A Website Is Only as Secure as Its Ads

Internet advertisers are holding back widespread HTTPS adoption.

|
Mar 31 2015, 5:13pm

​When it comes to cyber security, even one weak link can break the strongest chain. And when a web page is using dozens of online ad trackers that send unencrypted data over the internet, well, that's a lot of weak links. Security is impossible to guarantee.

HTTPS is a web protocol that encrypts your browser's connection to the servers of the site you're visiting. Many sites, including WhiteHouse.gov, are making the move to the encrypted protocol to protect their visitors. But not everyone's on board yet; namely, advertising companies that track your activity across the web.

Ad companies that don't support HTTPS are holding back everyone else from adopting the protocol, according to Andrew Hilts, a cyber security researcher for Canadian digital rights think tank Citizen Lab. Basically, if advertisers are making a site vulnerable anyway, there's no point in trying to fight it for most companies.

"HTTPS is, for most large online publishers, partially a branding thing," said Hilts. "When you're on a relatively secure site, you'll see a green lock icon. That can convey a sense of reassurance. However, that icon only appears if all of the [ads] loaded on the page use HTTPS; if they don't, you'll see a warning yellow lock."

                                                            Screengrab: popsci.com

"From a perception point of view, it's worse to see that warning lock than no lock at all," he added. "They don't want to implement HTTPS unless they can present themselves as totally secure."

In case you're wondering—no, Motherboard does not use HTTPS encryption just yet, but we're working on it.

There is some evidence that the online ad industry is trying to obfuscate the issue. A recent blog post by the Interactive Advertising Bureau, a research and legal assistance group that represents online advertising companies, called for wider HTTPS adoption and stated that "nearly 80 percent" of their members self-reported supporting HTTPS. To an observer, that might indicate that the majority of online advertisers are jumping on the HTTPS bandwagon. Not so.

Hilts and other Citizen Lab researchers investigated this claim and found that only 38 percent of a sample of 123 members of the Digital Advertising Alliance, a regulatory oversight organization of which IAB is a member, actually use HTTPS in practice. When they looked at a wider sample of more than 2,000 known ad trackers, the researchers found that a mere 14.3 percent use the encrypted protocol.

IAB has not yet responded to Motherboard's request for comment.

This is a huge issue in terms of your security. Many sites have dozens, sometimes hundreds, of third party ad trackers transmitting data on every page load—some of which is personally identifiable. This opens users up to a host of cyber attacks and surveillance efforts from governments. That the NSA uses unsecured ad trackers to eavesdrop on user connections is well documented, for example.

"Anyone in between you and the party you're communicating with that has a position of power on the network—like a network administrator, internet service provider, or state surveillance agency—they can easily scoop up unencrypted data and do what ad trackers do," Hilts said. "That is, understanding who you are and what you're interested in."

Given these concerns, why don't advertisers just adopt HTTPS? "Perceptions around security in the business world need to catch up to tech savvy consumers," Hilts said. "Surveys have shown that consumers are changing their behaviour due to the Snowden revelations and an increased awareness of how state surveillance works. Some businesses are stuck in the pre-Snowden way of doing things."

Whatever the reason, in an environment where hackers and governments are running amok—even stooping to thievery—securing the web is more important than ever, and advertisers need to do their part.

UPDATE: The Interactive Advertising Bureau responded to Motherboard with the following comment:

​"Our blog post calls out that there's a long way yet to go to provide broad HTTPS coverage—a position echoed by the research, which indicates: "Overall the results show that news websites are slightly beyond the midway point of getting their third party dependencies secured before they themselves can reliably implement HTTPS."

Our survey asked if our member systems "currently supported HTTPS for delivery of content (ad tags, creative, beacons, etc)". The largest group of respondents self-identified as publishers, a core part of our membership, and included a significant amount of respondents from elsewhere in the supply chain. Given the complexity of the supply chain, many of our members are unable to deliver HTTPS experience to visitors due to the downstream, campaign- and partner-specific dependencies on HTTP."