Wow. No mention in this history/hagiography of the 2019 global add-on outage where (after banning unsigned add-ons even if you enabled them in about:config) they forgot to update their certs?
I doubt there's proof (much like how China harvesting organs from certain races and religions didn't have solid proof till recently), but it's in the right ballpark. 50+ journalists are killed (and documented as such) each year, for their journalism, despite their attempts to maintain privacy. Privacy measures being suddenly dropped wouldn't make those numbers better.
Toss in another 150+ human rights activist murders per year, dozens of whistleblowers, 60+ transgender people, and any number of other at-risk groups who tend to rely on technical measures to preserve their privacy and safety abroad.
Did that info being leaked definitely get them killed? No clue. Did it "probably [get] people killed"? I don't know how those people are typically uncovered, so it's hard to say if a few privacy extensions actually mattered. It doesn't seem like an outlandish claim though (and with a prior that those extensions do matter, it's a likely claim).
We didn't think that the intermediate CA expiring would break the signatures, because code signing generally doesn't care about expiration, but we never tested the code path until the intermediate expired and the signatures broke. That was a hard lesson to learn...
I've seen the idea floated for combatting non-signing-related time-based bugs, but I'm a firm believer in having at least one machine run tests with its time set artificially far in the future (e.g. 1 year) to catch these ahead of time where possible.
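The future-clock test suggested in the comment above, as an added example that is not part of the thread or of the browser's own code: a verifier with an injectable clock is run at today's date and again one year ahead. The chain, its names and dates are constructed, and the verifier is assumed to check every certificate's validity window at verification time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime


# Constructed chain: names and dates are illustrative, not taken from the thread.
CHAIN = [
    Cert("leaf signing cert", datetime(2023, 1, 1, tzinfo=UTC), datetime(2028, 1, 1, tzinfo=UTC)),
    Cert("intermediate CA", datetime(2015, 6, 1, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC)),
    Cert("root CA", datetime(2015, 1, 1, tzinfo=UTC), datetime(2035, 1, 1, tzinfo=UTC)),
]


def verify_chain(chain, clock, enforce_validity=True):
    """Return the certs that are outside their validity window at clock().

    An empty list means the chain is accepted. enforce_validity=False models
    the untested belief that code signing ignores expiration.
    """
    if not enforce_validity:
        return []
    now = clock()
    return [c.name for c in chain if not (c.not_before <= now <= c.not_after)]


def future_clock_check(chain, today, horizon=timedelta(days=365), **policy):
    """Exercise the same verifier code path today and at today + horizon."""
    failing_now = verify_chain(chain, lambda: today, **policy)
    failing_later = verify_chain(chain, lambda: today + horizon, **policy)
    return {
        "now": failing_now,
        "future": failing_later,
        # Certs that pass today but fail inside the horizon: fix these first.
        "will_break": [n for n in failing_later if n not in failing_now],
    }


if __name__ == "__main__":
    today = datetime(2024, 9, 1, tzinfo=UTC)  # constructed "current" date
    print("verifier as deployed:", future_clock_check(CHAIN, today))
    print("verifier as assumed: ", future_clock_check(CHAIN, today, enforce_validity=False))
```

The two runs differ only in the policy flag, which is the gap the comment describes: the assumed behaviour reports nothing, while the exercised code path flags the intermediate before it expires.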
Some of the HN threads:
https://news.ycombinator.com/item?id=20421948
https://news.ycombinator.com/item?id=19871989
Edit: removed speculation of consequences of privacy loss, but come on … that’s still pretty serious.