If ads were safe (i.e. text-only, no JavaScript, no video) and the publishers actually vetted the products, I wouldn't block them. I don't care that a physical NYT has ads. It's the algorithmic sale and distribution of ads that broke the model.
I work in ad technology for a publisher. We put in a lot of effort to make the tech fast, lightweight and secure for our visitors - we hate bad ads too. We screen our partners, use whitelists and monitor what JS is running on the site.
This being said - things sometimes slip through the cracks. Somebody with a browser-based 0-day will pay huge CPMs to insert their ad and own thousands of machines. We can't prevent this - if you have any ideas on how, I'd love to hear it.
You can either: 1) disable JS in ads entirely, or 2) give all users an option to pay for an ad-free site.
Since few publishers do either, I'll continue to use my adblocker and simultaneously pay the publishers I think we can't do without (e.g. ProPublica).
Can you define often? It seems quite rare actually for a malware to be distributed online without user intervention, with the recent Firefox 0-day being one of theses cases and only touched a small proportion of people.
The web is quite secure already and sure ads network is a good vector but so is Hacker News, Reddit and Facebook, which nobody cares about (have you ever not clicked on a link on any of theses platforms and looked at the URL first?).
I seriously hate that argument of security, it's just wrong.
Happened regularly about a year or two ago, certainly more often than every month, haven't seen it since, though.
> have you ever not clicked on a link on any of theses platforms and looked at the URL first?
That's not what happens.
> I seriously hate that argument of security, it's just wrong.
Maybe you should contemplate the possibility that you're wrong.
That's seems more like a browser issue, but none the less, any links on Hacker News could do the same.
I don't consider that malware to have to close an application, just like I don't consider a malware a link that rick roll me (which still force me to close a tab ;) unless I want to stay on Youtube).
> That's not what happens.
Aren't we talking about running malicious JS? Any link you click can contains malicious JS, yet you click on that link without thinking about it, but when it's an ad that may contains malicious JS, you block it altogether.
I don't understands really what you means by not what happens.
> Maybe you should contemplate the possibility that you're wrong.
I contemplate each time I'm discussing with someone about it. I still haven't got any evidence about it.
Each time I ask someone that does it for "security purpose", when they don't answer by "do your own research" (which I always try when they say that even if it's absurd to have nothing to defends yourself), the best example they always have is either link to some report with stats that doesn't define malware, or the Forbes case of when one of their ad was a fake Java update. If that's malware, then here we go, HN now serve malware too: Click on that URL to update Java: https://forbes.com
If we were arguing blocking Javascript for security purpose, now that does make sense (still pretty unlikely, but based on news, it seems to happen much more).
It doesn't matter. It could be 1 out of every million hits, but it's still a source of malware. Most of us don't upgrade to the latest browser version the minute it's released, which makes us vulnerable.
> ads network is a good vector but so is Hacker News
Uhh... what are you talking about? HN has minimal JS, and they wrote it. Some ad networks are injecting JavaScript into your browser that they have never seen before and didn't write themselves.
I may trust, let's say, NYT not to serve me malware with code they wrote in their offices, but NYT is not the entity that wrote the JavaScript delivered in their ads.
> have you ever not clicked on a link on any of theses platforms and looked at the URL first?
You seem to be arguing that hyperlinks are an attack vector, which assumes such a broad interpretation of "attack vector" that the word becomes meaningless. It's like saying that an airplane is an attack vector because it can fly you into a war zone. Yes, it can... but I get to choose where I'm going.
Regarding that choice: these platforms show you the domain you're clicking through to, so you have a chance to bail. And with an ad blocker, you don't have to be as afraid to visit a malicious site. I have JS and ad blocking on by default, and I whitelist a site when it seems trustworthy enough.
It does matter, you used the word often, that word has a meaning.
> Uhh... what are you talking about? HN has minimal JS, and they wrote it. Some ad networks are injecting JavaScript into your browser that they have never seen before and didn't write themselves.
You never click on the article link? That page can be anything, thus include any JS.
> I get to choose where I'm going.
Thus you check every link before clicking on it? I feel like that's not the case, but I would applaud you to be consistent if you do.
> And with an ad blocker, you don't have to be as afraid to visit a malicious site.
Ad blockers only block ads, not malicious JS. If you visit a website which include malicious JS, it's just as bad as an ad that contains malicious JS.
> I have JS and ad blocking on by default
Blocking JS that's a good way to stop malicious JS. Blocking ads then is redundant, what does it give you more?
