Time for publishers, advertisers to ‘catch up’ on web encryption?

Google and others have called for all websites to encrypt traffic to and from browsers, but the task for publishers is a tricky one, largely because of online advertising.

Last year Google said it would use website encryption as a signal in its search rankings. The general idea was that it would give priority to web admins that implemented HTTP over Transport Layer Security, which is represented in a browser address bar as a URL with the “HTTPS” prefix — with S denoting “secure”. It was meant to provide an incentive for webmasters to go through the rigmarole of buying and managing digital certificates.

While Silicon Valley companies, in response to government surveillance, have made efforts to encrypt email, social networks and other services, there are still relatively few publishers that support HTTPS, either by default or at all. Even online publishers that do support HTTPS may include resources on their news page that don’t.

The Interactive Advertising Bureau (IAB) — whose members include online publishers, advertisers, as well as Google, Twitter and Facebook — has now called for the online advertising industry to step up to the plate and “finish catching up” on the push for all websites to use encryption.

According to the IAB, the weak link in the chain is not advertisers but publishers. A recent survey of its membership indicated that 80 percent of member ad delivery systems already supported HTTPS.

That’s a good foundation but the IAB points out that in an ecosystem where publishers are connected to ad networks, analytics suppliers and other organisations, implementing HTTPS isn’t easy. The group uses publishers to highlight the point.

“A publisher moving to HTTPS delivery needs every tag on page, whether included directly or indirectly, to support HTTPS. That means that in addition to their ad server, the agency ad server, beacons from any data partners, scripts from verification and brand safety tools, and any other system required by the supply chain also needs to support HTTPS,” Brendan Riordan-Butterworth, the Director of Technical Standards at IAB, pointed out.

“That’s a lot of dependencies - and when one fails to support HTTPS, the website visitor’s experience is impacted, initiating a costly search for the failure point by the publisher,” he added.
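The search for the failure point can start with a static audit of the page markup. The following is an added example, not code from the IAB or the article: it lists the third-party hosts an HTTPS page still loads over plain HTTP, marking scripts, iframes and stylesheets as active mixed content (which browsers block) and images as passive (which typically produce a warning). The page URL and markup are constructed samples, and tags injected at runtime by other scripts are out of scope for a static scan.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource on page load.
FETCH_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
               "img": "src", "audio": "src", "video": "src", "link": "href"}
# Subresources that can rewrite the page; browsers block these over HTTP.
ACTIVE = {"script", "iframe", "embed", "link"}

# Constructed sample markup for a hypothetical publisher page.
SAMPLE_PAGE_URL = "https://news.example/story"
SAMPLE_HTML = """
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://news.example/story">
<script src="https://adserver.example/tag.js"></script>
<script src="http://verify.example/brand-safety.js"></script>
<iframe src="//agency.example/slot"></iframe>
<img src="http://beacon.example/px.gif?id=1">
<a href="http://other.example/">plain link, not a subresource</a>
"""

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = defaultdict(list)  # host -> [(tag, url, kind)]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied; skip canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        raw = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        parts = urlsplit(urljoin(self.page_url, raw.strip()))
        if parts.scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings[parts.hostname].append((tag, parts.geturl(), kind))

def audit(page_url, html):
    """Return {host: [(tag, url, kind), ...]} for HTTP-only subresources."""
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return dict(parser.findings)

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE_PAGE_URL, SAMPLE_HTML).items()):
        print(host, hits)
```

Grouping by host gives the publisher the list of partners to chase, rather than a flat list of URLs.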

Cost is a major factor in the decision to support HTTPS. Researchers from Carnegie Mellon University highlighted in a paper late last year that adding the S to HTTP introduces overheads on infrastructure costs, communication latency, data usage, and energy consumption. In a world where one additional second to load a page could cost $1.6bn in sales, minute latency matters.

So, as Riordan-Butterworth points out, supporting HTTPS isn’t as simple as “flipping a switch”. Overheads include the cost of acquiring certificates that are used to validate the origin of a website, and managing their eventual expiry, as well as additional resources required to support encryption on servers.

Image sharing site Pinterest, which recently enabled HTTPS, had serious concerns over higher costs from its content distribution network (CDN) providers due to the price of distributing the site’s images over HTTPS.

Some of those costs may, however, be alleviated by new initiatives such as Let’s Encrypt, headed up by Mozilla, the maker of the Firefox browser, Akamai, Cisco, the Electronic Frontier Foundation, and others such as IdenTrust, a certificate provider. Launched last year, the group is aiming to deliver free digital certificates this year, and lower the cost of buying and managing certificates.

Despite the higher costs to each individual organisation, the payoff is that the internet overall benefits by raising the cost of running a malicious hacking operation.

“Each server delivering encrypted content has to acquire a certificate that’s signed by a trusted authority and issued to their specific domain. This results in a larger set of consistent identifiers for servers, which has beneficial implications in the fight against malware - it’s more expensive for malware peddlers to set up shop on an HTTPS server, and easier to identify the same peddler across occurrences,” said Riordan-Butterworth.


Stories by Liam Tung
