Couldn't they release an updated certificate? I suppose if you had some critical infrastructure that needed it, you could grab the certificate from a newer version of Firefox.
This is a certificate used to sign and verify add-ons and (I think based on the reading) some DRM features. They did, in fact, release a new one. This is a warning to the people who haven't run their browser updates and don't have the new one.
There is no point in pulling down the certificate; it's only used by Firefox, and there shouldn't be any valid use case to patch an old version to use the new certificate. You would just update your whole browser (it would be easier and safer).
Edit: to whoever downvoted me. I was trying to be helpful with an actual interpretation of the article that this story linked to. I was also answering what was a question in good faith, respectfully. So if my reply is factually inaccurate I would love to know how I misinterpreted it as a matter of curiosity.
ESR 128 and 115.13 were released 8 months ago, so if you had auto-updates enabled, in all likelihood you don't need to do anything.
Why does a remote resource disappearing mean I can no longer use my local software? Fuck Mozilla and their DRM.
Huh? You're asking why does time pass? I mean if you were asking about like a single player video game then I guess this makes sense, but the whole point of a web browser is like browsing the web. Tim's crap hypermedia thing for the Internet?
Since it's about add-ons (and not HTTPS connections), the same approach as with code-signing certificates could be used. For code signing it only matters that the certificate was valid at the time of signing, not when the signed resource is used.
E.g. when the certificate expires, any resource signed with that certificate while it was still valid continues to be usable; you just can't sign any new releases with the expired certificate.
That only works with a timestamp service.
A "cunning plan" to force upgrades? :-)
This requires a trusted timestamp, which is possible; you just have to think of it when you are designing the system.
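The point made in the last few comments (validity at signing time only helps if a trusted party attests the signing time), as an added example that is not part of the original thread and is not Firefox's own verification logic. The `Cert` class, the HMAC stand-in for a timestamp authority and all dates are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Stand-in for the timestamp authority's signing key. A real TSA (RFC 3161)
# signs tokens with its own key pair; HMAC keeps this sketch stdlib-only.
TSA_KEY = b"constructed-demo-key"

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime

    def valid_at(self, t):
        return self.not_before <= t <= self.not_after

def tsa_stamp(signature, when):
    """Timestamp service: attest that `signature` existed at time `when`."""
    msg = hashlib.sha256(signature).digest() + when.isoformat().encode()
    return when, hmac.new(TSA_KEY, msg, hashlib.sha256).digest()

def token_is_genuine(signature, token):
    when, mac = token
    return hmac.compare_digest(mac, tsa_stamp(signature, when)[1])

def check(cert, signature, now, token=None):
    """Decide whether a signature (already cryptographically verified) is
    acceptable given the signing certificate's validity window."""
    if cert.valid_at(now):
        return True, "certificate valid now"
    if token is None:
        # The signer's own clock proves nothing: anyone holding the expired
        # key could claim an earlier signing date.
        return False, "certificate expired, no trusted timestamp"
    if not token_is_genuine(signature, token):
        return False, "timestamp token does not match signature"
    if not cert.valid_at(token[0]):
        return False, "signed outside certificate validity"
    return True, "certificate was valid at attested signing time"

# Constructed sample data.
UTC = timezone.utc
CERT = Cert(datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
SIG = b"constructed-addon-signature"
```

Without a token, a verifier running after expiry has to reject; with a genuine token dated inside the validity window, the same signature stays acceptable.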