During episode 520 of Security Now: The Quest for Surfing Safely, the topic of web ads came up and with it the problem of having to trust third-, and oftentimes fourth- or fifth-, parties.
That happens when, for example, a user goes to http(s)://news.com for his local news. If news.com wants to serve ads from ads.com, the user’s browser is forced to go to ads.com, load a bunch of code and data, and then execute and render it alongside news.com’s main page. The user trusts news.com—that’s why he went to that site—but does not necessarily trust ads.com (and much less other sites that ads.com might invoke).
This would be solved if the website itself served the content of the ads, but the issue is that the ad providers want to keep their own tally (if not, website owners could easily fool them into believing that more users viewed their ads than really did).
I have been thinking about it, and realized that this could be solved in a simple way.
We could define a standard set of basic information that the ad providers really need to have. For example: IP address, user-agent, and the page on the site that is being viewed. Let’s call that a user postcard.
Now let’s suppose that the same user goes to news.com. The (trusted) server sends the user a copy of the index page as usual, but instead of pointing the user’s browser to download the advertisement content from ads.com, it gives a write-only ads.com URL to which the browser must send its postcard. Then the content of the ads is served directly by news.com.
There is no exchange of data between ads.com and the user; it is a unidirectional channel.
Also, an additional part of the postcard could allow the trusted site to append some (signed) data of its own. That could be a replica of the user’s postcard, but as seen by the server, which would allow an even better degree of trust from the ad providers, since they would receive the same information from two sources. (They don’t have that now.)
But they could ask: “How do we know that the user did get the correct ad?” And they’d be right.
To solve that, we could have the main website explicitly tell the user which parts of the content are ads (on a filename basis, like “ads.js” and “ad.jpg”, or lines x to y of inline code). The browser would then hash those files, attach the values to the postcard and send it to ads.com. Now the ad provider should be happy, and the user wouldn’t have to execute stuff from anywhere other than news.com.
Could this work?