Ads and their true cost

October 6th, 2007

Filed under: privacy, security — mike hall @ 12:28 am

Aaron Lerch recently wrestled with whether he should show ads on his site. Sure, making a few bucks off your blog or website is tempting; I’ve considered it myself from time to time. But adding ads to your site often has unforeseen effects:

  • they can cause your site to load slower or to have no content show up at all until the ad is loaded
  • they can be annoying to the visitor by making use of animation or other similarly annoying tactics
  • they take up valuable real estate on your site
  • they can be a security risk

That’s right, ads can always be used as another vector to infiltrate your computer. They are third-party content displayed on your site, and often you have no control over where the ads link to, which makes the situation even worse. As reported earlier in the year, Google AdWords isn’t too thorough about checking up on who they sell ads to.

In the reported case, the attackers had the Google ad first pass through their site, which would try to exploit a vulnerability in IE and then forward the user on to a legitimate page. Of course, the attackers don’t need to forward the user on. They can keep the user there and have their way with them, but the forwarding at least makes the ad look authentic. And this was made worse by a nice Google “feature” in AdWords:

Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

Yup, Google always has the user’s best interest at heart. Of course there are still ways to protect yourself from at least the more well-known domains: update your hosts file. Your hosts file is the first place your computer goes to when resolving domain names. It’s basically the first tier in your DNS cache. So how do you protect yourself? Just make all the evil domains resolve back to localhost. If you don’t have a web server on your box, the connection will time out and the ad won’t be retrieved. The advertiser’s domain won’t even be contacted. Can’t get much more protected than that.
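The hosts-file approach described above, sketched as an added example (not code from the original post): it merges a list of ad hostnames into hosts-file text as loopback entries inside a marked block, so reruns are idempotent and existing mappings are never overridden. The function names, block markers and sample domains are constructed for illustration; note that hosts files match exact hostnames only, so wildcard entries are rejected.

```python
import re

LOOPBACK = "127.0.0.1"
BEGIN, END = "# BEGIN ad-block (managed)", "# END ad-block (managed)"
# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
PROTECTED = {"localhost", "localhost.localdomain"}  # never remap these

def existing_names(hosts_text):
    """Hostnames already mapped by non-comment lines of a hosts file."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names

def strip_managed_block(hosts_text):
    """Remove a previously written managed block so reruns are idempotent."""
    out, skipping = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            skipping = True
        elif line.strip() == END:
            skipping = False
        elif not skipping:
            out.append(line)
    return "\n".join(out).rstrip("\n")

def add_blocks(hosts_text, domains):
    """Return new hosts text with each valid, unmapped domain sent to loopback."""
    base = strip_managed_block(hosts_text)
    taken = existing_names(base) | PROTECTED
    wanted = sorted({d.strip().lower().rstrip(".") for d in domains})
    block = [f"{LOOPBACK} {d}" for d in wanted
             if HOSTNAME.match(d) and d not in taken]
    if not block:
        return base + "\n"
    return "\n".join([base, BEGIN, *block, END]) + "\n"

# Constructed sample input: a minimal hosts file and placeholder ad domains.
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 intranet.example.org  # internal\n"
SAMPLE_DOMAINS = ["ads.example.com", "Tracker.Example.NET.", "localhost",
                  "intranet.example.org", "bad domain;rm", "*.example.com"]

if __name__ == "__main__":
    print(add_blocks(SAMPLE_HOSTS, SAMPLE_DOMAINS), end="")
```

The function only returns the new text; writing it back to the real hosts file is left to the caller and needs administrator rights.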

But not everyone is protected. Not all of your users will be protected. So if you have ads on your site or are thinking about adding ads, carefully consider what you’ll be exposing your visitors to before adding them.

Creative Commons License This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.