NoScript Adds Subscriptions To Adblock Plus 408
hahiss writes "Apparently, NoScript has taken to adding its own whitelist updates to Adblock Plus — so that the ads on the NoScript page show up — without notifying users. (It is described on the NoScript addon page, however.) This was a part of the last update to NoScript. Wladimir Palant, the main developer of Adblock Plus, describes the situation in an informative blog post."
Update — 5/02 at 12:30 GMT by SS: Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
Timeline of events (Score:4, Informative)
When the Easylist filter was made for Adblock Plus, it generically blocked ads for many websites, with some specific rules for other sites. Giorgio Maone (creator of NoScript) relies to a certain extent on ad revenue on his websites, without which he may spend less time working on the extension. He made a workaround on the ad blocking, and though the filter could have been updated to counter this, no attempt was made to update it.
When Rick Petnel died, they needed a new maintainer for the filter. Ares2 continued where Rick left off. He decided to fix the workaround made on Giorgio's sites.
What then followed was a game of cat-and-mouse. Giorgio would attempt a new workariound, and Ares2 would attempt to block the ads. It reached the stage where large parts of Giorgio's sites weren't working due to false positives [informaction.com].
Here, it seems clear that Ares2 has gone too far, and a compromise should have been reached. ABP and NoScript are a good pair when working together, though the people behind them have different philosophies. Unfortunately, things start to take a turn for the worse.
In an attempt to defend his site and ad revenue, he makes an update of NoScript to version 1.9.2. This version contains a file called MRD.js [adblockplus.org], which adds a CSS stylesheet rule to his websites that overrides the filter, by adding -moz-binding: none after the filter has loaded, which the filter depends upon. Furthermore, the file is obfuscated to hide what it does. No warning is given to Firefox users of what the extension has added in this tit-for-tat battle.
When this addition started breaking users ABP installations, version 1.9.2.3 instead adds his websites to the ABP whitelist, calling it a "NoScript development support filterset" [noscript.net]. The user isn't informed of what this is, and isn't given a choice on whether to accept it.
At present, the filter has removed its false positives, though leaves the ad blocking in place. The NoScript behaviour still remains in the latest version.
Ares2 was overzealous in attempting to block ads, and shouldn't have made Giorgio have to make excessive changes to his site. But the larger concern is that while Easylist is a filterset, which can be removed and updated by the user, NoScript went further and started to modify existing extensions, executing code without user's consent or awareness, and acting in a way that resembled malware, to display ads on his websites.
Extensions can be great for giving people freedom to control how they view the web. But creators of extensions need to be careful in what they do with them, especially with those with a large user-base like Adblock Plus and NoScript. If not handled correctly, Firefox extensions could become the next vector of malware, and that would be a shame for all.
Re:Links are helpful (Score:5, Informative)
First, noscript added code that disabled adblock plus if EasyList was used. Then, noscript auto-adds (no user prompting) an abp subscription whitelisting his sites. You cannot delete it (it readds upon FF restart), only disable it.
Stupid trick (Score:4, Informative)
It's a stupid trick, but the whitelist can be disabled easily. Go to Adblock preferences and disable the "NoScript Development Support" filter. It doesn't seem to re-enable the whitelist on restart. It may when it updates.
Re:Timeline of events (Score:5, Informative)
I recall in an earlier version of noscript that had Giorgio's sites whitelisted, and you couldn't remove them from the UI. You had to edit the plugin files themselves. This isn't new behavior for him.
Re:Really Smart (Score:5, Informative)
NoScript is not primarily an ad blocker. It manipulates AdBlock to allow ads on NoScript domains.
What happened: NoScript blocks scripts (which also catches some typical ad delivery scripts). NoScript exempts the domain of the NoScript authors from script blocking (bad). An AdBlock subscription list recently added entries to block ads on the NoScript domain. NoScript tried to evade that measure by manipulating the way AdBlock works. Now NoScript has changed again and only ads a visible exception subscription to the list of AdBlock subscriptions. This exception can not be removed, only deactivated, as it's added back in whenever Firefox starts.
As an extension author, I can sympathize with the NoScript authors: Firefox users are really stingy. Unless an extension is inherently intertwined with a business opportunity and not just a convenient stand-alone feature, working on a Firefox extension is a losing proposition, at least financially. However, an author should either accept that and find other motivations for continuing the work, try a transparent commercial approach or cut the extension loose. The dark side is big enough without Firefox extension authors joining it.
Re:Really Smart (Score:3, Informative)
NoScript is not primarily an ad blocker.
That may not have been its intention, but a lot of people are using it for that purpose since many forms of advertising are served up through JavaScript.
Even the advertising on NoScript's site is primarily JavaScript based.
From reading the blog, he didn't just whitelist his own domain, but also the domains where Google AdSense ads are served.
Personally, I don't see the big deal in blocking advertising. Most good sites aren't too in your face about it and it helps keep them running. I haven't run ABP in years because of it and I've found some of the ads to be useful.
The only issues seem to be in some NSFW advertising but since advertising tends to be based on the content of the site (either through contextual advertising such as AdSense or the webmaster's own good sense to put related ads on the site) NSFW ads tend to show up on NSFW sites which you shouldn't be surfing during work anyway. There are some exceptions but they seem to be infrequent.
Re:This suddenly explains a lot (Score:1, Informative)
You have no right to complain about it opening its home page if you know how to disable it. It's beneficial because it describes any changes, like THE VERY ONE BEING COMPLAINED ABOUT IN THIS ARTICLE.
"Barely use" noscript? You "use" it every single time you go to a page, unless you're dumb enough to use it as a script blacklister instead of whitelisting as you should.
I've said it many times in the past, and I'll continue to say it: people that complain about NoScript don't understand how it works.
Yes, I'm a rabid NoScript fan and will defend this awesome piece of software to my death if need be.
Re:I Would Have Allowed It (Score:5, Informative)
Currently you can't actually delete the list, only disable it. If you delete the list, it will come back the next time you load firefox. I have actually tried this myself and it is very obnoxious.
I was looking on the noscript forums, and I did find this [informaction.com]:
While I don't know if I believe this or not, it's at least the way it should have been from the start.
Re:Shhhh! (Score:5, Informative)
(which is btw. the most obnoxious plug-in I currently have installed; re: updates...)
Set noscript.firstRunRedirection to False and it won't open the homepage after every update.
Re:Its GPL licenced, someone should fork it. (Score:4, Informative)
Why is this even a nontrivial software project?
Surrogates. The arms race is going on more than one front. From what I understand, on sites that use returns from ad-tracking scripts like google-analytics or yieldmanager to block access, NoScript has the ability to run surrogate scripts that give the appropriate return without the ad-tracking. This seems non-trivial.
However, now knowing how embroiled the author of NoScript is in getting his own ads viewed, users may lose their trust in his surrogate scripts.
Re:Disabling NoScript Update Notificaions (Score:5, Informative)
Scroll down to: noscript.firstRunRedirection
Right click this value, and 'toggle' it to false.
Due credit goes to posts at http://adblockplus.org/blog/attention-noscript-users [adblockplus.org]
Fight noscript.net with NoScript (Score:3, Informative)
Just remove noscript.net and his other domains from NoScripts allow list and his own addon stops his Google adbars.
I am sure he will hard code around this in his next patch, that will be the point where I start adding firewall rules.
Re:Timeline of events (Score:2, Informative)
The practice of creating specific filters for web sites bypassing the more generic filters is long standing in Adblock Plus subscription history.
One of the more colorful incidents was Danny [adblockplus.org] Carlton [adblockplus.org] (one more [adblockplus.org]), and a quick perusal through both the ABP and EasyList [lanik.us] forums shows that site-specific filters are a fairly common practice - especially when site owners try to detect or circumvent ad blocking.
In this case, there was user requests for ad blocking on the noscript.com page, as documented in this late-March thread [lanik.us] that resulted in a bug detection - which would have resulted in additional observation of the noscript.com page.
Personally, I think that the only thing Ares2 could have done better would have been to publicly document the ways that noscript.com was circumventing ad display. This usually isn't necessary, but would have been handy.
