If you were to read Google’s recent announcement that they are moving towards universal HTTPS encryption for all ads, you’d likely come away with the idea that they’re being proactive about protecting users and websites that display ads.
However, the reality is that Google has had several problems with ads, some of which they admitted to, and some of which they fixed only after pitchforks and torches were brought out. In fact, just a few days ago, the Malwarebytes blog talked about how ads from AdSense that could infect people with ransomware[1] showed up on major sites like huffingtonpost.com.
As the image from Malwarebytes shows, the ad looked legitimate, but when people clicked on it, it redirected them to another site with an exploit kit. The hackers were exploiting a vulnerability in older versions of Flash, so people with up-to-date software were not affected.
Ars Technica points out that just a few days later, another Flash-based exploit was being used in another legitimate-looking ad, which was displayed through Merchenta. Although it’s unclear if those ads were displayed through the DoubleClick network, Merchenta does have ties to and works directly with Google.
Horse: running through the field; barn door: firmly shut
After ad issues that cropped up within days of each other, Google coincidentally announced that they are huge proponents of HTTPS Everywhere and will be making ads more secure.
By June 30, 2015, the vast majority of mobile, video, and desktop display ads served to the Google Display Network, AdMob and DoubleClick publishers will be encrypted.
Google also points out that many of their services are already running on this standard, including search, Gmail, YouTube and YouTube ads.
[1] Pretty much exactly what it sounds like. If you’re infected, the only way to gain access to your Internet or files is to pay the hackers and get a code that unlocks whatever they’ve done.