The Firefox extension war

By Jake Edge
May 6, 2009

By now, the escalating battle between the NoScript and Adblock Plus Firefox extensions is fairly well-publicized. In fact, the LWN comment thread on the topic has attracted an enormous number of comments—though many are rather tangential to the actual issue. While the original dispute has been settled, there are still a few issues to ponder from that incident.

For those who didn't follow the dispute, a review is probably in order. Both NoScript and Adblock Plus are meant to assist users in controlling the content that their browsers display. As their names imply, NoScript is focused on blocking things like Javascript, Flash, and the like, whereas Adblock Plus blocks advertisements. There is some overlap between the two, of course, because much of the advertising on the web is served via Javascript and/or contains Flash content.

NoScript's author, Giorgio Maone, uses advertising on the NoScript web pages to help fund development of the extension, which is part of why the frequently-updated extension opens a tab on the release notes page after an update. This particular feature—which can be disabled fairly easily—is quite annoying to some. Part of that annoyance may be because of the ads on that page. In late April, Adblock Plus added the NoScript site to its filter list so that its users would no longer see the ads. That led to an arms race.

The NoScript and Adblock Plus developers went back and forth, with NoScript circumventing the filters and Adblock Plus adding new filters to block the ads. This continued until the Adblock Plus filter fundamentally broke the NoScript site so that users could no longer even see the links to download NoScript. This sent Maone around the bend, evidently, as his next step was to add obfuscated code—though the extent of the obfuscation is disputed—to NoScript that disabled the Adblock Plus filter for his site.

At that point, Adblock Plus author Wladimir Palant wrote a blistering blog post about the dispute, which brought it to the attention of many. Maone quickly backed down, offering a detailed and seemingly heartfelt apology. In the meantime, though, the folks at addons.mozilla.org (AMO) noticed the problem and are considering changes to their policy on legitimate extension behavior.

It should be noted that AMO did not review the NoScript changes (or, presumably, the Adblock Plus filter changes) before the updates were made available to users. As Maone explains, once an extension reaches a certain level of trust, the AMO reviewers do not check updates—they are approved automatically. It is unclear how that process works exactly, but given the number of escalating changes both extensions were making over a short period of time, some kind of minimal oversight might have noticed that something was amiss.

For someone of malicious intent, as opposed to someone just exhibiting some incredibly bad judgment, a Firefox extension makes a pretty tempting target. Much of what goes on inside the browser involves sensitive information which users do not wish to have exposed (passwords, browsing history, etc.). If an extension can get to the point where it can push out "trusted" updates, without any review, that seems rather troubling.

Some distributions—Debian at least—package Firefox extensions for their users. Though it isn't a foolproof solution, it does add a level of review to the code before it gets installed. It probably makes sense for other distributions to consider doing that as well. Changing the AMO policy is certainly a good idea, but it will hardly protect against attackers of various sorts.

While there is nothing wrong with supporting development via advertising, clearly Maone crossed the line. Adblock Plus users specifically want ad blocking, so turning that functionality off, even "just" for one site, is plain wrong. Maone seems to recognize that now and this dispute will hopefully serve as a warning to other extension authors before they allow their anger to get in the way of their good sense. For the rest of us, though, it serves as a reminder that we are sometimes, perhaps even frequently, installing software in our browsers that has had little or no oversight.

The Firefox extension war

Posted May 7, 2009 2:08 UTC (Thu) by joey (subscriber, #328)

I'm glad you included the bit about distributions packaging extensions. As I noted in the big thread, Debian's package of noscript disabled the annoying open-a-tab behavior long ago -- without precipitating an arms race.

It is worth noting, though, that few distributions could keep up with the constant release churn of noscript. From its FAQ:

Q: Yes, I love NoScript, but releasing new versions every few days is getting tedious, can't you limit updates to once a month?!
A: NoScript is a security software, hence its users expect it to do every effort to keep their browsing experience as safe as it can be, always. This means that every time a new browser weakness is reported, a new kind of web threat is discovered or a bug is found in NoScript itself (hey, no software is perfect!), NoScript is immediately updated to react as needed.
In contrast, the Debian packages of noscript have never been updated more frequently than monthly, and generally less often.

I wonder, though, if needing constant code releases to deal with issues is a symptom of noscript not being very well designed. Compare with things like adblock and clamav, which do not require frequent code releases, and rely on frequently updated blacklists and virus signatures, which can be downloaded periodically. Alternatively, perhaps the set of issues that noscript is dealing with are so varied (due to the insane web programming mess) that it really does need new code to deal with new issues. I'd be curious if someone knows.

The Firefox extension war

Posted May 7, 2009 20:21 UTC (Thu) by rahvin (subscriber, #16953)

The beauty of noscript is that they stay up in the arms race with the black hats. The worst security software is one that provides a sense of security while not providing the security. I love that Noscript updates so frequently because I KNOW the blackhats are updating their attacks daily.

The fact is without the frequent updates the Blackhats would be able to exploit their tricks for much longer and that's worth the hassle. It's a credit to the noscript development that they work so hard to stay up to date on the latest blackhat operations.

The Firefox extension war

Posted May 7, 2009 21:52 UTC (Thu) by pflugstad (subscriber, #224)

Well, given that many of the exploits depend on JavaScript being enabled to function, one would think that after a certain point, NoScript would basically be future-proofed - most exploits would already be covered by the fundamental disabling of JavaScript.

Also think about this: as this whole saga points out, NoScript is funded by ads, so that pop-up page every time NoScript updates actually puts money in Maone's pocket. So I would tend to think that there's a conflict of interest there - the more he updates, the more money he gets. So to a degree, he may have a vested interest in NOT improving NoScript to the point described above. I'm obviously conjecturing here.

Also, I obviously didn't look very hard, but I did NOT actually find the link on how to disable the pop-up page (thanks for the link Jon), even though I went looking for it when it was mentioned in the original article - I was thinking it would be a check-box on the NoScript prefs panel. My bad I guess.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds