Mozilla is warning Firefox users to update their browsers to the latest version to avoid facing disruption and security risks caused by the upcoming expiration of one of the company’s root certificates. […] Users need to update their browsers to Firefox 128 (released in July 2024) or later and ESR 115.13 or later for ‘Extended Support Release’ (ESR) users.
What is “the right way”, exactly?
There are many slightly different options I suppose, but personally I’d start with the simple and obvious approach suggested by the principle of least surprise: Check the expiry date on the extension signing cert only when an extension is installed. On subsequent startups, attempt to check for revocations.
Software should not self-destruct if it can’t reach the mothership.
Is it possible for an extension to be present without it triggering Firefox’s “installation” flow?