NoScript Controversy
May 2nd, 2009 by ComputerBob
I’ve mentioned before that two of the Firefox add-ons that I always add to my browser are NoScript and AdBlock Plus.
NoScript is a browser security add-on that stops JavaScripts and Java from executing on all web sites that I visit, except for those that I have specifically given permission to run. Its slogan is “JavaScript/Java/Flash blocker for a safer Firefox experience!”
AdBlock Plus is a browser add-on that allows users to blocks advertisements on the web sites that they visit.
Regular readers of this Journal know that, in the past, I’ve been annoyed by NoScript’s default behavior of redirecting my browser to the NoScript web site every single time NoScript received even the tiniest update — sometimes several times in a week. That’s why, a few months ago, I told you about a simple browser tweak that ends that NoScript annoyance.
While I was simply annoyed by the constant redirects to the NoScript web site, many people have long suspected that NoScript’s constant “updates” may not have been necessary at all, and that the main reason for them was to constantly drive NoScript users to the NoScript web site to view paid advertisements, to make money for NoScript’s author.
Fortunately, those of us who used AdBlock Plus along with NoScript were spared from having to see those paid advertisements.
But now it appears that those who suspected shenanigans on the part of the NoScript author were probably right: Yesterday, the author of AdBlock Plus reported in his blog that all recent versions of the NoScript browser security add-on have intentionally and secretly changed users’ AdBlock Plus settings without users’ permission, to force users to view NoScript ads every time NoScript redirected them to the NoScript web site. And while those few users who knew enough to discover the changes for themselves could find and manually disable NoScript’s unwanted changes to their AdBlock Plus browser add-on settings, if they deleted those unwanted changes, NoScript changed them again the next time they opened their browsers.
As a result, hundreds of NoScript users have complained bitterly on the NoScript site itself, on Slashdot, on Reddit, and on other web sites and blogs like this one.
If you read all of the comments on the AdBlock Plus author’s site, it is very clear that, even after he was caught in the act, the NoScript author released one or more quick NoScript “fixes” — and at least one of those fixes tried to confuse and fool users into allowing NoScript to make changes to their AdBlock Plus configuration. After that continuing betrayal of NoScript users’ trust was also made public a few hours ago, he supposedly released a new version of NoScript that removes the changes that were made by the recent, “sleazy” versions of NoScript.
But trust — once betrayed — is very difficult to rebuild. Like many other users, I’m unwilling to trust NoScript’s author any more.
All of that evidence makes it very clear to me that the author of NoScript betrayed the trust of every NoScript user in the world — and the only reason he stopped betraying their trust was because there was a huge outcry against him after everyone found out what he had been doing with NoScript behind their backs.
NoScript is a security add-on. People trust it to help protect their computes. NoScript has no business making secret, unwanted changes to users’ computers and the configurations of other browser add-ons in order to make more money for its creator. The creator of NoScript has clearly demonstrated that his financial concerns outweigh his users’ security concerns.
Whether or not he “fixes” NoScript, and whether or not he apologizes for his behavior, the simple truth is that he made no effort to do either of those things until he was forced to.
And I suspect that he is really, reallly sorry — that he was caught.
We can’t trust him any more.
Hundreds of users have declared that they have already uninstalled NoScript from their browsers — but it’s a mistake to do that because it puts their computers at a far greater risk of being compromised by malicious web sites.
The simple fact is that users really need something that does what NoScript does. Unfortunately, because everyone has trusted NoScript for so long, and it is hugely popular, there are currently no viable alternatives that provide the same functionality.
So I join the growing mass of users who are calling for the Open Source community to offer users a viable alternative to NoScript — by either adding NoScript-type capabilities to the Firefox browser itself, or by forking the existing NoScript browser security add-on into a new add-on that users can trust to secure their computers.
Permalink:
http://www.computerbob.com/wp/noscript-controversy.php
Tags:
Consumer Info, Dubious, Ethics, Internet, Security, Software
March 1st, 2010 at 3:42 am
Let it be known that the truth will always come to light.
May 7th, 2010 at 3:26 am
Yes, right, becouse like you could see by example of the author of NoSript writing extensions for firefox (even popular ones) is really sustainable source of income.
No one will put hours and hours of work into creating alternative, for free.
Unfortunately tech crowd that uses no script usually uses adblock also, so there’s no chance to raise money through ads, and when was the last time You donated to support NoScript?
July 31st, 2010 at 3:00 pm
Since the 3.6.8 i have had BSOD errors when using FF. For two days I was sure it was FF that was the issue, and began using Chrome with no issues.
However today I decided to give FF a go again (frankly I missed my plugins) - I first installed FF4beta2 clean (I had previously tried it at it did cause a BSOD) and used it with no ill affect. I did disable all plugins except Shockwave, silverlight and the facebook picture upload plugin. I have since installed adblock again. But after doing some research into the errors and finding out I am not the only person having issues, I did notice that we all had something in common. We used Noscript. So far FF has been fine, no crashes and no BSOD and no Noscript either.
Now I can’t say for sure that Noscript is the culprit and not one of the plugins I turned off when first opening FF. But I do find it interesting that my problems seem to have disappeared at the same time. So far FF has been running for 8hrs in total today and no issues. NoScript maybe innocent in this case, I honestly don’t know. But until someone tells me what did cause the problem and that it’s been resolved, I won’t be installing NoScript again.
July 31st, 2010 at 5:30 pm
Chris,
The main cause of your Blue Screen Of Death errors is the fact that you’re using Microsoft Windows. If you really want maximum stability without any BSODs, then start using a Linux distro instead of Windows, and stop running beta versions of software. And if you’re truly concerned about the privacy and security of your data, then stop using Facebook. To me, it doesn’t make any sense for you to run Windows, run beta software, use Facebook, and then complain that your PC isn’t running the way that you’d like it to run.
November 18th, 2011 at 6:55 pm
I have not seen a web page advertisement in over 15 years. I block them all and no I do not care if developers are losing money. It’s our browser and our choice, freedom baby is never having to say your sorry…