About a year ago, when we switched to default HTTPS, we pointed out that one of the major reasons why other news sites refused to do the same was that most ad networks would not support HTTPS. In fact, we had to end a number of relationships with ad partners in order to make the move (but we felt it was worth it). In fact, the really crazy part was that many of the ad network partners we spoke to clearly had absolutely no clue about HTTPS, what it was and why it’s important. But, over the past year, more and more attention has been placed on the value and importance of encrypting web traffic, so it’s great to see that the internet ad industry is starting to wake up to this, even if it’s pretty late in the process.
The Internet Advertising Bureau — the IAB — the main standards-setting board for the internet ad industry has released a statement saying that it’s time for the internet advertising world to embrace HTTPS:
It’s time to talk about security.
In fact, last year was the time to talk about security. From The New York Times to Google, the call went out for websites to encrypt communications with their users, protecting the integrity and privacy of information exchanged in both directions. Even the U.S. government heard this call, and is working to require HTTPS delivery of all publicly accessible Federal websites and web services.
This year, the advertising industry needs to finish catching up. Many ad systems are already supporting HTTPS – a survey of our membership late last year showed nearly 80% of member ad delivery systems supported HTTPS. That’s a good start, but doesn’t reflect the interconnectedness of the industry. A publisher moving to HTTPS delivery needs every tag on page, whether included directly or indirectly, to support HTTPS. That means that in addition to their ad server, the agency ad server, beacons from any data partners, scripts from verification and brand safety tools, and any other system required by the supply chain also needs to support HTTPS.
Let’s break that down a bit more – once a website decides to support HTTPS, they need to make sure that their primary ad server supports encryption. That ad server will sometimes need to include tags from brand safety, audience and viewability measurement, and other tools – all of which also need to support encryption. The publisher’s ad server will often direct to one of several agency ad servers, each of which will also need to serve over HTTPS. Each agency ad server also may include a variety of beacons or tags, depending on how the deal was set up, all of which similarly need to have encrypted versions available. That’s a lot of dependencies – and when one fails to support HTTPS, the website visitor’s experience is impacted, initiating a costly search for the failure point by the publisher.
While I question that 80% number — given that we had difficulty finding many ad providers who supported HTTPS a year ago — it’s good to see the industry finally recognizing how important this is.