
The ad business REALLY sucks

Sloppy (14984) writes | more than 5 years ago

Security 2

It's bad enough when you're actually serving the data from your own site but it's in some form where you can't audit it. That's one of the many reasons I hate Flash.

But even Javascript sucks, when you <script src="someothersite">. The moment you do that, you know that all sorts of horrible things can go wrong. You just have to have faith. Faith is what it comes down to. And it can be justified, I guess, because you can get away with it for years.

Until this morning, when our webpage would show for only a second and then the whole thing would redirect to someone else's site. Adios, visitors.

(What actually happened: the domain we were including from apparently expired, and now any HTTP request goes to a Network Solutions page instead of returning a DNS error like it should. Fuck you, Network Solutions, as if we didn't already know you're evil and dangerous. But the same risk remains even if someone's domain doesn't expire; they can always serve a different script today than they did yesterday, and that script can do anything with the DOM that it wants to. There's no way to sandbox it.)

It's "standard practices" to include external scripts. Everyone does it. The ad people aren't techies; if I were to tell them, "uh, we don't want to include any external scripts that might change from load-to-load, and we also don't want to include any Flash crap unless we've compiled it from readable, auditable source ourselves," they would think I'm crazy. You know, one of those open source fanatics. They would say, "Gee, that's a shame you don't want the money," and go on sending the same dangerous ads to our competitors while we collect nothing.

Is it really an unreasonable weirdo religious fanatic position, to just want to be able to make sure that stuff will work and not do anything crazy? I don't think so. The fucking "standard practices" need to change, but how can one person do that? *sigh* I feel so powerless.
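The failure mode described above (a host you `<script src>` from starting to serve something else, whether a changed script or a parked-domain HTML page) is something a site operator can at least detect. Below is an added example, not code from the journal or from Slashdot: it classifies what an external script host is currently serving against a pinned hash of the last audited version. The URL-less `FetchResult` objects and sample bodies are constructed so it runs offline; in practice you would feed it the result of a scheduled fetch of every external `src` your pages embed.

```python
import hashlib
from dataclasses import dataclass

# Content types a script host should be answering with.
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


@dataclass
class FetchResult:
    """Minimal stand-in for an HTTP response (constructed; no network involved)."""
    status: int
    content_type: str
    body: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_external_script(resp: FetchResult, pinned_sha256: str) -> str:
    """Classify what a third-party script host is serving right now.

    Returns one of: 'ok', 'changed', 'not-javascript', 'unavailable'.
    """
    if resp.status != 200:
        return "unavailable"
    ctype = resp.content_type.split(";")[0].strip().lower()
    body_head = resp.body.lstrip()[:64].lower()
    # An expired/parked domain typically answers with an HTML landing page;
    # the browser would still try to run it as script.
    if ctype not in JS_TYPES or body_head.startswith((b"<!doctype", b"<html")):
        return "not-javascript"
    # Same host, same URL, different bytes: the script was silently updated.
    if sha256_hex(resp.body) != pinned_sha256:
        return "changed"
    return "ok"


# Constructed samples: the last version we audited, and three things the host might serve today.
KNOWN_GOOD = b"(function(){document.write('<div id=\"ad\"></div>');})();"
PINNED = sha256_hex(KNOWN_GOOD)
SAMPLES = {
    "unchanged": FetchResult(200, "application/javascript", KNOWN_GOOD),
    "silently updated": FetchResult(200, "application/javascript", KNOWN_GOOD + b"/* new build */"),
    "parked domain": FetchResult(200, "text/html; charset=utf-8", b"<html><body>This domain is parked</body></html>"),
    "host down": FetchResult(503, "", b""),
}


def run_audit(samples=SAMPLES, pinned=PINNED):
    """Run the check over every sample and return {name: verdict}."""
    return {name: audit_external_script(r, pinned) for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_audit().items():
        print(f"{name:18s} -> {verdict}")
```

A `changed` verdict means the script needs re-auditing before it keeps being served to visitors; `not-javascript` is the exact symptom the journal describes and is worth pulling the tag immediately.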

2 comments

Be a shame (1)

tqft (619476) | more than 5 years ago | (#25393147)

if "tight@hotmail.com" bought an ad on your company site and redirected your visitors to goatse, or worse, your competitors, through a JS-enabled Flash ad.

Good point (1)

truthsearch (249536) | more than 5 years ago | (#25413955)

That's a really good point. I need to add that to the web application security [docforge.com] wiki page I put together.

Any time a client of mine wants external sources of content or JS (ads, maps, etc.) I always point out the weaknesses. But there are some serious security implications. Using Google APIs often makes people feel too comfortable and forget the risks.
