Google Angling to Make Ads Encrypted – Experts Warn It Comes with a Downside

Google is at the forefront of switching to HTTPS over all of its online products and users are already on the secure, encrypted channels when using multiple popular Google products.

Encryption is a major selling point for technology giants and Google is at the forefront of big companies embracing encryption to protect its users. Proactively and even admirably, Google sets the standard by gradually moving all of its online services to use strong HTTPS (HTTP Secure) encryption.

Essentially, HTTPS allows web communication over an encrypted channel by using the TLS (Transport Layer Security) Protocol. The main benefit of this is that it prevents traffic from being read or modified by someone in a position to intercept it. This includes hackers in control of a router or prowling about an insecure wireless network, hackers as rogues pretending to be ISP employees, or even a government agency set out to spy.

Google has been one of the main mainstream proponents of the idea of ‘HTTPS Everywhere’, encouraging webmasters and admins to prevent and fix security breaches on their websites.

Google’s initiatives and milestones in this regard recently included:

  • Moving all YouTube ads to HTTPS as of the end of 2014.
  • Search on the popular is already encrypted for a huge majority of the users.
  • By June 30, 2015, the majority of ads on mobile, video and desktop served to the Google Display Network, AdMob and DoubleClick platforms will be encrypted.
  • Also by the same day, advertisers using any of Google’s buying platforms including AdWords and Double click will be able to serve and highlight HTTPS-encrypted display ads to all HTTPS-enabled inventory.

All of the above makes for good reading, as it will be geared for enhanced security for all their users.

The downside

Experts warn however, malicious advertising attacks that lure users to web-based exploits will still be possible over HTTPS enabled ads and due to the new encryption, it’ll be harder for security researchers and experts to pinpoint the source of the malware.

Google for its part accounted recently that it will be friendlier to HTTPS-enabled website in its search rankings, pushing forward in its drive to encourage and foster the adoption of HTTPS across the internet.

The problem arises when webmasters whose websites load resources – primarily advertisements, is from third parties that don’t serve them over HTTPS. Loading non-encrypted resources into HTTPS websites will result in mixed content warnings in browsers and negates the security benefits of employing HTTPS in the first place. This defeats the entire purpose of enabling HTTPS.

“That ad server will sometimes need to include tags from brand safety, audience and viewability measurement, and other tools — all of which also need to support encryption,” explained IAB’s Director of Technical Standards Brendan Riordan-Butterworth in a blog post in March.

The publisher’s ad server is programmed to revert to one of the several agency ad servers, each of those will also need to serve over HTTPS. “Each agency ad server also may include a variety of beacons or tags, depending on how the deal was set up, all of which similarly need to have encrypted versions available,” he wrote.

A big step forward for mobile security

Encrypting advertising traffic for mobile devices will go a long way in preventing the ‘man-in-the-middle’ attacks that researchers have cautioned about for years. In such a circumstance, an attacker could inject rogue code into advertising traffic, to abuse and manipulate the permissions of the apps displaying the ads.