• Welcome to Overclockers Forums! Join us to reply in threads, receive reduced ads, and to customize your site experience!

Is NoScript in the wrong?

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.
Enablingwolf

Enablingwolf

Senior Member overclocking at t
Joined
Jun 14, 2004
If you use NoScript and/or AdBlock Plus, which I assume a lot of Firefox users do. Please read this post. I normally do not ask folks to read my long winded posts. This time I believe you are about to make a choice, and should know what went down.


For those who do not know what the extension is. In simple terms. NoScript is a Firefox extension(sort of a security thing.) That blocks scripts on websites. In case you did not know or never used it before. Simply put, it stops crap from running in your browser unless you ok it. Which enhances the security of Firefox.
"NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality... "

If you haven't caught the news yet. It appears NoScript has been at odds with another Firefox extension called, Adblock Plus. Which in the end broke it and changed other extensions functionality. Pretty much NoScript made unauthorized changes on users machines. Simply for self serving monetary reasons. For ad revenue on the extensions home pages.

http://adblockplus.org/blog/attention-noscript-users
Yes it is a bit long, but describes what went on. From the Adblock Plus side. Which forced the NoScript developer. Via the AMO, to stop the crap they were doing and breaking other extensions and modifying them without users consent.

........

Is the developer of Noscript in the wrong? He did violate the Mozilla AMO. <--Link to AMO
Plus he changed setting and other extensions on users machines without notification or permission for his own purpose.

Short rundown of the adblock side of the issue. In case you would not rather take a 5-10 minute read.
This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claim that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.
Click to expand...
From slashdot.org:

Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
Click to expand...
Does this effect your opinion of NoScript making unauthorized changes to other extension's settings it had no reason to do so? Except to protect thier revenue stream.. Was NoScript in the wrong, or really bad, not so bad.. Or who cares - they fixed it... And came around.. Or was it not important web soap opera?
/Discuss
 
Yeah, it was sleazy of the noscript author to do so. If there had been a pop up asking me if I would like to have his site's ad's to be unblocked, I probably would have done so. Otherwise, altering the functionality of an entirely separate extension is unacceptable. It definitely makes me less trusting of his extension. It is important to note that noscript has almost daily updates, and after each one the noscript website loads. Now it is obvious that those updates are superficial, and the majority of their function is to simply ad page views for his site. Gauging from the slashdot responses, I think it is safe to say that the community will shortly create an alternative, and his extension will lose market share. I sure will be looking for alternatives. You just can't trust his work anymore. And apparently this isn't the first time he has injected his website into the ad block whitelist.
 
I guess this just shows you can't implicitly trust anyone, regardless of even what the majority says.
I'm definitely guilty of installing both NoScript and Adblock Plus, and then just ignoring both rather than checking to see if anything fishy was going on. I hope I remember to be more careful in the future. :rolleyes:
 
burningcpu said:
It is important to note that noscript has almost daily updates, and after each one the noscript website loads. Now it is obvious that those updates are superficial, and the majority of their function is to simply ad page views for his site.
Click to expand...


Yeah it is hard to figure out what was legit updates for threat responses. Or him wanting some funding for Taco Bell trips.
I do believe he was entitled to get revenue. He had some good work and was IMO an important extension for Firefox.
Just do not do it behind my back and take liberties on my machine.
Since NoScript is GPL. He can be pushed out of the way. :( Which I think is going to happen. He lost the trust of many folks. At least it is open source. Which is why that concept is so amazing and benefits everyone! Issues can be corrected, and benefit all users.

He would have to be good to regain the trust of the community again. Not sure how he can do that.. About the only way he can avoid being forked out of the way. Is to regain the community trust again.

Aslan said:
I guess this just shows you can't implicitly trust anyone, regardless of even what the majority says.
I'm definitely guilty of installing both NoScript and Adblock Plus, and then just ignoring both rather than checking to see if anything fishy was going on. I hope I remember to be more careful in the future. :rolleyes:
Click to expand...

Well at least it was peer reviewed and the issue found out. It is up to each user to review the code running on his or her machine. But I do totally get your post though. It is a wake up call of sorst. Since most of us, just expect Firefox stuff to be trustworthy. I think this is the first time something like this happened to the Firefox platform. So it is easy to be lured into an, without thinking much, sense of security.
When you have a trusted user saying... Hey install this extension.. It is for your best interest.. Then all the sudden. It turns out the guy who runs the project is doing cheesy things.. Hard to explain that one.

At one time.. That extension was recommended by DHS and many many other 'trusted' entities. I use trusted loosely. :rolleyes:

Adblock Plus was doing what it did best.. And was not doing anything out of the ordinary or hidden. It actually kept fighting the changes and trying to thwart the stuff NoScript dude was doing.. It was a back and forth for a while actually. If I read it right. It was stopped, once he actually broke Adblock Plus.. With his shenz.
 
Last edited:
You must log in or register to reply here.

Similar threads

Kenrou
Microsoft's killing script used to avoid Microsoft Account in Windows 11
Replies
16
Views
614
=XAF=AfterShock
=XAF=AfterShock
Kenrou
NVIDIA Fixes High-Risk GPU Driver Vulnerabilities That Allow Code Execution and Data Theft
Replies
8
Views
776
Kenrou
Kenrou
Kenrou
KB5058405 might fail to install with recovery error 0xc0000098 in ACPI.sys
Replies
10
Views
528
EarthDog
EarthDog
Dusnoetos
Surveillance Software for wired cameras?
Replies
10
Views
355
Dusnoetos
Dusnoetos
G
There are games i can't play on facebook using chrome
Replies
2
Views
567
gasolin
G
Back