NoScript's side of the story (Score:5, Informative)
Here's a post where the NoScript guy asserts his reasoning for it: http://forums.informaction.com/viewtopic.php?p=2777#p2777 [informaction.com] basically he says that the update to the filterset broke noscript.net making things like the menus unusable.
In this post http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162 [informaction.com] he claims that the inability to remove the noscript filterset is a bug and that the next update to noscript will fix that and prompt users beforehand.
Re:Links are helpful (Score:5, Informative)
about:config
set noscript.firstRunRedirection to false
Re:Links are helpful (Score:1, Informative)
Alternative extension (Score:2, Informative)
Re:Ad Supported Ad blockers (Score:3, Informative)
I find it incredibly ironic that two ad blockers are at war with each other over blocking ads that support their service.
They aren't. Adblock Plus isn't ad-supported (Wladimir doesn't even want donations),
and NoScript isn't (primarily) an ad blocker.
Re:Really Smart (Score:4, Informative)
There is is. I do not find it sufficient:
v 1.9.2.3
======
+ A "NoScript development support filterset" gets added to AdBlock
Plus, whitelisting the noscript.net, flashgot.net, informaction.com
and hackademix.net web sites recently broken by an aggressive
EasyList campaign against sites sponsoring NoScript development.
ABP users are informed both on the install and on the release notes
pages, so they can easily disable the filterset if they whish to.
A word from a NoScript Forum Moderator (Score:5, Informative)
First, I'm not an anonymous coward, I'm Tom T., a Moderator at the NoScript Support forum. Just didn't need one more U/P login as probably a
one-time poster here. Having read only the top pages, just wanted to make sure that these points were covered:
1) Giorgio Maone himself has pointed out repeatedly, including at the thread in question, that anyone can disable his pages' ads with NoScript just by blocking the Google-Syndication scripts. NoScript itself cannot be circumvented in this blocking, even by NoScript. :)
2) For those who think the updates are a revenue-(ad-viewing)-generator, aside from the fact that the NS FAQ includes simple instructions for turning off the home-page redirect for each update (try reading the FAQ before criticizing), please look at the complete history and at how many times some new attack, e. g., XSS etc., has surfaced, and Giorgio has dropped everything -- wife, new baby -- and rushed to protect NS users with an update. Some of these updates turned out to prevent future attacks that weren't even known at the time of the update. Go to the Changelog, see the number of feature requests/bug reports, and tell us which ones were unnecessary. Go to the blog of world-class hakker Sirdarckhat, http://sirdarckcat.blogspot.com/2008/06/hacking-noscript.html, who has responsibly and privately reported his discovered vulnerabilities, and note his comment on Giorgio's response to such reports:
"Is important to say, that Giorgio fixes stuff in "hours", (or minutes in some cases), and he has done some crazy stuff, just so NoScript users can be safe, so if you dont use it, go get it."
Straight from the hakker's mouth there, peeps.
3) As a personal opinion only, and not speaking for Mr. Maone, NoScript, or the NS Support Forum, I have repeatedly recommended AdBlock Original, in which only I can set blocks or permissions, no one else, and with which I can affect or hose only my own machine, not anyone's else, nor can I affect anyone's web site. That is why NS does not offer "blacklists", despite repeated requests from users who don't want to be bothered with making their own decisions (the whole point of NS), and why, despite my great respect for Wladimir Palant and his product, I don't use ABPlus. True, I don't "have" to subscribe; I just don't want to open that door. The only exception would be the Hosts file, offered by http://www.mvps.org/winhelp2002/hosts.htm ,which has *specific criteria*: a site must drop tracking cookies or drive-by adware, spyware, or other malware; and the file is plain-text readable and editable by any user to remove any block-entry that they feel is unnecessary. I never have. They're all there for a good reason and are sites I don't want to allow my browser to connect to.
4) Anyone who thinks that scripting or other web executables are without danger and require no user attention probably shouldn't be using a computer, or is already pwned. Do some research. "If you aren't worried, you just don't understand the situation." Cheers!
Uninstalled it but... (Score:2, Informative)
This was one of the reasons I just uninstalled NoScript a few hours ago, but the main reason I did it is because this story made me check the NoScript source code, and it is a mess.
