Online adverts aren’t just annoying: They open up a number of technical issues too, says’s security expert.

„Trust us, our adservers are secure“

Many people wholeheartedly hate them: advertisements. Be it a commercial break in their favorite TV show, in-game ads or classic print campaigns in newspapers and magazines. Despite this strong dislike, advertising works on many occasions, be it by directly sparking an interest in the product shown or by shaping a new image for the brand in question. Bigger posters, interactive bus-stop commercials or split-screen spots during sports events – there seems to be no end to new and more aggressive types of marketing, which sometimes even push the actual main content into the background. And of course what worked for the so-called real world was soon adapted to the internet.

There is just one tiny problem: the users found a way to fight back! Almost all modern browsers now come with popup suppression enabled by default, support the blocking of cookies or have plugins like Adblock or Ghostery to fully cleanse a website of any type of tracking or advertising. And it seems to work, as a recent campaign by various German online publishers reveals. These publishers asked their readers to disable their adblocking software, arguing that it causes more harm than good and results in serious losses of income.

Feedback to that campaign was, as was to be expected, mixed. Many people explained they merely use adblocking as a means of self-defense: adverts, they said, were too aggressive in color, distracting, badly placed or too fat for mobile devices on a low-bandwidth connection. Quite valid reasons to my taste – and even the publishers admitted they made sense. A shockingly small number of people replied that they do not explicitly block ads but merely do not allow JavaScript to be executed by default and, as a side effect, kill pretty much all those tags that require JavaScript to adjust the HTML DOM within the browser to display the ad or do the statistical tracking.

So why would those users – a relatively small group to begin with – disable JavaScript? The easy answer would be to simply call them paranoid geeks. But then, as another side effect of the campaign, adblock plugin downloads doubled or even tripled while it ran, and donations to the developers went up too. So maybe some people are just fed up with commercials taking over their browser and with the lack of privacy that comes with all the tracking and data mining? Or perhaps the truth is that they are – like me, to some extent – paranoid enough not to trust these ads to execute JavaScript (or worse, fire up the Flash plugin). Because what many don’t know is that ad serving is quite often a recursive process: while the webmaster may have embedded only the ad tag from his adserver of choice, the actual content delivered may have been served by a completely unrelated machine, one that additional code is downloaded from or that comes into play after the spot on the website has been re-sold various times. The latter happens because, when there is no current booking for a slot, an adserver is not expected to deliver a blank image but to fall back to some other ad instead.

While this might still create some small revenue for the website owner, the recursive lookup of hostnames as well as the download of additional JavaScript and media files is quite a performance drain for the end user’s device. And it reduces the trustworthiness of the actual content, as nobody can really tell where the script has come from by the time it has made its way to the browser. So even if the company running the adserver you are embedding into your website can claim – hopefully correctly – that their servers are safe, they hardly have any say in the content they deliver.
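As an added illustration (not part of the original article), the following sketch reconstructs the recursive load chain described above from a list of observed script loads and reports every host the webmaster never embedded. The record format, the function names and all hostnames are constructed for the example.

```javascript
// Constructed sample: one record per script load observed on a page.
// `initiator` is the URL of the script that triggered the load
// (null = referenced directly by the page's own HTML).
const sampleLoads = [
  { url: "https://www.publisher.example/js/site.js", initiator: null },
  { url: "https://ads.adserver.example/tag.js", initiator: null },
  { url: "https://fallback.network-b.example/slot.js",
    initiator: "https://ads.adserver.example/tag.js" },
  { url: "https://cdn.reseller-c.example/creative.js",
    initiator: "https://fallback.network-b.example/slot.js" },
  { url: "https://track.unknown-d.example/t.js",
    initiator: "https://cdn.reseller-c.example/creative.js" },
];

// Walk from one load back to the tag the page itself embedded and
// return the hosts along the way, outermost first.
function chainFor(load, byUrl) {
  const hosts = [];
  const seen = new Set(); // guards against initiator loops in bad data
  let cur = load;
  while (cur && !seen.has(cur.url)) {
    seen.add(cur.url);
    hosts.unshift(new URL(cur.url).hostname);
    cur = cur.initiator ? byUrl.get(cur.initiator) : null;
  }
  return hosts;
}

// List every script served from a host that is not referenced by the page
// itself, with its depth in the chain and the hosts that led to it.
function auditScriptChain(loads) {
  const byUrl = new Map(loads.map((l) => [l.url, l]));
  const embedded = new Set(
    loads.filter((l) => l.initiator === null)
         .map((l) => new URL(l.url).hostname)
  );
  const findings = [];
  for (const load of loads) {
    const chain = chainFor(load, byUrl);
    const host = chain[chain.length - 1];
    if (!embedded.has(host)) {
      findings.push({ host, depth: chain.length - 1, via: chain.slice(0, -1) });
    }
  }
  return findings;
}

console.log(auditScriptChain(sampleLoads));
```

In the sample, the webmaster embedded one ad tag, yet three further hosts end up running script in the page, the last of them three hops away from anything the site owner chose.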

A related – though not necessarily obvious – problem is the actual embedding of the ad tag. While it simply won’t work with JavaScript disabled at the browser level, there are some other technical issues as well. Some people claim that the limited success of the XML version of HTML (aka XHTML), in terms of both market share and browser support, is partly related to the way advertisements had to be embedded into websites. Most services require adding a

Of course, as with pretty much all solutions that try to fix things in the wrong place, the protection won't be 100%: I can already come up with multiple ways to work around these "limitations", and I bet the bad guys will come up with even more in almost no time. But at least the adserver vendors are going to be forced to finally fix their adtags to work without inline scripting and without downloading additional code from unknown sources. Better than nothing.

Arne Blankerts consults for, solving IT problems long before many companies realize that they even exist. IT security is his passion, which he pursues with almost magical intuition, creating solutions that always bear his hallmark. Companies around the world rely on his concepts and Linux-based system architectures.
