Comments on: Security & ad serving http://yardley.ca/2008/01/28/security-ad-serving/ greg yardley on internet and mobile marketing Fri, 16 Jul 2010 21:30:24 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: admin http://yardley.ca/2008/01/28/security-ad-serving/comment-page-1/#comment-1101 admin Mon, 28 Jan 2008 18:54:07 +0000 http://yardley.ca/merge/2008/01/28/security-ad-serving/#comment-1101 Yes, it's not just an ad serving problem -- ad serving's just one of the systems with the broadest reach and therefore the most attractive target. My personal opinion - not speaking on behalf of anyone else here - is that JS from all but the absolutely most-trusted party belongs in an IFRAME, not directly injected into your page's DOM. This wouldn't have stopped an attacker from serving an obscene image, but I believe it would've stopped the redirect. Yes, it’s not just an ad serving problem — ad serving’s just one of the systems with the broadest reach and therefore the most attractive target.

My personal opinion – not speaking on behalf of anyone else here – is that JS from all but the absolutely most-trusted party belongs in an IFRAME, not directly injected into your page’s DOM. This wouldn’t have stopped an attacker from serving an obscene image, but I believe it would’ve stopped the redirect.

]]> By: Scott Switzer http://yardley.ca/2008/01/28/security-ad-serving/comment-page-1/#comment-1102 Scott Switzer Mon, 28 Jan 2008 16:50:54 +0000 http://yardley.ca/merge/2008/01/28/security-ad-serving/#comment-1102 Greg - Thanks for the comments. One reason that I brought this up is that it is not just an ad serving problem. Any domain which hosts Javascript is at issue, and thus the industry needs to be aware of the potential security problems associated with 3rd party code. The industry is moving in this direction - I am trying to make sure that we build in the appropriate security measures (both social and technical). We host a huge number of 3rd party scripts via our downloadable version of Openads, and have the responsibility to notify our users of the potential risks, and implement technical solutions if possible. Any additional feedback would be very much appreciated - the original story is at http://blog.openads.org. Cheers, Scott Switzer Openads Community Leader Greg -

Thanks for the comments. One reason that I brought this up is that it is not just an ad serving problem. Any domain which hosts Javascript is at issue, and thus the industry needs to be aware of the potential security problems associated with 3rd party code.

The industry is moving in this direction – I am trying to make sure that we build in the appropriate security measures (both social and technical). We host a huge number of 3rd party scripts via our downloadable version of Openads, and have the responsibility to notify our users of the potential risks, and implement technical solutions if possible.

Any additional feedback would be very much appreciated – the original story is at http://blog.openads.org.

Cheers,
Scott Switzer
Openads Community Leader

]]>