
experts find that HTML5 ads aren't safer than FLASH ones

zMeul

source: http://www.geoedge.com/downloads/documents/Security_Aspects_of_HTML5_in_Video_Ads.pdf?ge_campaign=html5_video

http://news.softpedia.com/news/html5-ads-aren-t-that-safe-compared-to-flash-study-reveals-505597.shtml

 

Quote

A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused of being the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves.

 

According to the GeoEdge study, attacks using malicious ads, known as malvertising, do not necessarily rely on the underlying ad, but more on the insecure standards used to build the advertising network's infrastructure, regardless of whether they deliver static or video ads.

The company argues that, for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser.

No matter if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there, so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users.

 

A malicious ad creator can use their ability to send third-party JavaScript to the ad via AdParameter values. Instead of user tracking code or ad delivery instructions, they can very easily deliver malicious code instead. At no point does it matter to them if the ad was created in Flash or HTML5.

Of course, there's a discussion on whether HTML5 is actually an improvement over Flash. While Flash has better image quality rendering, HTML5 ads are usually larger in size. While Flash ads require a plugin to work, HTML5 ads don't work in older browsers. While Flash ads can be easily optimized, HTML5 ads are easier to create and work on mobile devices by default. In terms of security, HTML5 is the clear-cut winner, but currently, Flash ads are still a solid alternative.

 


 

---

 

well then .. color me surprised; we are so used to bashing Flash that we ignore the elephant in the room :|

 

---

 

JavaScript was designed by Brendan Eich and made its first appearance in 1995 in the Netscape Navigator web browser

JavaScript, not to be confused with Java, is an interpreted language used alongside HTML and CSS as one of the core technologies for WWW content production

In 1996, MS reverse engineered Netscape's JavaScript into JScript and implemented it in Internet Explorer 3

Also in 1996, Netscape submitted JavaScript to ECMA (European Computer Manufacturers Association) for standardization, which followed in 1997

---
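An added check to make the quoted study's point concrete; this is not code from GeoEdge's paper or from anyone in this thread. It reads a VAST ad response and flags the two injection points the quote names: VPAID MediaFile entries (which are executable JavaScript by design) and AdParameters values that carry script or URLs to hosts the publisher does not trust. The allowlisted host, both sample VAST documents and every hostname in them are constructed for the example; the element and attribute names follow the VAST spec. Whether the creative itself is Flash or HTML5 never enters into the check, which is exactly the study's argument.

```javascript
// Added example, not from the GeoEdge paper or from any post in this thread:
// a minimal scanner for a VAST ad response that checks the two places the
// quoted study points at, VPAID <MediaFile> entries (JavaScript by design)
// and <AdParameters> values (where third-party script rides along).
// Assumption not on the page: the publisher keeps an allowlist of trusted
// ad-server hosts. Every hostname below is made up for the example.
const TRUSTED_HOSTS = new Set(['cdn.ads.example']);

// Constructed sample 1: a VPAID creative from an unknown host, plus AdParameters
// that smuggle a <script> tag pointing at a third party.
const SAMPLE_VAST_MALICIOUS = `<?xml version="1.0" encoding="UTF-8"?>
<VAST version="3.0">
  <Ad id="demo-1">
    <InLine>
      <Creatives>
        <Creative>
          <Linear>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
                <![CDATA[https://cdn.ads.example/creative/demo.mp4]]>
              </MediaFile>
              <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID" width="640" height="360">
                <![CDATA[https://vpaid.third-party.example/player.js]]>
              </MediaFile>
            </MediaFiles>
            <AdParameters>
              <![CDATA[{"clickUrl":"https://cdn.ads.example/click","tracker":"<script src='https://evil.example/fp.js'></script>"}]]>
            </AdParameters>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>`;

// Constructed sample 2: a plain MP4 creative with benign parameters.
const SAMPLE_VAST_CLEAN = `<VAST version="3.0"><Ad id="demo-2"><InLine><Creatives><Creative><Linear>
  <MediaFiles><MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
    <![CDATA[https://cdn.ads.example/creative/clean.mp4]]></MediaFile></MediaFiles>
  <AdParameters><![CDATA[{"clickUrl":"https://cdn.ads.example/click"}]]></AdParameters>
</Linear></Creative></Creatives></InLine></Ad></VAST>`;

// Every <tagName ...>body</tagName> as {attrs, body}, CDATA wrapper stripped.
// A regex is enough for this flat structure; production code should use a real XML parser.
function extractElements(xml, tagName) {
  const elementRe = new RegExp(`<${tagName}\\b([^>]*)>([\\s\\S]*?)</${tagName}>`, 'g');
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  const found = [];
  let m;
  while ((m = elementRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    const body = m[2].replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, '$1').trim();
    found.push({ attrs, body });
  }
  return found;
}

// Hostname of a URL, or null when the value is not a URL at all.
function hostOf(value) {
  try { return new URL(value).hostname.toLowerCase(); } catch (e) { return null; }
}

// Markers that mean "code", not "parameters", inside AdParameters; and a URL matcher.
const SCRIPT_MARKERS = [/<script\b/i, /javascript:/i, /\beval\s*\(/i, /document\.write/i, /\bFunction\s*\(/];
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Scan one VAST document. Each finding names the element, the reason and the
// offending value, so ad ops can decide whether to block the creative.
function scanVast(xml, trustedHosts) {
  const findings = [];
  for (const mf of extractElements(xml, 'MediaFile')) {
    const isVpaid = (mf.attrs.apiFramework || '').toUpperCase() === 'VPAID';
    const host = hostOf(mf.body);
    if (isVpaid && !trustedHosts.has(host)) {
      findings.push({ where: 'MediaFile', reason: 'VPAID creative (runs as JavaScript) from untrusted host', value: host });
    }
  }
  for (const ap of extractElements(xml, 'AdParameters')) {
    const marker = SCRIPT_MARKERS.find((re) => re.test(ap.body));
    if (marker) {
      findings.push({ where: 'AdParameters', reason: `script marker ${marker.source}`, value: ap.body.slice(0, 80) });
    }
    for (const url of ap.body.match(URL_RE) || []) {
      const host = hostOf(url);
      if (host && !trustedHosts.has(host)) {
        findings.push({ where: 'AdParameters', reason: 'URL to untrusted host', value: host });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(scanVast(SAMPLE_VAST_MALICIOUS, TRUSTED_HOSTS), null, 2));
```

Run it with node and it prints three findings for the malicious sample (the VPAID file from an unknown host, the script tag in AdParameters, and the third-party URL inside it) and none for the clean one. The place to run such a check is on the ad server's VAST response before the player ever loads it; a VPAID MediaFile from a host you did not vet is the "third-party JavaScript" case the quote is talking about, and it looks the same whether the slot renders Flash or HTML5.

---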

inb4 people trying to justify their adblock usage.. Just stop it, nobody cares. Use it or don't, don't brag about either.

 

Anyways, I am not surprised. The main reason I want Flash to go away is because I just don't want the software installed anymore, as well as making everything compatible on all platforms. Flash is just kind of an annoying standard.

---

well, I still prefer HTML5 over Flash, but this is honestly not surprising to me; good info nevertheless :)

---

There's only one way to fix this.  We must block all ads and inform all companies to create monthly subscriptions starting as low as $2.

---

Yup, it was inevitable. While HTML5 might be inherently more secure, it's not like it's invulnerable. We've moved the vulnerability from a plugin to the browser itself and the HTML5 implementation I guess. 

 

I'm guessing (haven't really read up on it) HTML5 is open source and it's now up to those who maintain the standard and browser developers to make sure to patch things in the browser instead of relying on Adobe to patch their clusterfuck of a piece of software.

---

49 minutes ago, Prysin said:

And Javascript is mostly blocked or restricted by all browsers by default these days so the issue is?

JavaScript is used almost everywhere: Facebook, YouTube, everywhere, even the LTT forum.

If you use chrome, press F12 and look how many times you see the word "javascript".

It's a lot btw. And not blocked at all.

---

The big difference between flash ads and HTML5 ads though is that, while both can result in malicious adverts being served, a malicious HTML5 advert is limited by the browser sandbox, and can only do anything damaging to your computer if it finds a vulnerability in the browser that you're using (which has happened in the past, but isn't at all common), while a flash ad is not sandboxed by the browser, and relies instead on flash's notoriously ineffective sandboxing.

55 minutes ago, Prysin said:

And Javascript is mostly blocked or restricted by all browsers by default these days so the issue is?

No, java is mostly blocked, and java is a very different thing to javascript. Without javascript, most websites will provide a degraded experience at best, and some more modern websites won't work at all. For example, while you can use this site without JS, things like the editor are significantly nerfed without it.

---

so it's not HTML5's fault either; you made it sound like that in the title

---

18 minutes ago, deviant88 said:

you made it sound like that in the title

that's not what the title says

---

To add to the last statement in the quote, HTML5 videos also use fewer resources than Flash ones.

Also, why isn't everyone just using a script blocker like NoScript or uMatrix already? The latter can be used with default settings on most sites without problems, as it only blocks third-party scripts.

---

2 hours ago, SurvivorNVL said:

There's only one way to fix this.  We must block all ads and inform all companies to create monthly subscriptions starting as low as $2.

Do you only go to 10 websites or something? And would you immediately pay 2 USD when you visit a site for the first time? I know this is not a 100% serious post, but I like taking stuff (too) serious.

---

2 minutes ago, Minibois said:

Do you only go to 10 websites or something? And would you immediately pay 2 USD when you visit a site for the first time? I know this is not a 100% serious post, but I like taking stuff (too) serious.

I go to hundreds of websites, though I keep to a primary 30 or so.  I'd be willing to pay.  I'd have to imagine a lot of websites could work together for bundle deals, more bang for your buck.  Some websites likely have a loyal follower base, and people will pay anything.  With that thought in mind - tumblr and Reddit + subscriptions = incredibly, insanely rich over night.

I honestly, in order to be rid of all ads, and have cleaner, safer sites - would pay subscription fees.  I'd say a site would probably have to do an IP check and give people a 30 day trial if you're visiting for the first time.  Maybe have 3 month special deals like Spotify, 99 cents and all.

Alternatively every site could have a Patreon and advertise that primarily on their main page.

---

27 minutes ago, SurvivorNVL said:

I go to hundreds of websites, though I keep to a primary 30 or so.  I'd be willing to pay.  I'd have to imagine a lot of websites could work together for bundle deals, more bang for your buck.  Some websites likely have a loyal follower base, and people will pay anything.  With that thought in mind - tumblr and Reddit + subscriptions = incredibly, insanely rich over night.

I honestly, in order to be rid of all ads, and have cleaner, safer sites - would pay subscription fees.  I'd say a site would probably have to do an IP check and give people a 30 day trial if you're visiting for the first time.  Maybe have 3 month special deals like Spotify, 99 cents and all.

Alternatively every site could have a Patreon and advertise that primarily on their main page.

Your plan:

Internet = rekt. 

 

Good luck, poor people! (quick guesstimate that at least 70% of the world's population can't afford that) 

---

Seriously, fuck ads...

 

 

---

HTML5 can be patched quicker, though, as it doesn't require any kind of software patch to a browser (although it does help if browsers get updated anyway) in order to fix security vulnerabilities.

---

Reminds me of the Microsoft vs Apple virus vulnerability debate. Not until Apple became popular did it get attacked, and boy, was it bad when it happened.

:|

 

But I do strongly agree about blocking those ads, though. Either way it is trouble just waiting in the shadow...

---

who would ever have thought...

maybe the security experts could offer a bill to shut down ad networks?

---

HTML5 is still superior to Flash performance-wise: no need to install software, sandboxing via the browser, platform support. Also, it's different altogether.

---

5 hours ago, SurvivorNVL said:

There's only one way to fix this.  We must block all ads and inform all companies to create monthly subscriptions starting as low as $2.

Sure, let all the people that can't afford $2/site (for me that would end up being hundreds/month) not have access to the internet

---

Make sure my Avast and Malwarebytes are ready for battle... LOL!

---

What a bunch of nonsense. The problem with Flash is that it is full of security holes which allow for things like privilege escalation and other dangerous things. The article seems to talk about malicious JavaScript injection, which is certainly a bad thing, but that is not the same as the huge amount of Flash exploits that have given it a bad rep.

Flash security holes and malicious JS are two separate issues. The former can be fixed by removing Flash. The latter is a problem we still have and is inherent to ads (as well as websites in general).

 

 

Think of it this way. We had two separate issues which combined caused 100 different exploits to be possible. By removing Flash we removed 60 of those exploits. We are now left with 40, and those are the 40 this article seems to talk about. Sure we still have problems, but there is far less of them.

 

On top of that, it is up to the developers of the browsers to patch any potential security hole related to JS. So if an exploit is discovered in Chrome which allows for arbitrary code execution through JS, it is up to Google to fix it (and the same exploit would probably not work in Firefox). With Flash, if one exploit is discovered then it works in all browsers and it is up to Adobe to fix it.

 

 

All the points here are somewhat or completely false as well:

Quote

Of course, there's a discussion on whether HTML5 is actually an improvement over Flash. While Flash has better image quality rendering, HTML5 ads are usually larger in size. While Flash ads require a plugin to work, HTML5 ads don't work in older browsers. While Flash ads can be easily optimized, HTML5 ads are easier to create and work on mobile devices by default. In terms of security, HTML5 is the clear-cut winner, but currently, Flash ads are still a solid alternative.

Flash does not offer better image quality. What image quality you get depends entirely on the codecs used. A JPEG rendered in Flash should not look any different than a JPEG rendered by the browser's JPEG renderer, unless there is some post-processing going on. Same with videos. In a lot of cases you can even use the exact same video file over HTML5 and Flash.

 

What do they mean HTML5 ads are usually larger? For both HTML5 and Flash ads like 99% of the size is the image or video, which like I said before are often the exact same file.

 

HTML5 is not exactly a new thing. Compatibility is not exactly an issue. Hell, even Internet Explorer 8 has some support for HTML5 (although it is really limited). This can also be circumvented by using things like HTML5 Shiv.

 

HTML5 ads being easier to create is a very subjective thing.

 

How can the conclusion of the article be that HTML5 is the clear winner in terms of security, when the text just above it tries to say that both are as vulnerable?