I decided to look for a replacement and found YesScript (it works as a sites blacklist), after looking the code I found that it uses Mozilla Configurable Security Policies [mozilla.org]. Too bad CSPs only allow or disallow javascripts by site, and the sameOrigin policy does not works for "*.javascript.enabled"
Re:Alternative extension (Score:2, Informative)
[Note: I'm the RequestPolicy author.]
Thanks for letting people know about RequestPolicy. I would like to stress, however, that RequestPolicy is not a replacement for NoScript. I actually keep a FAQ entry about the high-level differences between the two extensions as this is a not uncommon misunderstanding:
http://www.requestpolicy.com/faq#faq-noscript [requestpolicy.com]
Re:Its GPL licenced, someone should fork it. (Score:4, Informative)
If you haven't been following web security (or reading the changelog) these guys are extremely cutting edge when it comes to blocking various XSS based exploitation techniques.
Clickjacking, cross domain keyloggers, and javascript connect-back proxies, etc are all out there now. Even if you have a given site whitelisted, noscript will still filter out known attack methods. It will even detect heap spray attempts etc if someone is trying to break out of a browser plugin.
Re:I Would Have Allowed It (Score:3, Informative)
http://noscript.net/changelog [noscript.net]
Minutes after the suggestion, and it is already in the new version that was just pushed out.
Re:Its GPL licenced, someone should fork it. (Score:3, Informative)
user_pref("noscript.firstRunRedirection", false);
Fully removed in 1.9.2.6 (Score:1, Informative)
http://forums.informaction.com/viewtopic.php?f=7&t=877&start=105#p3223
He went through a couple versions, but this one just removes the whitelist item once and for all, no questions asked, fixing the result of any previous install. AdBlock is now unaffected. (And it also doesn't put the default whitelist back into NoScript, something that happened recently - I recently went back through and cleared out msn, googlesyndication, etc etc - this stayed clean through the update)
Optional in 1.9.2.5 and removed in 1.9.2.6 (Score:2, Informative)
+ NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
v 1.9.2.5
+ One-time startup prompt to ask users if they wants to install/keep the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
While I'll most likely check the changelog before applying new NoScript version, I doubt I'll stop using it. I have mixed feelings about this situation but at least author warned us about what he was doing and broke nothing. Some of you may remember what happened with Fast Dial - it added some spam links, which completely broke user bookmarks. While its author also informed about this change in changelog, he forgot to mention that it will totally break your bookmarks.
NoScript 1.9.2.6 fixes it (Score:5, Informative)
Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5 [noscript.net]
It seems that he eventually got it right.
Re:Indicative of more serious problem? (Score:2, Informative)
A Firefox extension can modify the browser in almost regard.
And not just the browser. You can write a binary add-on that will execute arbitrary code. It's no different from running a regular executable.
Firefox add-ons aren't any more secure than ActiveX on IE.
Re:Really Smart (Score:2, Informative)
Re:Really Smart (Score:3, Informative)
Copyright law says you don't have that right.
I know of no law, anywhere, that says that I can't legally obtain a copy of a copyrighted work then modify said copy as I see fit as long as it stays in my possession. If you do, please enlighten us all. Please be as specific as possible.
This is no more illegal than purchasing a copy of a book, writing notes in the margins, and crossing out sections you disagree with.
The issue is similar to that of mod chips for game consoles: contributory infringement.
Contributory infringement applies where there is an (actual or potential) infringement to connect it to. If an ISP offered an Adblock-filtered web as a service to its customers and the Adblock makers recommended it for this purpose then maybe you'd have a point. But they don't. All filtering is performed by the end-user, so no transfer of the copyrighted material takes place.
By the way, it's "tailored" not "taylored".
Re:Really Smart (Score:3, Informative)
So if I buy a newspaper I don't have a right to cut out the articles I like and post them on the wall and discard the ads? Don't be ridiculous. Copyright law absolutely allows me to manipulate content and long as I don't distribute it.
Re:Really Smart (Score:3, Informative)
It is a difficult task to discriminate legally between the mode of display of a rendering means [browser] incapable of displaying visual ads /versus/ a mode of display of a rendering means modified so as not to display ads.
Stop making up law. It's well established that the user has fair use rights to do with content as they see fit, as long as they don't redistribute.