17

It's pretty well known that Google Ads doesn't support HTTPS, but since I store my user's session in a bearer token/cookie I feel the need to encrypt this information... at a minimum so I can protect my end users from being hacked.

What are my choices? I'm sure someone has come across this before. Ideas that may work include

  • Changing how I do website membership
  • Using something else other than AdSense (MSN?, anyone else)
  • Complaining to Google that I can't track my users if AdSense is on
  • Finding a different way to monetize my site (aka changing my business model)
makerofthings7
  • Related: [What risks should I be aware of before putting 3rd party ads on my site](http://security.stackexchange.com/q/7840/396) – makerofthings7 Mar 09 '12 at 18:57
  • This question needs to be updated. Is it still applicable? – theMayer Feb 28 '13 at 15:46
  • @rmayer06 - What do you mean? Does Google now serve ads over HTTPS? – makerofthings7 Feb 28 '13 at 15:49
  • I don't know, but it is almost 3 years old, which is an eternity in this realm... – theMayer Mar 01 '13 at 06:39
  • Also, as an engineer, I typically find that the best way to solve a problem is not to try to redesign someone else's system to work with your constraints, but to redesign your system to work with theirs. Why do you need to pass a secure token to an ad?? – theMayer Mar 01 '13 at 06:42
  • @rmayer06 I don't need to pass a token to an ad. If I use HTTPS everywhere, and advertisements use HTTP then a web browser will warn the end user of a "mixed content warning" on each page. HTTPS everywhere will prevent my session cookie from being stolen. All this is about protecting my primary site, and getting advert revenue. Otherwise I can only have HTTPS for login, and HTTP elsewhere. – makerofthings7 Mar 01 '13 at 12:55

5 Answers

5

What happens if you use this URL for calling adsense

https://pagead2.googleadservices.com/pagead/show_ads.js

Instead of

http://pagead2.googlesyndication.com/pagead/show_ads.js

?

Looks like it's delivering the same script, you just have to check if it can retrieve your page content to deliver contextual ads.

This is undocumented. Just adding "s" in the classic URL gives a certificate error because the domain of the certificate is *.googleadservices.com, hence the final URL I propose. This is of course untested, but I'm curious to know if it could work.

EDIT: The content is delivered but I can't see if I get any warning because the certificate on my test website is not trusted: https://uandco.net/

EDIT: I'm now using a real certificate on the same URL but browsers are complaining about unsecured items. This is because the adsense script, even when called from its https URL, generates unsecured http calls to other scripts and iframes.

Capsule
  • +1 I hope it works. If someone can test and validate this before the bounty is up I'll award it to you & the tester (if I can split a bounty)... I'm swamped today and can't test. – makerofthings7 Feb 24 '11 at 16:36
  • See my edit, can't test further but I'm afraid the first called JS is generating calls to other http (not secured) scripts and/or iframes... – Capsule Feb 24 '11 at 16:52
  • I'll get you a certificate... contact me at myusername@gmail.com ... substituting my StackOverflow name – makerofthings7 Feb 24 '11 at 20:00
  • I'm awarding you the bounty for all your help in this... still no answer or viable alternative. Your solution does seem to work with IE just fine though – makerofthings7 Feb 24 '11 at 21:26
  • Thanks for the bounty but sorry this is not working. Since Google took a certificate for *.googleadservices.com we can expect full SSL support in the near future. Crossing my fingers ;-) – Capsule Feb 24 '11 at 21:33
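
To see which requests cause the "unsecured items" warning described in the answer above, including requests that a loaded script generates at runtime, a HAR export of the page load can be scanned for plain-HTTP entries. This is an added example, not part of the original answer; the hostnames `site.example.test` and `ads.example.test`, the HAR entries, and the helper names `classify` and `findMixedContent` are constructed for illustration.

```javascript
// Added example: list insecure subresource requests recorded in a HAR export
// of an HTTPS page load. Uses only standard HAR 1.2 fields.

// Scripts and HTML frames can rewrite the page ("active" mixed content);
// everything else is treated as "passive" (images, media, ...).
function classify(mimeType) {
  const mime = (mimeType || '').split(';')[0].trim().toLowerCase();
  return /javascript|ecmascript|^text\/html$/.test(mime) ? 'active' : 'passive';
}

function findMixedContent(pageUrl, har) {
  // Only a page served over HTTPS can have "mixed" content.
  if (new URL(pageUrl).protocol !== 'https:') return [];
  const findings = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch (e) {
      continue; // skip malformed URLs
    }
    if (url.protocol !== 'http:') continue; // https:, data:, blob: are not mixed content
    const content = (entry.response && entry.response.content) || {};
    findings.push({ url: url.href, host: url.hostname, kind: classify(content.mimeType) });
  }
  return findings;
}

// Constructed HAR fragment: the ad script itself is fetched over HTTPS,
// but the page load also recorded plain-HTTP script, iframe and image requests.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://site.example.test/' },
    response: { content: { mimeType: 'text/html; charset=utf-8' } } },
  { request: { url: 'https://pagead2.googleadservices.com/pagead/show_ads.js' },
    response: { content: { mimeType: 'text/javascript' } } },
  { request: { url: 'http://ads.example.test/pagead/helper.js' },
    response: { content: { mimeType: 'application/javascript' } } },
  { request: { url: 'http://ads.example.test/pagead/frame' },
    response: { content: { mimeType: 'text/html' } } },
  { request: { url: 'http://ads.example.test/pixel.gif' },
    response: { content: { mimeType: 'image/gif' } } },
] } };

const report = findMixedContent('https://site.example.test/', SAMPLE_HAR);
for (const f of report) console.log(`${f.kind.toUpperCase()} mixed content: ${f.url}`);
```

Any `active` finding means a script or frame crossed the network unencrypted, so whoever can tamper with that response can act inside the HTTPS page.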
4

The answer I have utilised for a client's website is to move from AdSense to DoubleClick for Publishers Small Businesses. This is another Google run system and even if you don't use it to manage advertising campaigns, it falls back to your AdSense account to serve up adverts.

Google provides the code for you, but it uses a "catch-all" insertion of its code that operates regardless of HTTPS or HTTP.

```html
<script type='text/javascript'>
    (function() {
        var useSSL = 'https:' == document.location.protocol;
        var src = (useSSL ? 'https:' : 'http:') +
            '//www.googletagservices.com/tag/js/gpt.js';
        document.write('<scr' + 'ipt src="' + src + '"></scr' + 'ipt>');
    })();
</script>
```

Source: http://support.google.com/dfp_sb/bin/answer.py?hl=en&answer=143694

niaccurshi
  • I have been experimenting with this and so far it has been the best option I've found. The fallback to Adsense does not appear to be 100% HTTPS because once in a while a non HTTPS request is made. It also seems to work best if you allow text ads and don't try to force image ads. – heyrolled May 07 '13 at 13:13
3

Option 3 won't do anything, #4 could be a lot of work, #2.. AdSense is still king.

That leaves option 1 - simplest option in my opinion. Are you using any frameworks?

Edit: another option would be to just continue serving them over HTTP and dealing with the various browser errors and warnings.

When I wrote the original response I was thinking of using something like Open ID but on second thought I'm not sure that'll do anything for you.

Radu
  • I'm using ASP.NET Membership API. This is currently interfacing with WIF where I use ADFS and my own STS provider. – makerofthings7 Aug 17 '10 at 14:58
  • How would you implement membership in this case? – makerofthings7 Feb 23 '11 at 14:22
  • Hard to tell without more details about what you're doing right now. Also, have you considered just serving the ads over HTTP? You'll get browser errors but that might not be so bad.. – Radu Feb 23 '11 at 18:26
  • Browser errors are a horrible solution if I want to keep visitors attracted to my site. There has to be a way that a site like StackOverflow can be ad-sponsored and also served over HTTPS – makerofthings7 Feb 24 '11 at 02:32
2

AdSense now supports HTTPS. Just remove the "http:" portion of the ad code.

James
0

Just the poor man's solution: Opening a new HTTP window with all the AdSense stuff...

Yes, it stinks, but it should not be too difficult to be implemented with a bit of JS magic.

Regards.

ATorras