Chrome tackles Abusive Ads

Security Now


Chrome, fortunately, will be getting tough on abusive ads. In a posting on GitHub, Google's engineer John Delaney has spelled out the Chromium project's intentions regarding abusive ads. So, first of all, modern web pages are a jungle of stuff. So how does Chromium, the Chromium engine, determine for itself what's an ad and what isn't? It comes down to something known as ad tagging. Chromium is able to detect some ads and the resources they load in the browser. This enables the browser to measure the size, the performance and the count of ads displayed to its users. It also allows the browser to intervene on the user's behalf when ads run counter to what they decide is the user's interest, for example, using a crazy amount of resources, engaging in some abusive behavior, or whatever. So that ad detection infrastructure they call ad tagging, and it's not very inspired. It works by matching resource requests against a filter list to determine if they're ad requests. And in there, in a sample that they've got of some code, they show them, you know, like importing the EasyList, which of course is a well-known list that's being maintained by a community, of known domain names that are providing ads. So they said any requests matching the filter are tagged as ads. Further requests and some DOM elements, such as iframes, made on behalf of previously tagged scripts are also tagged as ads by the ad tracker. So it's not just images that match the filter. If scripts were coming from a known ad source, then the things that are essentially descendants of those scripts would also be tagged as ads, which certainly you'd want to have happen. They said an iframe will be marked as an ad iframe if its URL matches the filter list, if tagged script is involved in the creation of the iframe, or if its parent frame is an ad iframe. So, you know, you can't sneak out of it by creating a frame within a frame and saying, look, I'm not the original one.
The main frame on a page will never be tagged as an ad. Good. And then they said any request made within an ad iframe is considered an ad resource request. So drilling down on this one level, we learn that this subresource filter loads the filter list and then performs this URL matching of any requests against that list. It's distributed, that is, the filter list is distributed, via the component update, which is just part of the Chrome installation. So it's being kept current constantly, and the same list and component is also used for blocking ads on abusive sites and those that violate the Better Ads Standard. They explained that each subresource request in the render process is processed by the subresource filter before the request is sent from the browser out. So it's not that it blocks things coming back. It never makes the request in the first place. It just, you know, denies it from the page making the request. Okay, so you get ads identified as such. How are they treated differently? This is where John explains what they call the heavy ad intervention. A small fraction of ads on the web use, and John likes the word egregious, we'll see this a couple of times, an egregious amount of system resources. He says these poorly performing ads, whether intentional or not, harm the user's browsing experience by making pages slow, draining the device's battery, and consuming mobile data, he says, for those without unlimited plans. And then he says, in these egregious cases, the browser can upload the offending ads to protect the individual's device. I'm sorry, the browser can unload, the browser can unload the offending ads to protect the individual's device resources. He says this is a strong intervention that's meant to safeguard the user's resources with low risk, because unloading an ad is unlikely to result in loss of functionality of the page's main content.
Examples of observed ad behavior that are intended to be discouraged are, no surprise, ads that mine cryptocurrency. Ads that load large, poorly compressed images. So just sloppy ads. Ads that load large video files before a user gesture. Or ads that perform expensive operations in JavaScript, such as decoding video files or CPU timing attacks. Yeah, we don't want those. So Google notes that it is not their intention to discourage any specific ad creative formats, such as display video ads. So they're trying to be as agnostic as possible. So the user agent, the browser, will unload ads that use, and he says again, an egregious amount of network bandwidth or CPU usage. We define egregious as using more of a resource than ninety-nine point nine percent of ads as measured by the browser. That's, well, you know, so that sets a very high bar, says he. And he says only ads that have not been interacted with by the user will be unloaded. And here's what's interesting, and this is some tech we've never talked about before that's therefore worth mentioning. All unloaded frames will be notified via an intervention report that the intervention occurred. This feedback is necessary to help advertisers or their ad technology vendors to identify and fix ads that are triggering this intervention. So first of all, just a little bit, a little last word on the classification of ads. He says that's left to the discretion of the user agent. For example, Chrome detects ads using what we talked about, the ad tagging feature. An advertisement is considered heavy if it has not been clicked on by the user and meets any of the following criteria. It uses the main thread for more than sixty seconds total. Or used the main thread for more than fifteen seconds in any thirty-second window. So they said, in parens, fifty percent utilization over thirty seconds. Or used more than four megabytes of network bandwidth to load resources.
So if any of those thresholds get crossed, the new Chrome technology will say, nope, and just boot the ad. It's, you know, sorry, you're a bad. And he said that the thresholds above were inspired by the IAB's LEAN standard, that's in caps, but were chosen by looking at Chrome's metrics at the ninety-nine point ninth percentile of network and CPU usage in ads. So again, most ads are not gonna cross that line, but those that do, and there are some, bye-bye.
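
The three heavy-ad criteria described above, written out as an added JavaScript example (not part of the episode and not Chromium's code). The function names, the `{start, duration}` task records and the sample frames are assumptions made for illustration, and "four megabytes" is read here as 4 MiB.

```javascript
// Thresholds as stated in the episode; "4 megabytes" is read as 4 MiB (assumption).
const MAX_TOTAL_CPU_MS = 60000;
const MAX_WINDOW_CPU_MS = 15000;
const WINDOW_MS = 30000;
const MAX_NETWORK_BYTES = 4 * 1024 * 1024;

// Main-thread time that falls inside [winStart, winStart + WINDOW_MS).
function busyInWindow(tasks, winStart) {
  const winEnd = winStart + WINDOW_MS;
  return tasks.reduce((sum, t) => {
    const overlap = Math.min(t.start + t.duration, winEnd) - Math.max(t.start, winStart);
    return sum + Math.max(0, overlap);
  }, 0);
}

// Peak usage over any 30 s window. For non-overlapping tasks the peak is reached
// with the window starting at a task start or ending at a task end, so only
// those positions are tried.
function peakWindowCpu(tasks) {
  const starts = tasks.flatMap(t => [t.start, t.start + t.duration - WINDOW_MS]);
  return starts.reduce((peak, s) => Math.max(peak, busyInWindow(tasks, s)), 0);
}

// Returns the criteria an ad frame trips; an empty list means it is left alone.
function heavyAdReasons(frame) {
  if (frame.userInteracted) return []; // ads the user clicked are never unloaded
  const reasons = [];
  const totalCpu = frame.tasks.reduce((s, t) => s + t.duration, 0);
  if (totalCpu > MAX_TOTAL_CPU_MS) reasons.push("cpu-total");
  if (peakWindowCpu(frame.tasks) > MAX_WINDOW_CPU_MS) reasons.push("cpu-peak");
  if (frame.networkBytes > MAX_NETWORK_BYTES) reasons.push("network");
  return reasons;
}

// Constructed sample frames (times in ms since the frame loaded).
const miner = { userInteracted: false, networkBytes: 200000,
  tasks: [{ start: 0, duration: 9000 }, { start: 12000, duration: 8000 }] };
const bigVideo = { userInteracted: false, networkBytes: 6500000,
  tasks: [{ start: 0, duration: 400 }] };
const clicked = { ...miner, userInteracted: true };
const banner = { userInteracted: false, networkBytes: 150000,
  tasks: [{ start: 0, duration: 300 }, { start: 40000, duration: 300 }] };

for (const [name, f] of Object.entries({ miner, bigVideo, clicked, banner })) {
  console.log(name, heavyAdReasons(f));
}
```

The `miner` frame stays far below sixty seconds in total but packs seventeen seconds of work into one thirty-second window, which is the case the second threshold exists to catch.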
