The conversation about web advertising security was recently invigorated by a blog post on the Internet Advertising Bureau’s website that called for the industry to broadly implement the HTTPS secure data transmission standard. The IAB post referred to a survey of its members in which “nearly 80%” of responding companies claimed to support HTTPS delivery of their services.
In this post, we describe the results of tests we conducted to measure HTTPS support among the advertisers found on a sample of news websites, as well as on two sample lists of advertisers. We find a large disparity between our results and the figure referred to in the IAB post.
Background: HTTPS, surveillance, and the Internet ad industry
Users of the web benefit from the security provided to them by encrypted HTTPS data transmissions. As we’ve written about elsewhere, HTTPS masks the content of communications sent over the wire, making web browsing surveillance more difficult. It also provides a degree of identity verification, so people can be confident that the data they receive comes from who they think it does.
Unfortunately, many of the sites from which we get our news and information do not support HTTPS. It’s difficult for those sites to secure their readers when the advertisers they rely on do not secure the delivery of ads themselves. Everything on a webpage, including the advertisements and behavioural tracking scripts, needs to be served through HTTPS for the protocol to provide much security.
A 2013 report published in the Washington Post and based on disclosures by former NSA contractor Edward Snowden describes how surveillance programs “piggyback” on ad tracking networks in order to relate the web traffic they collect to real-world identities.
For instance, Google stores an identifier string called a prefid in a cookie that is sent back and forth on every page you visit that serves ads through Google’s ad exchange. By doing this, Google can build a profile of your interests and know what ads to show you.
When this prefid is transmitted insecurely along with the rest of your browsing activity, it is not just Google that can build a profile. Actors with control over the network transmitting your browsing activity can correlate that prefid with the pages you visited, with identifiers from other ad networks, and with usernames or other information in order to assign an identity to the browsing activity. HTTPS encrypts data in transit, making this sort of snooping much more difficult.
HTTPS also protects people from “man-in-the-middle” attacks, where an actor with control over part of the network can insert or replace content sent from a website before it arrives at the reader’s computer. This technique makes it easier for attackers to infect computers with malware, or otherwise impersonate trusted websites. HTTPS verifies the origin of received data through a complex certification system and will reject data that appears to be tampered with.
The Internet Advertising Bureau’s announcement
For these reasons, it is welcome news for the web that the Internet Advertising Bureau (IAB) seems to be starting to throw its weight behind encrypting the Internet advertising ecosystem. Last week, the IAB’s Director of Technical Standards Brendan Riordan-Butterworth published a blog post titled Adopting Encryption: The Need for HTTPS. In his post, Riordan-Butterworth states the ad industry needs to “finish catching up” to technology companies and the US government, the latter of which has just recently published a policy proposal for all public Federal websites to be served through HTTPS. He goes on to call the adoption of HTTPS an “important step” in protecting the public’s privacy and security.
While the position taken by the blog post advocates for a more secure ad industry, the post claims that a majority of ad delivery systems are already supporting HTTPS. Specifically, Riordan-Butterworth refers to an IAB membership survey, in which 80% of respondents stated their systems support HTTPS. However, the post notes the figure “doesn’t reflect the interconnectedness of the industry”, and the complexity of actually implementing HTTPS in the real world. Additionally, a post on Techdirt, a news website that was an early adopter of HTTPS by default, raised doubts about the accuracy of the 80% figure.
To investigate the current state of HTTPS support in the advertising industry we asked two questions. First, in a context where online advertising is highly prominent — online news websites — on a given site, how many of the third party connections support HTTPS? Second, given a list of popular advertising trackers, how many of them support HTTPS?
HTTPS support levels for ad trackers on news websites
Our first test looked at what third party connections occur when loading the global top 100 news websites as measured by Alexa. We used TrackerSSL, a Chrome extension developed at Open Effect, to measure which of those third parties (many of which are advertisers) support HTTPS encryption, which are transmitting identifiers in cookies, and the overall percentage of third parties that support HTTPS on each website.
Of the 98 sites that loaded in our test, an average of 47 different third parties transmitted data to/from the web browser. 19 of those third parties (41%) transmitted data that included a cookie file that contained a unique identifier, suggesting the occurrence of detailed user tracking. The St. Louis Post-Dispatch’s website had the most trackers of the sample, with 168 unique third party hostnames engaging in data transmissions on a single page load. The distribution across all top 100 websites is shown below in Figure 1.
Turning to security, an average of 53% of the third party hosts transmitting data on top news websites support HTTPS. News websites, on average, initiated communications with 10 different third parties that led to transmissions of uniquely identifying cookies that could not be secured with HTTPS. An average of 9 unique ID transmissions were to servers that support HTTPS. In other words, network snoops can take advantage of many insecurely-transmitted unique identifiers to help them identify just who is reading what news.
Overall the results show that news websites are slightly beyond the midway point of getting their third party dependencies secured before they themselves can reliably implement HTTPS.
HTTPS support among popular ad trackers
To more broadly assess the rate of HTTPS support for advertisers in the IAB and beyond, we looked at two lists of advertising trackers. First, we visited the Digital Advertising Alliance’s opt-out page for receiving targeted advertising (which does not opt you out of the behavioural tracking), which loaded resources from 123 different advertisers at test time. The Digital Advertising Alliance is an association focused on digital advertising industry self-regulation, of which the IAB is a member. Once we loaded the DAA’s tool, we then used TrackerSSL to examine how many of those Digital Advertising Alliance member advertisers support HTTPS.
As shown in the above screenshot (Figure 2), only 38% of the 123 advertisers in the Digital Advertising Alliance’s own database support HTTPS, less than half of the 80% figure referred to by Mr. Riordan-Butterworth in his post.
We ran a similar test on the 2,156 advertiser hostnames contained in the Disconnect privacy company’s public list of known ad trackers, which is not limited to Digital Advertising Alliance members. We found that just under 11% of ad trackers in this list supported HTTPS in practice, as shown in Figure 3 below. Another 3.8% did support HTTPS but used server configurations to actively redirect users away from a secure to an insecure connection. The remaining 85.7% of advertising trackers did not support HTTPS at all.
To assess HTTPS support, TrackerSSL and the other analysis scripts we ran each issued an HTTPS HEAD request to the hostname of an advertiser or third party connection on a web page. We additionally checked for a record in the Electronic Frontier Foundation’s (EFF) HTTPS Everywhere list of redirects in case the host communicates through HTTPS at a different hostname. The EFF’s list of redirects is finite, however, and so there is a chance that a small number of advertisers that support HTTPS on a different hostname than they serve regular HTTP will be missed by our analysis. Therefore, it is likely that the actual support for HTTPS is slightly, though not significantly, greater than we report.
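The classification described above, sketched as an added example (this is not TrackerSSL's code or the analysis scripts used for this post): one HTTPS HEAD request per hostname, a fallback to a known alternate hostname, and a separate class for hosts that answer over HTTPS but redirect back to HTTP. The `.example` hostnames, the canned responses in `SAMPLE` and the `ALTERNATES` map, a simplified stand-in for the HTTPS Everywhere redirect list, are constructed so the example runs offline.

```python
import http.client
import ssl
from collections import Counter
from urllib.parse import urlsplit

def https_head(host, timeout=5):
    """One HTTPS HEAD request, redirects not followed: (status, Location) or None."""
    try:
        conn = http.client.HTTPSConnection(
            host, timeout=timeout, context=ssl.create_default_context())
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Location"))
        conn.close()
        return result
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, invalid certificate, or no TLS at all

def classify(host, probe=https_head, alternates=None):
    """Return 'https', 'downgrade' or 'none' for one third-party hostname."""
    verdict = "none"
    # Try the hostname itself, then any known HTTPS-capable alternate for it.
    for name in filter(None, [host, (alternates or {}).get(host)]):
        result = probe(name)
        if result is None:
            continue
        status, location = result
        if 300 <= status < 400 and urlsplit(location or "").scheme == "http":
            verdict = "downgrade"  # answers over TLS, then redirects to plain HTTP
            continue
        return "https"  # any other TLS response counts as support
    return verdict

def summarize(hosts, probe=https_head, alternates=None):
    """Percentage of hosts in each class, rounded to one decimal place."""
    counts = Counter(classify(h, probe, alternates) for h in hosts)
    return {k: round(100 * counts[k] / len(hosts), 1)
            for k in ("https", "downgrade", "none")}

# Constructed sample data (not measurements): canned probe results, offline.
SAMPLE = {"ads.example": (200, None),
          "track.example": (302, "http://track.example/"),
          "secure.cdn.example": (204, None)}
ALTERNATES = {"cdn.example": "secure.cdn.example"}  # hypothetical alternate-host map
HOSTS = ["ads.example", "track.example", "cdn.example", "legacy.example"]

if __name__ == "__main__":
    print(summarize(HOSTS, SAMPLE.get, ALTERNATES))
```

Calling `summarize(hostnames)` without a `probe` argument uses `https_head` against the live hosts, with certificate validation left at the library defaults so that a host presenting an invalid certificate is counted as unsupported.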
We found a significant disparity between the level of HTTPS support in the ad industry referred to on the IAB’s blog and what we measured with our tests. We furthermore found that more than half of the ad trackers found on popular news websites that use cookie-based tracking mechanisms have no security measures in place to stop bad actors from collecting and correlating these unique identifiers with other browsing data. An important area of future work will be to repeat these tests in six months, and again in a year’s time to determine the relative success of the IAB’s call to security.