Mozilla's mea culpa for breaking Firefox

Mozilla has issued an apology for the issue with its Firefox web browser which broke existing add-ons from working and prevented new ones from being installed.

The incident, which occurred earlier this month, has been traced to the expiration of a digital certificate used to sign add-ons. Mozilla CTO Eric Rescorla shared details of the gaffe in a blog post.

The expired certificate acted as an intermediate certificate for the digital signing process used to verify new add-ons or ensure add-ons loaded into Firefox are legitimate.

This meant that the vast majority of the more than 15,000 Firefox add-ons that are available stopped working, and the browser rejected attempts to install new add-ons due to the expired certificate. The effect was delayed because Firefox only checks add-ons about every 24 hours, and the time of these checks is different for each user.

Once Mozilla became aware of the issue, the company initially temporarily disabled signing of new add-ons, and pushed a hotfix designed to suppress re-validating the signatures on add-ons, in an attempt to prevent disruption for users who had not re-validated yet and encountered the issue.

As a more long-term solution, Mozilla developed a new certificate with the same subject name and public key as the old certificate, and then set about developing and pushing an update to Firefox to install the new certificate and force the browser to re-verify every add-on.

“We strive to make Firefox a great experience. Last weekend we failed, and we’re sorry,” new Mozilla Head of Engineering Joe Hildebrand said.

“You deserve a full accounting, but we didn’t want to wait until that process was complete to tell you what we knew so far. We let you down and what happened might have shaken your confidence in us a bit, but we hope that you’ll give us a chance to earn it back.”

Image credit: ©stock.adobe.com/au/Mila Gligoric