Adblock Plus and (a little) more

adblockplus.org - now with SSL protection · 2009-06-26 13:47 by Wladimir Palant

I enabled SSL on adblockplus.org and easylist.adblockplus.org so that these can be accessed via a secure connection. I also checked that all pages keep you on an encrypted connection once you are there (if you get redirected from HTTPS to plain HTTP somewhere — let me know). The only known problems are the video on the main page (embedding YouTube via SSL doesn’t seem possible) and images in forum posts (these typically come from plain HTTP as well). Oh, and I am using a StartCom certificate which means that only Gecko-based browsers and Safari will recognize it (given the audience of this site, this shouldn’t be a problem).

Why do all that? Sure, nobody enters his credit card info on this site — but you don’t want anybody to manipulate your extension downloads either. In particular, development build downloads should only be possible via SSL in future (probably with automatic updates then). As to single-language builds, I will likely remove those because SeaMonkey’s problematic extension installation mechanism was the main reason to have those — but starting with Adblock Plus 1.1 only SeaMonkey 2.0 will be supported.

Finally, we will probably start serving EasyList via SSL in future. While the introduction of checksums made sure that nobody gets corrupt filters any more, some people simply cannot get filters because their proxy/firewall/whatever manipulates the response. This kind of manipulation will no longer be possible with SSL which will hopefully result in more reliable downloads.
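The check described in the post above (pages keep you on HTTPS, and embedded content such as videos or forum images does not arrive over plain HTTP) can be automated. The following is an added example, not part of the original post or the site's code; the sample markup and the hosts `video.example`, `images.example`, `cdn.example` and `other.example` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource into the page.
EMBEDS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
          "object": "data", "video": "src", "audio": "src", "source": "src"}
NAVIGATION = {"a": "href", "form": "action"}  # attributes that navigate away

class HttpsAudit(HTMLParser):
    def __init__(self, page_url, site_hosts):
        super().__init__()
        self.page_url, self.site_hosts = page_url, set(site_hosts)
        self.mixed = []       # subresources loaded over plain HTTP (any host)
        self.downgrades = []  # links/forms leading to plain HTTP on our own hosts

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check(attrs.get("href"), self.mixed, any_host=True)
        elif tag in EMBEDS:
            self._check(attrs.get(EMBEDS[tag]), self.mixed, any_host=True)
        elif tag in NAVIGATION:
            self._check(attrs.get(NAVIGATION[tag]), self.downgrades, any_host=False)

    def _check(self, value, bucket, any_host):
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urlsplit(urljoin(self.page_url, value.strip()))
        if url.scheme == "http" and (any_host or url.hostname in self.site_hosts):
            bucket.append(url.geturl())

def audit(page_url, html, site_hosts):
    """Return (mixed_content_urls, https_to_http_links) for one HTTPS page."""
    parser = HttpsAudit(page_url, site_hosts)
    parser.feed(html)
    return parser.mixed, parser.downgrades

# Constructed sample page; the *.example hosts are placeholders.
SAMPLE = """<html><body>
<img src="/img/logo.png"><script src="//cdn.example/lib.js"></script>
<embed src="http://video.example/v/abc123">
<img src="http://images.example/forum/pic.png">
<a href="http://adblockplus.org/en/installation">Install</a>
<a href="/en/faq">FAQ</a> <a href="http://other.example/">external</a>
</body></html>"""

if __name__ == "__main__":
    print(audit("https://adblockplus.org/en/", SAMPLE, {"adblockplus.org"}))
```

Links to plain-HTTP pages on other hosts are deliberately not reported as downgrades; only embedded resources are flagged regardless of host, because they load inside the encrypted page.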

Comment [6]

  1. Fowl · 2009-06-26 16:44

    Is there a reason the install extension prompt says “Author not verified”?

    Reply from Wladimir Palant:

    Yes, the extension isn’t signed. Unlike SSL certificates, certificates for code signing are pretty expensive and unaffordable for most extension developers. Which isn’t really a big issue as long as you install from SSL.

  2. jason · 2009-06-26 19:08

    First off, good job on going with SSL. It’s too bad that StartCom (or some other company) doesn’t offer free or cheap code signing certs. The best that I could find was TUCOWS which offers them at $80/year or I think $200/3 years (most are $200+/year). Regardless, that is still too much (in my opinion) for developers such as yourself and really kinda limits them to developers that are making a bunch of money on their software. But thus is life in this oddly controlled cert market…

    I tried this a while ago, but I forgot the results. What happens if you use a self-signed cert to sign the extension? I assume you would still get the “Author not verified” message since the trust chain could not be built?

    Reply from Wladimir Palant:

    The interesting thing is that I checked StartCom after replying to the comment above – and apparently they offer code signing certificates for what boils down to $30 per year. That’s good enough for me so I might give it a try later. StartCom has been cleared for code signing in Firefox 3.5 so in a few months that certificate could actually be seen by a significant number of users.

  3. jason · 2009-06-26 19:41

    Ahh, good call. I just read a little closer and I noticed “…and signing of object code and macros” in the description for their $30/year cert. That is pretty cool.

    Anyways, back on topic, didn’t Mozilla recently require that extensions use SSL for their update checking URL (or am I thinking of something else?)? Was that part of the motivation for this change?

    Reply from Wladimir Palant:

    Yes, that was one reason – if I want a separate update channel for development builds I need SSL.

    Reply from Wladimir Palant:

    Actually, it seems that StartCom’s code signing certificate is more like $15 per year. You need to pay $30 to validate your identity. But StartCom doesn’t limit the number of certificates – so you can get a new one shortly before your identity validation expires. That one would be valid for one more year and only then you would need to validate your identity again.

  4. iNsuRRecTiON · 2009-07-01 12:46

    Hi there,

    cool news, cool new upgrade =)

    But hopefully you won’t remove those single language builds, because I don’t want to download the huge full extension file download with all languages..!

    And it matters if you compare a rough 100 kb vs 200 kb extension..

    I only want German :-P

    regards,

    iNsuRRecTiON

    Reply from Wladimir Palant:

    Does the difference of 100 kB really matter that much for you? That’s less than 20 seconds even on a 56k modem. For me it is a significant effort to create these builds however and I see that people are confused by too much choice on the installation page (by now both Adblock Plus and Element Hiding Helper have more than 40 translations).

  5. iNsuRRecTiON · 2009-07-01 17:56

    Hmm, ok, I see, that’s much effort, you’re right.

    But I prefer small addons and 100 kb is already a big extension.. but 200 kb is double that..

    I think then I have to use the German offer from www.erweiterungen.de which offers this Adblock Plus extension as a German-only download..

    regards,

    iNsuRRecTiON

    PS: Hope to see version 1.1 soon =)

    Reply from Wladimir Palant:

    Yeah, 43 translations that are sitting around on your disk and not hurting anybody are going to make a big difference… I would definitely not recommend using erweiterungen.de – at least not if you care a little about security.

    I hope to see version 1.1 soon as well but right now Babelzilla isn’t coming along, that’s quite an issue. The idea was to release around the 14th but if they don’t fix the issue within the next few days I won’t be able to release in July.

  6. iNsuRRecTiON · 2009-07-01 22:15

    Hmm, why is erweiterungen.de not recommended?

    They use SSL, too.

    Reply from Wladimir Palant:

    1) They only use SSL for the actual download. The page linking to it can be easily manipulated however. Do you check for each download that it is coming via an SSL connection, from the right server and that it is the extension you requested? I doubt it (even if you do, you are a rare exception). There is a reason why AMO uses SSL for the entire site.

    2) They change extension packages without asking authors for permission and without listing their changes. Adblock Plus source code license is MPL and what they are doing is a violation of that license, similarly with other extensions (some of them aren’t even distributed under an open source license). What’s worse – if the author signs the extension they will invalidate the signature so that it won’t be possible to verify whether the extension has been manipulated (because, well, it was).

    3) There is a very practical aspect here: they add their own updateURL to all extensions meaning that you will get updates delayed. Also, extension authors can change the compatibility range on AMO without uploading a new version – but these changes won’t make their way to erweiterungen.de of course.
