We’re in the process of updating the documentation for Zotero 5.0. Some documentation may be outdated in the meantime. Thanks for your understanding.
If you're not receiving automatic updates to the Zotero Firefox extensions but you can find updates manually in the Firefox add-ons window, go to the Firefox preferences → Advanced → Update and make sure that Firefox is set to automatically install updates.
If new versions of the Zotero Firefox extensions aren't being installed automatically and aren't showing up in the Firefox add-ons window when you manually check for updates, something on your system or network may be intercepting secure (HTTPS) connections to zotero.org. To determine whether your connection is being intercepted, check the site certificate info.
If the site certificate information points to security software on your system (Bitdefender, Avast), disable the SSL/TLS/HTTPS scanning feature of that software. The exact name of the feature will vary. Consult the software's documentation for help. Read on for more details.
To ensure the security and privacy of its users, Zotero requires all connections to be made over HTTPS, which ensures that you're connecting directly to a remote website and that your connection is encrypted. However, software installed on your system, or your network administrator, can override the security protections of HTTPS, essentially masquerading as any website. Some security software does this in an attempt to provide additional security: it intercepts HTTPS connections, scans the contents itself, and then reencrypts the data and sends it to the original website in a new connection. While the makers of such software would argue that they're protecting you with this feature by searching for malware served over HTTPS, this behavior breaks a fundamental security feature built into web browsers. You can think of it as someone going through all your postal mail, reading every letter, and warning you if they find any junk mail: while what they're doing is potentially useful, they really have no business snooping around in your mail. (And in some cases, antivirus vendors have even stuck their own ads into the envelopes before resealing them.)
While such behavior is usually undetectable without manually inspecting the site security information, Firefox provides additional protections when installing add-ons and rejects installation attempts from connections that aren't truly secure.
As a temporary fix, you can manually install the updated extension from zotero.org. (Normally Firefox prevents manual installations over such connections as well, but we have implemented a workaround to allow them.) Without automatic updates, however, you may run into compatibility issues or bugs later that have already been fixed.
To receive updates automatically, you have two options:
1) Disable the SSL/TLS/HTTPS scanning feature in the security software and try the update again. If the certificate information identifies your institution as the intercepting party, you'll need to speak to your network administrator and request that they stop intercepting your secure connections to websites, though it may be a condition of your use of the network.
2) If you trust the software or institution that is intercepting your connection, you can force Firefox to download add-on updates over intercepted connections. Enter “about:config” in the Firefox address bar, right-click on the list of settings that appears, select New → Boolean, enter “extensions.update.requireBuiltInCerts” for the property name, and choose “true” for the value. Be aware that there will no longer be a guarantee that you are receiving legitimate versions of Zotero and other add-ons unless you return to about:config and disable that preference.
Mozilla is in the process of switching to a new add-on framework, WebExtensions, so automatic updates over intercepted connections may begin to work in future versions of Firefox.