
Websites using SSAI (server side ad injection) - ressetera
https://github.com/uBlockOrigin/uAssets/issues/1905
======
doctorpangloss
Before anyone thinks this is a Eureka anti-ad-blocking technology: Clearly you
still need client-side javascript, distributed by the mediator, to ensure that
the impression is actually delivered and the click is actually registered.

Otherwise, obviously, the server could just maliciously record
impressions/clicks.

Then, logically, if uBlock Origin doesn't remove the ad, but does successfully
remove the mediator's script, the server can never book the impression. So why
waste precious bandwidth (actually INCREASING the cost of ad delivery for the
publisher) delivering an ad you can never be paid for? Boggles the mind.

Embedding the ad into the video is more akin to a native ad, which is
generally understood by the advertiser to not have measurable conversion and
to be strictly context (as opposed to user) targeted.

We are going full circle--that is, back to the beginning--of ad technology.

~~~
zeta0134
> Before anyone thinks this is a Eureka anti-ad-blocking technology: Clearly
> you still need client-side javascript, distributed by the mediator, to
> ensure that the impression is actually delivered and the click is actually
> registered.

I don't suppose I understand why clientside JavaScript is needed here. The
serverside code could simply generate a unique hash for every visitor, and
include that in the campaign link. Then, server-side code on the receiving end
can read this hash, record a unique hit, and monitor the user on the campaign
landing page to see if a lead is generated.

This seems obvious to me, but I don't actually work in advertising. Where is
the break in this system? What am I missing that allows this to be exploited,
in a way that only clientside JavaScript can fix?

EDIT: In context, I've realized that my proposed solution might work for
clicks, but would do nothing for tracking impressions. Hrm. I'm not really
sure if that problem is solvable. Then again, I'm also not a fan of impression
based ad tracking (it feels creepy) so maybe I don't mind if it remains
broken.

~~~
ryan-c
Threat models:

* The ad server outright telling lies to get paid for nothing.

* The ad server not being trusted to validate that views are legitimate.

Client-side JavaScript can probe the DOM and execution environment for
abnormalities indicative of automation.

~~~
_-___________-_
But why can't a malicious server also serve up some JS that modifies the
behaviour of the JS served by the ad network?

~~~
geocar
You don't need a malicious server.

You can use Google to do this and you'll get a google/branded domain name for
your object-hijacking javascript. The number of times I've seen something like
document.visibilityState='visible' in peoples ads (or ad wrappers) is
astounding.

~~~
Freak_NL
Isn't document.visibilityState a read-only property?

[https://developer.mozilla.org/en-
US/docs/Web/API/Document/vi...](https://developer.mozilla.org/en-
US/docs/Web/API/Document/visibilityState)

~~~
geocar
No.

It is not.

    
    
        Object.defineProperty(document, 'visibilityState', { value: "visible", writable: false })
    

demonstrates trivially that the documentation is clearly wrong.

Maybe it says it's "read-only" because Google _wants_ bad guys to do this sort
of thing, since it makes advertisers buy more ads from them.

Or maybe it's an honest mistake that neither Mozilla, nor Google (nor
Microsoft or anyone else it seems) has any idea what "read-only" means.

------
fixermark
I get the distinct impression, in the war of ads vs. consumer, that some
people will not be satisfied until they've submarined advertising all the way
down to sponsored content and we have to go way out of our way to notice that
the Try Guys are always drinking Coca-Cola or something.

~~~
manigandham
There will always be those fringe people who insist on content being valueless
even though they consume hours of it.

The greater problem is that the ad industry is too unregulated and greedy
which has led to a tragedy of the commons with malware and poor UX everywhere,
leading to adblockers installed by many who otherwise wouldn't mind.

~~~
KozmoNau7
If someone puts content out there for free, it is by definition freely
available, and I decide 100% which content I want my browser to accept and
show, and which content to ignore.

If you want to make sure you get paid for your content, put it behind a
paywall. Yes, the number of users will drop, but you can't have your cake and
eat it, too.

Otherwise, ask nicely for donations or Patreon support or do old-fashioned
sponsored content, obviously with full disclaimers that the content is
sponsored, so people can decide whether they want to watch it or not.

Specifically talking about video ads, look at what Glenn Fricker from Spectre
Media Group does on his Youtube channel. He often gets demonitized because he
tends to swear a lot. So he asks people to "spend a buck, give a fuck" on
Patreon, and he does short sponsor midway interludes in his videos. It's
always a short clip of himself talking about the product or service in
question, and it's always something he uses himself, he won't advertise
something he can't vouch for. So you don't get the jarring cuts to some random
ad agency's standard BS video that runs on thousands of un-related videos.

That's how to do it. Part of and related to the channel's content, but also
clearly demarcated and made fully clear that it is sponsorship/advertising.
And most importantly: No tracking!

~~~
portroyal
> I decide 100% which content I want my browser to accept and show, and which
> content to ignore.

Devil's Advocate says the people who make your browser reduce 100% to maybe
60%. Browser extensions are the 10%.

~~~
KozmoNau7
Depends on which browser and which add-on loadout you use.

On Firefox, with appropriate small changes and with uBlock Origin, uMatrix and
a few other add-ons, you bet I can adequately control the data accepted by my
browser.

If you use Chrome, well that's another situation. Don't use Chrome.

------
dest
The ML algo of Adblock Radio could be used to bypass those video ads. The case
of radio ads is a typical example of server-side ad injection.

[https://www.adblockradio.com](https://www.adblockradio.com)
[https://github.com/adblockradio/adblockradio](https://github.com/adblockradio/adblockradio)

(Disclaimer: I built this)

------
tobyhinloopen
In the end, websites will just be server-side generated images. :D

~~~
h43z
And then Adblockers will convert it back to html and strip ads from it.

~~~
tobyhinloopen
Please let me know how to convert images to HTML & how adblockers know what
part of it is an ad.

That cannot be done reliably without machine learning.

~~~
h43z
Then they will use ML.

------
diafygi
For everyone saying this ruins impression tracking, couldn't an ad-network
just act as a "CDN" (e.g. client <\-- Ad-CDN <\-- server). They'd basically
man-in-the-middle the server response and inject the ads into wherever in the
html the server put the ad-tags. To the client, it would still be SSAI, but
the Ad-CDN could still record impressions.

Not that any server owner should do this (giving over control of your website
ultimately to the ad-network? fuck that), but as ad-tech becomes more
desperate, shouldn't these types of MITM setups get pushed more?

~~~
teddyh
An “Ad-CDN” is exactly what AMP is.

------
bratao
This has been talked about as an obvious evolution for the Ads Network for
quite a while. Do anyone with knowledge in this area , know why is taking so
long for Adsense/ Criteo come up with a solution like this?

~~~
foepys
The ad network needs to trust the website to not only deliver the ads reliably
but also to report back correct data (impressions, clicks, etc). We are
talking about quite a lot of money here.

------
RandomInteger4
Slightly tangential, but does anyone have a good crash course intro guide to
ad ops?

~~~
tacon
[https://wordpress.tv/2017/10/15/james-strang-introduction-
to...](https://wordpress.tv/2017/10/15/james-strang-introduction-to-ad-ops/)

