Adblock Plus and (a little) more

Extension security 101 · 2014-02-24 17:42 by Archive

We’ve received a couple of questions from users worried that Adblock Plus might be compromised lately. Don’t worry, it’s not. But that alone doesn’t warrant a blog post, does it? So here’s me talking about extension security a bit:

Any software you install, browser extensions are no exception, can do things against your will and without your knowledge. That’s commonly called malware or spyware. It’s a real problem, which is why there’s a filter list that blocks sites known for distributing malware.

But the most important thing is to be careful about the software you install. It’s ultimately your decision, and you should make it based on whether you trust the person or site you got it from.

In the case of Firefox extensions, I strongly suggest that you only install them from addons.mozilla.org. They’re quite trustworthy: Anything that’s for download there has passed their review process, and you can be quite sure that no shady code makes it past that. You don’t have to worry about automatic updates either, because updates need to be reviewed as well (that’s why Firefox users didn’t get Adblock Plus 2.5.1 yet). And they’re keeping a particularly close eye on popular extensions that would affect many users, like Adblock Plus.

For Chrome extensions, the most reliable source is the Chrome Web Store. To install extensions from other sources you have to jump through some hoops, and on Windows it’s not even possible anymore. While Google doesn’t review the code of every extension, they do keep an eye on them (particularly the popular ones) and take anything down that’s known to be malware. With Opera it’s similar.

Internet Explorer extensions are probably the ones to be most worried about. They’re installed by installers, which can generally do things to your system malware extensions couldn’t do in their wildest dreams. Installers can replace applications you trust (including browser extensions) with malware, install new malware, do anything really. And there’s no third party you can trust on this, you have to trust the site you’re getting it from.

When it comes to trusting us: Everything we make is open source, we have mandatory code reviews for every change, and we’re doing our best to keep our download servers well secured. So you can rest assured that we won’t let malicious code make it into any version of Adblock Plus you can download from adblockplus.org.

Tags:

Comment [4]

  1. Wladimir Palant · 2014-02-25 10:15 · #

    There are necessarily quite a few simplifications here, so I wrote up a more extensive blog post under http://palant.de/2014/02/25/extension-security-and-add-on-stores.

  2. coffee_in_the_morning · 2014-02-26 08:52 · #

    A question regarding this new “feature” in 2.5.1:
    Added a dialog that shows up the first time a user visits a website which shows an anti adblock message, asking whether these should be blocked

    Can this behaviour be disabled?
    I don’t want to see anti adblock messages begging to allow ads.

    Reply from Wladimir Palant:

    Just accept the prompt and anti-adblock messages will be blocked.

  3. Debashisa Jena · 2014-02-27 21:36 · #

    This is not a feature! Websites detect adblockers, especially in Chrome and IE. the 2.5.1 update added the abilty to block those messages! You can add a filter from Easylist to get rid of those antiadblock messages

  4. jimmy Jones · 2014-03-19 17:59 · #

    Running adblock 1.2 build no.307 on android 4.2.2. There always seems to be a notification that it needs updating but when I attempt an update adblock crashes. When i uninstall adblock and reinstall from online its the same build version. Not sure if it is android or just a glitch in the adblock version but I keep worrying that a hidden virus has got into my system.

Commenting is closed for this article.