HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com) 108
An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
Re: (Score:3)
Its possible to block js based ads as well, and blocking works really well, just look at the ad blocking extensions.
No, the actual reason for js was that it allows the advertisers to run their own analytics on the users. They can find out what site they browse, etc.
Re: (Score:1)
Eh, no biggie, just block javascript and flash... and HTML
Re: (Score:1)
Re: (Score:3)
Are you shitting us? The advertisers would have never stick to gif and animated gif for their ads campaign. They want to know about you and everybody. The more they know, the higher they can charge for an advertisement campaign to their customers. They would have used any eye candy possible to get people's attention. So, that is completely false to say they would have stick to animated gif. They are basically blood suckers with a budget.
These f... morons should be threaten without pitty until they disciplin
Re: (Score:2)
nope. The malicious adserver standards came before anti-adblock techniques, just because it's possible.
Re: (Score:3)
If something is moving on the page, it prevents me from reading. Why can't we just do static PNGs and JPEGs?
Re: (Score:2)
yeah...yeah.. flash was safe... (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3)
Assuming that you're referring to replacement of SWF wtih HTML5:
you replaced one format that [...] Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives
Initially, Adobe's SWF spec was licensed under terms that specifically forbade its use to create third-party players. Adobe didn't drop that provision until the Open Screen Project in the second quarter of 2008.
[Flash does] Not only did video but animation and gaming.
HTML5 also does gaming. See Cookie Clicker [dashnet.org] and Pirates Love Daisies [pirateslovedaisies.com], for example.
[HTML5 video] Had mandatory DRM baked in
It's not mandatory. A web browser publisher can just choose not to support Netflix and Amazon video.
[HTML5 video] Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS
Where does the HTML5 spec require use of MPEG-4 codecs?
Correction (Score:1)
...VAST and VAPID are the rules of the game....
There, FTFY.
HTML is still better than Flash (Score:4, Insightful)
Re: (Score:3, Informative)
But I can just not install flash. What's the best way to get rid of html5 video?
Re: HTML is still better than Flash (Score:5, Informative)
You could build the browser without video support. Actually trivial to do on Gentoo...
Gentoo. Not just for ricers.
Re: (Score:2)
But I can just not install flash. What's the best way to get rid of html5 video?
A reasonable approach is an ad-blocker to outright block the most obvious and egregious crap, and enabling Click to Play on the rest.
In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos. Some sites (including YouTube) act a little wonky and require two or three clicks (the first is interpreted as "Pause" since it assumes the video is already playing). Even with this I've found it to be a lot nicer with fewer auto-play videos, especially on news websites which seem
Re: (Score:2)
> In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos.
I use Pale Moon, a Firefox fork. I find that I need to set 2 values
media.autoplay.allowscripted false
media.autoplay.enabled false
The first one stops scripted HTML5 videos. This allows me to run with Javascript on, but still no HTML5 autoplaying ads.
> Some sites (including YouTube) act a little wonky and require two or three clicks
> (the first is interpreted as "Pause" since it assumes the video is alrea
Re: (Score:2)
disable media autoplay in about:config.
Re: (Score:2)
Not to memtion, if there's bad javascript from a domain, block it! Your web browser doesn't HAVE to run every piece of javascript out there - NoScript and the like prove that.
So the ad networks javascript is never run, period. Even better, it can be substituted/
Flash ads? They run any damn thing from anywhere, bypassing any restrictions your browser may impose. That's why the only good option is to block the entire thing.
Eventually, they'll learn to not use javascript for ads, and to serve it up directly. S
Re: (Score:1)
With flash the attack surface was the html renderer ,the javascript VM with limited features needed to run most sites and flash. The last could be disabled without issue.
With html 5 the attack surface is the html renderer , the javascript VM and every API added to it in order to replace flash. The last cannot be disabled without breaking most websites.
So at least for me the attack surface grew enormously.
Re: (Score:2, Insightful)
Except that all the added features of HTML5 have expanded the attack surface of the browser. HTML5 is essentially just Flash that's harder to block, which you cannot uninstall, and which can run its JavaScript within the same context as the rest of the page. I see no progress.
