
Firefox 66.0.4 is out, fixes disabled add-ons - akyuu
https://ftp.mozilla.org/pub/firefox/releases/66.0.4/
======
f4stjack
Good move, congrats on surviving the second armag-add-on finally BUT I won't
be moving from chromium until Firefox (or Mozilla) explains:

- why am I opted-in to a Studies program in Firefox's default state? (With no
explicit information about what it is)

- what does the app.normandy.enabled switch do, and why is its default value
True, and why doesn't it change to false when I explicitly state I don't want
to be in the Studies program?

- why can't we see any xpi's installed by studies program unless we
explicitly go to about:studies?

I don't say chromium is better, but I think we deserve an explanation
regarding these points.

~~~
napsterbr
> why am I opted-in to a Studies program in Firefox's default state? (With no
> explicit information about what it is)

I came here to mention exactly this. I don't mind the certificate issue (as
long as there is a post mortem and they learn something from it).

I was wondering how my addons came back automatically (without me having to
upgrade to 66.0.4) and I found out about this studies thing, which I never
consented to. I feel violated. And the problem is, what browser am I supposed
to use from now on? Lynx? Sigh

ETA: I am (was) a proud Firefox user since it was called Firebird, and
changing browsers never crossed my mind before (even if Chrome felt faster
sometimes). At this exact moment, I have zero trust in Mozilla, just like I
have zero trust in Google (Chrome). Extremely frustrated and disappointed.

~~~
sequence7
You could just turn off all studies in Firefox. It's a simple option:

[https://support.mozilla.org/en-US/kb/shield#w_to-opt-out-of-all-studies](https://support.mozilla.org/en-US/kb/shield#w_to-opt-out-of-all-studies)

~~~
napsterbr
I did. The problem is:

- I had never heard of "Studies" before; which leads to

- I never agreed to be a part of Studies in the first place*.

* The docs say it must be opted in, so supposedly I have to give consent to
it. I don't remember doing so. For all my life, I've always rejected any
survey, opt-in request and similar stuff. I do admit there is a small,
unlikely chance that I _did_ opt-in. Maybe I misclicked it? Maybe I thought I
was rejecting when I was actually agreeing to? Maybe someone else was using my
computer and opted-in?

If this is indeed opt-in, and this unlikely scenario did happen, then I
apologize for the rant. But I can't remember the prompt at all, and I would
never consciously opt-in, hence the feeling of betrayal.

For the record: I now know what Studies are. I acknowledge that companies need
to run A/B experiments in order to enhance their products. I just don't want
to be opted-in by default.

~~~
tripzilch
> If this is indeed opt-in, and this unlikely scenario did happen, then I
> apologize for the rant.

No need to apologize. It's not really an opt-in if you are certain you would
never opt in if you were aware of it, and somehow you accidentally "opted in"
anyway.

I'm in the same boat, I would never opt in to any of this stuff. Now I had my
"studies" setting turned off, so that's good. But when I looked at
about:studies, it seems as though it _had_ been on at some point in time
(because it lists a plugin that it used for a study, or something). So I
suppose that I actually opted _out_ of this studies thing at some point,
meaning it had been turned on without my consent either.

------
est31
No release for android yet, at least not on [1], where I am getting the apk
files from. As of now, latest release uploaded there is 66.0.2 from March.

[1]:
[https://archive.mozilla.org/pub/mobile/releases/](https://archive.mozilla.org/pub/mobile/releases/)

EDIT it's up:
[https://archive.mozilla.org/pub/mobile/releases/66.0.4/](https://archive.mozilla.org/pub/mobile/releases/66.0.4/)

~~~
jackewiehose
xpinstall.signatures.required = false worked for me on android

~~~
wvenable
Yeah, this also worked for me on Android. Not sure why the downvotes.

~~~
jopsen
You're better off waiting a few more hours than disabling important security
features.

~~~
userbinator
The only "security" it provided was to prevent people from installing add-ons
that Mozilla didn't approve of, ostensibly ones it thinks are malicious, and
I'd bet that on Android (which has its own app isolation features anyway)
that's even less of a problem.

~~~
AstralStorm
Not exactly. You can install add-ons from outside of Mozilla add-ons site. The
extra certificate is more of Mozilla's seal of approval.

This is why quite a few of my add-ons were not disabled - they were installed
with trust from another site and this intermediate certificate was never in
chain.

You could even manually sign these add-ons you trust with custom imported CA
key for your personal or corporate vetting.

------
SamWhited
I was already a bit mad at them for removing RSS support and claiming their
proprietary service that's built in is an alternative, now their proprietary
service keeps working (presumably, I didn't use it but it's not an addon so I
doubt it's signed the same way) and I can't use the RSS addon.

I know this was a mistake, but I can't help but be mad that their proprietary
built in stuff effectively gets a free pass and special treatment and
meanwhile I can't use RSS and all my containers were deleted (those didn't
come back after the study was pushed either).

~~~
luke-stanley
I use containers too. I didn't lose any data after I enabled dev mode and
added the extension back. Perhaps you removed the existing extension first and
lost data that way?

~~~
neogodless
It's odd - on my laptops, my multi-container settings were preserved, but I
opened firefox on my desktop last night and they had vanished. I did not
remove any add-ons myself.

~~~
nikbackm
Same here.

Only difference is that I restarted the desktop Firefox and also enabled
Shield studies to get the temporary fix. On the laptop I just upgraded to
66.0.4 and only then restarted it.

------
baalimago
About time. Embarrassing bug. The only reason I didn't permanently swap
browser is because of the lack of alternatives since none has the
functionality I apply through the addons.

~~~
nitemice
I switched to the Dev build[1] with 'xpinstall.signatures.required = false',
and now that it's fixed I don't know if I'll go back. There seems to be a
bunch of new features in Dev that I assume will arrive in Firefox eventually,
but everything else being equal, I think I'll stick with it.

I'll probably turn 'xpinstall.signatures.required' back to true though.

[1] [https://www.mozilla.org/en-US/firefox/developer/](https://www.mozilla.org/en-US/firefox/developer/)

~~~
tsjq
Mine says Developer edition beta 16 Version 67.0b16 (64-bit) Last updated =
03May2019.

Do I need to make this change? Is it in the about:config?
'xpinstall.signatures.required = false'

~~~
nitemice
Yeah, so if you set 'xpinstall.signatures.required = false' in the
about:config it'll let you use your extensions, but this is just a workaround.

When a fix is fully rolled out (which should include Developer edition), then
you won't need that (and probably should re-enable signature checking).

~~~
tsjq
Thanks. I have toggled that in about:config and extensions are back to
working. Internally, what does this toggle turn off?

------
Perceptes
Did this issue cause all add-on data to be wiped? After updating to 66.0.4,
all of the containers I'd created with the multi-account containers add-on
were gone and replaced with what appeared to be a default set of containers. I
spent a lot of time setting that up—is there no way to get it all back if I
don't have some sort of manual backup? And if not, what files do I need to
manually back up to make sure I don't lose my data next time?

Edit: To be clear, at no point did I delete the add-ons I had installed.

~~~
lugg
Containers are notoriously finicky datawise.

I generally keep good backups of the non standard ~/.mozilla folder to
compensate.

I think it was issue 339 on GitHub. They basically explain they won't add it
to sync data because there are no containers on mobile.

[https://github.com/mozilla/multi-account-containers/issues/339](https://github.com/mozilla/multi-account-containers/issues/339)

~~~
Twirrim
> I think it was issue 339 on GitHub. They basically explain they won't add it
> to sync data because there is no containers on mobile.

Makes you wonder how on earth their data sync is working with regards to
mobile. Surely if it doesn't have the components to leverage the data it just
wouldn't read it..?

~~~
lugg
It's possible to implement; the concern was that people would leak their cookies
into the default container.

They should be essentially syncing but not syncing any non default container
data into mobile.

Basically they had some work to do on the server end I think.

------
GordonS
Is a more robust way around this to use a trusted timestamping service?

This is the way code-signing on Windows works, and allows you to prove that
code was signed by a valid certificate while it was in its validity date - so
even once the certificate expires, the code will still run as long as the
cryptographic timestamping signature is valid.
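
The policy described in the comment above, modelled as an added example (not code from Firefox, Windows or anyone in this thread): the same signed package is checked once against the current time and once against a trusted timestamp. Certificate names and dates are constructed, the cryptographic signature checks are assumed to have passed, and requiring the timestamp authority's certificate to be valid only at the timestamped moment is a simplification made by this model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Timestamp:
    signed_at: datetime   # time asserted by the timestamp authority (TSA)
    tsa_cert: Cert        # certificate the TSA countersigned with


@dataclass(frozen=True)
class SignedPackage:
    chain: Sequence[Cert]                  # leaf first, root last
    timestamp: Optional[Timestamp] = None


def verify(pkg: SignedPackage, now: datetime, honor_timestamp: bool) -> Tuple[bool, str]:
    """Model only the validity-time policy; signature maths is assumed to have passed."""
    check_time, label = now, "current time"
    ts = pkg.timestamp
    if honor_timestamp and ts is not None:
        if ts.signed_at > now:
            return False, "timestamp lies in the future"
        if not ts.tsa_cert.valid_at(ts.signed_at):
            return False, f"{ts.tsa_cert.name} not valid when it timestamped"
        check_time, label = ts.signed_at, "timestamped signing time"
    for cert in pkg.chain:
        if not cert.valid_at(check_time):
            return False, f"{cert.name} not valid at {label}"
    return True, f"chain valid at {label}"


# Constructed sample data: names and dates are illustrative, not Mozilla's.
ROOT = Cert("example-root", utc(2015, 1, 1), utc(2035, 1, 1))
INTERMEDIATE = Cert("example-intermediate", utc(2017, 1, 1), utc(2019, 5, 1))
LEAF = Cert("example-addon-leaf", utc(2018, 1, 1), utc(2028, 1, 1))
TSA = Cert("example-tsa", utc(2016, 1, 1), utc(2026, 1, 1))
CHAIN = (LEAF, INTERMEDIATE, ROOT)
NOW = utc(2019, 5, 5)  # a few days after the constructed intermediate expired

PLAIN = SignedPackage(CHAIN)
STAMPED = SignedPackage(CHAIN, Timestamp(utc(2018, 6, 1), TSA))
BACKDATED = SignedPackage(CHAIN, Timestamp(utc(2017, 6, 1), TSA))  # before the leaf existed


def run_cases():
    return {
        "plain, checked now": verify(PLAIN, NOW, honor_timestamp=True),
        "stamped, timestamp ignored": verify(STAMPED, NOW, honor_timestamp=False),
        "stamped, timestamp honored": verify(STAMPED, NOW, honor_timestamp=True),
        "backdated stamp": verify(BACKDATED, NOW, honor_timestamp=True),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_cases().items():
        print(f"{case:28} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Revocation is not modelled here; a verifier that honors timestamps depends on it, because a timestamped signature stays acceptable long after the signing certificate's validity period ends.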

------
Aardwolf
What about older versions? Does this mean that older versions of firefox can
never be used with addons (even matching older versions) anymore?

~~~
testplzignore
Good question. Looks like they do have a release for 60 (the current ESR):

[https://archive.mozilla.org/pub/firefox/releases/60.6.2esr/](https://archive.mozilla.org/pub/firefox/releases/60.6.2esr/)

~~~
foofoo55
Just export the key from a current version and import it into the old version.
Worked for me.

~~~
gruez
How do you do this?

~~~
adjagu
From an updated Firefox navigate to

 _Preferences -> Privacy & Security -> Security -> Certificates -> View
Certificates_

Now find:

    
    
      Mozilla Corporation
        signingca1.addons.mozilla.org
    

Select signingca1.addons.mozilla.org and then choose export. This is what you
would import into the older version of Firefox.

~~~
ComodoHacker
BTW that certificate list is fairly long, has no scrollbar and no search box.
That's a bad UI.

Is there a way to report this without spending hours to register at Bugzilla
and file a proper bug report?

~~~
adjagu
Not sure why you don't have a scrollbar. On my version of Firefox (Firefox
Developer Edition 67-0b16) the certificate list does have a scroll bar and can
be navigated using the mousewheel. Can't speak for stable Firefox since I
don't use that version.

No, not that I am aware of. In my own experience it actually took me longer to
find alternative ways of bringing awareness to a bug I was having than it did
to signup to Bugzilla and report it there.

------
wdr1
This is pretty bad for Firefox. I wonder how many people straight up & left
for Chrome as a result of it.

~~~
fraudsyndrome
I was on the reddit thread when it happened - was super confused as I just
updated my firefox and it happened at a very similar time frame so I assumed
it was from the update

I personally found the issue trivial, my main addon is ublock origin. There
was a workaround using about:debugging and installing UBO on there which
worked so it's not like the fix was a long process.

Being committed to a single browser, if anyone was using firefox for as long
as me, I can't fathom someone leaving their main browser over something like
this. I haven't been using it for THAT long but what if Chrome did something
like this too? Then they'd move to another browser that's not FF/Chrome?

~~~
Santosh83
I too use only two extensions, uBlock Origin and HTTPS Everywhere and the
hotfix pushed by Mozilla re-enabled them within half an hour of disabling. I
do sympathise with those who apparently lost the settings of certain addons,
notably Container based ones. Fortunately I always found the UX of Containers
so clunky that I never bothered.

Sticking with Firefox as an open competition to the browser monopoly is
critical now more than ever before.

~~~
ntp85
> Sticking with Firefox as an open competition to the browser monopoly is
> critical now more than ever before.

I think this fact cannot be emphasized enough. Or we'll have the 90s
monopolized web again: "Optimized for Chrome" - not that there'd be a lack of
websites already doing that as of now.

------
fock
I have to say I was very pleased that the Debian-ESR package a) disables
telemetry in the build and b) ESR still allows you to override the extension
signing for now...

------
omeid2
Lost my containers _yet_ again, I am now on the last straws with Firefox, this
whole Normandy thing is not helping the case. Firefox never asked me to opt
in!

------
ufo
Link where the release notes will be posted:

[https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/](https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/)

~~~
sciurus
They're published now.

~~~
yabatopia
Right now, the Firefox for Android version is still not available in the
Google Play Store.

~~~
lucb1e
Surprising no one. The real question is whether the apk is available somewhere
so people don't have to wait for our favorite walled garden to mercifully pass
the update.

------
alskdj21
I'm really worried about the average users not knowing what happened here. At
least an email should be sent informing about the issue. But I guess many of
those average users don't have a single extension installed, no problems for
them.

~~~
bald42
Why would Mozilla have my/average users email-address?

~~~
genghizkhan
Firefox Sync?

------
mrmondo
The fix doesn't seem to work if you've been using Firefox Beta (67.0b16), or
if you then install Stable (66.0.4) and sign in to sync - all addons are still
marked as "legacy" and not enabled.

However, if you find each one in the store and (re-)install them - they work
again and their data is back intact as expected.

~~~
jaipilot747
Just in case someone misread this like I did, you need to reinstall each
add-on. Not FF Beta itself.

~~~
mrmondo
Indeed, I meant re-install the addons.

------
BuckRogers
I've always been a fan of native browsers, and have been using Chromium-based
Edge[0] as my daily driver at work. While I wasn't one who was impacted by the
extensions change, the removal of Live Bookmarks really stung for me, as I've
used that feature since 2002.

Container support (with Containerise), a dedicated search bar to use with DDG
bangs, and easy 'send tab to device' is what has me holding on today.

But I have to admit that Microsoft's eventual offering is pretty appealing, a
Chromium-based browser with the advantages of Chrome's compatibility and
Edge's conservative battery sipping. I'm one who has always liked and even
preferred Microsoft's products and their integration on as objective of a
basis as a human can muster. Even if it's in different aspects, I think
they're going to probably have Edge become a package equally appealing to the
things I love about Firefox. Edge/Safari are definitely where I'll go if
Firefox really starts circling the drain, but having been on FF since it was
Phoenix, it'll take more than this debacle.

[0] [https://www.microsoftedgeinsider.com/en-us/download/](https://www.microsoftedgeinsider.com/en-us/download/)

------
rasmussondk
Our extension sets [https://www.givero.com](https://www.givero.com) as the
default search engine. After the extension got disabled and re-enabled,
searches now default to Google.

So this fix is not complete.

Our efforts in getting Firefox users to install our extension have been in
vain. "Luckily" we didn't have many users yet but imagine the amount of money
this will cost bigger search engines like DDG, Qwant, etc.

~~~
TeMPOraL
> _but imagine the amount of money this will cost bigger search engines like
> DDG, Qwant, etc._

People use _extensions_ to change the default search engine in their browsers?
I honestly thought only malware does that; regular people use the Settings
menu.

------
tmaly
Is there a little more background to what is happening here? The link is to an
ftp, so I have no idea what is broken, fixed or why it matters.

~~~
sciurus
See [https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/](https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/)

------
V-2
I'm still on 66.0.3 and the issue resolved itself, I believe, yesterday...

~~~
NullPrefix
Resolved as in you're opted in to studies?

~~~
V-2
I never did opt in. So if it's not the default setting, it must have been off.

~~~
NullPrefix
They made it default. It's called Normandy.

~~~
JorgeGT
A place most people associate with the largest amphibious invasion in history
seems a curious choice of codeword.

~~~
Skunkleton
The name fits the feature imo.

~~~
yellowapple
That'd mean all Firefox users are Nazis.

Which may or may not be true.

------
fourier_mode
New version doesn't show up while following the instructions on:
[https://support.mozilla.org/en-US/kb/update-firefox-latest-release?redirectlocale=en-US&redirectslug=update-firefox-latest-version](https://support.mozilla.org/en-US/kb/update-firefox-latest-release?redirectlocale=en-US&redirectslug=update-firefox-latest-version)

------
johnchristopher
I don't understand why renewing the certificate wouldn't fix the issue?

How does the 66.0.4 fix the problem exactly?

~~~
kam
It's a signing certificate that is built into the browser to verify add-ons,
not a normal TLS certificate that they can just update on a web server.

The change basically just imports the new certificate into the database:
[https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65](https://hg.mozilla.org/releases/mozilla-release/rev/848b15028562c6757748070f637e0e4f0bbb5f65)

~~~
johnchristopher
> It's a signing certificate that is built into the browser to verify add-ons,
> not a normal TLS certificate that they can just update on a web server.

Ah, so that's why. Thanks.

What was the signing certificate validity period?

~~~
acqq
Don't know about the old one, but the new one from the patch is:

    
    
        Not Before: Apr  4 00:00:00 2015 GMT
        Not After : Apr  4 00:00:00 2025 GMT

------
staticassertion
Not seeing any updates in `apt`.

~~~
ajross
This is the Mozilla release. It will take a bit for the Linux distros to get
it packaged and into the repos. Even the Firefox install on my windows machine
here doesn't see it as an automatic update yet.

------
tinus_hn
Yet the official download on download.mozilla.org is still the old, broken
version.

~~~
kbirkeland
AFAICT still no update out for the android version either

~~~
mintplant
Installing the hotfix package directly worked on Firefox for Android for me.

[https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi](https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi)

~~~
vorticalbox
This is how I fixed it too

------
pbhjpbhj
We need a new Phoenix, I feel.

From Wikipedia:

> They [the original Phoenix devs] believed the commercial requirements of
> Netscape's sponsorship and developer-driven feature creep compromised the
> utility of the Mozilla browser.

------
tux1968
Probably less important given the type (and number) of users who are on
Firefox Nightly, but it's still at "68.0a1 (2019-05-03)" without an update
available yet.

~~~
sciurus
Nightly updates are currently frozen until we have a fix for
[https://bugzilla.mozilla.org/1549075](https://bugzilla.mozilla.org/1549075)

[https://t.co/etOWyG4aqh](https://t.co/etOWyG4aqh)

------
ChrisSD
Is the TOR browser update out soon?

------
whatamidoingyo
I've been waiting to see this. Just updated from 65.0 to 66.0.3. My addons are
still disabled. Tried to install ublock origin, and it's not letting me. I'm
getting a "Download failed. Please check your connection."

This is crazy, and I'm really disappointed with Mozilla. I'd leave firefox
right now, but I don't want to contribute to the destruction of one of the
last good pieces of software not owned by Google.

~~~
bo1024
I installed Opera yesterday. So far so good. Hope others will chime in with
more alternatives

~~~
chii
Opera is now just the chrome engine. I don't think there's any alternative to
chrome but firefox nowadays, as even microsoft gave in and started using
chrome's blink engine.

~~~
aerique
Safari or any Webkit browser maybe? I don't know how far Blink has diverged
from Webkit.

------
silversconfused
GNU icecat is a very nicely modified firefox that respects the users. I highly
suggest giving it a try if firefox has been bothering you lately.

------
raxxorrax
studies, normandy, looking glass, forced signing of addons... Mozilla is
giving away a lot of good-will lately. Still my favorite browser, but I don't
like the general direction. Privacy should always default to true.

I hope for Mozilla to find a source of income that isn't Google, because they
did a lot for the web. Let us just hope they don't need to make too many
compromises.

------
Elect2
Why I still can not install addons after upgrading? On the addon page it shows
"only with firefox - get firefox now".

------
beezle
So nothing for those of us still running 56 because Quantum trashed our
extensions (and there are still no equivalents available)?

~~~
roblabla
Why on earth are you running such a massively outdated browser? You should at
least switch to pale moon, basilisk, or another maintained browser. God knows
how many vulnerabilities in the wild there are in 56.

~~~
millstone
Is security the new motor powering the upgrade treadmill?

God knows how many vulnerabilities there are in the massively outdated Windows
7, why don't you upgrade to Windows 10...

~~~
roblabla
Win7 gets security updates until somewhere in 2020. After that point, anyone
still using 7 will be better off upgrading to 8/8.1/10.

Firefox 56 is not an ESR. It does not get security patches. From a quick look,
there are public CVEs[0] that allow for ROP code execution almost
effortlessly.

Security was always one of the big reasons behind keeping browsers up to date
(the other reason being propagating new standards faster).

Besides, I wasn’t suggesting updating to latest firefox. I specifically
mentioned pale moon and basilisk because they support old style extensions,
while hopefully keeping up with the security fixes and other improvements to
the engine going in mainline.

[0] [https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/year-2019/opov-1/Mozilla-Firefox.html](https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/year-2019/opov-1/Mozilla-Firefox.html)

------
whoopdedo
What about ESR?

~~~
LinuxBender
ESR has been updated to fix this [1]

[1]
[https://ftp.mozilla.org/pub/firefox/releases/60.6.2esr/](https://ftp.mozilla.org/pub/firefox/releases/60.6.2esr/)

------
karavelov
What about updating also the beta channel? I am using 67.0b16 and I still
think I am affected because, no updates since, and all the addons are shown as
"ALLOWED IN PRIVATE WINDOWS"

------
bmay
installing and running this version did not resolve the issue for me

is there something else I need to do?

------
jags-v
Mine says : Firefox Developer Edition 67.0b16 (64-bit). No fix yet there...

------
terrycody
thanks for the heads up, now alive!

------
joe44
how about windows xp. still don't work. you going fix it for us please?

~~~
slig
I'm very curious - why are you still on XP?

~~~
codedokode
Why would anyone want to upgrade from XP? New versions of Windows have no
improvements (the only improvement is search in Start Menu), but they cost
money, they work slower and require new expensive hardware. They have spyware
and updates that cannot be disabled. You pay for the product and then you are
used as a free tester of new versions of Windows. Microsoft wants everyone to
upgrade to earn more money and to upsell to users new "cloud" features they
don't really need. But for me it would be better if MS would drop newer
Windows versions and return to improving XP without increasing resources
consumption, without HTML apps, telemetry and "cloud" features.

This is an example when the interests of users and the manufacturer are
opposite. If the user uses an OS for many years and everything works, why
upgrade? Looks like a waste of time and money.

Imagine if you bought a car and several years later you are told that you need
to upgrade it, because, you know, car factory workers need higher salaries and
if you don't buy the new one, then there is no way to pay them.

This explains why MS and independent developers (that drop XP support to help
MS) force users to upgrade. Because it is MS who wants an upgrade, not the
user.

~~~
bwat49
> Why would anyone want to upgrade from XP?

Is that a serious question?

Security?

Compatibility with Modern hardware?

If you want to use a car analogy, what you're asking is 'why would anyone want
to upgrade from a Model T?'

~~~
codedokode
Microsoft could drop newer Windows versions and instead focus on improving
Windows XP.

~~~
slig
That ship has sailed many years ago.

------
metaprotocol
Switched to Chrome and Brave.

~~~
OrgNet
I wish I could switch to something else, but I still trust Mozilla the most.

