As I said in a comment to another article the other day, I don’t trust “acceptable ads,” the program that some ad-blockers use to let them pick up some extra cash from advertisers in return for permitting their “acceptable” ads through the gate. On the face of it, it sounds like a reasonable idea, if the advertisers can prove they’re on the level and their ads aren’t annoying—but you run into the little problems that, first of all, what they consider “acceptable” might not be the same thing you do, and second, even if the advertiser is trustworthy, he may also be vulnerable.
Internet ads are a favorite vehicle for malware, after all, and a significant part of the reason many people block ads is that it’s better for security, not just annoyance factor. A case in point came to light last week. PageFair, the anti-ad-block service about five hundred sites use to bypass ad-blocking with “acceptable ads,” was hijacked to serve malware for about an hour and a half. Those sites included The Economist, which posted a message warning subscribers they might have been affected. (We first mentioned PageFair back in September.)
PageFair has posted a lengthy explanation to its blog of how the breach occurred—a cleverly-constructed spear phishing attack that counterfeited a message from the CEO, linking to a site with a faked Google URL that counterfeited an authentic Google interface. They’re taking steps to improve security to make sure it can’t happen again—which is all very well and good, but it shouldn’t have happened a first time.
Ironically, even PageFair has acknowledged that ad-distributed malware is a problem, and the number of attacks rose by 260% in the first half of 2015. With anti-virus software lagging behind, ad-blocking is one of the only sure ways to make sure you don’t get exposed. The company comes right out and admits it:
PageFair is opposed to adblocking because we believe that it could ultimately lead to the demise of publishers and death of the open web. But we can find no valid alternative to blocking malvertising until the situation changes. The surge in malvertising attacks so far in 2015 suggest that more consumers will embrace adblocking. And that’s bad news for publishers.
You know what else is bad news for publishers? Malware creators using spear phishing attacks on purveyors of “acceptable ads” to sneak their payloads past ad-blockers that permit such ads, to the computers of people who read and trust those publishers’ sites. It’s hard to see how that benefits anyone—except the creators of the malware, of course.
In a blog post made just a couple of days before the breach, PageFair explained that it was part of AdBlock Plus’s “Acceptable Ads” program—and that the other program named AdBlock, which had just been sold to an unknown purchaser, was also joining in implementing that program. Which meant that anyone who blocked ads with those programs but permitted “acceptable” ones through could have gotten saddled with malware. That should cast some serious doubt on the efficacy and desirability of block-bypassing “acceptable ads” right there.
I’m not exactly a prude when it comes to ad-blocking; I block them myself, largely for the annoyance factor but I’ll admit security is a major consideration, too. I even dumped AdBlock after it was sold to an unknown purchaser—if you don’t know who owns it, how can you be sure they’re even trustworthy? (And for that matter, it’s a favorite tactic of malware creators to buy browser extensions with an established user base in order to use those extensions to push their malware.) I use uBlock Origin on my browser now. Who would ever have thought that blocking ads could become a part of the same store of common sense that tells you not to visit warez sites or run suspicious programs you download from BitTorrent?
But still, I’ve come to realize it can be important to unblock ads for sites I really support and that have proven they’re good at weeding out obnoxious ads. For example, TeleRead does a great job of cutting out animated ads, and ads for things like dating services that don’t have much to do with e-books. I browse it with ads on, and haven’t been annoyed yet. (I’ll admit the guilt-trip pop-up we use asking people not to block might be annoying, but why not try turning blocking off for TeleRead and see how it looks?)
Happily, most ad-blockers permit whitelisting sites on a site-by-site basis, so you can try a site out with ads and see if it works for you. That seems like a better alternative than permitting your ad-blocker to take money from advertisers to expose you to ads—and possibly malware.
That being said, it seems to me we might want to look at some kind of better solution than just advertising. The amount of revenue ads bring in is pretty small, probably due in part to how many people block ads now, but I’m not sure that even without ad-blocking they’d be all that lucrative. Might there be some better way of getting funding? If, for example, we were to throw up a Patreon tip/subscription jar, would enough people kick in some money so to keep the site going? Are there other alternatives we should explore?
This has to be a question that a lot of other site operators are asking themselves, as I find it hard to imagine ads are working terribly well for any site anymore. What is the future of content on the Internet if advertising fizzles? Something tells me it might not be too long before we start to find out.