
I wonder if there is someone out there in the middle of the ocean with a browser-extension-based communication and navigation system which is dead in the water?

It sounds to me that the real headline here is that every copy of Firefox out there was timebombed and we only noticed because someone forgot to elongate the fuse.




Could other code signing systems like macOS Gatekeeper also be vulnerable to problems like this?

IMO this seems like just plain bad design. The Firefox addon certificate should never have had an expiry date. If they ever needed to revoke it, they could distribute an updated version of the browser with the previous intermediate explicitly marked as revoked.


That is my biggest complaint. Only the Firefox Linux team included an about:config option to turn it off. Android, Windows and Mac have no way to do so. It's still broken on my phone. Wtf were they thinking?


Try

xpinstall.signatures.required

Works on Fennec version of Firefox.

Also IceCat version of Firefox wasn't affected AFAIK.


As far as I know, that does not work on Mac and Windows stable and not at all on Android.


The browser itself continued working fine. Are you aware of any life-depending extension? Leaving this particular issue aside, your hypothetical "browser extension for people in the middle of the ocean" was doomed from its inception if it was designed to run as a browser extension (though it opens the door for an interesting discussion about similar scenarios that are happening, like pilots relying on iPads).


> your hypothetical "browser extension for people in the middle of the ocean" was doomed from its inception if it was designed to run as a browser extension

Why? You haven't backed up that statement at all. Especially before they killed XUL it was easy to make a non-doomed app that runs as a browser extension, and it's still plenty possible.

No (non-demo) program should brick itself if it can't connect home.


There are _many_ applications that exist as browser extensions, including critical communications applications.

I don't personally know of any obviously life critical application done this way, mostly because I try to stay as far away from that sort of insanity.

If you don't think it's at least a plausible thing that could eventually happen you haven't been paying attention.

I personally got stuck stranded because of Signal's stupid built-in timebombing when I was relying on a device with no untrusted third party ability to shove silent software updates for communication.


No, but what about people who use password managers, that were locked out of being able to access bank accounts, credit cards, and Reddit?


That's a Debian free software principle, correct? The desert island rule?



