NoScript vs. AdBlock Plus in a Match to the Death!
May 4, 2009 1:10 PM   Subscribe

Recently, the Mozilla FireFox community encountered a bit of a hacking showdown between two of the more popular extensions, AdBlock Plus and NoScript. In a series of escalating updates, the two software packages fought a battle over the ability to display ads by default on NoScript developer Giorgio Maone's homepages for users who have installed the EasyList blacklist filters for AdBlock Plus.

Things heated up when Maone inadvertently disabled some Adblock Plus features when trying to circumvent its code and was publicly called out by AdBlock developer Wladimir Palant.

For his part, Maone has profusely apologized, giving explicit details on wrongdoing and his train of thought when releasing his updates. He has also removed the workaround in his latest updates.

full disclaimer: I use both extensions, and I have donated to NoScript in the past.
posted by onalark (37 comments total) 4 users marked this as a favorite
 
Good link, but maybe a mod should move all but the first paragraph into the "more inside"?
posted by slater at 1:17 PM on May 4, 2009 [2 favorites]


Oh damn. My two favorite extensions at odds! No me gusta!
posted by EatTheWeak at 1:21 PM on May 4, 2009


i was glad to see this resolved. my ff add-ons need to co-operate with each other to keep me safe from advertisers. i refuse to go out in the wild without at least these two add-ons.
posted by the aloha at 1:21 PM on May 4, 2009


Interesting, and possibly explains that really, really annoying span of time where both extensions were updating at least once a day, which for some reason is much more irritating than you'd think.

Why does Firefox prompt a "continue" button after updating extensions? What else would I possibly choose to do? Install the extension updates and then turn my computer off, cackling madly, never to use Firefox again?
posted by Shepherd at 1:22 PM on May 4, 2009 [22 favorites]


If you had only told me 15 years ago plug-in drama would be news...
posted by Avelwood at 1:23 PM on May 4, 2009


Tempest in a popup.
posted by dersins at 1:24 PM on May 4, 2009 [7 favorites]


I'm not a big fan of Firefox anymore, so I prefer privoxy.org to get rid of ads.
posted by chunking express at 1:34 PM on May 4, 2009


I've used ABP for years now, but never tried NoScript.

I wonder if Opera widget developers get into similar battles. "What? You've created a virtual fishtank widget, too? Well, I'm raising the stakes ... mine now comes with a dancing baby!"
posted by Marisa Stole the Precious Thing at 1:36 PM on May 4, 2009 [2 favorites]


Is this something I'd have to use a computer to understand?
posted by abc123xyzinfinity at 1:37 PM on May 4, 2009


Despite claims to the contrary, open source projects suffer from pretty much every ill that traditional projects do, including competing feature teams. Except the feuds occur in the public eye and everything management does to try to deal with them is criticized by pundits across the globe.
posted by tommasz at 1:46 PM on May 4, 2009


This kind of software battle is going on inside your computer all the time. The worst case is viruses vs. antivirus software, but you've also got dueling search engine preferences, alternate home pages, alternate Quicktime decoders, etc. At least in this case both parties have started acting transparently.
posted by Nelson at 1:46 PM on May 4, 2009


Things heated up when Maone inadvertently disabled some Adblock Plus features when trying to circumvent its code and was publicly called out by AdBlock developer Wladimir Palant.

So presumably Maone makes his corn every time NoScript updates and takes you to his homepage, thereby ensuring umpteen hits for everybody who has got a copy of NoScript included?

That must explain why NoScript seems to update to a new version every single time I restart Firefox.
posted by PeterMcDermott at 2:02 PM on May 4, 2009 [4 favorites]


Transparency should be there from day one on the part of security software. Competition for users is one thing, but intentionally exploiting bugs and attacking the functionality of other security software for no legitimate security reason, but merely to display ads? That's just low.

I don't see an apology for what was done wrong (Exploiting the bug in the first place), just for attempting to subvert AdBlock Plus when the filter set upgrade started aggressive blocking against a site which was exploiting a bug.

This is disgusting. Perhaps I really should just migrate to Chrome. I've enjoyed AdBlock from the start, so I'd hate to abandon it, but Chrome's sanbdox seems to be the only alternative to NoScript. Overreaction much? Maybe. I'm not terribly keen on trusting security software that circumvents other security software just to make a buck. I'm also not too keen on this half-assed apology that I see.
posted by Saydur at 2:02 PM on May 4, 2009 [1 favorite]


Are there any other extensions which do the same thing as NoScript?
posted by box at 2:12 PM on May 4, 2009


The worst case is viruses vs. antivirus software

I'm pretty sure that the worst case is the epic struggle for supremacy between Quicktime and Windows Media player. They've been at war for countless generations, which is pretty stupid when you consider that one of them actually works.
posted by dersins at 2:17 PM on May 4, 2009


I'm pretty sure that the worst case is the epic struggle for supremacy between Quicktime and Windows Media player. They've been at war for countless generations, which is pretty stupid when you consider that one of them actually works.