Re: (Score:2)
And that is why I still prefer to use Flash for its videos so I can block them. How are we supposed to block HTML5 videos like plugin blockers? :(
Ad blockers (Score:3, Informative)
Use them. There is literally no reason not to.
Time and again we have seen that ads are used to inject malware.
Why even take the risk?
I'd rather fuck a stranger without a condom than browse without noscript and adblock.
Good luck "not visiting" Goatse/Rickroll (Score:2)
The Goatse and Rickroll fads relied on social engineering a user to visit an unintended site. If "not visiting the site(s)" were practical for a non-technical user to accomplish, then those fads would never have happened.
Re: (Score:1)
what about noscript? https://noscript.net/ [noscript.net]
umatrix? https://github.com/gorhill/uMa... [github.com]
It's never been about the specific tech (Score:5, Insightful)
Nobody with a brain thought HTML5 was 'more secure' than Flash in of itself.
Re: (Score:1)
Going to get modded down but regarding HTML5 they did and do. Flash is the boogieman everyone can hate, underneath though they have been using other methods for a while though. Ads in fonts, embedded metrics in URLs, etc.
Google randomly uses DNS as their backend by making encoding data in hostnames. They dont' have to resolve to anything the fact that you tried is enough and they are under google.com not googlesyndication. We have a name for it - command and control. It isn't new nor did Google create
Re: (Score:1)
Sure, but Google Chrome allows you to disable Javascript and force click-to-play for flash.
Last I checked, there is no such thing as "click to play" for HTML5 in Google Chrome.
http://arstechnica.com/informa... [arstechnica.com]
I would say it's an oversight, except Google is an advertising company.
Who assumes any advertisement is "safe" (Score:1)
Who among us in the inter-webs or you-tubes (yeah.. slang) ... you know who you are.. thinks that there is any vector, avenue or north-star-ip-address that the abomination called advertising/malvertising/malware/state-sponsored attacks cares about our own personal computer security? No new protocol/process/add-in or anything ratified by the IETF isn't immediately subjected to the violent will of those people/agencies/acting-countries that don't care about you but only care about the end-result being their
This is a friggen advertisment for GeoEdge (Score:2)
"The real culprit" (Score:2)
Derp. The "real" problem with Flash is its use as a vector for installing malware via buffer overflow (usually) attacks. Those are distributed via ad networks.
Javascript injection is a separate issue, and there are other Flash privacy concerns, but that's not why people are screaming from the hills that Flash must be exterminated.
Re: (Score:3)
You now have to download, trust & configure a third-party plugin to block javascript.
No, no plugin needed at all. You just need to:
1. go to about:config (read more about about:config here: http://kb.mozillazine.org/Abou... [mozillazine.org])
2. toggle the option javascript.enabled to false
And no, disabling javascript does not miraculously protect the user from almost all exploits. Some time ago, firefox has used a fonts library. Simply loading a font then could infect you. They've changed it since.
Re: (Score:2)
mod parent up.
Re: (Score:2)
Global js disable is a bad idea because all sites need js to function. Why should the user be forced to run js inside some random ad? It's Firefox's fault for not blocking javascript from third-party domains. Third-party sites are welcome to show text or image ads, but they should not be allowed to run javascript code.
Blocking 3rd party js would also solve the problem of tracking by sites like google analytics and addthis.com fingerprinting.
Re: (Score:2)
In much the same way that "all $S need $J to function", where:
$S = "Soviet diplomat"
$J = "lapel camera"
Re: (Score:2)
The point of killing flash (Score:3)
Should Javascript be next (Score:3)
So when is JavaScript going to be tossed?
It's frustrating for so many client end technologies to be tossed partly due to the security issues they brought.
In a way, I actually miss the days when most applications were written using VB or MFC style interfaces, and GUI widgets were being developed and released by the hundreds.
Re: (Score:2)
VB is still a very common language, users just don't have any way of knowing what language was used because it still gets packaged as an .exe and they don't plaster VB onto the installer anywhere.
Same is true of Java. Lots of things are still Java. Few people will reject software at the installer stage just because it asks to install Java, and once it is installed, new Java programs don't give you any hint about it.
