With help from Google, impersonated Brave.com website pushes malware

The RiteAid analogy above is wrong. Visiting a website is not like visiting a store. It is more like having tradespeople visit your house (given how private our computers and phones are). If I make an appointment with a plumber for a quote to fix the toilet and he brings another guy who only wants to have a look in my bedroom, I am legally and morally in my right to refuse. It's a security risk and I want to have none of it.
A more correct analogy is: you visit the plumber's premises on your own accord, to use their services or get a quote on something. While there, you demand control over what posters and supplier advertisement is hanging on the walls.

But that's still a bit off. Because in the world we're living, the plumber's only income is actually the revenue he gets from those posters. You get his services for free, which is why you visited THAT plumber, and not another one which demanded payment up front. While visiting the plumber that gives free services in exchange for posters on the wall you STILL demand control over the wall space while you're in the shop, and you feel entitled to get his services free even though you somehow managed to remove all the posters before you entered the shop.

That is the reality of things.

And most plumbers still help you because they have little choice. And while you consume their services for free, you complain about their evil posters.

:)

[image: 5i9dvo.jpg]
Explain and contribute positively. Because I honestly feel my analogy is significantly closer to the real world than prior examples here.

It appears as though you're not being intellectually honest. But I can't be certain.

Your web browser requests content & code from the internet, and you have the right to refuse anything that is malicious, creepy, or otherwise risky from happening on your computer. Few people would knowingly agree to being stalked, in the physical world or digital.

This matters! One day, human brains could be very tightly coupled to computers, and it will become a matter of my body(computer), my decision. As things are now, computers augment our brains more than we appreciate.
 
Upvote: 16 (17 / -1)

SplatMan_DK

The fundamental difference between our respective viewpoints is that you view "visiting a website" as analogous to going somewhere, while I see "visiting a website" as inviting content into my private space. I see no issue with restrictions on what I let into my private space.

Also, "visiting" is really a misnomer; I rarely leave my couch! All the content is really coming to me.

Edit: if you are OK with restrictions on opting out of what to admit in your private space, you essentially give up the notion of a private space altogether.
You are right, that is an interesting difference. And I accept that we see things differently.

But you're still the initiator of the visit even if what you're doing is inviting someone over for a visit. If you pay for their visit (subscribing) then you have a greater say in the terms for that visit. However, when you demand that someone visits you for free, and deliver services or content to you for free, they usually have an opinion about the terms of the visit. Like saying they will visit you for free if you accept getting a couple of brochures from their sales partners.

When you ask for a visit AND dictate the terms of the visit (ie demanding that the visitor doesn't get to leave brochures behind, or give you a pitch about something else) then you're screwing the visitor over. Because the only reason he could visit you for free is because SOMEONE ELSE WAS PAYING for his visit to your place.

At the end of the day, you want him to visit you while paying nothing and accepting no other action that allows the visitor to recoup the cost.
 
Upvote: -11 (2 / -13)

SplatMan_DK

It appears as though you're not being intellectually honest. But I can't be certain.
Apologies. I will work to regain your trust. I assure you, it's just a case of different opinions. I don't know what I have done to make you feel otherwise.

Your web browser requests content & code from the internet, and you have the right to refuse anything that is malicious, creepy, or otherwise risky from happening on your computer. Few people would knowingly agree to being stalked, in the physical world or digital.

This matters! One day, human brains could be very tightly coupled to computers, and it will become a matter of my body(computer), my decision. As things are now, computers augment our brains more than we appreciate.
I agree.

But your action should be to not visit sites you disagree with. I don't see how you ethically can demand to visit them AND dictate the terms of that visit.

If you disagree with their business model, stop using their service. I think it's quite entitled to think you somehow have a right to consume services from companies where you don't like their business model, and as a response you just take it for free on your own terms. That's taking their labour for free while offering nothing in return.

The ethical contract should be to consume their services on the terms they offer you, or not consume them at all.
 
Upvote: -8 (3 / -11)
But your action should be to not visit sites you disagree with. I don't see how you ethically can demand to visit them AND dictate the terms of that visit.

If you disagree with their business model, stop using their service. I think it's quite entitled to think you somehow have a right to consume services from companies where you don't like their business model, and as a response you just take it for free on your own terms. That's taking their labour for free while offering nothing in return.

The ethical contract should be to consume their services on the terms they offer you, or not consume them at all.

Your version of "ethical" is for users to either accept the terms websites dictate ("offer") or not at all? A contract should allow both parties to negotiate the terms, and if acceptable to both, then proceed. Or not. Neither party is required to enter into an unacceptable contract, and both have the right to refuse and the right to negotiate terms.

They agree to serve the content, despite my ad blocker. They are not required to do so. Nowhere did I claim to have a /right/ to consume services for free. Having the ability, and having the right are two different things.

Have a good day. Bye.
 
Upvote: 12 (15 / -3)

J.King

But you're still the initiator of the visit even if what you're doing is inviting someone over for a visit.
Okay, so if you invite me into your home and I plant a listening device in your living room without telling you, you're okay with that? Good to know.
 
Upvote: 8 (9 / -1)
So could you. Because you have a really simple choice: don't visit that plumber, with the business practices you don't like.

That's not practical. Ad networks are sufficiently ubiquitous and the web is so important that you would lose an essential utility. Also, I'm not even sure how you would configure your browser to refuse to load pages that embed ad networks.
 
Upvote: 5 (5 / 0)

SplatMan_DK

Okay, so if you invite me into your home and I plant a listening device in your living room without telling you, you're okay with that? Good to know.
Straw man. Or arguing in bad faith. Or both. I haven't said anything like that at all, and you know it.
 
Upvote: -14 (0 / -14)

SplatMan_DK

Your version of "ethical" is for users to either accept the terms websites dictate ("offer") or not at all? A contract should allow both parties to negotiate the terms, and if acceptable to both, then proceed. Or not. Neither party is required to enter into an unacceptable contract, and both have the right to refuse and the right to negotiate terms.

They agree to serve the content, despite my ad blocker. They are not required to do so. Nowhere did I claim to have a /right/ to consume services for free. Having the ability, and having the right are two different things.

Have a good day. Bye.
My version of ethical is accepting that a contract or agreement requires the consent of both parties. One party doesn't get to dictate terms and force the other one to accept.

If you don't like the terms you are offered and the other party won't accept your terms, your recourse is to refuse the contract. Which also means not getting the service.
 
Upvote: -12 (3 / -15)
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

I and probably most other Ars commenters block ads and trackers on all websites. I, like you, subscribe to Ars because I value its in-depth, high-quality coverage. (Plus, the full-text RSS feeds are really nice.)

It’s the website’s job to implement technical measures to maintain its revenue stream. I have no obligation to execute some random JavaScript function from doubleclick.com just because wired.com asks my browser to do so. If a website is concerned about losing revenue from users who block ads, then it should implement some sort of account system and lock its content behind a paywall. No one has a right to make money.


Eliminate ads and put everything behind a paywall. Let the poor people get their science information from Facebook and other sites who know how to make money. /s
 
Upvote: 0 (2 / -2)

J.King

Straw man. Or arguing in bad faith. Or both. I haven't said anything like that at all, and you know it.
Really? Because you said that if you "initiate a visit" by inviting someone to you, without paying them, and then dictate terms, you're screwing them over. And planting listening devices on your computer is something these ad networks are known to have done (however unintentionally). Seems to me like my analogy is pretty on the nose.
 
Upvote: 9 (10 / -1)

SplatMan_DK

Eliminate ads and put everything behind a paywall. Let the poor people get their science information from Facebook and other sites who know how to make money. /s
That's a really good point. A significant downside.

Commercials funding the flow of free information is a topic explored in several dystopian books and TV series. One of the famous ones is Max Headroom, in which TV sets with no off button exist. So poor people can get TV sets but can't turn them off, because that would stop the flow of commercials.

There is a significant downside to funding free services with commercials, but also downsides to imposing paywalls because it essentially makes information a rich man's domain. It perpetuates poverty in a sense.

It's also why some countries have license-based media channels. Free of commercial interests and supposedly unbiased (though any political minority often claims differential treatment). Reality does indeed have a well known liberal bias ... ;-)
 
Upvote: 4 (5 / -1)

SplatMan_DK

Really? Because you said that if you "initiate a visit" by inviting someone to you, without paying them, and then dictate terms, you're screwing them over. And planting listening devices on your computer is something these ad networks are known to have done (how ever unintentionally). Seems to me like my analogy is pretty on the nose.
You know they will ask you to accept that even before they come visiting. Because that's part of what they tell you up front.

You can choose not to ask them over, because you know what they'll do. That is your right.

You can remove the listening device after they visit, because they do in fact leave it on the coffee table, they don't insert it into your butt. Your browser has a standard function to remove it.

You can block tracking without blocking ads. Many tools will allow you to do that. I am sure you're already aware of that.

You can temporarily allow the listening device, in a perfect and clean copy of your house (incognito tab) and then make that whole copied house disappear into thin air when you're done (close the incognito tab).
 
Upvote: -8 (3 / -11)
I wonder if there is a business opportunity here. Companies don't want scammers hurting their customers. So a company charges for all variations on a name.

Add a service like that to subscription based virus protection programs for business. So a company named MyBusiness.com would get a report every month listing similar business names. MyBusiness.org etc.
 
Upvote: 0 (0 / 0)
It may be disingenuous of me to continue arguing along these lines, because I've realized since starting that none of the moral or ethical arguments hold any weight for me. I think that capitalism is an amoral system and no one has a moral or ethical obligation to engage with it on its own terms. Whether loading ads actually does good in the world is super murky: yes, someone makes money, but is it really rewarding people who make good content? It rewards people who get clicks, which can also be done effectively by creating outrage and making the world worse. The amount of money I'd contribute as an individual with ad views is insignificant compared to the amount I could easily spare by directly supporting people who I think are doing good things (and I have to if I want creators with smaller audiences to survive, they can't do it on ad revenue). I also know that ads do harm by connecting scammers to victims. Even the inconvenience of greater page load times and an increased performance footprint has to be accounted for (the impact of which is significant for me because I do my web browsing on a low-power device and a slow DSL connection). All of these effects are negligible, so you'd have to demonstrate that the actual benefit in terms of supporting people who make good content (which I already do to a much greater extent via direct contributions, so those who would benefit most already have my money) has a greater positive impact than the negatives.

But since you clearly think that I have some sort of moral or ethical obligation from an agreement (but not a binding contract, I recognize you've acknowledged many times that a website TOS is not binding) made implicitly because I loaded a URL, none of that is going to matter to you, so I can only argue in terms of a weird legal framework that doesn't matter to me. I'm actually not sure how to navigate this, do we just agree that we are working from different frameworks and can't productively discuss the question?
 
Upvote: -1 (2 / -3)
I should also have noted that, while the impact of scammers on my own risk profile would be small, I know it's a more significant risk for others who just aren't as interested in tech. So it'd be much easier to argue that I, personally, should not run an ad blocker than that I shouldn't advise my friends to run an ad blocker for security reasons.
 
Upvote: 0 (0 / 0)
I make a distinction between the concept of using advertisements to generate revenue for a website and how the advertisements are actually implemented.

I use an ad blocker because of the security risk and because ads slow sites way down. I don't have any issue with the ads themselves.

If they were implemented well, I wouldn't have any problem with paying for my content by seeing a few ads rather than paying a monthly fee, especially for things I don't access often.

$2,$3, $5 a month isn't much if you are only paying for a handful of sites. But if you had to pay for every site you visited, it could quickly add up to hundreds of dollars a month. Not everyone is lucky enough to have a high paying job. If you are living paycheck to paycheck, you can't afford that.
 
Upvote: 6 (6 / 0)

mikecee

Explain and contribute positively. Because I honestly feel my analogy is significantly closer to the real world than prior examples here.

OK, I'll chip in. It's like there's a one in a thousand chance that just looking at the plumber's posters would make your eyeballs explode, so you wear special glasses that prevent you from seeing them.
 
Upvote
4 (4 / 0)
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/


It's a terrible solution though. Unless you assume that international audiences don't care about usability. Something less subtle, such as a background colour for any accented Latin character (e.g. a yellow background), would do a better job of letting you know that it's not dirt on your screen without totally disabling a useful feature.
Agree. Use of mixed alphabets should be a red flag. You're either using special characters for a reason, or you're a scammer.

Not sure how easy it is to detect though.

The core of the problem is that the internet was never designed for trust. It was designed for flexibility and resilience. Trust was slapped on top of everything, with duct tape and hair nails. At the beginning this worked because trust had a price in the form of certificates from somewhat reputable authorities. Now it's cheap and takes mere minutes. Trust has been reduced to facilitating encryption between endpoints, but the party offering encryption is no longer a known quantity and your browser doesn't show that.

At some point we will need a new form of trust system. I don't have a solution, but certificates issued by authorities to registered companies could be part of it.


Browser knows my preferred language, and it can be built up from there. If my language is English then highlight any characters that aren't in the English alphabet.

Might just highlight every non-English character anyway (a relatively short allow-list), and flip it for users in other scripts (for them you highlight english alphabet).
That doesn't really help for languages with both accented and unaccented Latin letters, like Castilian (one example given earlier) and Lithuanian (the subject of the article itself). Even if you assume the system locale reflects the preference of the user, lots of people out there are bilingual or trying to learn a language, and as IDNs become more common, warning fatigue will just cause people to ignore it.

It's not a warning, it's a highlight. Just like some fonts have a zero that looks distinct from an O. The idea is to make it so that characters that aren't part of your language look distinct. So a Cyrillic e would be highlighted on a French locale, but not an accented e.

This was just a back-of-napkin idea... The thinking is that if the industry really wants to solve it in a less half-assed way than Firefox, some thought has to be put in.
 
Upvote
-1 (0 / -1)
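An added worked example (my own code, not from the article or anyone in this thread) of the two ideas discussed above: the "mixed alphabets" red flag and the "highlight whatever is outside the user's own alphabet" variant. It decodes punycode with Python's built-in idna codec, classifies each character's script from its Unicode name, and lists the characters a user of a given locale would see highlighted. The locale alphabets and the sample domains (an all-Latin Lithuanian look-alike and a Latin/Cyrillic mix) are assumptions for the example; the punycode form is computed, not hard-coded.

```python
import string
import unicodedata

# Scripts told apart by the first word of a character's Unicode name; anything
# else (digits, hyphen, full stop) is "Common" and never counts as mixing.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL", "THAI", "DEVANAGARI")

# Alphabets a browser might key the highlight on (assumed for this example).
ALPHABETS = {
    "en": set(string.ascii_lowercase),
    "lt": set("aąbcčdeęėfghiįyjklmnoprsštuųūvzž"),
}


def script_of(ch):
    """Script of one character, e.g. 'LATIN' for 'ė', 'CYRILLIC' for 'а'."""
    try:
        first = unicodedata.name(ch).split()[0]
    except ValueError:            # unassigned or control code point
        return "Unknown"
    return first if first in SCRIPTS else "Common"


def to_ascii(domain):
    """Unicode domain -> punycode wire form (xn-- labels), via the idna codec."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Punycode wire form -> Unicode; Unicode input is returned unchanged."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def scripts_in(label):
    """Set of non-Common scripts used in one label."""
    return {s for s in map(script_of, label) if s != "Common"}


def is_mixed_script(label):
    """The 'mixed alphabets' red flag: more than one script in a label."""
    return len(scripts_in(label)) > 1


def foreign_chars(domain, locale):
    """Characters a `locale` user would see highlighted: anything outside the
    locale's alphabet other than digits, hyphen and dot. Returns (char, name)."""
    allowed = ALPHABETS[locale] | set(string.digits) | set("-.")
    return [(ch, unicodedata.name(ch, "?"))
            for ch in to_unicode(domain).lower() if ch not in allowed]


def inspect_domain(domain, locale):
    """Both checks on every label of a domain, plus its Unicode/punycode forms."""
    uni = to_unicode(domain)
    return {
        "unicode": uni,
        "punycode": to_ascii(uni),
        "mixed_script_labels": [l for l in uni.split(".") if is_mixed_script(l)],
        "highlighted": foreign_chars(uni, locale),
    }


if __name__ == "__main__":
    # Constructed inputs: an all-Latin look-alike that the mixed-script rule
    # misses (only the per-locale highlight catches it), and a Latin/Cyrillic
    # mix that both checks catch.
    for d in ("bravė.com", "br\u0430ve.com"):
        for loc in ("en", "lt"):
            r = inspect_domain(d, loc)
            print(loc, r["punycode"], "mixed:", r["mixed_script_labels"],
                  "highlight:", [c for c, _ in r["highlighted"]])
```

The output shows exactly the weakness raised above: the Lithuanian-looking name is a single script, so the mixed-script rule passes it, and for a Lithuanian locale the highlight passes it too. Only a user whose alphabet lacks the accented letter gets a visual cue.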

leonwid

Ars Tribunus Militum
1,744
Subscriptor++
I wonder if there is a business opportunity here. Companies don't want scammers hurting their customers. So a company charges for all variations on a name.

Add a service like that to subscription based virus protection programs for business. So a company named MyBusiness.com would get a report every month listing similar business names. MyBusiness.org etc.

And just when you’ve done all that ICANN sees the sales figures for non-dot-com domains and thinks - we’ll have to add infinitely more top level domains so we earn more money.

https://www.theregister.com/2008/06/26/ ... l_domains/

The advice you give is correct, but it is not cheap and also not a one-time action.
 
Upvote
1 (1 / 0)

scottro

Smack-Fu Master, in training
68
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

I have to respectfully disagree, because of things like this. Even if I support a site, they have no control over what ads appear on the page, and any of those ads may contain malware. Is the site responsible for any damage done to me by ads on their site?
I think it's too bad that the web developed this way, rather than the way of print journals, where companies paid site A to have an ad for their product B. If it were that way, and there were no video ads, I'd allow ads on all sites I support. As it is, when I see "please disable your adblocker", my thought is, please control your ads.
I remember a cracked.com article when one of the early writers talked about how they had no control over the ads that appear on the site. If that's the case, I don't think it's worth disabling my adblocker.
 
Upvote
4 (5 / -1)

J.King

Ars Praefectus
4,390
Subscriptor
So could you. Because you have a really simple choice: don't visit that plumber, with the business practices you don't like.

That's not practical. Ad networks are sufficiently ubiquitous and the web is so important that you would lose an essential utility. Also, I'm not even sure how you would configure your browser to refuse to load pages that embed ad networks.
I guess as a workaround we can at least try to block the advertisers with which the plumber contracts, so that we at least filter out the truly objectionable material. It wouldn't be perfect, but at least we could browse in safety, right? An ugly hack, to be sure, but it's the best we can do under the circumstances, I suppose...

As a historical footnote, I've been filtering out advertising using one technical method or another for 18 years now. It started with pop-up blocking (because pop-ups were a usability nightmare), and escalated to general URL filtering. I applied a URL filter not because ads are annoying, but because throughput in 2003 wasn't what it is today, and DNS queries make up a significant portion of request time. This is less of a concern today, but as advertising became more complex and script-driven, power efficiency comes into play, and now as criminals seek to exploit that which advertisers have normalized, we must also consider safety. There are compounding reasons to excise advertising from your browsing, none of them having to do with the advertising itself.

If advertising were implemented more reasonably, efficiently, and safely, with the user in mind, there would be no reason to suppress them.
 
Upvote
3 (3 / 0)

It seems like a computer program looking for domain names that appear similar but aren't the same shouldn't be that hard to automate. D0main name vs DOmain name type stuff. It wouldn't be perfect but it would catch some of them. Smaller companies which don't have a huge security department might be interested to know about a new site that's a minor misspelling away from their site's name.
 
Upvote
0 (0 / 0)
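An added example (mine, not from this thread) of the monitoring service leonwid and the reply above describe: generate the single-edit and ASCII look-alike variants of a brand's second-level label, then match a feed of newly registered domains against them, with an edit-distance fallback for substitutions the look-alike table doesn't list and a separate check for the same name under another TLD. The homoglyph table and the "new registrations" feed are constructed for the example, not real data.

```python
import string

# ASCII look-alikes of the "D0main vs DOmain" kind. Deliberately small and
# assumed for this example; production tooling uses far larger tables.
HOMOGLYPHS = {"o": ["0"], "i": ["1", "l"], "l": ["1", "i"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}

# Constructed sample of "newly registered" domains; not real registrations.
NEW_REGISTRATIONS = [
    "mybusiness.org", "mybus1ness.com", "rnybusiness.net", "mybusines.com",
    "mybusinesz.com", "example.com", "mybusiness.com",
]


def generate_variants(label):
    """Single-edit look-alikes of one label: omission, transposition, doubled
    letter, one inserted letter, and the HOMOGLYPHS substitutions."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                         # omission
        out.add(label[:i] + label[i] + label[i:])                  # doubled letter
        for g in HOMOGLYPHS.get(label[i], []):                     # homoglyph
            out.add(label[:i] + g + label[i + 1:])
        if i < n - 1 and label[i] != label[i + 1]:                 # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n + 1):
        for c in string.ascii_lowercase:                           # insertion
            out.add(label[:i] + c + label[i:])
    out.discard(label)
    return out


def osa_distance(a, b):
    """Optimal-string-alignment (Damerau-Levenshtein) distance: one edit is an
    insertion, deletion, substitution or adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def split_domain(domain):
    """'label.tld' -> ('label', 'tld'); the TLD part keeps any further labels."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def find_lookalikes(brand, domains, max_distance=1):
    """Domains in `domains` that impersonate `brand`, with the reason matched."""
    brand_label, brand_tld = split_domain(brand)
    variants = generate_variants(brand_label)
    hits = []
    for d in domains:
        label, tld = split_domain(d)
        if label == brand_label and tld == brand_tld:
            continue                                   # the brand itself
        if label == brand_label:
            hits.append((d, "same name, other TLD"))
        elif label in variants:
            hits.append((d, "generated variant"))
        elif osa_distance(label, brand_label) <= max_distance:
            hits.append((d, f"edit distance {osa_distance(label, brand_label)}"))
    return hits


if __name__ == "__main__":
    for domain, reason in find_lookalikes("mybusiness.com", NEW_REGISTRATIONS):
        print(f"{domain:20} {reason}")
```

Run against the constructed feed, five of the seven entries are flagged; only the brand's own domain and the unrelated one pass. The generated variants catch the targeted look-alikes (1 for i, rn for m), while the distance fallback catches an arbitrary last-letter substitution the table does not know about. This is the cheap half of the problem; as leonwid notes, the expensive half is doing it every month and deciding what to register or take down.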
Taptaptap said:
If they were implemented well, I wouldn't have any problem with paying for my content by seeing a few ads rather than paying a monthly fee, especially for things I don't access often.

Ads used to be a single banner no larger than 500x80 pixels...that was until ads became the way to make billions. Back in 1995 seeing more than a single ad on any page was quite rare. Now it's dangerous to browse with no ad-blocking. I dug up one of my banners from 1998 and it is 468x60. Just floats on the bottom and nothing more.

I agree. That's why I stipulated that for me it's more how ads are being implemented on websites that worries me than the ads themselves.

It's like commercials on TV. When I was a kid, commercials were 8 minutes and shows were 52 minutes. Ten years ago it was 42 minutes show and 18 minutes commercials. Now there's even more commercials on some channels. On some shows it's getting to the point where the amount of time spent on commercials is more than the amount of time spent on the show. To me the cut off point is somewhere around 3/4 show and 1/4 commercial. If I'm watching it on my laptop I just switch to a different tab during the commercials.
 
Upvote
2 (2 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
They still haven't responded to the umpteen links showing that malicious ads are a common problem, which is why people have been saying that ad blockers are a security measure. Their talking points from the ad industry probably don't have a response to that.
I will get to it when I am at my PC. I am in CET so please understand that with time difference, kids, dinner, and various responsibilities there is a limit to the amount of data analysis I can do before time and location allows it, and that time may not be what feels natural to you. The links were there for me when I got up this morning and I don't get to my PC before around 20-ish.
 
Upvote
-4 (1 / -5)

panton41

Ars Legatus Legionis
11,115
Subscriptor
They still haven't responded to the umpteen links showing that malicious ads are a common problem, which is why people have been saying that ad blockers are a security measure. Their talking points from the ad industry probably don't have a response to that.
I will get to it when I am at my PC. I am in CET so please understand that with time difference, kids, dinner, and various responsibilities there is a limit to the amount of data analysis I can do before time and location allows it, and that time may not be what feels natural to you. The links were there for me when I got up this morning and I don't get to my PC before around 20-ish.

Meanwhile you wrote a half-dozen posts with about 5,000 words between them...
 
Upvote
5 (6 / -1)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
OK, I'll chip in. It's like there's a one in a thousand chance that just looking at the plumber's posters would make your eyeballs explode, so you wear special glasses that prevent you from seeing them.
I like the way you think, and I accept that we need to come up with an analogy for malicious ads if we're sticking with the plumber-thing.

It's not an eyeballs-exploding kind of thing though. You won't be permanently blind from being served malware. Best case your local endpoint protection software catches it (and surely you are running one, because there are many other threats than ads, right?). Worst case you get ransomware or something that steals your credit card details. In both cases you might incur a minor loss and some inconvenience, but you won't be losing limbs or your vision.

Perhaps a better analogy is that the ads spray manure on your clothes and you have to take them to the cleaners?

And in any case: if this risk is present, why do you continue to seek out this plumber at all? Why not stop coming there?

(I think the answer is: because you can screw him over and continue to get his services for free while using your special glasses to never see his ads, so he pays the loss out of his own pocket and he has no realistic way of changing that, and you have zero incentive to change your behaviour...)
 
Upvote
-9 (1 / -10)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++

Meanwhile you wrote a half-dozen posts with about 5,000 words between them...
Now you're just being obtuse. Surely you understand that a text field on a mobile phone is workable for posting, but a mobile phone is not very good for evaluating and analyzing the myriads of data you have asked that I look at?
 
Upvote
-7 (2 / -9)

panton41

Ars Legatus Legionis
11,115
Subscriptor
I like the way you think, and I accept that we need to come up with an analogy for malicious ads if we're sticking with the plumber-thing.

It's not an eyeballs-exploding kind of thing though. You won't be permanently blind from being served malware. Best case your local endpoint protection software catches it (and surely you are running one, because there are many other threats than ads, right?). Worst case you get ransomware or something that steals your credit card details. In both cases you might incur a minor loss and some inconvenience, but you won't be losing limbs or your vision.

Perhaps a better analogy is that the ads spray manure on your clothes and you have to take them to the cleaners?

And in any case: if this risk is present, why do you continue to seek out this plumber at all? Why not stop coming there?

(I think the answer is: because you can screw him over and continue to get his services for free while using your special glasses to never see his ads, so he pays the loss out of his own pocket and he has no realistic way of changing that, and you have zero incentive to change your behaviour...)

There is no analogy to be made with plumbers. None. Zero. Nada. Zilch.

Plumbing is an extremely capital-intensive industry to be in, with tools, vehicles and parts that all cost a small fortune at the professional level, and that's not getting into the fact that in most areas, to be a professional plumber, you need formal training involving an apprenticeship, and in some cases your work is life-and-death. (Plumbers often deal with natural gas pipes as well.)

Website costs vary wildly from "Supporting a multibillion dollar media empire" down to "a few extra bucks on my free hosting blog." I'd have no issue if the ads weren't intrusive, but even Ars will have full-page ads served from God knows where and written by anyone with enough money, pushing out more megabytes of third-party tracking javascript than the content itself. (Seriously, the Brave browser actually tracks that info and displays it if you ask for it.)

In the case of metered connections those ads cost the users money to cram in front of their eyeballs. In some cases with a crappy cellular plan a busy website can cost the users $0.10-0.25 out of their pockets just to load all the ads.
 
Upvote
2 (3 / -1)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
Perhaps not a legal right. I am unsure how easy it is to enforce a website TOS (but most I have bothered to read actually prohibit ad blockers or altering the source of the rendered page). But surely they do have a moral and ethical right. It is their content, so it's their decision how to monetize it.
I might grudgingly accept this if ads weren't so high on the list of information security threats to the average person browsing the Internet (up there with password database leaks). I could not advise anyone to browse the web without an ad blocker. Scams are simply too common, and there is nothing I can tell a less tech savvy individual that would really help them identify malicious ads. Maybe some of them are harder to detect now, but that doesn't matter, because being less good at identifying bad ads than I am doesn't mean you deserve to get scammed.

Then again, another way of looking at what's happening is that a website is auctioning your attention to some unknown third party, even to them. Unlike an ad in a newspaper, this is done on an individual level for everyone who visits the page. Surely you should have the ability to negotiate this arrangement, or at least an opportunity to evaluate it before consenting to it, since they are selling something that belongs to you. In fact, the most practical way to make that happen right now is to run an ad blocker, and let them refuse to serve you content if they think it's sufficiently valuable to entice you to reconsider (or to pay for it directly).
Malicious ads aren't very common where I live. As I see things the threat exists but is greatly exaggerated in order to justify blocking. Things may be different where you live.

I don't run a blocker and my endpoint protection suite has reported nothing for over a year (work PC uses Fortinet, private PC has Kaspersky).

I disagree that any online media is selling something that's yours. They are selling ad space on their pages, exactly the same as if it was a printed edition. It's just brokered in milliseconds and served in new ways to optimize targeting. It's their space and they're not selling anything of yours. To do so would imply they could sell your eyeballs even if you didn't visit their site - but clearly that's not the case.


Ad networks aren't safe, Splatman. They just aren't. They're stacked multiple layers deep, and website operators may end up exposing their clients to dozens of different networks with completely different security standards. No matter how fantastic they might be locally, just one compromised system anywhere in the ad infrastructure is an attack vector against their clients.

It would be different if the ads were entirely hosted locally. If, say, Ars sold its own ads and hosted them on Ars' own servers, then customers wouldn't be at any more risk. But it's easier and requires very little effort to use ad networks, and companies just ignore the risk, because they don't run any particular risk themselves. Their customers bear the entire burden of their bad behavior.

Profiting by putting people at risk is flat out unethical. Ads could be done safely, but they never are, because companies would rather keep the dollars in their pockets than keep their readers safe.
I won't claim that ad networks are perfect. I am not in the industry so I don't have a dog in that race anyway. I also won't deny that breaches have happened. And I hate the way they track people and do micro-segmentation. I dumped most social media because of it.

But as this is Ars, I think it's time we get some hard facts and data to support your position. We're a science-and-facts bunch after all. I therefore suggest you get some sources that support your position that ad networks are a substantial threat - bigger or at least on par with other cyberthreats. Data should be in percentage of infected users (vs. total served users) or something similar. I don't think it's unfair to ask you to substantiate the claim.

In the absence of hard data I am going to stick to my experience that the threat is greatly exaggerated and mostly used as an excuse to block.

Ad network uses advanced malware technique to conceal CPU-draining mining ads

Big-name sites hit by rash of malicious ads spreading crypto ransomware

Millions of web surfers are being targeted by a single malvertising group

Millions exposed to malvertising that hid attack code in banner pixels

Here’s why the epidemic of malicious ads grew so much worse last year

Advertising firms struggle to kill malvertisements

Google stops malicious advertising campaign that could have reached millions
Honestly, I was hoping for something much better.

Of all the links you posted only a single one is from 2021. All the other ones are more than 3½ years old, and as much as 8+ years old (2014). It looks to me like you didn't search for facts, but searched for links that supported your position. That's just ... not very productive. Debating is about uncovering truth, not about convincing others of your position.

None of the links contained a source of hard data on the prevalence of malicious ads. I accept that they exist, but remain unconvinced that it is as widespread a problem as you claim. None of the links support the claim.

Link 1:
Link is 3½ years old. And it's clearly an edge case (literally, the article says that the in-browser coin mining might have netted only approx 36 cents/day). Technically interesting but not showing a widespread problem.

Link 2:
Link is 5½ years old. Vector was discovered and mitigated in malware products inside 24 hours. It happened a very long time ago and I can't see this as supporting the position that there is currently a widespread problem.

Link 3:
Only interesting link in this context, dated 2021. But not an example that supports the argument very well, since it specifically targeted self-hosted ad server product "Revive". The infections were driven by classic fake update files (Flash) that would have been caught by any contemporary endpoint protection suite (users like you would never be hit) and the article is perhaps more an argument to use major advertising networks than "roll your own".

Link 4:
Link is from 2018, so is about 3½ years old. Vector has been mitigated. Source was fake agencies and attacks relied on social engineering (Microsoft support scam etc). Users like you, and I suspect adblocker users in general, would never be fooled by something like this.

Link 5:
Link is, again, from 2018. Same properties as link 4. Vector has been mitigated. Source was fake agencies. Attacks relied on social engineering (Microsoft support scam etc) and fake updates to flash player.

Link 6:
This one is from 2014. I did read it to be sure that I didn't miss anything important. But honestly, you need to vet your source material better. The claim is that malicious ads are a contemporary problem, and you're serving me links that are 8 years old? That's a disrespectful waste of my time.

It's not quite as evergreen of a story as "Google kills another product" or "Play store malware" but several times a year is pretty typical.
I have been unable to confirm that. We have a single Ars story from 2021, and links that are 3½ - 8 years old. I haven't seen anything to support the "several times a year".

Those links aren't getting into stuff like dubious quality porn sites where malvertising is the norm, not the exception.
I think it's safe to ignore those. They're generally (for good reason) not participating in reputable advertising networks. The existence of such sites cannot justify blocking ads on Ars, The Guardian, etc.

You claim you don't work in the ad industry and yet you keep regurgitating ad industry talking points and trying to claim "ethics" and "morals" to force a pathos argument on a technical subject which are best argued with logos.
I am not sure what you mean about logos. But the ethical perspectives are pretty clear, even if they are inconvenient for you.

I'll take a look at some of the links provided by other posters. They might have some more interesting data (I think I spotted the word "statistics" in one of the URLs).
 
Upvote
-9 (4 / -13)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
There is no analogy to be made with plumbers. None. Zero. Nada. Zilch.

Plumbing is an extremely capital-intensive industry to be in, with tools, vehicles and parts that all cost a small fortune at the professional level, and that's not getting into the fact that in most areas, to be a professional plumber, you need formal training involving an apprenticeship, and in some cases your work is life-and-death. (Plumbers often deal with natural gas pipes as well.)

Website costs vary wildly from "Supporting a multibillion dollar media empire" down to "a few extra bucks on my free hosting blog." I'd have no issue if the ads weren't intrusive, but even Ars will have full-page ads served from God knows where and written by anyone with enough money, pushing out more megabytes of third-party tracking javascript than the content itself. (Seriously, the Brave browser actually tracks that info and displays it if you ask for it.)
So we are back to the "I disagree with the business model, so I will take the content for free because it gives me value, and I refuse to pay or give anything in return." That is definitely an option, since the site has little recourse, but it is an undeniably selfish and entitled point of view.

At least you dumped the malware claim, and reduced it to "it's inconvenient so I won't bother". That's a much less murky position - albeit not one I agree with.

On top of that may I remind you that quality journalism is expensive. Likely more expensive per employee than a plumber. The education is as long (or longer in some countries), more people are involved, wages are higher, etc. We're not talking about a private blog with kitten photos or pancake recipes here.

In the case of metered connections those ads cost the users money to cram in front of their eyeballs. In some cases with a crappy cellular plan a busy website can cost the users $0.10-0.25 out of their pockets just to load all the ads.
Why the hell would that be relevant at all? Why do you even discuss the "losses" incurred by end users (who CHOOSE to download said content - it DOES NOT happen automatically), but completely ignore the costs that the content publisher has?

I reject that completely. You either include the economies of both sides, or of neither. You don't get to cherry-pick whatever suits you. Take your pick and let me know.
 
Upvote
-11 (4 / -15)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++

The fundamental difference between our respective viewpoints is that you view "visiting a website" as analogous to going somewhere, while I see "visiting a website" as inviting content into my private space. I see no issue with restrictions on what I let into my private space.

Also, "visiting" is really a misnomer; I rarely leave my couch! All the content is really coming to me.

I find it telling that SplatMan asked in one post "Is malware in ads really a problem" and after several people (myself included) threw up about 20 different links showing different aspects of the problem and naming individual high-profile cases suddenly there's crickets.

I'm sorry, but when The New York Times is serving malware because of bad ads I'm inclined to think it's a problem. And, again, among sites like porn malvertising is the norm, not the exception.
I find it telling that after spending more than an hour diligently studying the links you provided, there is bubkis in support of your position.

The NYT served malware in, what, 2016? Five years ago? Or did it happen more recently and I missed it?
 
Upvote
-10 (3 / -13)

J.King

Ars Praefectus
4,390
Subscriptor
The NYT served malware in, what, 2016? Five years ago? Or did it happen more recently and I missed it?
You do realize the subject of the article, right? The point is that it can happen even with reputable publications because they don't have complete editorial control over their advertising. You don't know ahead of time whether the ads any given site will serve are malicious. The only safe course of action is to block any and all advertising from third parties with a history either of abuse or having been abused.
 
Upvote
8 (9 / -1)

malor

Ars Legatus Legionis
16,093
You are not engaging in good faith, Splatman. You ignored the provided Wikipedia link completely. And the things that panton41 linked were just the high profile attacks, the ones that actually made the news. You asked for examples, and you got a bunch of them, and then proceeded to ignore them for frivolous reasons.

Attacks that are high profile, in many cases, are failures, because they can be neutralized. It's the attacks that aren't detected quickly that are really successful. Attackers use mutating malware that only infects a couple hundred PCs per variant to make detection more difficult. These attacks are constant and ongoing, although one source claims that they've declined in frequency somewhat over the last couple years. The ongoing spread of https is probably helping there.

Regardless, the fundamental assertion remains true: if your PC is forced to contact more networks, it is at more risk. You may think you're visiting Ars, but in fact you could be visiting a dozen networks or more, most of which probably won't be run as well. They have different threat models, and Ars has no control over them. Blocking ads removes this threat entirely. If you contact only Ars servers, then only Ars can easily attack you. (short of someone running an implant on a router or something, but https links foil those pretty thoroughly.)

One of the fundamentals of security is defense-in-depth. You do many things to protect yourself, not just one. Talking to as few Internet servers as possible is one of many layers of protection. It's part of the Swiss cheese security model; if you've got multiple layers, then the bad guys only get through if all the holes line up perfectly.
 
Upvote
10 (10 / 0)

malor

Ars Legatus Legionis
16,093
The NYT served malware in, what, 2016? Five years ago? Or did it happen more recently and I missed it?
You do realize the subject of the article, right? The point is that it can happen even with reputable publications because they don't have complete editorial control over their advertising. You don't know ahead of time whether the ads any given site will serve are malicious. The only safe course of action is to block any and all advertising from third parties with a history either of abuse or having been abused.

And, note, reputable publications with huge budgets and security best practices. Ad networks are a scourge.
 
Upvote
3 (3 / 0)

Zapitron

Ars Centurion
318
Subscriptor
As long as you can demonstrate .. that you control the domain .. you can get a certificate. All a certificate does is secure the connection between the client and the server. It says nothing about the trustworthiness of either party.

More fundamentally: it says nothing about the identity of the party. The whole question of trustworthiness comes after you know whom you're considering trusting.

It's not merely that you lack reason to trust that other party; it's that you don't even have reason to suspect that the other party is someone you might trust, because you don't even have the faintest notion who they are.

Extended Validation SSL Certificates were intended to address this, but it probably wasn't used here, and more importantly, users don't really understand it. Yet the entire point of EV certs is to communicate something to the user, so it simply can't work—unless users change (which they don't) or browsers change (which is what got us into this mess).
 
Upvote
1 (1 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,237
Subscriptor++
... But here is the thing: I have never been served malicious ads from any reputable site I frequent, like Ars, The Guardian, or my local news organisations. I am betting that you have not either. The threat is so negligible that browsing the web for things without ads is likely more of a threat than ads themselves. ...

I have a library of about two thousand links like these:

https://www.theregister.com/2017/11/20/ ... b_bank_ad/

https://www.theregister.com/2018/07/30/ ... wordpress/

https://meincmagazine.com/information-tec ... -porn-ads/

https://www.bbc.co.uk/news/technology-56886957

https://www.bbc.co.uk/news/technology-56888693

https://www.bbc.co.uk/news/technology-58001205
If you have such an extensive list, can you please get some relevant ones? Here is what I found after diligently reading each and every one of your links:

Link 1:
Link is from 2017 (est. 4 years old). Volume was very low, and does not represent anything "widespread".

Link 2:
Link is from 2018, 3+ years old. Not executable malicious ads but social engineering (fake Flash updates and Windows Support scams). Estimates are 40K clicks. It's a little hard to find the estimated number of clicks per day on the internet, but using a 2012 reputable source and (conservatively, for the sake of argument) progressing the number with the increase in internet traffic up to 2018 when this case was relevant, the number would be around 52 billion clicks per day only for Google. I am ok assuming they're the only game in town for the sake of argument and ease of calculation (they're not). Even if every one of the 40K clicks were in a single day (they were not) they would amount to 0,00013% of daily clicks.

I don't accept that as "widespread" and the threat was not direct (required social engineering).

Link 3:
Apps on Android. Why is this link included?

Link 4:
Not malvertising. Why is this link included?

Link 5:
Not malvertising. Why is this link included?

Link 6:
Not malvertising. Why is this link included?

There is nothing in the links you offered that supports the claim that malicious ads are a contemporary widespread problem. There just isn't.

You guys need to get serious, because otherwise this is just a waste of time.
 
Upvote
-13 (2 / -15)

J.King

Ars Praefectus
4,390
Subscriptor
The NYT served malware in, what, 2016? Five years ago? Or did it happen more recently and I missed it?
You do realize the subject of the article, right? The point is that it can happen even with reputable publications because they don't have complete editorial control over their advertising. You don't know ahead of time whether the ads any given site will serve are malicious. The only safe course of action is to block any and all advertising from third parties with a history either of abuse or having been abused.

And, note, reputable publications with huge budgets and security best practices. Ad networks are a scourge.
Indeed. It was Google today and could be NYT again tomorrow, and we have only one way to protect ourselves. It's a systemic problem requiring a systemic solution. If publishers don't like our technical solution, then the onus is on them to get advertisers to reform their technology.

For me the problem is solved. It's up to businesses to make money; I am under no obligation to make it easy for them. Ars provides excellent value, and I have responded accordingly. Same with LWN, which someone else mentioned yesterday.

My conscience is clear, thank you. I will not submit to abuse, and will not be guilted by the likes of SplatMan_DK into doing something against my own interest.
 
Upvote
6 (6 / 0)