Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Advertising Security Communications Java Network Networking Privacy Programming The Internet

HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com) 108

An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
This discussion has been archived. No new comments can be posted.

HTML5 Ads Aren't That Safe Compared To Flash, Experts Say

Comments Filter:
  • ...but we are better without it :)
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • by tepples ( 727027 )

        Assuming that you're referring to replacement of SWF wtih HTML5:

        you replaced one format that [...] Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives

        Initially, Adobe's SWF spec was licensed under terms that specifically forbade its use to create third-party players. Adobe didn't drop that provision until the Open Screen Project in the second quarter of 2008.

        [Flash does] Not only did video but animation and gaming.

        HTML5 also does gaming. See Cookie Clicker [dashnet.org] and Pirates Love Daisies [pirateslovedaisies.com], for example.

        [HTML5 video] Had mandatory DRM baked in

        It's not mandatory. A web browser publisher can just choose not to support Netflix and Amazon video.

        [HTML5 video] Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS

        Where does the HTML5 spec require use of MPEG-4 codecs?

  • ...VAST and VAPID are the rules of the game....

    There, FTFY.

  • by Anonymous Coward on Thursday June 23, 2016 @07:19PM (#52377597)
    With HTML5 ads, the attack surface is the browser. With Flash, the attack surface is the browser plus the Flash plugin.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      But I can just not install flash. What's the best way to get rid of html5 video?

      • by Short Circuit ( 52384 ) <mikemol@gmail.com> on Thursday June 23, 2016 @09:33PM (#52378097) Homepage Journal

        You could build the browser without video support. Actually trivial to do on Gentoo...

        Gentoo. Not just for ricers.

      • by nmb3000 ( 741169 )

        But I can just not install flash. What's the best way to get rid of html5 video?

        A reasonable approach is an ad-blocker to outright block the most obvious and egregious crap, and enabling Click to Play on the rest.

        In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos. Some sites (including YouTube) act a little wonky and require two or three clicks (the first is interpreted as "Pause" since it assumes the video is already playing). Even with this I've found it to be a lot nicer with fewer auto-play videos, especially on news websites which seem

        • > In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos.

          I use Pale Moon, a Firefox fork. I find that I need to set 2 values

          media.autoplay.allowscripted false
          media.autoplay.enabled false

          The first one stops scripted HTML5 videos. This allows me to run with Javascript on, but still no HTML5 autoplaying ads.

          > Some sites (including YouTube) act a little wonky and require two or three clicks
          > (the first is interpreted as "Pause" since it assumes the video is alrea

      • by allo ( 1728082 )

        disable media autoplay in about:config.

    • by tlhIngan ( 30335 )

      Not to memtion, if there's bad javascript from a domain, block it! Your web browser doesn't HAVE to run every piece of javascript out there - NoScript and the like prove that.

      So the ad networks javascript is never run, period. Even better, it can be substituted/

      Flash ads? They run any damn thing from anywhere, bypassing any restrictions your browser may impose. That's why the only good option is to block the entire thing.

      Eventually, they'll learn to not use javascript for ads, and to serve it up directly. S

    • by Anonymous Coward

      With flash the attack surface was the html renderer ,the javascript VM with limited features needed to run most sites and flash. The last could be disabled without issue.

      With html 5 the attack surface is the html renderer , the javascript VM and every API added to it in order to replace flash. The last cannot be disabled without breaking most websites.

      So at least for me the attack surface grew enormously.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Except that all the added features of HTML5 have expanded the attack surface of the browser. HTML5 is essentially just Flash that's harder to block, which you cannot uninstall, and which can run its JavaScript within the same context as the rest of the page. I see no progress.

    • by antdude ( 79039 )

      And that is why I still prefer to use Flash for its videos so I can block them. How are we supposed to block HTML5 videos like plugin blockers? :(

  • Ad blockers (Score:3, Informative)

    by Anonymous Coward on Thursday June 23, 2016 @07:19PM (#52377601)

    Use them. There is literally no reason not to.
    Time and again we have seen that ads are used to inject malware.
    Why even take the risk?
    I'd rather fuck a stranger without a condom than browse without noscript and adblock.

  • by FireballX301 ( 766274 ) on Thursday June 23, 2016 @07:21PM (#52377605) Journal
    A bad ad network is a bad ad network, whether they're sending out flash units, html5 units, or putting up billboards on a highway overpass. A middleman injecting malware doesn't care what the underlying tech is, they care about if the network vets their shit on delivery.

    Nobody with a brain thought HTML5 was 'more secure' than Flash in of itself.
    • by Anonymous Coward

      Going to get modded down but regarding HTML5 they did and do. Flash is the boogieman everyone can hate, underneath though they have been using other methods for a while though. Ads in fonts, embedded metrics in URLs, etc.

      Google randomly uses DNS as their backend by making encoding data in hostnames. They dont' have to resolve to anything the fact that you tried is enough and they are under google.com not googlesyndication. We have a name for it - command and control. It isn't new nor did Google create

    • Sure, but Google Chrome allows you to disable Javascript and force click-to-play for flash.

