undefined | Better HN

0 pointsryan-c9y ago0 comments

> it is within their (the website) responsibility to ensure that ads and/or content should not cause harm to a visitor.

I don't think that's been established. With the current state of advertising on the internet, it's not even possible to do this.

In general, websites use advertising networks which do not allow them to proactively vet the content. Even if they did, no amount of vetting can guarantee the content is benign (active content can do naughty things only some of the time or on some platforms, or things not yet recognized as naughty - this is also why antivirus isn't reliable). So, clearly the solution is to not allow Javascript or flash, right? Nope - exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.

This could maybe be dealt with by contracts between websites and advertising networks specifying that the advertising network will be liable for malicious content, but I don't see that happening.

0 comments

Dylan168079y ago

>exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.

Exploits in jpg/png are very rare.

At worst, all you have to do is make the ad network [re]compress the image.

Silhouette9y ago

Exploits in jpg/png are very rare.

A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day. That particular one would be used for attacking servers, but there have been client-side vulnerabilities in other common resources such as fonts before too. Assuming that just because a format is common the software processing it won't introduce any vulnerabilities is not a great idea.

In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.

Dylan168079y ago

>A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day.

Because of all the weird formats it supports. That's why I said jpg/png, not 'images'. Any software that supports 200 formats probably has severe bugs on the rare ones. Doesn't matter for making a secure image server where you can dictate the format.

>In any case, the relative rarity isn't really the point. Either it's ethically and/or legally correct to assign blame for malicious advertising to the final host site that the user actually visits, or it isn't. That's the principle we're really debating, and the rest is just a degree of risk.

Whether they are being negligent is relevant. Allowing known-risky formats that keep failing over and over is negligent.

1 more reply

ryan-cOP9y ago

> Exploits in jpg/png are very rare.

I would like to introduce you to libpng: https://www.cvedetails.com/vulnerability-list/vendor_id-7294...

j / k navigate · click thread line to collapse

0 pointsryan-c9y ago0 comments

> it is within their (the website) responsibility to ensure that ads and/or content should not cause harm to a visitor.

I don't think that's been established. With the current state of advertising on the internet, it's not even possible to do this.

This could maybe be dealt with by contracts between websites and advertising networks specifying that the advertising network will be liable for malicious content, but I don't see that happening.

0 comments

Dylan168079y ago

>exploits in image parsers, font parsers, video parsers, audio parsers, etc. come out fairly often.

Exploits in jpg/png are very rare.

At worst, all you have to do is make the ad network [re]compress the image.

Silhouette9y ago

Exploits in jpg/png are very rare.

Dylan168079y ago

>A major security issue with probably the most popular automated image processing toolkit in existence came to light just the other day.

Whether they are being negligent is relevant. Allowing known-risky formats that keep failing over and over is negligent.

1 more reply

ryan-cOP9y ago

> Exploits in jpg/png are very rare.

I would like to introduce you to libpng: https://www.cvedetails.com/vulnerability-list/vendor_id-7294...

j / k navigate · click thread line to collapse