This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

The extensions hotfix was not applied yesterday. How can I manually apply it?

more options

Hi folks,

I enabled Studies last night to get the certificate hotfix, and it hasn't appeared in my list. The studies I currently have are:

(Active) prefflip-push-performance-1491171

(Completed) hotfix-reset-xpi-verification-timestamp-1548973 pref-flip-screenshots-release-1369150

hotfix-update-xpi-signing-intermediate-bug-1548973 hasn't appeared on my list. Is there a way to force Firefox to check the active studies? If not, is there a place to manually get the certificate from an official source? Should I reinstall Firefox?

Hi folks, I enabled Studies last night to get the certificate hotfix, and it hasn't appeared in my list. The studies I currently have are: (Active) prefflip-push-performance-1491171 (Completed) hotfix-reset-xpi-verification-timestamp-1548973 pref-flip-screenshots-release-1369150 hotfix-update-xpi-signing-intermediate-bug-1548973 hasn't appeared on my list. Is there a way to force Firefox to check the active studies? If not, is there a place to manually get the certificate from an official source? Should I reinstall Firefox?

Chosen solution

i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.

Read this answer in context 👍 1

All Replies (12)

more options

hi soylentplaid, most of the users we're seeing at this point where the hotfix didn't apply yet are using security software that's intercepting secure connections (commonly avast/avg, kaspersky, bitdefender and eset), this might prevent the hotfix from applying unfortunately.

if this is applicable to your system as well, as a workaround you could try disabling ssl-scanning in your security software or else wait until mozilla releases a general update to firefox 66.0.4 fixing the matter...

more options

I just need to clarify: In order to receive a security update (to fix a broken certificate) to re-enable add-ons that I consider essential for the security of my browser, I have to disable my antivirus? Doesn't that seem a little extreme to you?

more options

hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface.

references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)

more options

Well, I've gone ahead and disabled SSL checking in Kaspersky (probably for the best if what I'm reading is correct). Is there a way to force another check, or will that happen sometime over the next X hours?

more options

Chosen Solution

i *think* right-clicking and resetting the "app.normandy.first_run" preference in about:config and restarting the browser might be a way to trigger a check.

more options

And so it is! (*much rejoicing*)

It's definitely good that you guys were on the problem quickly, although not letting the cert expire would have been better. As feedback, I'll say that using the Studies mechanism to push a hotfix is a bad look (forcing the browser to collect data) and this whole process was a lot more fragile than it needed to be.

Applying the hotfix, for me, involved diving into settings, enabling data collection, waiting and searching for about a day with no feedback as to why it wasn't working, disabling SSL interception in my anti-virus (and restarting my computer), setting app.normandy.first_run to true, then restarting my browser.

I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.

more options

oh great, thanks for reporting back & sorry for all the hassle this was causing!

you can be sure that after this whole incident is dealt with, there will be a diligent post mortem and review of actions that need to be taken at mozilla, so something like this is not gonna happen again.

more options

soylentplaid said

I believe in Firefox and Mozilla's mission, I really do. I intend to keep using it. But this sort of screw-up will make people switch to Chrome, and they'd be completely justified in doing so. You really need to be far more diligent about your certificates.

This was caused by an unforeseen technical problem …..

more options

My Kaspersky doesn't list a SSL thing.When is the fix coming

philipp said

hi, i am not saying you should deactivate your antivirus altogether - you *can* disable this one feature of your antivirus, which is quite questionable in the first place and often leads to more harm than good & a greater attack surface. references: http://www.cbc.ca/news/technology/antivirus-software-1.3668746 https://blog.vpn.ac/disable-https-scanning.html https://jhalderm.com/pub/papers/interception-ndss17.pdf https://www.pcworld.com/article/3154608/https-scanning-in-kaspersky-antivirus-exposed-users-to-mitm-attacks.html (there are many more of those, but i don't have time to dig them up at the moment)
more options

Firefox 66.0.4 was just released for both desktop Firefox and Android Firefox, which should fix the expired certificate problem. An updated Firefox 60 ESR (60.6.2esr) was also released.

Sometimes the auto-updater doesn't see an update right away, either because it isn't scheduled to check yet or when you click Check for Updates, because the server is limiting the rate of installations "just in case" it creates a new problem.

At some point, we should get the 66.0.4 and 60.6.2esr full installers through the usual pages, but I currently get the older version:

more options

You could try opening Help > About Firefox and see it tells you that Firefox 66.0.4 is available and to Update Now.

I just tried that and was able to update to 66.0.4 .

more options

Just finished updating. Thanks for jumping on this issue everyone, it's been a weird couple of days in browser-land.