Ads are largely to blame for insecure websites

Douglas Crawford

April 23, 2015

As security protocols go, SSL is not perfect, but it is currently the best guarantee both that the website you connect to is the website you think you are connecting to, and that the connection is encrypted so that no one can spy on what you get up to on that website.


You can tell whether a website uses SSL encryption by the closed padlock icon in the taskbar, and the fact that the displayed URL starts with https://

Unfortunately, despite the many security issues that going without it brings (and the fact that the more websites are secured, the more secure the whole web is for everybody, as secure websites will no longer be obvious targets for criminals, governments, etc.), the majority of websites do not employ SSL, although there is an increasing push for websites to adopt the security standard.

According to a security researcher at Citizen Lab, Andrew Hilts, one of the primary culprits for this is insecure ads on webpages. A webpage is only as secure as the content (such as ads) hosted on it, and despite claims by the Internet Advertising Bureau (IAB) that ‘nearly 80% of member ad delivery systems supported HTTPS’, Hilts concludes his study on the subject by saying that,

We found a significant disparity between the level of HTTPS support in the ad industry referred to on the IAB’s blog and what we measured with our tests. We furthermore found that more than half of the ad trackers found on popular news websites that use cookie-based tracking mechanisms have no security measures in place to stop bad actors from collecting and correlating these unique identifiers with other browsing data.

In fact, Hilts found that only 38 percent of sampled members of the Digital Advertising Alliance (a regulatory organization of which the IAB is a member) actually used SSL encryption, and that of 2000 known ad trackers (supplied by Disconnect), only 14.3 percent used SSL.


Given that many websites host up to hundreds of ad trackers, this is clearly a major problem, and one that is dissuading website owners from adopting SSL, as not only do insecure ads largely invalidate any security advantages adopting SSL brings, but a poorly secured site gives a worse impression to visitors than one with no SSL security at all!

In a letter to Motherboard defending its figures, the IAB appears to effectively admit this fact,

Our blog post calls out that there’s a long way yet to go to provide broad HTTPS coverage—a position echoed by the research, which indicates: “Overall the results show that news websites are slightly beyond the midway point of getting their third party dependencies secured before they themselves can reliably implement HTTPS.”

Our survey asked if our member systems “currently supported HTTPS for delivery of content (ad tags, creative, beacons, etc)”. The largest group of respondents self-identified as publishers, a core part of our membership, and included a significant amount of respondents from elsewhere in the supply chain. Given the complexity of the supply chain, many of our members are unable to deliver HTTPS experience to visitors due to the downstream, campaign- and partner-specific dependencies on HTTP.

So why don’t advertisers simply adopt SSL? Hilts explained his theory to Motherboard,

Perceptions around security in the business world need to catch up to tech savvy consumers. Surveys have shown that consumers are changing their behaviour due to the Snowden revelations and an increased awareness of how state surveillance works. Some businesses are stuck in the pre-Snowden way of doing things.

This last at least sounds somewhat positive, and we can only hope that consumer pressure will indeed encourage both websites and the ad firms they are in hock with to tighten up their security.

In the meantime, internet users can at least use the HTTPS Everywhere browser add-on from the Electronic Frontier Foundation (EFF). This will force a browser to connect to a website via HTTPS (SSL) if an HTTPS connection is available. If no HTTPS connection is available then the browser will connect insecurely using regular HTTP, but the extension nevertheless greatly increases the number of websites you are likely to connect to securely.
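
For website owners, the third-party dependency problem described above can be measured on any single page. The following is an added example (not code from the article or from the Citizen Lab study) that scans a page's HTML for ads, trackers and other subresources requested over plain HTTP from an HTTPS page; the class and function names and the sample hostnames are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these tags are "active" mixed content, which browsers
# generally block; images and media are "passive" and usually only warn.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = defaultdict(list)  # host -> [(kind, party, tag, url)]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ACTIVE | PASSIVE:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links fetch a subresource we care about
        for name in ("src", "href", "data"):
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, (attrs.get(name) or "").strip())
            parts = urlsplit(url)
            if parts.scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                party = "first" if parts.hostname == self.page_host else "third"
                self.findings[parts.hostname].append((kind, party, tag, url))

def audit(page_url, html):
    """Return {host: [(kind, party, tag, url), ...]} for plain-HTTP subresources."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return dict(parser.findings)

# Constructed sample page; all hostnames are placeholders.
SAMPLE_PAGE = "https://news.example/story"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example/lib.js"></script>
<script src="http://ads.example/tag.js"></script>
<script src="//static.example/app.js"></script></head>
<body><img src="http://tracker.example/pixel.gif?id=123">
<iframe src="http://ads.example/frame.html"></iframe>
<img src="http://news.example/logo.png"><a href="http://other.example/">x</a></body>"""

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE, SAMPLE_HTML))
```

Hosts that appear in the result are the dependencies that would have to move to HTTPS before the page itself can be served securely without blocked content or browser warnings.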