More and more people find online adverts to be annoying, invasive, dangerous, insulting and/or distracting and have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing. According to PageFair’s 2015 Ad Blocking Report, there are now 198 million active ad blocker users around the world, with a growth rate of 41% in the last 12 months. Publishers and marketers are visibly feeling the pain and fighting back against ad blockers. A recent high profile example of this conflict was Yahoo Mail’s reported attempt to prevent ad blocker users from accessing their email.
Advertising technology, known commonly as ad tech, encompasses the technology, software and services used for delivering, controlling and targeting online adverts. The key to the conflict between ad tech and ad blockers is the Document Object Model, or DOM. Whenever you view a web page, your browser creates a DOM, or a model of the page. This is a programmatic representation of the page that lets JavaScript convert the static content into something more dynamic. Whatever is in control of the DOM will control what you see – including whether or not you see ads. Ad blockers are designed to prevent the DOM from including advertisements, while the ad tech that controls the page is designed to display them. The fight for control over the DOM is where the Ad Blockers vs. Ad Tech war is waged.
So let’s see how this technological escalation plays out, and who eventually wins…
- Ad Tech: Deliver ads to user’s browser.
- User: Decides to install an ad blocker.
- Ad Blocker: Creates a black list of fully qualified domain names or URLs that are known to serve ads. Blocks the browser from making connections to those locations.
- Ad Tech: Create new fully qualified domain names or URLs that are not on black lists so their ads are not blocked
- Ad Blocker: Crowd-source information to keep black list up to date and continue effectively blocking. Allow certain ‘safe’ ads through, as outlined in Acceptable Ads initiatives
- Ad Tech: Load third-party JavaScript on to web pages that detects if and when ads have been blocked. If ads have been blocked, deny the user the content or service they wanted.
Current stage of the Ad Blocking Wars
- Ad Blocker: Maintain a black list of fully qualified domain names or URLs where ad blocking detection code is hosted and block the browser from making connections to those locations.
- Ad Tech: Relocate ad or ad blocking detection code to first-party website location. Ad blockers cannot block this code without also blocking the web page the user wanted use
- Ad Blocker: Detect the presence of ads, but not block them. Instead, make the ads invisible. Do not send tracking cookies back to hosting server to help preserve privacy.
- Ad Tech: Detect when ads are hidden in the DOM. If ads are hidden, deny the user the content or service they wanted.
- Ad Blocker: Allow ads to be visible, but move them to a location where they cannot be seen. Do not send tracking cookies back to hosting server to help preserve privacy.
- Ad Tech: Deliver JavaScript code that detects any unauthorised modification to the browser DOM that changes where the ad is to be displayed. If the DOM is modified, deny the user the content or service they wanted.
- Ad Blocker: Detect the presence of first-party ad blocking detection code. Block the browser from loading that code.
- Ad Tech: Move ad blocking detection code to a location that cannot be safely blocked without negatively impact the user experience, such as AWS or other Cloud service
- Ad Blocker: Crawl the DOM looking for ad blocking detection code, on all domains, both first and third party. Remove the JavaScript code or do not let it execute in the browser.
- Ad Tech: Implement code minimisation and polymorphism techniques designed to hinder isolation and removal of ad blocking detection code.
- Ad Blocker: Crawl the DOM looking for ad blocking detection code, reverse code obfuscation techniques on all domains, first and third-party. Remove the offending JavaScript code or do not let it execute in the browser.
- Ad Tech: Integrate ad blocking detection code inside the core website JavaScript functionality. If the JavaScript code fails to run, the web page is designed to be unusable.
GAME OVER. Ad Tech Wins.
Although the steps above will not necessarily play out exactly in this order, what matters is how the war always ends. No matter how you slice it – and believe me we sliced it a number of ways – ad tech eventually wins. Its control and access over the DOM appears dominant.
Security lessons to be learnt?
If you look at it closely, the ad tech industry behaves quite similarly to the malware industry, with both the techniques and delivery consistent across both. Ad tech wants to deliver and execute code that users don’t want and it will bypass the user’s security controls to do exactly that! So it really should come as no surprise that malware purveyors heavily utilise online advertising channels to infect millions of users. And if this is the way the war plays out, where users and their ad blockers eventually lose, it could well be the case that anti-virus is the only option left – and we all know that anti-virus is effective at the flip of the coin.
The only recourse left is not a technical one, but one that ends in regulations and the courts.
[su_box title=”About Jeremiah Grossman” style=”noise” box_color=”#336588″]Jeremiah Grossman is the founder of WhiteHat Security. Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer, to the role. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.