> it is within their (the website) responsibility to ensure that ads and/or content should not cause harm to a visitor.
I don't think that's been established. With the current state of advertising on the internet, it's not even possible to do this.
In general, websites use advertising networks which do not allow them to proactively vet the content. Even if they did, no amount of vetting can guarantee the content is benign (active content can do naughty things only some of the time or on some platforms, or things not yet recognized as naughty - this is also why antivirus isn't reliable). So, clearly the solution is to not allow JavaScript or Flash, right? Nope - exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.
This could maybe be dealt with by contracts between websites and advertising networks specifying that the advertising network will be liable for malicious content, but I don't see that happening.
A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day. That particular one would be used for attacking servers, but there have been client-side vulnerabilities in other common resources such as fonts before too. Assuming that just because a format is common the software processing it won't introduce any vulnerabilities is not a great idea.
In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.
> A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day.
Because of all the weird formats it supports. That's why I said jpg/png, not 'images'. Any software that supports 200 formats probably has severe bugs on the rare ones. Doesn't matter for making a secure image server where you can dictate the format.
> In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.
Whether they are being negligent is relevant. Allowing known-risky formats that keep failing over and over is negligent.
> Allowing known-risky formats that keep failing over and over is negligent.
But if you look at this from the opposite direction, you're essentially arguing that we should only use technologies that are known, or at least reasonably expected, to be extremely safe.
Given that in general humanity hasn't yet figured out how to create such technologies, and that numerous formats we use every day on the web to great overall benefit would not qualify, that seems a tall order.
> But if you look at this from the opposite direction, you're essentially arguing that we should only use technologies that are known, or at least reasonably expected, to be extremely safe.
No I'm not. Go ahead and use a new technology. But don't use a proven-bad technology.
If you tried a reasonable amount and don't know about security holes, that's one thing. If someone shows you the security holes, and you don't fix them, that is where you're a bad actor.
> Go ahead and use a new technology. But don't use a proven-bad technology.
But the "proven bad" technology you're talking about here is just incorporating any third party content in your site. Obviously that is a security risk if the third party isn't perfect about policing what they host.
On the other hand, billions of resources are served in that way every day, and the web is a much better place for it. Only a tiny fraction of those third party resources are hostile, and most of the ones that are will be closed down rapidly by the third party service themselves once discovered.
So is this really in "proven bad", "known-risky" territory, or are we actually talking about "very rare" dangers and a lot of hyperbole here?
The problem is incorporating third party content that is neither screened nor sanitized. The proportion doesn't matter as much as the fact that there is nothing stopping attacks. They only get cleaned up afterwards. You don't expose your users to attack without warning.
I think very few websites allow one person to embed arbitrary scripts that will be shown to another person.
> The problem is incorporating third party content that is neither screened nor sanitized.
It is impossible to screen or sanitize third party content if the third party is hosting it and the user loads it when your page refers to it. The third party can change that content at any time, without your knowledge or consent. This is how almost all ad networks work. It is also how almost all CDNs, web font services, image hosting services, etc. work.
> I think very few websites allow one person to embed arbitrary scripts that will be shown to another person.
Every single site on the web that hosts jQuery via a CDN does exactly that. This single example alone represents many millions of sites.
Why are you conflating individually-trusted CDNs with the servers of some random guy? And allowing only images, like most embeds do, is a form of sanitation.
I'll repeat myself. "I think very few websites allow one person to embed arbitrary scripts that will be shown to another person." This is not happening as a result of you using an image host. No scripts are involved there. This is not happening as a result of the site using a CDN. No user triggered that load of jQuery.
It's fine to load jQuery from a specific server that you trust. It's also fine to load ads from the ad network's server, as long as they are policing uploads properly. The problem is they usually don't.
> It's fine to load jQuery from a specific server that you trust. It's also fine to load ads from the ad network's server, as long as they are policing uploads properly. The problem is they usually don't.
You keep saying they usually don't, but billions of harmless ads are served every day while only a tiny fraction of the served ads are malicious. I just don't see how it's reasonable to assume depending on a third party ad network for content is fundamentally risky yet depending on some other third party service is not. CDNs and other hosting services get hacked and serve malicious content sometimes too, but that is also very rare and also usually gets fixed very quickly if it does happen.
They don't have a system that makes malicious uploads impossible (outside of hacking, of course). They could implement such a system, without much trouble. They choose not to.
Using a third party ad network is not inherently risky. But most specific third party ad networks are risky, because of bad practices.
That most ads are harmless is enforced through social norms and after-the-fact takedowns. They could do better, but don't. Negligence.
OK, so let's be constructive. What reasonable, practical alternative do you suggest for someone who is just running a small site and wants to cover their hosting costs?
There are other potential attack vectors than buffer overflows, though that seems the most likely source of vulnerabilities if you're going to limit images to JPG or PNG.
Of course now you're not only prohibiting third party resources except images, you're even prohibiting modern image formats like SVG, which is a little ironic since SVG-based ads might be smaller and/or look cleaner than equivalent bitmaps.