Chris Dzombak

Ad-light, Malware-heavy

Since December 17, Forbes has been running an experiment wherein some fraction of visitors who are running ad blockers are blocked from accessing Forbes articles until they disable their ad blocker. In exchange, Forbes promises an “ad-light experience”:

Forbes interstitial promising an “ad-light experience”

A Forbes article published yesterday claims that this interstitial resulted in 42.4% of visitors turning off their ad blockers, and says the net result was monetizing “15 million ad impressions that would otherwise have been blocked”. Other media companies are publicly (and, one assumes, privately) considering similar approaches, bolstered by the Forbes experiment.

As you might expect, there were other results, too.

First, the Forbes “ad-light” experience still contains a large number of privacy-violating trackers (20, when I checked, depending on which page you visit):

Ghostery report on the previously-linked Forbes article

More importantly, the “ad-light” experience resolves none of the technical, security, performance, or privacy problems I wrote about previously. Ads are still served from random servers over non-secure HTTP, with little or no oversight and review, and as a consequence users who disable their ad blockers are exposed to danger even on an “ad-light” site:

This isn’t the first time this has happened. In 2014, the Forbes “thought of the day” interstitial ad was compromised by Chinese hackers and used to install malware via Flash and Internet Explorer 0-day vulnerabilities. Given that the attackers targeted US defense and financial institutions, there’s a decent chance that those actors were somehow state-sponsored.

This happens all the time. ​Every ad platform ever​ has been used to deliver state-sponsored malware at some point. (We just don’t hear about it every time it happens.)

There are two reasons for this. Ad networks serve content from random sites with no real oversight or review. And they typically serve that content over plain old insecure HTTP, so anyone in the middle of the network—could be the NSA, or some script kiddie in your local café—can hijack the connection and serve whatever malware they want.

Sure, serving content over HTTPS has been cheap and easy for years. But adtech companies don’t care even a little bit about your security.

The Forbes experiment completely misses the point. Light, taseful ads are not the problem. Rather, as I wrote previously, the problem is that

Ad networks are actually slow, bloated, privacy-invading, insecure malware delivery mechanisms.

Forbes’ “ad-light experience” fails to resolve any of those problems and in fact has proven that thesis. And so my adblocker remains enabled on their site.

…And on most others. Until the adtech industry reverses their reckless technical decisions, strikes a reasonable privacy compromise, and figures out how to stop serving malware, they don’t get to run code on my computer.


As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.