Maverick internet cop Chrome 64 breaks rules to thwart malvert scum

The largest malvertising campaign in 2017 involved 28 fake ad agencies, which were used to generate about one billion ad views across 62 per cent of ad-supported websites, according to publishing security biz Confiant. By malvertising, we mean ads that try to trick people into installing fake Adobe Flash updates, bogus …

  1. frank ly

    A good thing

    "Chrome is actually breaking the web standards by blocking forced redirects,"

    I'd want a browser to block forced redirects.

    1. Anonymous Coward

      Re: A good thing

      Obviously, the web standards are broken. They are so slow, they fail to keep pace with the fast paced changes of the internet.

      I'm sure some other idiot will bring up the Do No Evil nonsense, but I think Google are 100% right here.

      1. Anonymous Coward

        Re: A good thing

        Just most of the s**t added to browsers today is Made in Google...

    2. Charlie Clark Silver badge

      Re: A good thing

      I'd like to see iFrames phased out altogether but they do have their uses (mainly when you want to embed video in a page).

      1. Jonathan 27

        Re: A good thing

        I was just about to post the same thing. There hasn't been a legitimate need for iFrames since XHR (AKA Ajax) requests were developed. At the moment they only seem to be used for nefarious purposes. Yes, there will be a cost associated with getting rid of them for some legacy applications. But that's pretty much par for the course when it comes to web applications.

  2. Dan 55 Silver badge

    Advertisers sort your shit out

    This is why people adblock.

    If there must be advertising platforms and brokers, they should:

    1. use simple text and images, no JS.

    2. transfer the ads to be shown to the website showing them so the website is in control of serving them.

    Because at the moment for a few quid anyone can fling any script which does anything at the browser and when there is malvertising it's impossible to trace.

    1. Jonathan 27

      Re: Advertisers sort your shit out

      Agreed, why do ads need JS and why do sites allow 3rd party code? The liability alone could sink your website.

  3. Anonymous Coward

    I keep getting those

    When I visit google.co.uk it tries to make me install something called "Chrome", making false claims about being better than what I am currently using.

    1. Martin 47

      Re: I keep getting those

      But it is better ............

      ........for google

    2. Not also known as SC
      Thumb Down

      Re: I keep getting those

      Microsoft do the same thing when you change the Windows 10 default browser from Edge to anything else - a stupid little message about how Edge is designed for Windows 10 and do you really want to change.

  4. Anonymous Coward
    Devil

    How far will Google go to protect...

    .... its lucrative ads business? Someone at Google must be really scared of the damage brought by those evil AD BLOCKERS!

    Anyway Google is also one of the culprits that bloated browsers of too many useless and risky features to run as much as possible within a browser because it's easier to steal user data that way (unless, of course, you have a whole OS to do it like Android or Windows 10).

    "Who lives by the browser...."

    1. Aitor 1

      Re: How far will Google go to protect...

      The problem is the ad platforms, they don't check anything, only that they can charge money, and they are happy with that.

      Non verified humans should not be able to post javascript, only html. That won't save us completely, but it is a start.

      1. Anonymous Coward

        Re: How far will Google go to protect...

        Isn't Google itself the biggest ad platform? It can be written "DoubleClick" but it's read "Google". So, instead of starting to fix the ad platform itself, and pave the way towards "responsible ads", Google just tries to put some weak defenses inside its browser, because it's cheaper than having to vet ads, or make them less "responsive" forbidding features that can be exploited to attack whoever displays them.

        In any ways, the very idea of "ad platforms" is broken - I have to display contents from third party sites I never requested, and which nobody really controls.

        Think what would happen if ordering food at the restaurant, while it's being brought to you, an unknown someone else would be free to add things into your dish, just because the restaurant gets paid by some platform for it. Even if the food was free, I'd be very worried about eating it...

        1. ArrZarr Silver badge
          Boffin

          Re: How far will Google go to protect...

          "Isn't Google itself the biggest ad platform?"

          Different kind of ads - The paid search ads that appear at the top of your search pages aren't affected by ad blockers and are plain text. Google is the biggest cheese in that context. For simplicity, I'm including Google Shopping in this category.

          YouTube video ads are affected by adblockers but are HTML5 videos as opposed to Flash or Java and as such, I'm not aware of any exploits that will get you screwed over. Because of YouTube, Google is probably the biggest provider of video ads.

          The ads this change affects are known as display ads. Google is a major player in this space but have nowhere near the dominance in the search and video channels.

          1. Anonymous Coward

            "Different kind of ads" - are you sure?

            It looks like people know Google (Alphabet) very little.... and still believe it's still just a search engine with some free nice apps and now a browser.

            Do you know DoubleClick, probably the largest ads platform around, is wholly owned by Google/Alphabet? And DoubleClick delivers ads made by others?

            Google doesn't live off the "paid search ads" on its search page only, or YouTube, it does live off ads pushed by DoubleClick on many other sites that have nothing to do with Google but using DoubleClick to get paid to show ads.

            Google, through its own sites, YouTube and DoubleClick, dominates the ads market, with the only competitor, still behind, being Facebook.

            http://fortune.com/2017/07/28/google-facebook-digital-advertising/

            http://fortune.com/2017/01/04/google-facebook-ad-industry/

            Any decline in ads revenues if people start to block ads in their browsers would impact Google/Alphabet a lot....

            1. ArrZarr Silver badge

              Re: "Different kind of ads" - are you sure?

              Believe me, working in digital marketing (Before you get your pitchforks out, this is mostly paid search and Google Shopping), I am painfully aware how Google works. Yes, all of DoubleClick is owned by Google but only part of DoubleClick is relevant to display ads. It's also a bid management platform for all the other types of ad that Google show.

              My original post was intended to highlight that while, yes, overall, Google is the biggest marketing platform out there, it doesn't have the unquestionable dominance that it does in Search and would be much less affected proportionally than pure display providers.

              1. Anonymous Coward

                "it doesn't have the unquestionable dominance that it does in Search"

                Did you read the links above? Google *is* dominating ads services. Facebook is second, at some distance. Just look at the revenues:

                https://www.theregister.co.uk/2017/07/25/alphabet_q2_fy2017/

                Do you believe they come just from the Search Page and YouTube?

                "but only part of DoubleClick is relevant to display ads."

                Of course, but that's what allows the other parts of the business to run - like setting targets (thanks to Alphabet's slurping operations), and analyzing ad campaign results. The advertising exchange of DoubleClick is surely a risk to display malware-ads.

                Do you believe advertisers would buy the services if their ads are not displayed? Google has more to lose than others, if ad-blocking becomes widespread. Its whole business is built on them.

                1. ArrZarr Silver badge

                  Re: "it doesn't have the unquestionable dominance that it does in Search"

                  "Do you believe they come just from the Search Page and YouTube?"

                  No, not just from the search page and YouTube. I do believe that they are worth more to Google. The proportion of people that click the paid search ads is at least two orders of magnitude higher than display in my experience. Bear in mind that Paid search and Google Shopping are much much easier to make relevant for the search due to systems like dynamic keyword insertion and inventory management tools than display ads, even remarketing display ads. Also consider that if you're searching to buy something, there are potentially over ten paid links taking up the most valuable screen real estate above the fold.

                  And yes, in absolute terms, Google will lose more revenue from adblockers than other providers. In relative terms, they are propped up by the unaffected channels.

            2. Anonymous Coward

              Re: "Different kind of ads" - are you sure?

              I think most DO know that here.

      2. JohnFen

        Re: How far will Google go to protect...

        "Non verified humans should not be able to post javascript, only html."

        Ads should not include javascript (or any other executable code) at all.

  5. Anonymous Coward

    This is why you should use adblockers

    Everyone knows about malicious problems like these yet no one bothers to address the consequences, and many websites would rather see that you turn off your adblocker in order for them to get their revenue. Now, I understand the motive, I really do, but when will people finally realize that adblockers aren't a convenience anymore but should be recognized as essential protection?

    What I'm saying is that an adblocker should be getting the same treatment as an anti-virus tool on your computer. Websites wouldn't ask that you turn off your anti-virus so why make the exception for an adblocker?

    See: the problem with ads is that you'll never know for sure where the junk is coming from. And even if you do know the source (Google ads comes to mind) then it's still no guarantee whatsoever that everything people throw at you will be fully harmless. Heck; this article proves as much!

    In this day and age the use of adblockers has seriously evolved and should be considered a mandatory protection scheme. Yes, I feel for all those websites who try to make a bit of a profit but sorry: you got yourselves to blame for it in the first place. Instead of being satisfied with the target audience many companies strived for more and better coverage, even up to a point where malware became a thing.

    What was that saying again? You reap what you sow?

    1. Yavoy

      Re: This is why you should use adblockers

      So how are websites meant to generate revenue?

      Without a business model, there won't be any good quality stuff on the Web.

      1. find users who cut cat tail

        Re: This is why you should use adblockers

        > So how are websites meant to generate revenue?

        Do they have to?

        1) You want to publish something -- so you pay the web hosting costs (that is BTW what I do).

        2) Your web thingy does something others want -- so they pay for it.

        Why is throwing ads at people as the sole business model fine, good, not at all crazy and everyone should be doing it? You just assume it, despite ads being one of the major reasons why the web is the shithole it is nowadays.

        1. Anonymous Coward

          "despite ads being one of the major reasons why the web is the shithole"

          Right. Ads are the main reason for the stupid and ugly clickbaits too many sites employ, even those that once were reputable publishers.

        2. Anonymous Coward
          Joke

          Re: This is why you should use adblockers

          "So how are websites meant to generate revenue?"

          Bitcoin miners...Duurrr.

          1. MonkeyCee

            Re: This is why you should use adblockers

            "Bitcoin miners...Duurrr."

            I know you meant it as a joke, but it's quite effective as a micropayment mechanism.

            Want to read my articles on improving your mining performance? Then hash me some Monero :)

            It's a few cents per visit, and no need to serve up ads that I've got no real control over.

            Most of the crypto community is fine with the concept of a dev fee being paid somewhere.

        3. Aitor 1

          Re: This is why you should use adblockers

          I used to provide forums, and there people could interchange ideas, opinions, whatever.

          That has some costs, including my time.

          Naturally, I was keen on having ads. Using ad platforms.

          As the adblockers went mainstream, I had to close the forums.. I was not only not being paid, but I was losing money.

          I was providing these services as a service to ppl.. for fun mostly.. but people don't want to put their money... they would rather have a facebook group than a proper forum with subforums, etc

          1. JohnFen

            Re: This is why you should use adblockers

            Fair enough. But then there are people like me, who run a number of such sites. I pay out of pocket (hosting is really cheap, so it's affordable), have never run ads aside from my own for products I sell myself, and never will.

            I don't mind adblockers (since I have no ads to block), and my sites are unlikely to go away in my lifetime. And there's nothing unique about me -- I am one amongst thousands who do the same thing.

      2. Anonymous Coward

        Re: This is why you should use adblockers

        There's good stuff on the internet at the moment? I think not. You have websites shoveling clickbait shit AND adverts.

        Without adverts, there would be no clickbait, but you would have to pay for internet content, which users won't do.

        It's an unsolvable conundrum, which means essentially the internet is fucked.

      3. JohnFen

        Re: This is why you should use adblockers

        1) Ads are not the only way to generate revenue, they're just the most convenient for website operators.

        2) Ads don't have to use Javascript.

        3) The web had lots of quality content before ads were a thing. I'm deeply skeptical of the notion that without ads, there'd be no quality content.

    2. FIA Silver badge

      Re: This is why you should use adblockers

      What was that saying again? You reap what you sow?

      Sure it's not 'You get what you pay for'??

  6. Anonymous Coward

    The question is, are there any sites making legitimate use of this?

    If not it is an easy decision, standards or not. If there are, then Chrome's market share dominance will probably end up forcing those sites to change how they work. Basically Google would be exercising the exact same control over the web that everyone (including Google's founders) rightly castigated Microsoft for.

    Basically Microsoft doesn't want people using REAL ad blockers, so they figure if they can block the worst malware type spam advertising there will be less incentive for people to block all ads including all the ones Google makes money from!

    1. Brewster's Angle Grinder Silver badge

      Re: The question is, are there any sites making legitimate use of this?

      This is just one of a whole suite of "interventions" backed by the "Web Incubator Community Group", which is part of the World Wide Web Consortium (W3C). Such tweaks are intended to become part of the standard, although the relevant standards aren't controlled by the W3C.

      This particular change has been under discussion for two years with multiple attempts at implementation. And even this version only hits the beta channel on the next Chrome update.

      1. Anonymous Coward
        Devil

        Re: The question is, are there any sites making legitimate use of this?

        Just noticed I said "Microsoft" in the second paragraph instead of Google. Guess I was mentally transported back a decade and a half when Microsoft was the evil company, instead of being the tech equivalent of the old Nazi with Alzheimer's you used to hate but now just looks pathetic.

  7. Anonymous Coward

    The basic problem is

    That there will always be a way to subvert legitimate functionality in some way.

    Ads are a problem because they will never be served by the originating website, the ad company works it out. Ultimately ads should probably be in a non-trusted page element without all the rich (and destabilising) content. This would not be great even for the googleopoly.

    It is also a relatively straightforward vector to exploit, not just for malware, for any other type of scam, all you need is a front company and some up-front cash.

    Google are unilaterally deciding to change their delivery approach to web standards, but given the lengthy negotiations needed to change or replace them formally with entrenched and violently defended positions it's not likely to happen any time soon.

    Although in this case, I hope at least a proposal for a standards change is made in conjunction with this...Otherwise we are at the thin end of standards anarchy...

  8. Anonymous Coward

    No single point of solution

    The problem (IMHO) is that you need protection in several places. Not just the browser, but DNS (pi-hole), as well as blacklists and script blocking.

  9. pmb00cs

    Legal liability?

    This is why websites should be held legally liable for the third party content they choose to include on their pages. The excuse "oh but it was a third party advert that screwed you over" should simply not be tolerated. Whilst the websites can claim that their active inclusion of untrusted third party content isn't their responsibility there is no incentive to clean up the cesspit that is the online advertising market.

    Once a couple of good lawsuits bring down a few major websites caught including dodgy ads there will be calls to do something about the dodgy ads that the ad brokers simply will not be able to ignore. Websites will start using ad platforms that offer financial guarantees, and/or indemnity against lawsuits. This will force the ad platforms to vet the ads they include or face bankruptcy when a dodgy ad hits the wrong person.

    1. Anonymous Coward

      Re: Legal liability?

      Sure, they should be held liable together with the third party provider. So, say, if site X and DoubleClick serve s**t, both should be held liable....

      1. pmb00cs

        Re: Legal liability?

        Sounds great, but also complicates the matter, and allows both to wring their hands while blaming the other.

        No, as far as the end user is concerned the Website should be held solely liable.

        If the website then wants to sue the ad platform as per their mutual contract, that is a matter for the owners of the website. And if the ad platform wants to sue the next party down the chain ... etc.

  10. druck Silver badge
    Happy

    Be a bot

    The goal of fingerprinting is to separate potential victims from security researchers and bots and other automated systems trying to detect malicious activity.

    Why don't we make all browsers look like malicious activity detectors?

  11. Florida1920
    Pint

    Installed update with Zircon-encrusted tweezers

    El Reg and all my sites still work, so it meets my standards.

  12. Baldrickk

    What would it take for me to remove my adblocker?

    I do whitelist sites who I want to support, and who haven't (yet) served me anything offensive.

    What would it take to make my adblocker go away for good though - being as I'm not against advertising as a way to generate revenue for sites.

    No scripts - that's most of any threat gone.

    Images - fine

    links - fine

    animated images (gif, apng) fine

    html5 video with nixed audio - fine assuming file sizes are limited

    html + css? fine - as long as these can't be used to "break out" of the advertising panel (might need to subset what is allowed)

    99.9% of all legitimate ads wouldn't be impacted by this - at least in terms of making an imprint on the viewer. If some fingerprinting capability is lost, then that's only a good thing.
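
The allowlist proposed in the comment above (no scripts; images, links and muted video allowed; CSS restricted so it cannot break out of the ad panel), written as a markup audit that an ad platform or publisher could run before serving a creative. This is an added example, not part of the original thread; the tag, attribute and CSS subsets and all sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed subsets: the comment names categories, not exact lists.
ALLOWED_TAGS = {"div", "span", "p", "br", "b", "i", "em", "strong",
                "a", "img", "video", "source"}
ALLOWED_ATTRS = {"href", "src", "poster", "alt", "title", "width", "height",
                 "style", "muted", "loop", "autoplay", "playsinline", "type"}
URL_ATTRS = {"href", "src", "poster"}
# CSS that can cover or escape the ad panel, or pull in further resources.
CSS_BREAKOUT = re.compile(
    r"position\s*:\s*(fixed|absolute|sticky)|z-index|url\s*\(|expression\s*\(|@import",
    re.IGNORECASE)
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


class CreativeAuditor(HTMLParser):
    """Collects every rule violation found in one ad creative."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; attribute values arrive
        # with character references already decoded (&#106; becomes j).
        if tag not in ALLOWED_TAGS:        # script, iframe, style, meta, object...
            self.violations.append(f"tag not allowed: <{tag}>")
            return
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:  # onload, onclick, srcset...
                self.violations.append(f"attribute not allowed: {name} on <{tag}>")
            elif name in URL_ATTRS:
                # Browsers strip tabs and newlines from URLs, so drop whitespace
                # and control characters before reading the scheme. Relative,
                # data: and javascript: URLs are all rejected.
                match = SCHEME.match(re.sub(r"[\x00-\x20]", "", value))
                if not match or match.group(1).lower() not in ("http", "https"):
                    self.violations.append(f"URL not allowed: {name} on <{tag}>")
            elif name == "style" and CSS_BREAKOUT.search(value):
                self.violations.append(f"CSS not allowed: style on <{tag}>")
        if tag == "video" and "muted" not in {name for name, _ in attrs}:
            self.violations.append("video without muted attribute")


def audit_creative(markup):
    """Return a list of violations; an empty list means the creative passes."""
    auditor = CreativeAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.violations


# Constructed sample creatives (not taken from any real campaign).
CLEAN = ('<div style="width:300px;height:250px">'
         '<a href="https://shop.example/offer">'
         '<img src="https://cdn.example/banner.gif" alt="Offer"></a>'
         '<video muted loop src="https://cdn.example/clip.mp4"></video></div>')
HOSTILE = ('<img src="https://cdn.example/x.png" onload="redirect()">'
           '<a href="&#106;avascript:void(0)">You won</a>'
           '<iframe src="https://ads.example/frame"></iframe>'
           '<div style="position:fixed;top:0;left:0">overlay</div>'
           '<video src="https://cdn.example/loud.mp4" autoplay></video>')

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN), ("hostile", HOSTILE)):
        print(label, audit_creative(creative))
```

The file-size limit mentioned in the comment cannot be checked from markup alone; it would need a fetch of each referenced asset.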

  13. Tim99 Silver badge
    Big Brother

    This El Reg page.

    I have been using DuckDuckGo Privacy Essentials (and their search engine as a default) and find it works well for me. This article shows an "Enhanced B" Privacy Grade and the following trackers:-

    Google: googletagservices.com; google-analytics.com - Analytics: Twitter - platform.twitter.com - Microsoft: atdmt.com - Tracker network unknown: s.dpmsrv.com (Whois shows this as VeriSign Global Registry Services)

    This Comments page only shows googletagservices.com; google-analytics.com; and s.dpmsrv.com

    Looking at the Extension in Safari, it is described as: "DuckDuckGo Privacy Essentials" can read, modify and transmit content from all webpages. This could include sensitive information like passwords, phone numbers, and credit cards.

    What, me paranoid? Certainly not! Even if I am, it does not mean that they are not after me. I always ensure that I am not logged in to any Google product (and check that I am not); funnily enough I see no targeted website and email advertising and only a very small amount of random crap. A couple of small simple text ads on a page is OK; and, if I find that I get value from a site, I do actually try and pay them...
