policing ads and 3rd party content at scale on media sites
Engineering
By Billy Hoffman, Director of Product
Policing ads and 3rd party content at scale on media sites
[email protected] @zoompf
Who Am I?
• Automated analysis and detection of performance issues
• Founder of Zoompf
• Former web security researcher and pentester
3PC: A Traditional Approach
• “Can’t control it”
• “It has to be there”
• “I know, I know, it’s so terribly bad”
• “I don’t even want to see it”
Landscape of Modern Ads
The times they are a’changing
• Ad blockers
• Parallel platforms
  a. Google’s AMP
  b. Facebook Instant Articles
Landscape of Modern Ads
• Ad Inventory
• Direct Ads Sales
• Programmatic Ads
• Ad networks (Adx, Appnexus)
• [tag] -> ad appears
Landscape of Modern Ads
• 1 IFrame per ad
  a. Async
  b. Each fires own trackers
  c. Reuse can be poor
• Ads run for fixed impressions
  a. Then you go into remnants
Landscape of Modern Ads
• No idea what an exchange will give you ahead of time
• Set Policies (video, audio)
• Bad stuff still slips through
• Different ads among people/geos
“We don’t have 1 page load. We have our page load, and then 3-6 separate mini payloads from ads.”
“Sub” loads/Waterfalls
Main Goals
1. Ad Performance Problems
2. Ads doing shady stuff
(Full) Waterfalls are not helpful
Load Graphs
• Build DAG
  – Referrers, initiators
• Visualize dependencies
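
The load-graph idea from this slide, as an added example (not code from the talk or from AdInspect): link each request to its referrer or initiator, then total requests and bytes per third-party subtree so each ad becomes its own "sub" load. The HAR entries are constructed, `_initiatorUrl` is a hypothetical custom field a capture script would record, and the first entry is assumed to be the page itself.

```javascript
// Added example. Sample HAR entries are constructed, not captured from a real site.
// `_initiatorUrl` is a hypothetical custom field a capture script could record.
const entry = (url, bodySize, referer, _initiatorUrl) => ({
  request: { url, headers: referer ? [{ name: "Referer", value: referer }] : [] },
  response: { bodySize }, _initiatorUrl });
const sampleEntries = [
  entry("https://news.example/", 40000),
  entry("https://news.example/app.js", 90000, "https://news.example/"),
  entry("https://ads.example/frame1.html", 2000, "https://news.example/"),
  entry("https://ads.example/creative.js", 300000, "https://ads.example/frame1.html"),
  // Referer trimmed to the origin by referrer policy; only the initiator links it.
  entry("https://tracker.example/pixel.gif", -1, "https://ads.example/",
    "https://ads.example/creative.js"),
  entry("https://exchange.example/frame2.html", 1500, "https://news.example/"),
  entry("https://cdn.example/jquery.min.js", 85000, "https://exchange.example/frame2.html"),
];

// Prefer the recorded initiator; fall back to the Referer request header.
const parentUrlOf = (e) => e._initiatorUrl ||
  (e.request.headers.find((h) => h.name.toLowerCase() === "referer") || {}).value;

// One node per request; an edge runs from the referring resource to the request.
function buildLoadGraph(entries) {
  // HAR records bodySize as -1 when the size is unknown; count that as 0 bytes.
  const nodes = entries.map((e) => (
    { url: e.request.url, bytes: Math.max(e.response.bodySize, 0), children: [] }));
  const firstByUrl = new Map();
  nodes.forEach((n, i) => { if (!firstByUrl.has(n.url)) firstByUrl.set(n.url, i); });
  entries.forEach((e, i) => {
    const p = firstByUrl.get(parentUrlOf(e));
    if (p !== undefined && p !== i) nodes[p].children.push(nodes[i]);
  });
  return nodes;
}

// Each third-party child of the page (nodes[0]) is the root of one sub-load.
function subLoads(nodes) {
  const pageHost = new URL(nodes[0].url).hostname;
  const seen = new Set([nodes[0]]);
  const total = (n) => {
    if (seen.has(n)) return { requests: 0, bytes: 0 }; // guard against referrer cycles
    seen.add(n);
    return n.children.map(total).reduce(
      (a, c) => ({ requests: a.requests + c.requests, bytes: a.bytes + c.bytes }),
      { requests: 1, bytes: n.bytes });
  };
  return nodes[0].children
    .filter((c) => new URL(c.url).hostname !== pageHost)
    .map((c) => ({ root: c.url, ...total(c) }))
    .sort((a, b) => b.bytes - a.bytes);
}
console.log(subLoads(buildLoadGraph(sampleEntries)));
```

Where the referrer policy trims cross-origin Referer values to the origin, only an initiator recorded at capture time can attach a request to the right ad.
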
Ad Performance Problems
1. Weight of resources
2. Redirects
3. Head of Line blocking
4. Rendering issues
5. Quality Issues
Party like it’s 2006
OMG and the creative!
Gotchas
1. Caching
   a. Can’t update the inclusion markup
2. Using/not using CDN
   a. Beacons don’t go to edge servers
3. JS Reuse
   a. “Why are we loading jQuery 3 times?”
4. Inlining JS that’s not inlinable
Aside: What are you loading?
Aside: Do 3PC Audit
1. Inventory of what’s on your site
2. Define who can add a tag
3. Master list or Repository?
4. Use a tag manager?
Ads Being Shady
1. Breaking out of frames
2. Opening new tabs
3. Redirecting to app stores (2 tricks)
4. Sending you to sketchy places
Demo
AdInspect
1. PhantomJS script
2. Produces custom HARs
3. Finds bad/shady stuff
github.com/acidus99
Malware
Catching (Possible) Badness
• Malware, Phishing, Unwanted Downloads
• Free!
• Local & Remote Options
• 10K lookups/day
Next Generation Stuff
1. Does the ad actually render?
2. Rendering outside of containers?
3. IAB Compliance
4. Clickthrough testing?
5. Leveraging RUM?
Take Aways
1. You can’t ignore 3PC/Ads
2. Find the needle in the Haystack, then audit that
3. Typical frontend analysis works*
4. Shady things are more common than you think