User: Password:
Subscribe / Log in / New account

The Firefox extension war

The Firefox extension war

Posted May 7, 2009 2:08 UTC (Thu) by joey (subscriber, #328)
Parent article: The Firefox extension war

I'm glad you included the bit about distributions packaging extensions. As I noted in the big thread, Debian's package of noscript disabled the annoying open-a-tab behavior long ago -- without precipitating an arms race.

It is worth noting, though, that few distributions could keep up with the constant release churn of noscript. From its FAQ:

Q: Yes, I love NoScript, but releasing new versions every few days is getting tedious, can't you limit updates to once a month?!
A: NoScript is a security software, hence its users expect it to do every effort to keep their browsing experience as safe as it can be, always. This means that every time a new browser weakness is reported, a new kind of web threat is discovered or a bug is found in NoScript itself (hey, no software is perfect!), NoScript is immediately updated to react as needed.
In contrast, the Debian packages of noscript have never been updated more frequently than monthly, and generally less often.

I wonder, though, if needing constant code releases to deal with issues is a symptom of noscript not being very well designed. Compare with things like adblock and clamav, which do not require frequent code releases, and rely on frequently updated blacklists and virus signatures, which can be downloaded periodically. Alternatively, perhaps the set of issues that noscript is dealing with are so varied (due to the insane web programming mess) that it really does need new code to deal with new issues. I'd be curious if someone knows.

(Log in to post comments)

The Firefox extension war

Posted May 7, 2009 20:21 UTC (Thu) by rahvin (subscriber, #16953) [Link]

The beauty of noscript is that they stay up in the arms race with the black hats. The worst security software is one that provides a sense of security while not providing the security. I love that Noscript updates so frequently because I KNOW the blackhats are updating their attacks daily.

The fact is without the frequent updates the Blackhats would be able to exploit their tricks for much longer and that's worth the hassle. It's a credit to the noscript development that they work so hard to stay up to date on the latest blackhat operations.

The Firefox extension war

Posted May 7, 2009 21:52 UTC (Thu) by pflugstad (subscriber, #224) [Link]

Well, given that many of the exploits depend on JavaScript being enable to function, one would think that after a certain point, NoScript would basically be future proofed - most exploits would already be covered by the fundamental disabling of Javascript.

Also think about this: as this whole saga points out, NoScript is funded by ad's, so that pop-up page every time NoScript updates actually puts money in the Maone's pocket. So I would tend to think that there's a conflict of interest there - the more he updates, the more money he gets. So to a degree, he may have a vested interest in NOT improving NoScript to the point described above. I'm obviously conjecturing here.

Also, I obviously didn't look very hard, but I did NOT actually find the link on how to disable the pop-up page (thanks for the link Jon), even though I went looking for it when it was mentioned in the original article - I was thinking it would be a check-box on the NoScript prefs panel. My bad I guess.

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds