2015-02-16
Web ads considered as a security exposure
One of the things that reading Twitter has exposed me to is a number of people who deploy browser adblockers as part of their security precautions. This isn't because they're the kind of person who's strongly opposed to ads, and it's not even because they don't want their users (and themselves) to be tagged and tracked around the web (although that is a potential concern in places). It's because they see web ads themselves as a security risk, or more specifically a point of infection.
The problem with web ads is web ad networks. It's a fact that every so often web ad networks have been compromised by attackers and used to serve up 'ads' that are actually exploits. This doesn't just affect secondary or sketchy websites; major mainstream websites use ad networks, which means that visiting sites normally considered quite trustworthy and secure (like major media organizations) can expose you to this.
(As an extra risk, almost all ad networks use HTTP instead of HTTPS, so you're vulnerable to man-in-the-middle attacks on exposed networks like your usual random coffee shop wifi.)
Based on my understanding of modern sophisticated ad networks and the process of targeting ads, they also offer great opportunities for highly targeted attacks. At least some networks offer realtime bidding on individual ad impressions and as part of this they pass significant amounts of information about the person behind the request to the bidders. Want to target your malware against people in a narrow geographical area with certain demographics? You can do that, either by winning bids or by hijacking the same information processes from within a compromised ad network. You might even be able to do very specific 'watering hole' style attacks against people who operate from a restricted IP address range, such as a company's outgoing firewall.
(The great thing about winning bids is that you may not even be playing with your own money. After all, it's probably not too difficult to compromise one of the companies that's bidding to put its ads in front of people.)
If you're thinking about the risks here, web ad blockers make a lot of sense. They don't even have to be deeply comprehensive; just blocking the big popular web ad networks that are used by major sites probably takes out a lot of the exposure for most people.
I don't think about ad blockers this way myself, partly because I already consider myself low risk (I'm a Linux user with JavaScript and Flash blocked by default), but this is certainly something I'm going to think about for people at work. Maybe we should join the places that do this as a standard recommendation or configuration.
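To make the exposure described above concrete, here is an added example (not part of the original post) that audits a page's HTML for third-party active content, flagging anything fetched over plain HTTP and anything a small domain blocklist would have stopped. The domains, the blocklist and the sample page are constructed placeholders, and `site_of` is a simplification that treats the last two host labels as the site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of placeholder ad-network domains (not real networks).
BLOCKED_SUFFIXES = ("adnet.example", "bidder.example")
# Elements that pull in active or framed content, and the attribute naming its URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

def site_of(host):
    """Crude same-site key: last two labels (an assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        parts = urlsplit(urljoin(self.page_url, url))  # resolves //host and relative URLs
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or site_of(host) == self.page_site:
            return  # first-party or non-network URL: not part of this exposure
        self.findings.append({
            "tag": tag,
            "host": host,
            "cleartext": parts.scheme == "http",  # tamperable on an open network
            "blocked": any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES),
        })

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page for a hypothetical news site.
SAMPLE = """
<script src="/static/site.js"></script>
<script src="http://cdn.adnet.example/show.js"></script>
<iframe src="//rtb.bidder.example/slot?id=1"></iframe>
<script src="https://widgets.partner.example/w.js"></script>
"""

if __name__ == "__main__":
    print(*audit("https://news.example/story", SAMPLE), sep="\n")
```

Findings with `blocked` false are the third-party content that a blocklist covering only the big ad networks would still let through.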
2015-02-15
My current views on Firefox adblocker addons
I normally do my web browsing through a filtering proxy that strips out many ads and other bad stuff, and on top of that I use NoScript so basically all JavaScript based things drop out. However this proxy only does http, so I've known for a while that as the web moved more and more to https my current anti-ad solution would be less and less effective. This led to me playing around with various options in my testing browser but never pushed me to putting anything in my main browser. What pushed me over the edge to do this relatively recently was reaching my tolerance limit for YouTube ads and discovering that AdBlock Plus would reliably block them. Adding ABP made YouTube a drastically nicer experience for me; I consider its additional ad-blocking features to basically be a nice side effect.
(The popup ads are only slightly irritating, but then YT started feeding me more and more long, unskippable ads. At that point it was either stop watching YT videos or do something about it.)
What makes a bunch of people twitchy about AdBlock Plus is that it's run by a company plus their business model of allowing some ads through. Although ABP is open source, this means that its development is subject to changes in business model and we've seen that cause problems before. Eventually various things made me uncomfortable and unhappy enough to switch to AdBlock Edge (also), which is a fork of ABP with a bunch of things removed. In my 'basically use the defaults' setup, AdBlock Edge works the same as AdBlock Plus. It certainly removes the YouTube ads, which is what I really care about right now.
(My honest opinion is that AdBlock Plus is probably not going to go bad, partly because a fair number of people are paying attention to it since it's a quite popular Firefox extension. Still, I feel a bit better with AdBlock Edge, perhaps because I've been burned by changing extension business models before.)
Both AdBlock Plus and AdBlock Edge don't appear to have made my Firefox either particularly slow or particularly memory consuming. It's possible that I simply haven't noticed the impact because it's mild enough to not be visible for me, especially given my already filtered non-JavaScript browser environment. People certainly do report that these extensions cause them problems.
Recently µBlock has been in the information sources that I follow, so I gave it a try. Sadly, the results for me aren't positive in that µBlock did nothing to stop YouTube ads. Since this is the most important thing for me, I'm willing to forgive ABP and ABE a certain amount of resource consumption in order to get it. I do like the general µBlock pitch of being leaner and more efficient, so someday I hope it picks up this ability.
(As far as I know there's nothing else that blocks YouTube ads. I'd obviously be happy with a standalone extension for this plus µBlock for general blocking, but as far as I know no such thing exists.)
PS: I use other technology to block the scourge of YouTube autoplay. It's possible that this pile of hacks is interacting badly with µBlock.