Good News: Internet Ad Industry Realizes It Needs To Embrace HTTPS

(Mis)Uses of Technology

from the about-time... dept

Fri, Mar 27th 2015 1:09am — Mike Masnick

About a year ago, when we switched to default HTTPS, we pointed out that one of the major reasons why other news sites refused to do the same was that most ad networks would not support HTTPS. In fact, we had to end a number of relationships with ad partners in order to make the move (but we felt it was worth it). In fact, the really crazy part was that many of the ad network partners we spoke to clearly had absolutely no clue about HTTPS, what it was and why it's important. But, over the past year, more and more attention has been placed on the value and importance of encrypting web traffic, so it's great to see that the internet ad industry is starting to wake up to this, even if it's pretty late in the process.

The Internet Advertising Bureau -- the IAB -- the main standards-setting board for the internet ad industry has released a statement saying that it's time for the internet advertising world to embrace HTTPS:

It’s time to talk about security.

In fact, last year was the time to talk about security. From The New York Times to Google, the call went out for websites to encrypt communications with their users, protecting the integrity and privacy of information exchanged in both directions. Even the U.S. government heard this call, and is working to require HTTPS delivery of all publicly accessible Federal websites and web services.

This year, the advertising industry needs to finish catching up. Many ad systems are already supporting HTTPS - a survey of our membership late last year showed nearly 80% of member ad delivery systems supported HTTPS. That’s a good start, but doesn’t reflect the interconnectedness of the industry. A publisher moving to HTTPS delivery needs every tag on page, whether included directly or indirectly, to support HTTPS. That means that in addition to their ad server, the agency ad server, beacons from any data partners, scripts from verification and brand safety tools, and any other system required by the supply chain also needs to support HTTPS.

Let’s break that down a bit more - once a website decides to support HTTPS, they need to make sure that their primary ad server supports encryption. That ad server will sometimes need to include tags from brand safety, audience and viewability measurement, and other tools - all of which also need to support encryption. The publisher’s ad server will often direct to one of several agency ad servers, each of which will also need to serve over HTTPS. Each agency ad server also may include a variety of beacons or tags, depending on how the deal was set up, all of which similarly need to have encrypted versions available. That’s a lot of dependencies - and when one fails to support HTTPS, the website visitor’s experience is impacted, initiating a costly search for the failure point by the publisher.

While I question that 80% number -- given that we had difficulty finding many ad providers who supported HTTPS a year ago -- it's good to see the industry finally recognizing how important this is.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ads, encryption, https, privacy, security
Companies: iab

10 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 27 Mar 2015 @ 2:08am

Yes, let's do that.
It’s time to talk about security.

Yes. It is. And the best course of action for any user concerned about security and privacy is to block all advertising. It should be crystal-clear to everyone that advertisers will use spam and spyware, that they'll invade privacy as much and as often as possible, that they'll attack security measures, and that they'll do anything in order to make a buck, no matter how much damage it does.

Advertisers are the enemy.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Mar 2015 @ 3:37am
  
  Re: Yes, let's do that.
  And web sites that use 3rd party banner ads rarely monitor them, making it easy for an unscrupulous character to shove malignant code into hundreds, thousands or even millions of computers, and by the time the site owner learns about it and takes action, the damage is already done.
  
  Those that operate on the margins of legitimacy, such as torrent sites, seem to be especially at risk.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2015 @ 4:20am

Security
Great, now malware will be delivered straight to my computer protected with TLS 1.2! Sure feels great to be secure!
[ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2015 @ 4:21am

Beyond security
Forgive me if this information is rather antiquated.

Isn't a secure connection rather slow to establish compared to plain http? So instead of just querying who knows how many servers for content and being redirected to who knows how many others, people who don't block ads will now have to establish a secure connection to each one?
[ link to this | view in chronology ]
- Keroberos (profile), 27 Mar 2015 @ 6:05am
  
  Re: Beyond security
  Yes it does. But unless you're on a ridiculously high latency connection the transmission and cpu overhead is trivial. I would rather wait the extra 60 to 80 milliseconds that https requires to gain the extra security.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2015 @ 8:20am

80% supported
Perhaps that's like U.S. broadband coverage - nominally 80%, until you actually want service at all 80% of those providers. Or it could be that 80% of the providers have the backend support to run it, but only a small portion of them have adequately informed the account representatives that talk to the site operators, so most account reps say it is unsupported, without knowing whether they are right. It wouldn't be the first time marketers were wrong.
[ link to this | view in chronology ]
John Fenderson (profile), 27 Mar 2015 @ 9:22am

It's good news
But my enthusiasm is tempered by the fact that the IAB is one of the groups who feel that the advertising "opt-out" mechanism they support is actually effective and useful. That alone makes me question their judgement in all things.
[ link to this | view in chronology ]
- Anonymous Coward, 6 Apr 2015 @ 10:47am
  
  Re: It's good news
  Can't go wrong with AdBlock Plus and an iron-clad Hosts file.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Mar 2015 @ 9:41am

I now worry about https
Why the sudden change? Two possibilities: https is secure and the companies have had a change of heart, or it is insecure and they are being pressured into adopting it (likely by the NSA) or know the bug and intend to exploit it.
[ link to this | view in chronology ]
- John Fenderson (profile), 27 Mar 2015 @ 10:52am
  
  Re: I now worry about https
  Even if HTTPS is compromised (which, technically speaking, it's not -- the issues are around certificate authentication and are not specific to HTTPS), it's still better to use it than not. Some protection is better than no protection.
  [ link to this | view in chronology ]