Flash isn't trendy, but I don't think usage as a serious tool has gone down; casual and malwa
Re: (Score:1)
I suspect the poster meant client-side variations of VB. MS wanted VB-script in browsers to compete with client-side JavaScript.
The plan failed and VB-script is mostly dead on the client-side, but indeed is still common server-side, in desktop apps (as VBA), and for OS scripting.
Re: (Score:2)
JS will be tossed at the day, that the government closes facebook.
VAST & VAPID (Score:2)
I had no idea the advertisers were so willing to so accurately describe their efforts. It's such a delightful misread that I'm starting to wonder if they were created with intent.
FUD (Score:2)
I don't believe the absurdity of this article, and this research paper! It's claims read as if contrived and there are no references to support them. Moreover GeoEdge then offers their own product as a solution to these claims.
Truth is you are not safe from malicious advertising regardless the vector, flash, Javascript or plain text email.
Rating System? (Score:2)
Time for an ad-intrusion rating system, somewhat like movie ratings. A site and/or ads that want to be rated would pay to be audited and rated. Browsers would have to option of skipping sites with poor ratings and/or shutting off images, JS, etc.
Because sites would risk losing traffic if they have poorly-rated ads, they'd have an incentive to pay for being rated and monitored.
It would probably take a mutual agreement among at least a few big tech companies to get enough momentum to take hold.
practise safe web use (Score:1)
use an ad-blocker.
Nothing to see here. (Score:3)
This article is pure, unadulterated bullshit. Probably the only truly honest thing in there is their admission that they have services available. It is not a "study" in any reputable sense of the word, and Softpedia is basically lying to you by calling it that. Softpedia is also very blatantly conflating vulnerabilities with mere attack vectors.
Let me highlight for you the most glaring example of "using a lot of words to lie" that are in the "study" they're linking to... Starting right in the middle of page two they try to compare and contrast a malvertising attack that uses flash as a vector and one that uses HTML5. Unfortunately for them, their HTML5 example is not only fairly nebulous but they cite a redirection to the Angler Exploit kit as if this really meant anything more than an attempt at compromise. One might then ask... what mechanisms does the Angler Exploit Kit use to compromise the system running the browser? Well... That's primarily exploiting vulnerabilities in Flash. This sort of logical shortcoming means one of two things... Either the author is too ignorant to speak authoritatively on the matter or they're just lying. Take your pick.
May I remind all (Score:1)
Re:you brought this on yourselves (Score:5, Informative)
When people bitched and moaned about ordinary banner ads and started blocking them, advertisers started making ads more intrusive. We could still have simple animated GIF ads except that you freeloaders started blocking them to begin with. Those ads were harmless but, thanks to all of you who had to go and block those ads, we're now stuck with malware and far more intrusive advertising. Thanks a lot for ruining the internet for everyone.
B.S.
http://abcnews.go.com/Business... [go.com]
http://www.foxnews.com/story/2... [foxnews.com]
X10 Pop Under ads ring a bell ?
And what do you know the fist example of Malvertising is Flash
https://en.wikipedia.org/wiki/... [wikipedia.org]
Wouldn't be an issue if Firefox was relevant. (Score:2, Interesting)
If anyone is to blame, I think it would be Mozilla for making Firefox irrelevant by trying to imitate Chrome, even when Firefox's users said very emphatically that they didn't want that.
Firefox used to have over 30% of the market. Now the latest market share stats [caniuse.com] show that Firefox is down to maybe 7% across all versions on the desktop, with essentially no mobile presence at all.
When Firefox had 30% of the market, it was a force to be reckoned with! It held real sway over how the web developed. But then it'
Re: (Score:2)
The current Firefox UI is great and significantly better than it was prior to Chrome, though I'd rather they didn't include things like Pocket.
Firefox's market share fell because Chrome generally makes sense for people who aren't interested in technology. With automatic updating and bundling flash & pdf reader the biggest attack vectors were mitigated.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
They didn't block 'ordinary banner ads', they blocked pop-ups. Your troll-fu is weak.