      Last I checked, there is no such thing as "click to play" for HTML5 in Google Chrome.

      http://arstechnica.com/informa... [arstechnica.com]

      I would say it's an oversight, except Google is an advertising company.

  • by Anonymous Coward

    Who among us in the inter-webs or you-tubes (yeah.. slang) ... you know who you are.. thinks that there is any vector, avenue or north-star-ip-address that the abomination called advertising/malvertising/malware/state-sponsored attacks cares about our own personal computer security? No new protocol/process/add-in or anything ratified by the IETF isn't immediately subjected to the violent will of those people/agencies/acting-countries that don't care about you but only care about the end-result being their

  • They are arguing that they will still be relevant, when the vast majority of their usefulness evaporates.
  • The real culprit is the ability to send JavaScript code at runtime

    Derp. The "real" problem with Flash is its use as a vector for installing malware via buffer overflow (usually) attacks. Those are distributed via ad networks.

    Javascript injection is a separate issue, and there are other Flash privacy concerns, but that's not why people are screaming from the hills that Flash must be exterminated.

  • by rsilvergun ( 571051 ) on Thursday June 23, 2016 @08:05PM (#52377787)
    is that Adobe doesn't put enough $$$ behind security. It's not any easier for Google/Mozilla/Microsoft to do this but Google/Mozilla are open source and Microsoft has deep pockets and juicy gov't & corporate contracts as the incentive to spend money on security.
  • by CaroKann ( 795685 ) on Thursday June 23, 2016 @09:11PM (#52378027)
    How many technologies have died in large part due to security issues? VB and VB Scripting, ActiveX, Silverlight, Flash, Java, Browser plugins: the list goes on.
    So when is JavaScript going to be tossed?
    It's frustrating for so many client end technologies to be tossed partly due to the security issues they brought.
    In a way, I actually miss the days when most applications were written using VB or MFC style interfaces, and GUI widgets were being developed and released by the hundreds.
    • VB is still a very common language, users just don't have any way of knowing what language was used because it still gets packaged as an .exe and they don't plaster VB onto the installer anywhere.

      Same is true of Java. Lots of things are still Java. Few people will reject software at the installer stage just because it asks to install Java, and once it is installed, new Java programs don't give you any hint about it.

      Flash isn't trendy, but I don't think usage as a serious tool has gone down; casual and malwa

      • by Tablizer ( 95088 )

        I suspect the poster meant client-side variations of VB. MS wanted VB-script in browsers to compete with client-side JavaScript.

        The plan failed and VB-script is mostly dead on the client-side, but indeed is still common server-side, in desktop apps (as VBA), and for OS scripting.

    • by allo ( 1728082 )

      JS will be tossed at the day, that the government closes facebook.

  • I had no idea the advertisers were so willing to so accurately describe their efforts. It's such a delightful misread that I'm starting to wonder if they were created with intent.

  • I don't believe the absurdity of this article, and this research paper! It's claims read as if contrived and there are no references to support them. Moreover GeoEdge then offers their own product as a solution to these claims.

    Truth is you are not safe from malicious advertising regardless the vector, flash, Javascript or plain text email.

  • Time for an ad-intrusion rating system, somewhat like movie ratings. A site and/or ads that want to be rated would pay to be audited and rated. Browsers would have to option of skipping sites with poor ratings and/or shutting off images, JS, etc.

    Because sites would risk losing traffic if they have poorly-rated ads, they'd have an incentive to pay for being rated and monitored.

    It would probably take a mutual agreement among at least a few big tech companies to get enough momentum to take hold.

  • use an ad-blocker.

  • by Dagmar d'Surreal ( 5939 ) on Friday June 24, 2016 @12:23PM (#52382895) Journal

    This article is pure, unadulterated bullshit. Probably the only truly honest thing in there is their admission that they have services available. It is not a "study" in any reputable sense of the word, and Softpedia is basically lying to you by calling it that. Softpedia is also very blatantly conflating vulnerabilities with mere attack vectors.

    Let me highlight for you the most glaring example of "using a lot of words to lie" that are in the "study" they're linking to... Starting right in the middle of page two they try to compare and contrast a malvertising attack that uses flash as a vector and one that uses HTML5. Unfortunately for them, their HTML5 example is not only fairly nebulous but they cite a redirection to the Angler Exploit kit as if this really meant anything more than an attempt at compromise. One might then ask... what mechanisms does the Angler Exploit Kit use to compromise the system running the browser? Well... That's primarily exploiting vulnerabilities in Flash. This sort of logical shortcoming means one of two things... Either the author is too ignorant to speak authoritatively on the matter or they're just lying. Take your pick.

  • Flash ads were not replaced by HTML5 ads because of security concerns ...

If you didn't have to work so hard, you'd have more time to be depressed.

Working...