NoScript and AdBlock plus – Two Sides to Every Story
(If you don’t want to read too much here, check the links below)
Recently a lot of crap has been written at many places against NoScript (reddit, slashdot, the addon page on mozilla’s site, etc).
We can easily call it a flame war, but that’s not the point – the point is to have a good-working protective solution for any web-behaviour. I don’t use AdBlock plus, but a friend of mine does, and she is pretty happy with it. I’m pretty happy with NoScript, so every train has its passengers. Again – that is not the point. The point is that obviously AdBlock plus developer(s) trying to drive users away from NoScript. As you are reading this, you have probably read the blog-post in ABP site : http://adblockplus.org/blog/attention-noscript-users.
But of course, there is two sides to every story:
http://forums.informaction.com/viewtopic.php?p=2777#p2777
http://noscript.net/faq#qa3_21
https://addons.mozilla.org/en-US/firefox/addon/722 saying:
Notice to AdBlock Plus users: after a targeted attack from EasyList which broke functionality like direct links to development builds on developer’s sites, NoScript 1.9.2.3 and above configure a regular filterset whitelisting them. As any filterset, you can easily disable it with two clicks if you prefer.
And so, I saw a pile of users removing NoScript just for the reason someone has mocked it. How rational. Good luck to those in not getting infected.
“Who started the flame war” is an irrelevant question here – the question is why people are so not-quite-intelligent. I will continue using NoScript.
(If you don’t want to read too much here, check the links below)
Recently a lot of crap has been written at many places against NoScript (reddit, slashdot, the addon page on mozilla’s site, etc).
We can easily call it a flame war, but that’s not the point – the point is to have a good-working protective solution for any web-behaviour. I don’t use AdBlock plus, but a friend of mine does, and she is pretty happy with it. I’m pretty happy with NoScript, so every train has its passengers. Again – that is not the point. The point is that obviously AdBlock plus developer(s) trying to drive users away from NoScript. As you are reading this, you have probably read the blog-post in ABP site : http://adblockplus.org/blog/attention-noscript-users.
But of course, there is two sides to every story:
http://forums.informaction.com/viewtopic.php?p=2777#p2777
http://noscript.net/faq#qa3_21
https://addons.mozilla.org/en-US/firefox/addon/722 saying:
Notice to AdBlock Plus users: after a targeted attack from EasyList which broke functionality like direct links to development builds on developer’s sites, NoScript 1.9.2.3 and above configure a regular filterset whitelisting them. As any filterset, you can easily disable it with two clicks if you prefer.
And so, I saw a pile of users removing NoScript just for the reason someone has mocked it. How rational. Good luck to those in not getting infected.
“Who started the flame war” is an irrelevant question here – the question is why people are so not-quite-intelligent. I will continue using NoScript.
My main annoyance with NoScript is this: “it opens the changelog webpage (full of ads of course) on every single update of the extension”. There is no obvious to disable this behaviour while AdBlock Plus happily updates without ANY message or opening up a website. I finally figured out how to disable it but this is far from obvious.
I ignored it very successfully. And it’s not the only thing that brings up a page after updating – StumbleUpon, Firefox itself.., etc
WRT two sides: That “targeted attack from EasyList” was really just EasyList doing what it’s supposed to do: block ads. Giorgio then started trying to work around it and EasyList was adjusted accordingly to continue doing the job it’s promised its users, resulting in the arms race which got us to the place where Giorgio started directly manipulating Adblock Plus (which is what most people are annoyed with).
The question is: Can you trust somebody who will try to sneak in (obfuscated!) code for his/her own benefit – without even so much as informing the user? You apparently can…
BTW: What Wladimir points out (and repeats in the comments to his blog post) is that the question is even more to the point: Can you trust this somebody with the *security* of your browser?
Look, this is something between ABP and NoScript, and has nothing to do with overall security whatsoever. Furthermore, it is clearly stated what NoScript does with ABP (no one reads it, but it is there). So, yes, maybe a little personal mistake by Georgio, but generally no reason for disbelieve in security perspective.
“it is clearly stated what NoScript does with ABP” since version 1.9.2.3. However the obfuscated code has been introduced in version 1.9.2 and has thus been there without any comment for at least to minor revisions. What we’ll never know is how much longer it’d been there had Wladimir not discovered it and convinced Giorgio to revert the changes and go public (which of course happened a few days before Wladimir’s blog post in private).
As for having “nothing to do with overall security”, see comment 62 to http://adblockplus.org/blog/attention-noscript-users (in short: it’s not about security per se but about *trusting somebody with security*).
That was informational, thanks. Those links did not help much however. It is completely clear to me that I can not trust the NoScript author with the security of my browser. I’m sure you can see that side of the story as well?
Good luck to those in not getting infected.
hey bozhg nice Fud
Well, not much of a Fud, but rather experience – I have had no trouble with Internet threats for more than a year with NoScript (I even don’t have an AV program). In contrast with people I know who don’t use NoScript.
@Hugo – yes, I see both sides. But as the first side was exagarated around the wire, I have focused on the other side. I think it is a personal mistake of Georgio – he saw things from only one perspective and that lead perhaps to his unjustifiable actions, but this is not why I would stop trusting NoScript.
Giorgio should have just asked folks to allow his ads.
Giorgio mentions on his forum that he contacted Wladimir before all of this happened. I would be curious to know more about that?
Now did Wlad tell EasyList guy to impale him?
Did it become a little pissing match, from both sides?
this seems likely.
Giorgio mentions a bit about being pissed off, and that he did not know the easy exception was possible, so “he responded like a hacker”.
Clearly, they were not communicating.
This really is a classicand historic foodfight, high profile, many users affected, everyone running around in panicked screams, off with his head french revolution caliber attack of the outraged mob.
So for the hysterical record,
we should have all the info.
lets see the emails!
I will also continue to use NoScript for the simple fact that I believe it does a job that needs doing and that nobody else is doing (that I know of).
At the same time, I am, however, disappointed that the NS author pulled the stunt he pulled by manipulating the AdBlock Plus extension. That was a huge mistake on his part.
I noticed the NS author whitelisting his own sites, and a few others, the first time I installed NS when I went through the preferences. I deleted all the sites I don’t need – no big deal.
I also don’t mind being directed to his site after every update. I actually think that’s a good idea. I know I would not read the changelog on my own. Sometimes I read the notes, sometimes I don’t, but in any case it’s easy to close the tab with one click.
So it turns out the NS author is not perfect and that he’s not above playing the system a bit. For me, that’s a minor inconvenience, and if it helps with the maintenance of the extension, I don’t mind.
I can see how for some people this is an issue of trust and that they don’t feel comfortable with using NS anymore. For myself though I have decided that would be a shortsighted approach.