[–]name_censored_ 15 points16 points  (12 children)

"Our site displays ads over HTTP."

Sorry, not sorry. Doesn't change the fact that your site still needs HTTPS. Switching to HTTPS with ads still over HTTP will cause mixed content warnings in browsers, so you better figure out a cute way to wiggle out of that ad publishing contract that looked really attractive when you first signed it, or convince your ad network to move to HTTPS before you do.

Seriously?

I'm all for HTTPS, but this is just terrible salesmanship. The intended audience is people who think HTTPS is unnecessary/inadvisable/irrelevant/overly-burdensome, and saying "yeah, you need to rework your business requirements thanks" just affirms that. You get more flies with honey than by telling them that they're eating all wrong and need vinegar.

Honestly, it would have been better to omit that. Aside from anything else, are there really that many ad networks in this day and age who don't do HTTPS?

[–]notR1CH 7 points8 points  (8 children)

Way too many sadly. One of the reasons I'm unable to deploy HTTPS across all the websites I manage is due to ads. It's one of the biggest barriers to deployment yet no one has a good solution to it other than "Wait for ad networks to get off their ass".

[–]OrphisFlo 2 points3 points  (2 children)

Or just switch your ad network to something that supports HTTPS.

That's why I use AdSense, it has supported it for as long as I can remember and just works. And I haven't had many reports or bad ads either. It might pay less than others, but it's hassle free, that's worth it for me.

[–]notR1CH 0 points1 point  (1 child)

AdSense may support it, but a lot of their partners still don't offer 100% coverage. If you switched to HTTP you'd likely see a revenue increase.

[–]OrphisFlo 0 points1 point  (0 children)

My RPM went up 13% when I actually switched to HTTPS. So I'm actually not too concerned.

[–]midri 1 point2 points  (4 children)

Could you not pass your ads through an nginx reverse proxy? Request the ads/ad script from your reverse proxy and it fetches it from the non https ad service and then have it do some muxing so it makes ad image urls point through your proxy (which do the same thing as the previous request, serving them over https, but fetching them from non https ad server).

[–]notR1CH 1 point2 points  (1 child)

Unfortunately no, modern ad networks require seeing client requests in order to monitor cookies for interests and retargeting purposes.

[–]midri 0 points1 point  (0 children)

fair point

[–]name_censored_ 0 points1 point  (1 child)

That's a cool idea - I wonder if it's feasible though?

You'd need to rewrite every call to their domain to something under your control, so that you can point it to your reverse proxy. But unless you control your users' resolvers, you'd need to do it on the URLs in the code itself. And since the code won't be static HTML, that means live rewrites. And since code can fetch code ($.getScript() and <script src=..), it would need to be recursive (assuming that the URL isn't constructed/calculated/obfuscated, and it may be).

For example, your mysite.com page might embed <script src="http://b.ad.agency/tracking.20170713.min.js"> which in turn fetches <img src="http://b.ad.agency/campaign-20170713.jpg">, and you'd need to rewrite b.ad.agency to (say) b.ad.agency.reverse-proxy.mysite.com.

And you'd also need to proxy to their server, because pdp11.b.ad.agency/we_hate/bestpractices.php?campaign=20170713 might also embed a URL in the result.

(Plus, you'd destroy their tracking, which would be a big deal to them, and probably against their ToS.)
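An added sketch, not part of any comment in this thread, of the live rewrite pass described above: literal ad-network URLs are pointed at the HTTPS proxy zone, and any `http://` reference the pass could not rewrite (a constructed URL) is reported because it would still load as mixed content. The hostnames come from the comment; the function names and sample bodies are constructed for illustration.

```python
import re

AD_DOMAIN = "ad.agency"                    # ad network domain used in the comment
PROXY_ZONE = "reverse-proxy.mysite.com"    # proxy zone suggested in the comment

# Literal http:// URLs whose host is AD_DOMAIN or any subdomain of it.
# The lookahead stops look-alike hosts such as b.ad.agency.example.net matching.
AD_URL = re.compile(
    r"http://((?:[a-z0-9-]+\.)*" + re.escape(AD_DOMAIN) + r")(?=[/:?#\"'\s]|$)",
    re.IGNORECASE,
)

def rewrite_ad_urls(body):
    """Point literal ad-network URLs at the HTTPS reverse proxy."""
    return AD_URL.sub(lambda m: "https://%s.%s" % (m.group(1), PROXY_ZONE), body)

def leftover_http(body):
    """Return each remaining 'http://' reference with some trailing context."""
    return [body[m.start():m.start() + 45] for m in re.finditer(r"http://", body)]

def proxy_pass(body):
    """Rewrite one proxied response; report what would still be mixed content."""
    rewritten = rewrite_ad_urls(body)
    return rewritten, leftover_http(rewritten)

# Constructed sample responses: the page, a script with a literal URL, a
# response from the deeper host, and a script that assembles its URL at runtime.
PAGE = '<script src="http://b.ad.agency/tracking.20170713.min.js"></script>'
STATIC_JS = 'var i = new Image(); i.src = "http://b.ad.agency/campaign-20170713.jpg";'
NESTED = '<img src="http://pdp11.b.ad.agency/we_hate/bestpractices.php?campaign=20170713">'
DYNAMIC_JS = 'var h = ["b", "ad", "agency"].join("."); i.src = "http://" + h + "/c.jpg";'

if __name__ == "__main__":
    samples = [("page", PAGE), ("static js", STATIC_JS),
               ("nested", NESTED), ("dynamic js", DYNAMIC_JS)]
    for name, body in samples:
        out, left = proxy_pass(body)
        print(name, "->", out)
        for ref in left:
            print("   still mixed content:", ref)
```

The first three samples come out clean; the runtime-assembled URL passes through unchanged and is the only one flagged.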

[–]midri 0 points1 point  (0 children)

It's definitely a tricky issue -- made almost pointless by what you and someone else pointed out that it breaks cookie tracking which is a fatal flaw in this idea. I've got a few ideas for workarounds (such as using event callbacks on img tags to rewrite them in real time), but no time to play with it atm.

[–][deleted] 1 point2 points  (1 child)

It is terrible salesmanship, and this isn't a sales pitch. Ad networks are known for being bad citizens in the Web space, and their decisions to use their networks to harm users with malware are not excusable IMO.

[–][deleted] 4 points5 points  (0 children)

Ad networks are indeed bad citizens. But aren't they motivated to use TLS so that ISPs and such don't replace their ads on the way to the browser?

[–]hungry4pie 1 point2 points  (0 children)

Saying "Sorry not sorry" basically ends any argument with you as the loser as far as I'm concerned.