More and more people find online adverts to be annoying, invasive, dangerous, insulting and/or distracting and have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing. According to PageFair’s 2015 Ad Blocking Report, there are now 198 million active ad blocker users around the world, with a growth rate of 41% in the last 12 months. Publishers and marketers are visibly feeling the pain and fighting back against ad blockers. A recent high profile example of this conflict was Yahoo Mail’s reported attempt to prevent ad blocker users from accessing their email.
So let’s see how this technological escalation plays out, and who eventually wins…
- Ad Tech: Deliver ads to user’s browser.
- User: Decides to install an ad blocker.
- Ad Blocker: Creates a black list of fully qualified domain names or URLs that are known to serve ads. Blocks the browser from making connections to those locations.
- Ad Tech: Create new fully qualified domain names or URLs that are not on black lists so their ads are not blocked
- Ad Blocker: Crowd-source information to keep black list up to date and continue effectively blocking. Allow certain ‘safe’ ads through, as outlined in Acceptable Ads initiatives
Current stage of the Ad Blocking Wars
- Ad Blocker: Maintain a black list of fully qualified domain names or URLs where ad blocking detection code is hosted and block the browser from making connections to those locations.
- Ad Tech: Relocate ad or ad blocking detection code to first-party website location. Ad blockers cannot block this code without also blocking the web page the user wanted use
- Ad Blocker: Detect the presence of ads, but not block them. Instead, make the ads invisible. Do not send tracking cookies back to hosting server to help preserve privacy.
- Ad Tech: Detect when ads are hidden in the DOM. If ads are hidden, deny the user the content or service they wanted.
- Ad Blocker: Allow ads to be visible, but move them to a location where they cannot be seen. Do not send tracking cookies back to hosting server to help preserve privacy.
- Ad Blocker: Detect the presence of first-party ad blocking detection code. Block the browser from loading that code.
- Ad Tech: Move ad blocking detection code to a location that cannot be safely blocked without negatively impact the user experience, such as AWS or other Cloud service
- Ad Tech: Implement code minimisation and polymorphism techniques designed to hinder isolation and removal of ad blocking detection code.
GAME OVER. Ad Tech Wins.
Although the steps above will not necessarily play out exactly in this order, what matters is how the war always ends. No matter how you slice it – and believe me we sliced it a number of ways – ad tech eventually wins. Its control and access over the DOM appears dominant.
Security lessons to be learnt?
If you look at it closely, the ad tech industry behaves quite similarly to the malware industry, with both the techniques and delivery consistent across both. Ad tech wants to deliver and execute code that users don’t want and it will bypass the user’s security controls to do exactly that! So it really should come as no surprise that malware purveyors heavily utilise online advertising channels to infect millions of users. And if this is the way the war plays out, where users and their ad blockers eventually lose, it could well be the case that anti-virus is the only option left – and we all know that anti-virus is effective at the flip of the coin.
The only recourse left is not a technical one, but one that ends in regulations and the courts.
[su_box title=”About Jeremiah Grossman” style=”noise” box_color=”#336588″]Jeremiah Grossman is the founder of WhiteHat Security. Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer, to the role. The ultimate “WhiteHat,” Jeremiah is also founder of the Web Application Security Consortium. In his spare time, Jeremiah practices Brazilian Jiu jitsu and has earned a black belt.[/su_box]