Firefox 33 broke our enterprise application. What to use instead of window.crypto.signText or how to downgrade to Firefox 32?
There is nothing suitable to sign content in your current implementation of the webcrypto specification. Firefox 33 totally breaks signing content with client certificates and leaves us with few options: either tell thousands of clients to switch to IE or downgrade to Firefox 32. How can we downgrade to Firefox 32? How do we sign text with the new/future webcrypto API?
All Replies (4)
There is a bug on file to address this that you can vote to get fixed:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1083118
- https://bugzilla.mozilla.org/page.cgi?id=voting.html
I don't know of any short-term workarounds, but you could consider using the extended support release (ESR) designed for corporate environments. It is the Firefox 31 code base with additional security patches.
I found a background article on this change: https://wiki.mozilla.org/SecurityEngineering/Removing_Proprietary_window.crypto_Functions
Thank you! I'll upvote it, but I'd rather see this change rolled back or at least some quick fix to temporarily enable the lost functionality should be made available. We are offering a service to many individual customers who now should just uninstall 33, install Firefox 32 and disable the auto-update. Using ESR makes no difference. I understand you want to remove legacy code, but that cleaning should have been made after there is an alternative running.
From a security perspective, it would be better advice to your customers to use the latest version of IE for your application rather than install a known vulnerable version of Firefox and potentially block updates for the rest of time. I think that's a level of potential liability you wouldn't want to take on.
Also, I'm surprised that the ESR version doesn't work. Usually this kind of change would not be included until the next major release.