Get off that old Firefox or you’ll be sorry, says Moz • The Register


If you’re running an outdated version of Firefox, update by Friday or risk broken add-ons, failing DRM-protected media playback, and other errors, due to an expiring root certificate.

Users running Firefox versions earlier than 128, which was released on July 9 last year, or an extended support release earlier than version 115.13, could face the issues starting March 14. On that date, a key root security certificate used by the open source web browser to verify digitally signed content, protected media, and add-ons will expire.

“While it’s possible to use Firefox without updating, you may experience problems such as add-ons being disabled, DRM media difficulties, and other interruptions,” Mozilla advised this week.

“Skipping the update also means missing important security fixes and performance improvements. We strongly advise you to update to the latest version to avoid these issues and ensure your browser stays secure and efficient.”

Updating to a more recent version, or ideally the latest available, is required for Firefox on Windows, macOS, Linux, and Android. iOS users are unaffected as Firefox on Apple’s OS must use Cupertino’s web engine. The Tor Browser is also based on Firefox, so users of that software should ensure their installation is using a suitably recent version of Moz’s code.

The root cert at the heart of this kerfuffle is issued by Mozilla for securing its own browser and the ecosystem around it, and the certificate doesn’t affect rivals such as Chrome, Edge, and Safari. Updating to a suitable version of Firefox should be straightforward, though this support forum thread shows some folks at least are upset at having to move over to a release that their computer and operating system combination can’t handle.

According to Mozilla, failure to update as suggested won’t just potentially knacker add-ons. “Not updating Firefox … can expose you to significant security threats,” the org said. “Firefox relies on up-to-date security configurations to protect you from malicious activity. This includes blocklists for harmful add-ons, revocation lists for untrusted SSL certificates, and preloaded intermediate certificates used for secure connections.”

As such, you might unknowingly end up with an add-on that’s gone rogue or surf to a dodgy website. “Features that alert you about breached passwords may stop working,” too.

This time, Mozilla is warning users ahead of time about the upcoming root certificate expiration. That wasn’t the case in May 2019, when an expired signing certificate disabled every Firefox extension, theme, search engine plugin, and language pack – leaving users furious and Moz scrambling to fix the mess.

Meanwhile, the Mozilla Root Store Policy (MRSP) v3.0 rolls out this Saturday.

The new policy is designed to, among other things, improve how revoked security certificates are handled. Certificate authorities will also need to phase out dual-purpose root certs that handle both TLS and S/MIME, since these aren’t ideal from a security perspective, as far as Moz is concerned at least.

“Keeping these uses separate at the root certificate level ensures more focused compliance, increases CA agility, reduces complexity, and enhances security,” Mozilla said.

“Going forward, Mozilla’s Root Store will require that new root CA certificates are dedicated to either TLS or S/MIME, and CA operators with existing dual-purpose roots will need to submit a transition plan to Mozilla by April 15, 2026, and complete a full migration to separate roots by December 31, 2028.”

That’s nice. Firefox holds less than three percent of the global browser market, a steep fall from nearly a third in 2009 before getting crushed by Chrome. ®
