Adblock Plus for MicroB - great, but... · 2007-12-28 00:20 by Wladimir Palant

Today I looked at my logs and noticed lots of unusual referrer spam. For example, I saw people coming to adblockplus.org from wikipedia.org — not a particular article but the main site. Adblock Plus is not that famous yet so I investigated a little.

xxx.xxx.xxx.x - - [10/Dec/2007:11:14:59 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "http://www.wikipedia.org/" "Mozilla/5.0 (X11; U; Linux armv6l; en-GB; rv:1.9a6pre) Gecko/20071128 Firefox/3.0a1 Tablet browser 0.2.2 RX-34+RX-44_2008SE_2.2007.48-9"

That’s a typical log entry. Now I read the news about Adblock Plus being available for MicroB and it wasn’t difficult to make a connection. So I downloaded this Adblock Plus version and soon it was obvious that it is inserting an Adblock Plus button into all web pages the user visits — using my favicon as the image on the button. Which makes me the lucky guy who can track every move MicroB users make on the Internet (at least if I decide to send HTTP headers preventing caching).

Well, what should I say… Generally, I am happy with Adblock Plus being brought to more users and more platforms. But I thought that somebody making such extensive changes (it seems that MicroB doesn’t support XUL) would at least consult me. Yet I had never heard about MicroB before; looking briefly over the news article, I mistakenly assumed that it referred to MidBrowser (the makers of this browser actually asked me to support it in Adblock Plus). And I certainly would be against using the same name for this extension — e.g. because I am trying hard to provide proper support to my users and Adblock Plus for MicroB is so fundamentally different. And because I don’t like being associated with security holes like this one. It is much too easy to suspect that this is a backdoor and I am the one who planted it.

Dear Afonso Costa, whoever you are. I am waiting eagerly for you to respond. I hope that you will at least fix the security hole as soon as possible (or maybe even sooner). And I hope that you will be more careful with what you release in future. And if you are really serious about maintaining an Adblock Plus port for MicroB — please consider renaming your extension and providing support for it. People will come to my forums otherwise, and they will get no help there (and you will never learn about bugs).
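The log pattern described in the post can be checked for mechanically. The following is an added example, not part of the original post: it parses combined-format access log lines and reports user agents that fetch one asset with Referer headers from several unrelated sites. The function names, the `min_hosts` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format, the format of the entry quoted in the post.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def foreign_asset_hits(lines, own_hosts, asset="/favicon.ico"):
    """Map user agent -> set of foreign Referer hosts seen on requests for `asset`."""
    hits = defaultdict(set)
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["path"].split("?", 1)[0] != asset:
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host:
            continue  # "-" or empty Referer: an ordinary direct favicon fetch
        if any(host == h or host.endswith("." + h) for h in own_hosts):
            continue  # request came from one of our own pages
        hits[m["agent"]].add(host)
    return dict(hits)

def embedding_clients(hits, min_hosts=2):
    """Agents seen with >= min_hosts distinct foreign referrers (hypothetical threshold)."""
    return sorted(a for a, hosts in hits.items() if len(hosts) >= min_hosts)

# Constructed sample lines (documentation IP range, made-up agent strings).
SAMPLE = [
    '192.0.2.10 - - [10/Dec/2007:11:14:59 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "http://www.wikipedia.org/" "ExampleTabletBrowser/0.2"',
    '192.0.2.10 - - [10/Dec/2007:11:15:40 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "http://news.example.org/story" "ExampleTabletBrowser/0.2"',
    '192.0.2.77 - - [10/Dec/2007:11:16:02 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "-" "ExampleDesktopBrowser/2.0"',
    '192.0.2.78 - - [10/Dec/2007:11:17:30 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "http://adblockplus.org/en/" "ExampleDesktopBrowser/2.0"',
    '192.0.2.79 - - [10/Dec/2007:11:18:05 +0100] "GET /favicon.ico HTTP/1.1" 200 708 "http://forum.example.net/t/1" "ExampleDesktopBrowser/2.0"',
]

if __name__ == "__main__":
    found = foreign_asset_hits(SAMPLE, {"adblockplus.org"})
    for agent in embedding_clients(found):
        print(agent, sorted(found[agent]))
```

Because clients cache the icon, the referrers seen this way are a lower bound on the pages actually visited, which is the caveat about caching headers the post makes.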

Comment [10]

  1. BenoitRen · 2007-12-28 00:50 · #

    You have a favicon? I didn’t know about it, because SeaMonkey respects the ‘favicon’ standard (unlike Firefox and IE). You should use a link tag in your documents to point to the favicon.

    Web browsers picking up favicons by sniffing every website for favicon.ico in their root directory is bad practice and clogs up logs with errors of a file not being found for websites that don’t have it there.

    Reply from Wladimir Palant:

    I don’t care enough about favicons to add a tag to each page here. And I simply put up an icon because it is smaller than a 404 page (thus wasting less of my traffic).

  2. chewey · 2007-12-28 02:57 · #

    BenoitRen: Completely agreed. That’s one of the most annoying WONTFIX bugs in Firefox. I’m really glad KaiRo has an “over my dead body” attitude on that one :-)

  3. Antonio Gomes · 2008-01-02 16:06 · #

    code is not much changed. we just provided a not xul based UI, using a chrome window.

    the favicon problem has been solved for next release. thank you very much for that ;)

    Reply from Wladimir Palant:

    Good to hear that. Yet I still consider this a major change since at least 50% of the code in Adblock Plus is either XUL or communicates with XUL in some way. Which is why I emulated the XUL user interface for K-Meleon rather than implementing something new – that’s the only way to provide consistent user experience across browsers.

  4. Afonso Costa · 2008-01-02 21:14 · #

    Hi,

    we have fixed the problem related to the favicon and we have done a new package, which is available in our repository (just an update in Application Manager is necessary).

    About the support, we have two mailing lists (developers and users), which are our way of communicating with the general community. Our mistake was not adding this kind of information to our post, which would have kept users from going to your blog/forum to ask for help.

    Anyway, thanks for your advice and my apologies for any inconvenience.

    Reply from Wladimir Palant:

    Thanks for fixing this issue. Looking at the code, you now use text rather than using an icon. Still, it makes your variant of Adblock Plus easily detectable – but I will let you worry about it.

  5. Antonio Gomes · 2008-01-05 19:05 · #

    hi,

    “Still, it makes your variant of Adblock Plus easily detectable”

    how is it still vulnerable here? what do you suggest?

    Reply from Wladimir Palant:

    You are always inserting some known HTML code into a web page – the web page only needs to run some JavaScript that will look for it and it will be able to detect your Adblock Plus port. The only way to prevent this is to keep your user interface outside of the web page. Now I don’t know how the user interface of MicroB works of course…

  6. ar · 2008-01-08 15:15 · #

    Wladimir, is it ok for you if we support it under name ‘Adblock Plus port for MicroB’?

    Reply from Wladimir Palant:

    Yes, that’s ok. Thank you.

  7. Krish · 2008-01-21 09:18 · #

    Is there anything like this piece of software for Opera browser?

    Reply from Wladimir Palant:

    Opera is not a Gecko-based browser, meaning that Adblock Plus cannot be ported there (not even theoretically). Also, I don’t know of any kind of extension mechanism in Opera. Opera has a built-in content blocking feature however, you can search for it on Google.

  8. Ranga · 2008-01-22 17:10 · #

    Of late (esp. after Google acquired Feedburner), the images from Feedburner have tricky filenames & no *.gif / *.png extensions. This makes it difficult to ad-block them. I guess this is FB’s workaround. E.g. visit lifehack.org & look out for the ads (images) from FB.
    Do something, pl!

    Thanks,
    Ranga

    Reply from Wladimir Palant:

    These ads are still blocked by EasyList – so I doubt the change had anything to do with Adblock Plus. In general, since their addresses obviously don’t have anything to do with actual files, the decision to remove the file extension makes sense.

  9. Sergey · 2008-07-21 22:34 · #

    After the upgrade to Diablo, adblockplus eats too much memory, ~150Mb.

  10. Gourmand · 2008-12-28 12:42 · #

    After the latest Diablo upgrade this fall, ABP doesn’t work at all. I tried to remove and install it but without success. The same is reported by many people around the world.
