We recently discussed research showing how one of the major reasons more domain owners do not secure their websites using HTTPS (SSL/TLS) encryption is because the ads they display on their websites (and which they often rely on revenue) are themselves more often than not secured using SSL.
Given that a website is only as secure as its weakest components (in this case ads and ad trackers), many website owners not only see adopting HTTPS on their sites as rather pointless, but also worry that it would give visitors a poor impression of the website, as a warning about poorly implemented security looks worse than having no security at all!
Ever since Edward’s Snowden’s revelations about the NSA spying on Google customers (whether Google was complicit in this or not remains an open question), Google has worked to re-establish consumer trust by ‘hardening’ its network infrastructure. Last year Google made HTTPS encryption for its Gmail service mandatory (it has been the default since 2010,) and while connections to its own Google Search engine has been SSL encrypted since 2011, this year Google started to give Search priority to encrypted websites. Services such as Drive and YouTube are also similarly encrypted.
Google has now announced that it will bring SSL encryption to (most of) the hundreds of millions of ad that it serves to internet users every day,
- ‘By June 30, 2015, the vast majority of mobile, video, and desktop display ads served to the Google Display Network, AdMob and DoubleClick publishers will be encrypted.
- Also by June 30, 2015, advertisers using any of our buying platforms, including AdWords and DoubleClick, will be able to serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.’
Google is, of course, hoping that this move will encourage greater efforts by the industry as a whole to secure websites and make the internet safer for everyone, and joins the Internet Advertising Bureau (IAB) in its call for industry-wide adoption of HTTPS on websites (although last week we took issue with the IAB’s claim that ‘a survey of our membership late last year showed nearly 80% of member ad delivery systems supported HTTPS.’)
As always, we recommend that readers use the HTTPS Everywhere browser add-on from the Electronic Frontier Foundation (EFF). This will force a browser to connect to a website via HTTPS if an HTTPS connection is available. If no HTTPS connection is available then the browser will connect insecurely using regular HTTP, but the extension nevertheless greatly increase the number of websites you are likely to connect securely to.
We also suggest using uBlock, which prevents you seeing most ads and blocks most ad trackers.