
No release for Android yet, at least not on [1], where I am getting the apk files from. As of now, the latest release uploaded there is 66.0.2 from March.

[1]: https://archive.mozilla.org/pub/mobile/releases/

EDIT: it's up: https://archive.mozilla.org/pub/mobile/releases/66.0.4/




xpinstall.signatures.required = false worked for me on Android


Yeah, this also worked for me on Android. Not sure why the downvotes.


Probably because this workaround consists in deactivating add-on security.


No, it does not. David, this is just wrong. Existing add-ons do not become suddenly insecure.

What it does is allow you to install add-ons not signed by Mozilla. Essentially the same thing as installing software not originating from the iOS and/or Mac AppStore, or the Ubuntu/Fedora/etc distro repositories, or the Windows Store, or the Play Store.

The signing stuff might protect some less tech-savvy users from installing "You need this codec to play this porn video" malware add-ons, same as the other walled gardens I listed do too (tho most I listed have still a door in the wall that you can unlock and open yourself, unlike Firefox Desktop).

But that's it. It is a "seal of approval" scheme saying that Mozilla reviewers decided something is secure enough and has an OK quality (and wasn't forced to remove by US laws/authorities courts yet), implemented using DRM. It reduces the chances that users will install something malicious by accident/incompetence.

If users still run their add-ons from AMO, then there is no difference. Unless a bad actor can either MITM AMO connections or compromise the AMO servers. At which point the user has a lot more problems already than potentially malicious browser add-ons.


And what's the problem with not having that? Does it suddenly make my installed extensions insecure?

I (somewhat) get it for the standard Windows user who gives admin rights to everything, but I think this crowd is a bit more aware of what they install.


Because it's not working right now.


Worked on my 2 Android devices. Did not work on Windows desktop. That needed the nightly or probably this build.


Referring to plugin security.


Last I checked Firefox still gives at least a warning + confirmation dialog if you try to install an unsigned / improperly signed extension with xpinstall.signatures.required = false, no?


I haven't installed an add-on in years.


Then you're not affected. What's the matter?


That means: the installation is a while old, installation security is not useful now because the add-ons were installed ages ago, but using them is.


Precisely.


It works on the main branch now too, so quickfix or not, try to update from the Play Store ASAP (or whatever repo you use).


You're better off waiting a few more hours than disabling important security features.


Given that all my extensions are privacy and/or adblocking features -- that seems unlikely. I can re-activate it when Mozilla fixes the issue.


Disabling all add-ons doesn't help security either.

So far I have neither an update on ubuntu-desktop nor on Android (with default package managers) so without this option I'm supposed to use the internet without adblock & umatrix? lol no thx


The only "security" it provided was to prevent people from installing add-ons that Mozilla didn't approve of, ostensibly ones it thinks are malicious, and I'd bet that on Android (which has its own app isolation features anyway) that's even less of a problem.


Not exactly. You can install add-ons from outside of the Mozilla add-ons site. The extra certificate is more of Mozilla's seal of approval.

This is why quite a few of my add-ons were not disabled - they were installed with trust from another site and this intermediate certificate was never in the chain.

You could even manually sign these add-ons you trust with a custom imported CA key for your personal or corporate vetting.


Disabling noscript is a bigger security issue.


It only got disabled if you installed the version from addons.mozilla.org and not from noscript.net.

Some sort of pinning mechanism would be nice though without having to rely on manual installs and signing.

It's a trade-off, you could end up with a version having a gaping security hole.


My add-ons are more important security features, that are needed right now, whereas the signing thing only protects when you install a new add-on from an unreliable source. (EDIT: it actually only applies for add-ons installed from the Mozilla add-on store website ... silly me for trusting that place)

Come to think of it, why did my add-ons get disabled, given that they already had been checked against the signing key when they got installed? Why is this (literally, it seems) being checked constantly instead of only when something about the add-ons changes?
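An added example, not part of the thread and not Firefox's code: a simplified model of the two behaviours the comments above describe, re-checking a signature chain at the current time versus as of install time, and a chain that does not pass through the expired intermediate. All certificate names and dates are constructed and the model checks only issuer linkage and validity windows, not signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def chain_errors(chain, trusted_roots, at):
    """Return reasons the chain (leaf first) fails when evaluated at time `at`."""
    errors = []
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            errors.append(f"{cert.subject}: issuer is not {parent.subject}")
    if not chain or chain[-1].subject not in trusted_roots:
        errors.append("chain does not end at a trusted root")
    for cert in chain:
        if not (cert.not_before <= at <= cert.not_after):
            errors.append(f"{cert.subject}: outside validity window at {at:%Y-%m-%d}")
    return errors

# Constructed sample data: illustrative names and dates, not Mozilla's real certificates.
ROOT = Cert("root", "root", utc(2015, 1, 1), utc(2030, 1, 1))
STORE_INT = Cert("store-intermediate", "root", utc(2017, 1, 1), utc(2019, 1, 1))
OTHER_INT = Cert("other-intermediate", "root", utc(2017, 1, 1), utc(2027, 1, 1))

def leaf(name, intermediate):
    return Cert(name, intermediate.subject, utc(2018, 1, 1), utc(2028, 1, 1))

ADDONS = {  # name -> (chain, install time)
    "store-addon": ([leaf("store-addon", STORE_INT), STORE_INT, ROOT], utc(2018, 6, 1)),
    "self-hosted-addon": ([leaf("self-hosted-addon", OTHER_INT), OTHER_INT, ROOT], utc(2018, 6, 1)),
}

def enabled_addons(now, policy):
    """policy 'now': re-check at the current time; 'install': check as of install time."""
    result = []
    for name, (chain, installed) in ADDONS.items():
        at = now if policy == "now" else installed
        if not chain_errors(chain, {"root"}, at):
            result.append(name)
    return result

if __name__ == "__main__":
    today = utc(2019, 6, 1)  # after the constructed intermediate has expired
    print("re-check at current time:", enabled_addons(today, "now"))
    print("check as of install time:", enabled_addons(today, "install"))
```
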


We've lived without the walled garden for more than 10 years, I'm sure we can manage a few more days.


This did NOT work for me with the Windows version.

Had to install that .xpi from the previous HN thread on the subject.


Have been polling https://download.mozilla.org/?product=fennec-latest&os=andro...

Still getting 66.0.2... :-/ And yes, my addons were disabled on 66.0.2.


Gives 66.0.4 now


When will it appear in the Play store?


Well, at least you didn't get hit with 66.0.3.


My addons were disabled on 66.0.2.


What did 66.0.3 break?


66.0.3 didn't break anything, but it was the last version to ship with certs that expired on Friday.



