
NoScript's shady actions


  • Administrator

It seems NoScript can no longer be trusted at all. It is recommended that users of NoScript promptly uninstall the extension.

Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension, which happens to make its money from ads. And to make sure that somebody sees these ads, it goes pretty far. For example, it opens the changelog webpage (full of ads, of course) on every single update of the extension, even though the NoScript FAQ claims that this happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension, this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.

You get an impression of the business model here. Of course, this approach brings NoScript into conflict with another popular extension — Adblock Plus. For years, NoScript has been using a trick to prevent Adblock Plus from working on its domains. Fixing this issue was never particularly high on my list of priorities (though I finally came around and fixed it after the recent events), so at some point I suggested that EasyList should be extended by a filter to block ads specifically on NoScript’s domains. This finally happened two weeks ago.

What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, and EasyList kept adjusting filters. Then, a week ago, a new NoScript version was released. A few days later I noticed the first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared “compatibility issues” in the NoScript forum; even now I still haven’t seen any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into the dark black area of scareware, making money at users’ expense at any cost.

Confronted with the facts and with the AMO policy, the NoScript author agreed to revert the changes. However, he put a different “solution” in place — the new NoScript version released yesterday adds a “filter subscription” to Adblock Plus meant to whitelist NoScript’s domains. A note about this “feature” has been added to the extension description on AMO (I insisted), not without misrepresenting the cause of course. Supposedly, this is because of a “targeted attack from EasyList which broke functionality.” This fails to mention that EasyList was just doing what it was created for (blocking ads) and that the broken functionality is the result of attempts to prevent ads from being blocked (originally the filters didn’t break anything). So the real reason is not broken functionality, it is the ads on these sites.

Of course, adding a note to the description that almost nobody will read anyway wasn’t the only change I wanted to see. Adblock Plus allows other extensions to add filter subscriptions, but that wasn’t supposed to happen without the user’s consent. In the case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (it will be re-added on the next Firefox start), only disabled. Also, it stays there even after NoScript is uninstalled. Should I now make it harder for all extensions to integrate with Adblock Plus just because NoScript is misbehaving? I doubt that this will help much; any installed extension has the privileges to do anything, and trying to stop it from misbehaving after installation is a lost cause.

While the current state of affairs (NoScript’s manipulation of Adblock Plus is visible to the user if he knows where to look, it is documented and even reversible) is better than what we had before, I still think that extensions manipulating other extensions to prevent them from doing their job is not where we want to be. NoScript might be somewhat extreme, but the “business offer” emails I occasionally see in my inbox make me think that we will see more of this. Companies are starting to recognize the potential of Firefox extensions and push extension authors into monetizing their extensions by questionable means — at the expense of the users.

Update (2009-05-02): Apparently, thanks to some pushing from AMO yet another NoScript version was released. This one supposedly no longer adds a filter subscription to Adblock Plus and also removes the one added by the previous versions. Also, a change to AMO policy is under discussion. Big thanks to everybody who made that happen!

Update 2 (2009-05-04): Sorry, I have to close the comments. I made the effort of reading every single comment, but that’s getting too much for me. Especially now it seems that most commenters come from other articles misrepresenting the whole issue and don’t even bother to read my blog post.

Update 3 (2009-05-04): The NoScript author made an official statement on the events.

Source: AdBlockPlus Blog


I've spoken to the author of NoScript; he used bad judgment, and apologized.

The adblock list had specifically targeted his site, which perhaps isn't so nice. He tried to undo it, it ended in a cat-and-mouse game, and it ended up with him making a bad call.

I accept his apologies. Everyone makes bad calls sometimes. He realized his mistake, accepted it, and reverted it.


  • Administrator

Not sure where you're getting that information from, but that's false. Rick's EasyList blocks items like /counter and many others. This isn't the first time the author of NoScript has done shady things either.

You can always read his list here.


  • Administrator

Another shady thing he has done is whitelisting known bad sites. A lot of people have spoken out against what he has done.

...but pushing updates to add his website to ABP's (another program's) whitelist is a complete no-no, and that is the issue that crosses the line. Software that does this is usually termed "malware", or to put it lightly, adware.

Even worse - yes, the adblock fix has been made, but noscript left the sites in question whitelisted. So the noscript "filter adjustment" is gone....but those same sites in question remain whitelisted in noscript. (Yes, you can manually remove them.)

I don't care who started what - this extension was about not trusting sites and blocking potentially harmful content. Now this extension's integrity itself is put into question by the motives of the developer. With the recent "whoops" of facebook for example, you would have thought that upfront disclosure would have been a no-brainer; but once again someone hoped that no one would notice the change.

I myself don't use flashgot (another extension by the same author) because there are way too many attempts to read / change the registry that can't be explained by normal operation, and the number of advertising-related IP addresses attempting an inbound request increases dramatically with the extension installed. I haven't noticed this on noscript (yet), but it seems to be where the extension was being taken.

It is also interesting that an older version of noscript allowed you to block references (for ads) - and now it doesn't because of "performance issues". I'll put money on it (or rather someone put money into someone's pocket) to take this feature out. This action a year ago is congruent with this attempt at advertising money.

There are other extensions that are clear of these intentions and are open-source, so that you can review what is going on (if you have either the ability or the time).

Now I will also add that I am not opposed to having the developer being paid in some manner for the work - noscript was a great product; however, getting paid by backdoor tactics just isn't good business - and even just wrong.

I have removed noscript as an extension, and highly encourage all to do the same.

It's one thing to try to hide what you've done when it's bad and you know it, but to flat out lie about the problem is even worse.


If he has whitelisted known bad sites, then that is horrible.

Which sites has he whitelisted? (I thought it was only his own domains.)

Also, I didn't know about this references thing. Is it like moo.php?ref=12345 ?

I don't feel like he has lied or tried to hide anything, as he did apologize on the front page of his website and informed his users about this.

I think what he has done is bad (hence I've personally emailed and bashed him about it), but I do appreciate the apology.

I think NoScript is invaluable, and I will continue to use it.

The great thing about open source is that people can find out about such things; in proprietary software it is much more difficult. And people can fork it and create a derivative version.

If someone forked it, then perhaps I would consider using the fork instead.


Without in any way condoning what Giorgio did, I don't think Wladimir and/or Ares2 are exactly blameless either.

The specific targeted blocking of NoScript development build downloads was inexcusable.

It is significant that all this has blown up after Rick Petnel's death.

I don't think Rick himself would have taken EasyList in such an aggressive direction.
