Understanding the ad blocking wars: why there can only be one winner
Short of time?
More and more people find online adverts to be annoying, invasive, dangerous, insulting and/or distracting and have decided to install an ad blocker. In fact, the number of people using ad blockers is skyrocketing.
According to PageFair’s 2015 Ad Blocking Report, there are now 198 million active ad blocker users around the world, with a growth rate of 41% in the last 12 months. Publishers and marketers are visibly feeling the pain and fighting back against ad blockers.
A recent high profile example of this conflict was Yahoo Mail’s reported attempt to prevent ad blocker users from accessing their email.
Advertising technology, known commonly as ad tech, encompasses the technology, software and services used for delivering, controlling and targeting online adverts. The key to the conflict between ad tech and ad blockers is the Document Object Model, or DOM.
Ad blockers are designed to prevent the DOM from including advertisements, while the ad tech that controls the page is designed to display them. The fight for control over the DOM is where the Ad Blockers vs. Ad Tech war is waged.
So let’s see how this technological escalation plays out, and who eventually wins…
Ad Tech: Deliver ads to user’s browser.
User: Decides to install an ad blocker.
Ad Blocker: Creates a black list of fully qualified domain names or URLs that are known to serve ads. Blocks the browser from making connections to those locations.
Ad Tech: Create new fully qualified domain names or URLs that are not on black lists so their ads are not blocked
Ad Blocker: Crowd-source information to keep black list up to date and continue effectively blocking. Allow certain ‘safe’ ads through, as outlined in Acceptable Ads initiatives
Current stage of the Ad Blocking Wars
Ad Blocker: Maintain a black list of fully qualified domain names or URLs where ad blocking detection code is hosted and block the browser from making connections to those locations.
Ad Tech: Relocate ad or ad blocking detection code to first-party website location. Ad blockers cannot block this code without also blocking the web page the user wanted use
Ad Blocker: Detect the presence of ads, but not block them. Instead, make the ads invisible. Do not send tracking cookies back to hosting server to help preserve privacy.
Ad Tech: Detect when ads are hidden in the DOM. If ads are hidden, deny the user the content or service they wanted.
Ad Blocker: Allow ads to be visible, but move them to a location where they cannot be seen. Do not send tracking cookies back to hosting server to help preserve privacy.
Ad Blocker: Detect the presence of first-party ad blocking detection code. Block the browser from loading that code.
Ad Tech: Move ad blocking detection code to a location that cannot be safely blocked without negatively impact the user experience, such as AWS or other Cloud service
Ad Tech: Implement code minimisation and polymorphism techniques designed to hinder isolation and removal of ad blocking detection code.
GAME OVER. Ad Tech Wins.
Although the steps above will not necessarily play out exactly in this order, what matters is how the war always ends. No matter how you slice it - and believe me we sliced it a number of ways - ad tech eventually wins. Its control and access over the DOM appears dominant.
Security lessons to be learnt?
If you look at it closely, the ad tech industry behaves quite similarly to the malware industry, with both the techniques and delivery consistent across both. Ad tech wants to deliver and execute code that users don’t want and it will bypass the user’s security controls to do exactly that!
> See also: Why ad blocking won't dent the mobile ad economy
So it really should come as no surprise that malware purveyors heavily utilise online advertising channels to infect millions of users. And if this is the way the war plays out, where users and their ad blockers eventually lose, it could well be the case that anti-virus is the only option left - and we all know that anti-virus is effective at the flip of the coin.
The only recourse left is not a technical one, but one that ends in regulations and the courts.
Sourced from Jeremiah Grossman, Founder, WhiteHat Security