Author Topic: [nothing to worry about now]-Disturbing-- NoScript, ad-revenue, and AdBlock Plus  (Read 9655 times)


Happy-Dude

  • Guest
EDIT::
As a sign of goodwill, NoScript author has removed the filter set in order to keep relations between users good.
------

This sounds bad, guys...

http://adblockplus.org/blog/attention-noscript-users

I understand the need for revenue, but the very point that things are being added without my consent bothers me :( ... Well, I love the combination of both; I'ma disable that NoScript filter now (>.>)...

I hope the addon writers can work things out. AdBlock for making the filterset a little more protected (consent when something new is being added?) and NoScript for asking us when it's gonna do something unexpected [-_-]...

Quote
Attention NoScript users · 2009-05-01 19:54 by Wladimir Palant

Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claim that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.

You get an impression for the business model here. Of course, this approach brings NoScript in conflict with another popular extension — Adblock Plus. For years, NoScript has been using a trick to prevent Adblock Plus from working on its domains. Fixing this issue was never particularly high on my list of priorities (though I finally came around and fixed it after the recent events) so at some point I suggested that EasyList should be extended by a filter to block ads specifically on NoScript’s domains. This finally happened two weeks ago.

What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, EasyList kept adjusting filters. Then, a week ago a new NoScript version was released. A few days later I noticed first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared as “compatibility issues” in the NoScript forum, even now I still didn’t see any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into dark black area of scareware, making money at user’s expense at any cost.

Confronted with the facts and with the AMO policy NoScript author agreed to revert the changes. However, he put a different “solution” in place — the new NoScript version released yesterday adds a “filter subscription” to Adblock Plus meant to whitelist NoScript’s domains. A note about this “feature” has been added to extension description on AMO (I insisted), not without misrepresenting the cause of course. Supposedly, this is because of a “targeted attack from EasyList which broke functionality.” Which fails to mention that EasyList was just doing what it was created for (block ads) and the broken functionality is the result of attempts to avoid ads from being blocked (originally the filters didn’t break anything). So the real reason is not broken functionality, it is the ads on these sites.

Of course, adding a note to the description that almost nobody will read anyway wasn’t the only change I wanted to see. Adblock Plus allows other extensions to add filter subscriptions but that wasn’t supposed to happen without user’s consent. In case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (will be re-added on next Firefox start), only disabled. Also, it stays there even after NoScript is uninstalled. Should I now make it harder for all extensions to integrate with Adblock Plus just because NoScript is misbehaving? I doubt that this will help much, any installed extension has the privileges to do anything and trying to stop it from misbehaving after installation is a lost cause.

While the current state of affairs (NoScript’s manipulation of Adblock Plus is visible to the user if he knows where to look, it is documented and even reversible) is better than what we had before I still think that extensions manipulating other extensions to prevent them from doing their job is not where we want to be. NoScript might be somewhat extreme but the “business offer” emails I occasionally see in my inbox make me think that we will see more of this. Companies start to recognize the potential of Firefox extensions and push extension authors into monetizing their extensions by questionable means — at the expense of the users.
« Last Edit: May 03, 2009, 01:35:50 AM by Happy-Dude »
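
The quoted post describes a filter subscription added to Adblock Plus that exists to whitelist a site rather than block anything. As an added example (not part of this thread and not code from either extension), the sketch below audits filter lists for that pattern: it classifies each line and flags subscriptions that contain only exception rules, or exception rules naming a domain you care about. The sample lists are constructed, the function names are hypothetical, and the only syntax assumed is Adblock Plus's `!` comments, `@@` exception rules and `##` / `#@#` element-hiding rules.

```javascript
// Constructed sample subscriptions (not the real EasyList or any NoScript filterset).
const SUBSCRIPTIONS = {
  "Ad list (constructed)": [
    "[Adblock Plus 1.0]",
    "! constructed blocking rules",
    "/banners/*",
    "|http://ads.example.test/*",
    "example.test##.sponsor",
    "@@/banners/logo.png",
  ],
  "Support filterset (constructed)": [
    "[Adblock Plus 1.0]",
    "@@|http://noscript.net/*",
    "@@|http://ads.example.test/*$domain=noscript.net",
  ],
};

// Classify one filter line by what it does.
function classify(line) {
  const text = line.trim();
  if (text === "" || text.startsWith("!") || /^\[.*\]$/.test(text)) return "meta";
  if (text.startsWith("@@")) return "exception"; // allows requests
  if (text.includes("#@#")) return "exception";  // un-hides elements
  if (text.includes("##")) return "hiding";
  return "blocking";
}

// Summarise one subscription; domain matching is a plain substring heuristic.
function auditSubscription(title, lines, watchedDomains) {
  const counts = { meta: 0, exception: 0, hiding: 0, blocking: 0 };
  const exceptions = [];
  for (const line of lines) {
    const kind = classify(line);
    counts[kind] += 1;
    if (kind === "exception") exceptions.push(line.trim());
  }
  const onWatched = exceptions.filter((rule) =>
    watchedDomains.some((d) => rule.toLowerCase().includes(d)));
  return {
    title,
    counts,
    // A list with exception rules and nothing else only ever allows content.
    allowOnly: counts.exception > 0 && counts.blocking + counts.hiding === 0,
    exceptionsOnWatchedDomains: onWatched,
  };
}

// Return only the subscriptions worth a manual look.
function audit(subscriptions, watchedDomains) {
  return Object.entries(subscriptions)
    .map(([title, lines]) => auditSubscription(title, lines, watchedDomains))
    .filter((r) => r.allowOnly || r.exceptionsOnWatchedDomains.length > 0);
}

console.log(JSON.stringify(audit(SUBSCRIPTIONS, ["noscript.net"]), null, 2));
```
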

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88737
  • No support PMs thanks
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #1 on: May 02, 2009, 12:13:08 AM »
NoScript pops up its changelog web page every time; am I concerned? Not in the slightest, and I probably have more to be pi**ed at than most, being a dial-up user. I don't even notice the ads, in fact had you not mentioned it I wouldn't have noticed.

So no revenue earned from me there and I would imagine that the ads would probably be more of a click through rather than impressions.

Though for what is after all a security add-on, it is somewhat devious/underhand to alter other add-ons' functionality.

However for the benefit gained by using NoScript would make it a very hard ask for me to remove it, I just ignore any ads (for any site) that happen to get past adblock plus.
« Last Edit: May 02, 2009, 12:15:17 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Avastfan1

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #2 on: May 02, 2009, 12:14:00 AM »
Hello,

Thank you for the post. I use both AdBlock Plus and Noscript.

Could somebody please explain the key implications of this article for a layman?

I am not great with computers. Are we at risk?

Many thanks!

Avastsfan1

Happy-Dude

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #3 on: May 02, 2009, 12:19:17 AM »
Quote
Hello,

Thank you for the post. I use both AdBlock Plus and Noscript.

Could somebody please explain the key implications of this article for a layman?

I am not great with computers. Are we at risk?

Many thanks!

Avastsfan1

I do not believe that you are at risk for any such thing... It's just that things are being added onto preferences without our consent. Let's just say it's like installing a music player program with no OPT-OUT option for a toolbar it is bundled with.

If you still want AdBlock without NoScript's filter, check out the AdBlock Preferences and disable the filters.

It's unfortunate that the author has gone the route that's similar to the "Installers Hall of Shame" -- http://www.calendarofupdates.com/updates/calendar44514 ...

I just really want consent. That is the only thing that bothers me-- don't change my system without notification :( ...

(Now I wonder, since addons can manipulate other addons, how tight is their security? How tight is FF from addons of malware?)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33866
  • malware fighter
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #4 on: May 02, 2009, 12:58:28 AM »
Hi Happy Dude,

The response to this, you can find here: http://forums.informaction.com/viewtopic.php?p=3140#p3140
and to my question: http://forums.informaction.com/viewtopic.php?f=8&t=1081#p3184

Personally I think all of fx generates revenues through googlesyndication, and what to think of the privacy concerns with bringing in geolocation by default in the coming version of Fx (IE8 has something similar for MS) which is a much bigger issue than this one,

It is elementary to block ads on the noscript.net site.
All you do is block javascript via noscript’s own tool for googlesyndication.com.
Voila! All the ads on the sidebar are now gone.

Others are more upfront about these issues and that is why Flock discontinued cooperation with Mozilla and with the following version of the browser will join the GoogleChrome camp, where I hope the makers of SRWare's Iron can also come up with a Flock version without these privacy concerns.

So I agree with you a browser by default is a dangerous and insecure app, so might be an extension by default, as the going gets narrow,

polonus
« Last Edit: May 02, 2009, 01:00:51 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Avastfan1

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #5 on: May 02, 2009, 10:32:30 AM »
Hi Happy-Dude,

Thank you for the response. When I look at the AdBlock Plus filters (red AdBlock Plus button - preferences) I see only the one filter which I installed:

- EasyElement+EasyList

1. Am I looking in the right place? Am I missing something which I am not seeing?

When I look in the NoScript Whitelist I only see filters which I added in addition to:
- about:
- about:certerror
- about:config
- about:credits
- about:neterror
- about:plugins
- about:privatebrowsing
- about:sessionstore
- chrome:
- http://127.0.0.1:1025
- resource:

XSS Exceptions are:

- ^http://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
- ^http://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
- ^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$

JAR Exceptions are:
- ^jar:https://samples\.noscript\.net/sample_apps.jar!.*\.xul$

2. Again - am I looking in the right place? Am I missing something which I am not seeing?

Thank you again for your help. I look forward to your (or anybody else's) reply!

Avastfan1

Wheresthelove

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #6 on: May 02, 2009, 12:16:02 PM »
If you ask me, this matter has gotten me a little paranoid... I mean, how can I trust NoScript now without looking into the code myself??
I am a little disappointed in myself for not noticing it at all.
Once the breach of trust happens, it's going to take a lot of work to repair it.....


Online DavidR

Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #7 on: May 02, 2009, 04:17:31 PM »
Quote
Hi Happy-Dude,

Thank you for the response. When I look at the AdBlock Plus filters (red AdBlock Plus button - preferences) I see only the one filter which I installed:

- EasyElement+EasyList
<snip>

What you don't mention is what version of NoScript you are using, as that is crucial to all the rumpus. I have 1.9.244, the latest version. Yesterday I deleted the filter subscription for NoScript Development Support Filterset; today I checked and it is back, so deletion isn't a one-off but a daily occurrence if it bothers you that much.

Me it doesn't bother in the slightest as I take no notice of any ads, be they on noscript.net or any other ad supported site (assuming they manage to get past adblock plus).

Now if you read it (as and when it gets added), you can also uncheck the Enable check box opposite the filterset sites (see image). I have just done that today and I will see if they are set back to enabled tomorrow.

Edit: I have just noticed there is another NoScript update today, 1.9.2.6, so let's see what that brings ;D
« Last Edit: May 02, 2009, 04:30:39 PM by DavidR »

Online DavidR

Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #8 on: May 02, 2009, 04:34:12 PM »
Update on the update ;D

After the 1.9.2.6 update there is no "NoScript Development Support Filterset," so it looks like the rumpus has resulted in a change of heart in NoScript. I guess it is now watch this space to see if they come up with a different strategy ;D

Alan Baxter

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #9 on: May 02, 2009, 06:38:35 PM »
Wladimir's blog post slanderously misrepresents the situation.  I hope you didn't accept it as factual.  Giorgio, the NoScript developer, discussed what he was planning to do with Wladimir before making the change which added some Adblock Plus filters.  I knew about the change shortly before it was made, and argued against it.  The change was a big mistake -- which Giorgio painfully knows now -- and was completely reversed in the current NoScript version.

I'm keeping an eye out for a public response from Giorgio on his blog: http://hackademix.net/.  I'll try to remember to post back here when he does.

Online DavidR

Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #10 on: May 02, 2009, 07:06:52 PM »
Whilst the facts of whether they discussed the changes or not may be a very grey area, this doesn't get round the fact that the user was blissfully unaware of these changes to an add-on they installed to block ads being subverted by another add-on without their knowledge or consent.

Alan Baxter

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #11 on: May 02, 2009, 07:58:14 PM »
My post wasn't directed at you, David.  I suppose you already know that, but I want to be sure you do.

Giorgio put a notice about the change in the change log, the release notes, the NoScript site's installation page, and on the AMO installation page.  He did a crappy job at that.  Hardly anybody saw his notice of the change, but I bet most people don't want to read any of the yady-yada about what's changed in a software update before they install it anyway.  Present company excepted, of course.

It was a bad idea all the way around, with a lousy implementation to boot.  He should have included an explicit opt-in choice for this change instead of doing it automatically and relying on the user to read about the changes first.  Better yet, he shouldn't have done it at all.  He plans to apologize in his blog.

Online DavidR

Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #12 on: May 02, 2009, 08:18:32 PM »
I didn't take it as it was, just commenting that the side issue of the who told who what, etc. doesn't excuse what was done.

I can't recall the last time I checked the noscript change log and I doubt I'm alone in that regard.

The problem with an opt-in would still mean making changes to another add-on and that to me seems strange as the other add-on would really have to formally agree, but this it seems is where the bun fight started I guess.

We all make bad decisions from time to time and this one is right up there as it taints what is an excellent security add-on. Something which he can regret at leisure.

Offline polonus

Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #13 on: May 02, 2009, 08:19:34 PM »
Hi malware fighters and users of NoScript in firefox and flock,

Why Wladimir Palant, the developer of ABP, immediately had to take this issue into the public theater and out in the open is beyond me, as the two security extension developers (he and NoScript's Giorgio Maone) had discussed this prior to implementation. A better methodology would be as they had solved their differences prior to implementation, the users' interests should come first under all circumstances, not two security giants watching closely each other's every move...
I personally was never bothered by this NoScript-ABP cross-code-issue, because I have the RequestPolicy add-on installed and that extension will police all my requests, no matter whence they come! And I have understood well in advance the importance of this experimental but absolutely vital security add-on: https://addons.mozilla.org/en-US/firefox/addon/9727/
I have worked with it for several months now both in firefox and flock and it works beautifully in accordance with both NoScript and ABP, ABP Watcher and ABP Element Hiding Helper,

polonus

Alan Baxter

  • Guest
Re: Disturbing-- NoScript, ad-revenue, and AdBlock Plus
« Reply #14 on: May 02, 2009, 08:46:34 PM »
Keep it up, polonus.  I already have security software coming out my ears, but if you continue giving examples of its practical value, you might get me to try RequestPolicy yet.  ;D