will beta test software for a $20 gift certificate, or even for free, but they should be given a choice.
Mozilla does ask.
Do they? I seem to remember a great kerfuffle somewhat recently over telemetry being opt-out.
Studies _must_ be opt-out given the amount of users Mozilla says the fix covers, and they're basically a form of telemetry, in their intended use anyway.
How do I uninstall this? It doesn't show up anywhere after installation.
That's a good question. I'm not sure if there is a better way but I would just delete it from <profile>/extensions. You can find <profile> by going to about:support and looking for "Profile Directory" (6th from the top for me).
`about:studies` will show active studies and allow you to remove
I am not sure on others, but it does not show in "about:studies" on mine since I manually added it.
Same.
http://kb.mozillazine.org/Uninstalling_extensions#Uninstalli...
Knowledge Base info of uninstalling xpi http://kb.mozillazine.org/Uninstalling_extensions#Uninstalli...
I uninstalled it and my add ons are still working!
This works for Firefox on Android too.
Thank you. I can also verify this works on FF for Android.
Install the official beta. This solved the issue for me https://www.mozilla.org/en-US/firefox/beta/all/
Thanks. That was easy.
Please, don't tell people to do this. This way computers get infected. People should know that clicking in a random link posted by an anonymous guy on a forum page is one of the worst things they can ever do.
I addressed above (will probably stay above, it's the top reply) about why I felt safe clicking this link myself and think others should too.
You're right that in general training them to listen to anonymous forum posts is less than ideal, but all in all I'd rather they have a working browser. As a side benefit they get to see posts like this that rightly point out you shouldn't trust strangers on the internet too much.
Great idea!
Install from a random web link to file on a "cloud" server.
What could possibly go wrong!