Monday, May 4th, 2009

Extension wars – NoScript vs. AdBlockPlus

Category: JavaScript, Security

One of the dirtiest secrets of the Internet is that it runs on ads for monetization. All of us who surf the web and use systems have had lots and lots of free lunches because of advertisements shown on web sites. The only difference from TV is that web ads are less obtrusive and you can choose to ignore or skip them (for now).

Self-righteous developers who do not quite grasp this dirty secret use all kinds of tricks to remove advertising from web sites they surf. This could be because they do not want to support the corporate machine, but also for security reasons. Ad code on the internet is dire – it is built to support every imaginable environment and to work around the restrictions of individual setups – the ads need to show, no matter what.

Basically there are two extensions for Firefox that allow you to get rid of this potentially dangerous but definitely annoying code. AdBlock Plus specifically targets advertising and removes it, while NoScript goes much further by blocking all scripts by default and asking you as a user to allow what you want to allow.

From a paranoid, security-aware point of view NoScript is a great idea – you cannot trust any JavaScript until we have sandboxed scripting environments.

However, as mentioned in a discussion on SlashDot and commented on in detail by Scott Schiller, there has been a – quite ironic – incident lately.

NoScript had ads on its homepage (which gets loaded in your browser every time the extension is upgraded, which is quite often), and the problem was that AdBlock Plus would block these – after all, this is what it was built for. What people found out is that a build of NoScript actually detected the presence of AdBlock Plus and programmatically added its own homepage to the whitelist of AdBlock Plus (the code that did this was obfuscated).

This poses some interesting questions:

Is AdBlock Plus a useful tool if it can be changed that easily? On the other hand, the fact that the community discovered the change this fast is a good sign.
Are changes to other installed software OK if the software that does it is free and makes the web a safer place?
Are free extensions a safe and useful way to battle unsafe advertising or is this the job of browser vendors?
Is the time of ads on web sites injected with JavaScript over?

What do you do about malware and ads on web sites?

Posted by Chris Heilmann at 11:04 am


“Self-righteous developers who do not quite grasp this dirty secret use all kinds of tricks to remove advertising from web sites they surf.”

What kind of yellow journalism is this? Are you (Chris Heilmann) advocating that the NoScript maker was completely in the right to modify ABP without announcing the change to either ABP or the NoScript users? Granted that blocking ads is a decision of conscience. Which side an internet consumer takes is not something an unbiased news site should weigh in on…oh wait. Ajaxian is ad-based…right…I forgot. Please, root my box with ads.

(Notice I’m posting this in a browser that does not have any form of ad-blocking enabled.)

Comment by tercero12 — May 4, 2009

I would gladly allow all ads to load if they didn’t block page loading. I don’t pay obscene ISP bills to have ads remind me what 1999 was like.

Comment by eyelidlessness — May 4, 2009

@tercero12 If I were to support this kind of behaviour, would I have posted this? I am just throwing out the question here what could be done about this. Personally I am very tempted to pull the ads off all my sites as the few bucks coming in these days are not worth the hassle of slowing down the site.

Comment by Chris Heilmann — May 4, 2009

I must admit I rolled my eyes at “self-righteous” and the presumption that developers who run ad-stopping plug-ins don’t understand that the web is ad-supported. Is the fact that the web is ad-supported really a “dirty little secret?”

The reason I run NoScript has nothing to do with ads. And it’s not because I hate JS or Flash. It’s simply that I want to decide for myself when I care enough about a site to turn on its goodies.

Comment by Nosredna — May 4, 2009

In general, I think it’s bad form for app A to edit the config of app B by hitting the data directly. How the heck is the developer of app A supposed to do QA now? If I had a database that tweaked httpd.conf I could seriously break the way the user wanted apache to work. For me ads vs blocking here is academic, the real injury is that noscript is endangering the safety of the user by making under the hood edits to other things running in the browser. For security software this is troubling because now I no longer trust the developers of noscript and all security is based on trust.

Comment by tack — May 4, 2009

Something like AdBlock has been available for TV for a while now – it’s called a DVR plus a fast forward button.

Comment by WillPeavy — May 4, 2009

“Self-righteous developers who do not quite grasp this dirty secret use all kinds of tricks to remove advertising from web sites they surf.”

I already didn’t pay attention to the ads, and now I don’t have to consider whether or not to pay attention. I don’t believe I’ve ever clicked through an ad: If I’m looking for something, I search, and search ads are also inorganic results, so I ignore those too. If reducing useless visual clutter makes me self-righteous, then I am one self-righteous motherfucker.

Comment by tmallen — May 4, 2009

Are we going to have to separate you two?

Maybe this is a sign that eventually browser add-ons should be sandboxed. Each one could have an explicit whitelist of add-ons that can be notified of its existence and a message passing system to communicate. Maybe this is crazy.

Being able to have YSlow/FirePHP/etc. piggyback on Firebug is nice, e.g., but when any add-on can arbitrarily overwrite the settings of others… installer beware.

Comment by mrclay — May 4, 2009

There are a few interesting issues here between putting trust in “third-party” software, the online advertising/revenue model and security. The issue as reported on SlashDot et al was focusing on the “sneaky” modification NoScript made, but the underlying tie-in to ad revenue of course came up as part of the discussion (and the blocking of ads at large, etc.)
The author wrote a nice summary of his thoughts (thanks @bander) after I’d written the article on my site, so I’ve updated it to include a reference.

Comment by Schill — May 4, 2009

>>if you’re going to include Schiller’s account, you should also include Giorgio Maone’s account of the NoScript AdBlock hack.

Thanks, that is an EXCELLENT write up by him, I congratulate him for that, and, frankly, the guys at Adblock come across as jerks on this. Why would they even consider targeting his little site??? Who ever visits it? Why would they care if his ads display? They provide a tool for users, not clear the web of all ads everywhere for us. Adblock evidently targeted him out of petty spite and went to some lengths to do so, even ruining his site in the process. Ridiculous. I can understand noScript’s initial anger and competitiveness to block Adblock’s targeting of him, even if he went about it wrong for a few days.

And I say that as a user of Adblock and not noScript. (Personally, I find noScript ruins the web experience. If I could figure out how to set it to help block xss type attacks only, nothing else at all, I would use it.)

What the guy from noScript should have done, as he clearly understands now, is simply expose what adBlock was doing in targeting him to such ridiculous lengths.

>>I already didn’t pay attention to the ads, and now I don’t have to consider whether or not to pay attention. I don’t believe I’ve ever clicked through an ad…

Perfect explanation. Exactly my case. And the other 98% of people on the web still viewing them can click if they want to.

Comment by stylo — May 4, 2009

Btw, for a tech site mostly to do with js, why the heck does the “comment by xxxxx” have a stupid http://null/ link on it?

And before, for ages, a submission used to go to a blank page. Hire someone from adBlock or Noscript to maintain the site and keep them busy ;-)

Comment by stylo — May 4, 2009

Most people intelligent enough to install AdBlock or something similar are also intelligent enough to not be influenced by ads on websites. THAT is the “dirty secret of the internet”. Ads generally don’t work anymore…
But don’t tell anyone … ;)
Read Generation X if you don’t believe me…!
(The last sentence was not an ad ;)
(Or rather if it was an ad it was the only type of ad that still “works”… ;)

Comment by ThomasHansen — May 5, 2009

Even if it can be circumvented, AdBlock Plus is still a useful tool. Apparently it would be even more useful with some kind of digital signature scheme (or something!) for the filter sets. I haven’t uncovered whether the shady deeds involved direct modification of AdBlock’s plain-text INI format. If that was the case then it should suffice to simply train the eyes of a file monitoring utility on “Data\profile\adblockplus”. From reading the posts of ABP author Wladimir Palant it seems clear that with FF, installed extensions don’t have enough security. There should at least be a way to give extensions their own private data storage. Doing silent third-party changes to files in non-system folders made the offending versions of NoScript pure malware. I’d say the same if it were Folding@home, you just don’t cross that line. No major for-profit browser vendor (all of them) will ever block ads or disable javascript with the outright zeal of the FOSS community. So while these two extensions aren’t 100% safe or useful they’re at least better than anything else out there right now. AdBlock makes the web sane and keeps memory/cpu low. And at the very least NoScript has the most advanced Clickjacking protection available anywhere. Not installing them both is about as foolish as installing a proprietary FF extension… ok maybe not quite that foolish.

The next step is for browsers to get their ads pipelined via secured video overlays tied to CPU keys. Instead of extensions we’ll need whitehat crackers to keep the web safe.

Comment by Nonymous — May 5, 2009
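
The file-monitoring idea raised in the comment above, as an added example (not code from the post, from NoScript or from Adblock Plus): it compares a filter store against a trusted baseline and reports exception rules (the `@@` prefix in Adblock Plus filter syntax) and subscriptions that appeared since. The INI-like layout, the section names and the `.example` domains are constructed assumptions, not the extension's real file format.

```python
# Constructed sample: a simplified INI-like filter store. Section names and
# layout are assumptions for illustration, not the real Adblock Plus format.
BASELINE = """\
[Subscription]
url=https://lists.example/easylist.txt

[Subscription filters]
||ads.example^

[User filters]
||tracker.example^
"""
# Constructed tampering: a new subscription plus a new exception rule.
TAMPERED = BASELINE.replace(
    "[User filters]",
    "[Subscription]\nurl=https://addon-home.example/allow.txt\n\n[User filters]",
) + "@@||addon-home.example^\n"

def parse_store(text):
    """Map each [section] name to the set of non-blank lines under it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], set())
        elif line and current is not None:
            current.add(line)
    return sections

def audit(baseline, current):
    """Return (kind, section, entry) for every change since the baseline."""
    old, new = parse_store(baseline), parse_store(current)
    findings = []
    for section in sorted(new):
        for entry in sorted(new[section] - old.get(section, set())):
            kind = ("exception-added" if entry.startswith("@@")  # allow rule
                    else "subscription-added" if entry.startswith("url=")
                    else "entry-added")
            findings.append((kind, section, entry))
    # A silently removed blocking rule is as interesting as an added exception.
    for section in sorted(old):
        for entry in sorted(old[section] - new.get(section, set())):
            findings.append(("entry-removed", section, entry))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, TAMPERED):
        print(*finding, sep="\t")
```

The baseline would be a copy saved right after the user last edited their own filters, so any finding that appears without a matching user action points at a third-party write.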


Hear hear. I don’t run NoScript to block ads — I run NoScript because *I* get to decide what runs on my computer, not a website. (I find it amazing how many people don’t understand that JavaScript, be it ad scripts or tracking scripts, runs on *your* computer, not a server.)


Did you try “allowing all JavaScript” and just enabling XSS protection (and clearjack protection)? I actually advise a lot of people to do this with noscript since handling individual javascript sources is sadly beyond most novice users’ ability, but the XSS and clearjack protection is passive.

Comment by mdmadph — May 5, 2009

>>Did you try “allowing all JavaScript” and just enabling XSS protection (and clearjack protection)?

I would if I could figure it out. I searched before but gave up. Please tell me how. Numerous tabs with about 50 confusing checkboxes in there, no idea which options to uncheck or check to get that, or what overrides what, nothing that says “allow all JavaScript” and ignore all these other checkboxes except…, etc.

Noscript badly needs a simple first dialogue box with a basic protection mode (xss/clearjack?), medium mode, total mode. 3 options or go to advanced config. It’s a usability nightmare in there as-is. Be nice if some usability guru out there could support his project with a redesigned GUI.

(On the flip side, I still think the adBlock guys were very wrong to deliberately target his little site to prevent him from supporting his project, as they well knew they were doing. Where is any discussion of why they did such a nasty thing to another add-on developer, and to the point even of ruining his site’s links and such as he says?)

Comment by stylo — May 6, 2009

Speaking well of adBlock now, scrolling Ajaxian in Firefox is a horrible jerky experience because of fixed background images. I blocked the 2 images below with adBlock and the site now works perfectly and seems to look the same.

Until Ajaxian fixes this, add this filter:*

It blocks:

html {
  background: #000 url("images/bg_main.gif") repeat 0 1px fixed;
}
body {
  background: transparent url("images/bg_wrapper.gif") repeat-y 50% 0 fixed;
  color: #333;
  font: 0.7em/160% Verdana, Arial, Helvetica, sans-serif;
}

Comment by stylo — May 6, 2009

@stylo Not sure why yours is jerky. I’m using Firefox 3.0.10. I have AdBlock turned off on this site, and it’s not jerky for me.

Comment by stacye — May 7, 2009

Internet is not ad-supported. It’s commerce-supported.

Let’s be honest. US is the nation of consumers who love shopping and purchase much more than necessary. Whoever has good product, only needs to make it available. Put up a website, create good customer service, don’t cheat, and you will be successful. Submit your pricelist to pricewatch and 1,000 other shopping engines, and the customers will come. Newegg does not need popups and flashing ads.

With rare exceptions, flashing ads are misleading and deceptive. The more it pops up into your eye, the more surely you can bet that business model is based not on good product and competitive price but on hope that you won’t notice fine print. Like calling card for “only” 3 cents per minute plus 50 cents connection fee and $1/week maintenance fee. And that is the real reason why people avoid them. People love to shop, but they don’t like to be cheated. The same folks who spend hours on shopping around in shopping mall, and whose garage has turned into the warehouse of useless junk long ago, will block ads because they know that practically each one will cheat on them.

Comment by xresha — March 2, 2010

1) My processor my choice. No one except for me has the right to choose what my processor will do. Not a single bit.

If and only when I enter a contract to exchange ads for content / service will I willfully allow my ram to be occupied by crap that I do not want.

If you don’t like it and if you think your content is good enough to not offer for free, then please step up. The truth is that if I had to log in to read this article I would not have read it.

2) The extension review process is at fault, one extension should not be able to affect another unless that is the specific purpose.

Really your article consists of a rant about ads provided content and a real news item one extension eats another. The real story is over at the forums in firefox extensions.

Comment by wefdscxz — March 3, 2010
