Submitted by bea in just_post

TL;DR: copy [this] link into a new tab (because only clicking on it might be blocked as jstpst trying to install the addon)
it installs the official hotfix that Mozilla made but is only pushing out through their terrible studies program.

To clarify why I'm posting this even though fixes are already being rolled out:
In case you're on a GNU/Linux system, fixes for that won't be available for a while:

Clarified that the Studies fix applies only to Desktop users of Firefox distributed by Mozilla. Firefox ESR, Firefox for Android, and some versions of Firefox included with Linux distributions will require separate updates. (May 4, 12:03 EST)

and a non-studies fix isn't made yet either:

We are working on a general fix that doesn’t use the Studies system and will keep this blog post updated accordingly.

so this might be your only fix for now
source for the quotes

7

Comments


bea OP wrote

if you're concerned about this addon's security:

The only thing it's doing is adding a bundled base64 encoded certificate and forcing a re-verification:

async doTheThing() {
  // first inject the new cert
  try {
    let intermediate = "[[BASE64 ENCODED CERT OMITTED]]";
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCertFromBase64(intermediate, ",,");
    console.log("new intermediate certificate added");
  } catch (e) {
    console.error("failed to add new intermediate certificate:", e);
  }

  // Second, force a re-verify of signatures
  try {
    XPIDatabase.verifySignatures();
    console.log("signatures re-verified");
  } catch (e) {
    console.error("failed to re-verify signatures:", e);
  }
}

and the addon itself was signed by Mozilla and is distributed by them in their studies program, which is avoided by installing it manually (so I wouldn't doubt its legitimacy)

2
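To check a claim like the one in the comment above against an XPI before installing it, here is an added example (not part of the original comment and not Mozilla's code) that lists the XPCOM contract IDs, a few network/process APIs and any long embedded base64 blobs found in the archive's scripts. The sample archive, the suspect-API list and the function names `audit_xpi` and `build_sample` are constructed for illustration.

```python
import io
import re
import zipfile

# Per the comment above, the hotfix should only need the certificate DB service.
EXPECTED_CONTRACTS = {"@mozilla.org/security/x509certdb;1"}
CONTRACT_RE = re.compile(r"""Cc\[\s*["']([^"']+)["']\s*\]""")
# APIs a certificate-only hotfix has no reason to use (reviewer's list, not exhaustive).
SUSPECT_RE = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|eval|nsIProcess|OS\.File)\b")
BASE64_RE = re.compile(r"""["'][A-Za-z0-9+/=\s]{200,}["']""")  # long embedded blobs
# Constructed sample script modelled on the snippet above; the blob is filler.
HOTFIX_LIKE = ('let intermediate = "' + "QUJD" * 80 + '";\n'
               'let certDB = Cc["@mozilla.org/security/x509certdb;1"]'
               '.getService(Ci.nsIX509CertDB);\n'
               'certDB.addCertFromBase64(intermediate, ",,");\n'
               'XPIDatabase.verifySignatures();\n')


def audit_xpi(xpi_bytes):
    """Summarise which privileged APIs the scripts inside an XPI reference."""
    report = {"signed_layout": False, "contracts": set(),
              "suspect_apis": set(), "embedded_blobs": 0}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        names = set(xpi.namelist())
        # Checks that the signature files exist only; Firefox verifies them on install.
        report["signed_layout"] = {"META-INF/manifest.mf", "META-INF/mozilla.sf",
                                   "META-INF/mozilla.rsa"} <= names
        for name in sorted(names):
            if not name.endswith((".js", ".jsm")):
                continue
            src = xpi.read(name).decode("utf-8", errors="replace")
            report["contracts"].update(CONTRACT_RE.findall(src))
            report["suspect_apis"].update(SUSPECT_RE.findall(src))
            report["embedded_blobs"] += len(BASE64_RE.findall(src))
    report["unexpected"] = report["contracts"] - EXPECTED_CONTRACTS
    return report


def build_sample(script):
    """Build a constructed archive: placeholder signature files plus one script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for sig in ("manifest.mf", "mozilla.sf", "mozilla.rsa"):
            z.writestr("META-INF/" + sig, b"placeholder")
        z.writestr("bootstrap.js", script)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_xpi(build_sample(HOTFIX_LIKE)))
```

An empty `unexpected` set and empty `suspect_apis` are consistent with a script that only touches the certificate database; the scan is a text match, so it complements reading the source rather than replacing it.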