Depending upon your system, you may need to temporarily disable Windows Defender and use a non-Microsoft browser to obtain the download. You can put it on a thumb drive to transfer it to another machine. Then just run THAT new instance of #66. It will see that IT is newer than what that machine has and will update the machine. From then on, you'll be okay.
I posted a reply to my own thread over at grc.sqrl about the need for manual update, but maybe you want to do that yourself, so that everyone finds out, as there are still a couple people who report the error over there.
I think the way expiration of certificates is done is rather stupid to be honest, it would be better if revocation worked, and that certs did not expire at all. Then websites could survive their admins getting busy with other things, and programs could avoid hard failing. You could have old programs, signed by a developer, who then stops developing for some reason, I have a feeling those will stop working, even if they are useful. Maybe I am wrong about that, but I like being able to use old things.
The biggest problem with the Firefox issue is that you used to be able to bypass and manually approve an addon, but they removed that feature in order to make users more secure, so of course when the cert died, all the security addons such as uBlock Origin and NoScript and others failed... thus making users less secure, not more secure, very dumb to remove that capability from users.
I think it's clearly important for one non-revoked certificate to be able to confer its trust onto another. Since "reputation" has become SO crucial -- and I'm not suggesting that's wrong -- I think that's a good thing -- we need some means for the earned reputation from a certificate approaching its end-of-life to kickstart the reputation of its replacement.
You can do it, but it's not straightforward; you have to go to about:debugging. At the top you'll see the button "Load Temporary Add-on." I think any extensions you install only last until you restart the browser.
I agree Steve, would be nice if there was a mechanism for a trusted cert to sign its replacement saying as much, perhaps have the new cert sign off on that too, so one can't force one's reputation on a different person's cert without their permission, that also gives one a historic certificate chain.
As for Mozilla Firefox, they should have left the about:config option to enable the optional overriding of the signing requirement for users to use, if they want to. Regular users do not go into about:config to mess around anyway, only techies do.
Also I think a better mechanism would be you sign something saying it is okay, and even if the cert expires that okay is okay since it is still the same file, it only becomes not okay if you revoke the okay, at least that is how I see it. I think the whole expiration thing is mostly there to allow certificate authorities to limit how long a cert is valid for, so they can earn more money, issuing renewed certs. Of course to rely on revocation means it must actually be reliably used.