Add Real Player and all hell breaks loose. No media player will be spared.
posted by ALongDecember at 2:23 PM on May 4, 2009 [1 favorite]


Meanwhile, VLC watches from a mountaintop, chuckling wryly, shaking her head.
posted by Marisa Stole the Precious Thing at 2:25 PM on May 4, 2009 [3 favorites]


Which one?
posted by bz at 2:28 PM on May 4, 2009 [2 favorites]


Why does Firefox prompt a "continue" button after updating extensions? What else would I possibly choose to do? Install the extension updates and then turn my computer off, cackling madly, never to use Firefox again?

Entirely OT, but this reminds me of the time recently when, for reasons passing understanding, I downloaded Microsoft's .NET Framework and it cheerily informed me, upon completion of its download, that I [might] now disconnect from the Internet. Because OBVIOUSLY the ONLY POSSIBLE use of the Internet is to download Microsoft software packages.

Also: the Vista 'are you sure you want to do this' button that pops up when trying to disable the 'are you sure you want to do this' button. Argh.

posted by aihal at 2:37 PM on May 4, 2009 [2 favorites]


Why does Firefox prompt a "continue" button after updating extensions?

I don't do Windows programming so I'm not as well-versed in how the OS handles closing individual windows, but I can say the Mac version does not do this -- it closes the add-ons window and then launches the main browser window as soon as update is complete. Which indicates to me that either Windows requires user interaction to close the window (which smells unlikely to me), or else they've got a really stupid UI inconsistency there.
posted by middleclasstool at 2:53 PM on May 4, 2009


Why does Firefox prompt a "continue" button after updating extensions?

Because you need one more extension! If you use the Update Notifier extension you can configure it to silently update extensions in the background.
posted by twoleftfeet at 3:26 PM on May 4, 2009


I apologize for the poor formatting of the FPP. I was trying to draw attention to the last link, which is Giorgio Maone's apology. He took a pretty serious PR beating this week, and I appreciated his candor and actions in Making Things Right.
posted by onalark at 3:28 PM on May 4, 2009


Why does Firefox prompt a "continue" button after updating extensions?

Sometimes the new version of an extension can break features. I know I've skipped updates for a certain extension, and only selectively updated.
posted by desiderandus at 3:38 PM on May 4, 2009


I always thought it was kind of funny that the NoScript page that comes up after every update has scripts on it...that I block by default.

That being said, Maone seems to be sincerely contrite. The AdBlock guy is also culpable, though evidently not forthcoming with an apology.

In this case, it would appear both authors put personal grievances ahead of their users. Palant has yet to admit that it was probably a bad idea for Adblock Plus to disrupt NoScript updates, so we'll say it for him. For his part, Maone has bent over backward to apologize.
posted by Xoebe at 3:39 PM on May 4, 2009


What Xoebe said. EasyList is a separate thing from ABP except that the maintainer of that list was picked by the programmer of ABP. And Palant, the programmer, asked Ares2, the list maintainer, to specifically block NoScript's exploit on an existing hack.

Craziness. Looks like Mozilla is looking into a policy to stop all this nonsense in the future.

My FAVORITE part of any of these molehill explosions is the scare language: EasyList's malicious attacks. NoScript is malware. MARTHA BRING ME MY SHOOTING HAT!
posted by mrmorgan at 3:52 PM on May 4, 2009 [2 favorites]


Opinions probably lie more with whichever extension you find more useful, but reading the thread on the noscript board (which seems to have been 'cleaned up' since I read it the other day, but I could be wrong), I came away with a different take:

* Adblock plus was doing it's job, blocking ads. Some of these were on the NoScript update landing page

* Giorgio & Ares2 (maintainer of the main Adblock filter list) had a running battle over this, culminating in Giorgio inserting ads in such a fashion that page functionality was broken for Adblock users.

* Giorgio complains that Adblock is unfairly targetting NoScript

* Giorgio then adds some extra code - obfuscated, so its purpose is hidden, and possibly in violation of the Mozilla plugin developer guidelines - to NoScript, to take advantage of an update mechanism in Adblock and add his own sites to Adblock's whitelist. His whitelist entries are cheekily called "NoScript development support filterset". This causes some compatibility issues between NoScript & Adblock.

* Users complain, Giorgio releases a fix. Extra Adblock add-on functionality (e.g. the Element Hider Helper) are still broken.

* Ares2 changes his filter expressions so that the Noscript page works again (but ads are still blocked)

* A whole lot of back and forth, starting with Giorgio adding a rather inflammatory entry to his FAQ to explain what's going on, trying various methods of reluctantly giving Noscript users the bare minimum of ability to turn off his Adblock-modifying code, and eventually removing it altogether.

I wouldn't call that particularly apologetic or contrite. Looks more like he got caught out underestimating his user's anger at the whole stupid mess...
posted by Pinback at 4:15 PM on May 4, 2009


Pinback, I would only add two things:

First, Giorgio's first step was to write a .js file that interfered directly with AdBlock's function. According to him, this is because he was not aware that other extensions could add their own (perfectly legitimate) filters. This second update had a bug in it where you could not remove the new filterset in AdBlock Plus you could only disable it. Initially Giorgia was going to leave the filterset in place and let the user delete it, but after the huballoo he decided to just delete it all together.

