>that some people will not be satisfied until they've submarined advertising all the way down to sponsored content
Ish.
The key problem that made me give in and start blocking is the lack of accountability/responsibility and the fact that one bad player (or hacked player) can affect many sites at once. Too many times I saw drive-by install attempts, camera/mic access attempts, pop-ups/unders, and so forth, on large popular sites via their adverts. imgur.com was one of the worst offenders at the time, and the final straw, but it was far from uncommon elsewhere too. I got tired of the official response being either "yeah, our ad partners had a problem, nothing we could do, it won't happen again, until next time" or simply complete ignorance.
At least with server-side insertion on the site's/app's own servers it gives them more control (and forces them to take responsibility). If they serve a malware-ridden ad from their own resources then they are responsible, no one else, and had the control to not do it. They are no longer trusting a 3rd party to be safe without having any audit rights to make sure they are. Currently they add JS/iframes/both from the ad provider and have no control over what goes in there. The ad provider is probably a "network" which farms out the content via redirects/other to yet another party, who may include content that they themselves haven't properly checked. There is no practical way to make that safe, but I'm not willing to accept the risk by not blocking the ads. Server-side insertion may be the practical alternative. It doesn't solve all the privacy/tracking issues of course, the site/app can still collect that data and forward it back to the advertiser, but current ad blocking can't stop that anyway and SSAI does take a hit at the malware & UI dark-pattern issues (from their PoV by giving them better control of what their site serves and from our PoV by meaning use of the shitty "it was someone else, our server did nothing" is even less defensible so they have to use that control to be better if they want to be trusted).
Of course there is a problem with this that I'm sure the ad industry will jump on if CSAI becomes problematical: MitM SSAI. The ad network provides a CDN which your viewers connect to instead of you directly and that inserts the advert/tracker/malware/other on the way through. It'll cost them more due to bandwidth requirements, but it would work for sites/apps that aren't massively latency sensitive, and would let them try to enforce exclusivity if the method becomes a common one (by refusing to accept or make connections to other MitM SSAI providers they could reduce in-page competition). Though again, to get around SSAI blocking they still have to keep the source close to them, reducing the farming out of responsibility that we currently see.
>At least with server-side insertion on the site's/app's own servers it gives them more control (and forces them to take responsibility). If they serve a malware-ridden ad from their own resources then they are responsible, no one else, and had the control to not do it. They are no longer trusting a 3rd party to be safe without having any audit rights to make sure they are.
You're greatly overestimating how much publishers care about security. If they're already willing to embed arbitrary scripts from ad networks (which have full access to the page), why wouldn't they go one step further and proxy it from their servers? It's not like it's giving additional access. I also don't buy the "additional responsibility" aspect. At the end of the day, it's still an ad network, and unless they're manually approving each ad, the risk of malware/scams isn't going to change, and if they happen to display such an ad, they can still deflect blame to the ad network.
Agreed. But it is at least far easier to definitively prove that they are the reason the malware was delivered to a given user. It is perhaps a naive hope, but maybe that and the threat of potential bad publicity (or just being more likely to be included in popular "bad host" block-lists) will encourage a little more due diligence.
> You're greatly overestimating how much publishers care about security.
Oh, my expectations are low. I think more that I'm looking for/at things that might force them to care more than they currently do.