Firefox disabling all extensions and add-ons automatically and Firefox backdoor is on by default?

Firefox add-ons automatically removed

It is May 4, 2019 and all your extensions, themes, and add-ons installed with Firefox are gone. What happen? Firefox developer’s side has some certificate issue. So the end result is a majority (if not all) Firefox users are experiencing this issue right now.

Firefox disables my add-ons and extensions

The bugzilla that was opened to address this issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
This is a major inconvenience for many regular users and is also a major security lapse for corporate users that have different security add-ons installed.

Fix is underway:

We rolled-out a fix for release, beta and nightly users on Desktop. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.

In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

You can disable studies again after your add-ons have been re-enabled.

We are working on a general fix that doesn’t need to rely on this and will keep you updated.

The above statement is from the Mozilla discourse discussion.

Is Normandy/Studies system a built-in backdoor from Mozilla?

Reading the ycombinator discussion. It sure looks like Mozilla has a built-in backdoor called Normandy that allows them to override and change settings on their users system.

They have another feature called Studies that can be disabled. The following option can be located from Preferences -> Privacy & Security -> Firefox Data Collection & Use is for disabling the Studies feature.
Firefox Normandy/Studies backdoor
If the “Allow Firefox to install and run studies” is checked. The developers of Firefox can send and change a lot of things with your Firefox installation whenever they want.

Mozilla developers are telling users to enable the Studies feature to receive the bug fix. The issue with this Studies system is how can they push certificate fixes with it.

Normandy is on by default with no off option in your preferences

Taken from the Mozilla Wiki:

Normandy Pref Rollout is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to Firefox. This document focuses on the use of Pref Rollout as a mechanism to enable feature flagging in Firefox.

From reading that ycombinator thread. One will either leave assuming Normandy is the same as the Studies feature (with an option to disable). Or you will go to about:config and find out Normandy is on by default even after you already have the Studies feature disabled. Normandy is still on according to the about:config value.
Firefox Backdoor Normandy

  • Quick summary:
    Firefox developers had a security certificate expired that caused a lot of people to have their add-ons removed automatically by Firefox.
  • Users learned about a studies feature that can be used to fix this bug until they roll out the fix with a traditional new release
  • Users also learned that there is a backdoor called Normandy that is on by default and with no way to disable from within your preferences

UPDATE: Mozilla now has a blog post about this issue out.

FINAL UPDATE: Mozilla has released a new version of Firefox that should fix this issue. Version 66.0.4 contains a fix for the add-on and theme issues. If you are a user of Firefox ESR, Firefox for Android, and certain Firefox versions included with different Linux distributions will require separate updates from your respective software vendors.