The silent update to my AdBlock Plus filters did not make me happy, even if the NoScript page announced it. But it was a least better than the custom .js file that the NoScript file injected into AdBlock Plus.

Second, Ares2 updated EasyList specifically after the AdBlock developer asked him to. Rather, than, fixing the exploit. Not the greatest decision by either Ares2 or the AdBlock guy.
posted by mrmorgan at 4:23 PM on May 4, 2009


Thanks for that, mrmorgan - I'm not a Noscript user, and only got the info about the whole thing from the thread above (which I saw in the /. 'discussion' ;-).

I wasn't aware that the first step was to specifically interfere with Adblock functioning; that's not clear from the thread. To my mind that alone is damn near unforgivable, let alone anything that happened after that.

And, yes, W. asked Ares2 to update EasyList rather than fixing the 'exploit'. From what I can see about Giorgio's first step, it's a function of Mozilla's security model - he added something to the user's default .css or .js to disable Adblock; something any rogue plugin could do (which is why they're allegedly vetted before being posted on Mozilla's plugin site). And the other 'exploit'; allowing 3rd-party plugins to update Adblock's list - that's (arguably stupid) functionality which was put in for a specific purpose a while ago, to enable other addons to work with Adblock's lists.

Aside: If you look at EasyList, it's quite often got a bunch of site-specific filters. Sometime's that's necessary, in the first instance at least, to block ads; often they're later tweaked into general-purpose regexps as the Adblock-circumventing technique becomes more widespread. It wasn't 'targetting' Giorgio's sites any more than it 'targets' other sites trying to get ads past its filters. The main difference here is Giorgio was responding so quickly to it in changing his own pages that the site-specific filters never got tweaked into more general filter expressions.

Anyway, to my mind that's all somewhat moot. Even if it was specifically targetting Giorgio's site, Adblock was doing what it says on the tin - blocking ads. Noscript was deliberately interfering with another plugin to give advantage to the Noscript developer.
posted by Pinback at 5:29 PM on May 4, 2009 [1 favorite]


So presumably Maone makes his corn every time NoScript updates and takes you to his homepage, thereby ensuring umpteen hits for everybody who has got a copy of NoScript included?

There is a setting to disable it. It's hidden in about:config, and mention of the setting itself is buried somewhere in the NoScript website, and I always forget what it's called, but it's there.

But now I guess I know why a plugin who's only real functionality is to block Javascript (and some other plugins) needs to update every other day.
posted by dirigibleman at 8:47 PM on May 4, 2009


whose
posted by dirigibleman at 8:47 PM on May 4, 2009


>From what I can see about Giorgio's first step, it's a function of Mozilla's security model - he added something to the user's default .css or .js..."

Just a minor correction: the first thing Giorgio did was hide his ads behind some sort of redirect; he did not start modifying the other extension directly until Easylist countermoved by blocking just about evrything on Noscript's updates page.

I love these sorts of minor net dramas--can we get Boing Boing to silently delete all their posts about Noscript next?
posted by mrmorgan at 9:46 PM on May 4, 2009


More news: The NoScript author also disabled another extension on his site - Ghostery, which:
alerts you about the web bugs, ad networks and widgets on every page on the web. Web bugs are hidden scripts that track your behavior and are used by the sites you visit to understand their own audience.
Ghostery is disabled on the NoScript site with some css. NoScript isn't used to do that, at least - he's doing something any site could do, instead of taking advantage of having a popular plugin.
posted by Pronoiac at 12:00 AM on May 5, 2009


I've enjoyed AdBlock from the start, so I'd hate to abandon it, but Chrome's sanbdox seems to be the only alternative to NoScript.

I bet that's about to change. It's not like NoScript is rocket science. It just takes an existing feature (disable javascript) and parameterizes it by website. Firefox itself already parameterizes other features by website, so they could even make a NoScript replacement as a feature in 3.1. In any case, NoScript is GPL'd, so anyone can just fork it into a non- (or less-) commercial version.
posted by DU at 4:49 AM on May 5, 2009


That must explain why NoScript seems to update to a new version every single time I restart Firefox.

You can disable this feature by opening about:config and toggling off the noscript.firstRunRedirection preference.
posted by srt19170 at 10:42 AM on May 5, 2009 [2 favorites]


I went through a phase of blocking stuff with Firefox add-ins and then realised that if a site is throwing popup ads and annoying flash animations all over the place, then thats a pretty good sign you have stumbled across a dubious website worth avoiding. Why turn off that useful warning signal?
posted by Lanark at 12:21 PM on May 5, 2009


"You can disable this feature by opening about:config and toggling off the noscript.firstRunRedirection preference."

Sweet! I've been closing the tab before anything loads (an advantage of slow link +60 odd tabs loading) but this'll be better.
posted by Mitheral at 7:59 PM on May 5, 2009


60+ tabs?! I thought I was crazy when I had 10.
posted by DU at 5:20 AM on May 6, 2009


« Older Like cult films, but without all that filming   |   The SNARC Effect Newer »


This thread has been archived and is closed to new comments