“HTTPS Everywhere”, Google’s campaign for establishing transport encryption as the default case for the whole internet has shown that sometimes the strong commitment of one big player is enough to introduce changes nobody would have considered to be possible only a few months ago.
Now Browser vendors like Mozilla have announced they will mark unencrypted HTTP as deprecated; Competitors like Yahoo and Bing have switched to HTTPS, and even publishers like the Washington Post have joined forces and started a full migration.
We were excited to jump on the “HTTPS Everywhere” initiative as well. This is an important step to making the internet a more secure place and to reflect the importance the digital sphere has gained over the years.
So right after Google announced that they would enable HTTPS for all their ads as well, we thought the time is right to switch. So we started to activate HTTPS on our servers and been in discussion with all of our service providers (CDNs, Video Hosting, Tracking and Reporting, etc.) to avoid any "mixed scripting" alerts or vulnerabilities.
Some of these services didn't have any issues supporting HTTPS right away, others needed at least some time to be ready, and then we started to talk to our programmatic service providers.
Just a brief summary of our sales stack. Beside native campaigns, we run display/pre-roll campaigns sold by our in-house team and fill the remains with programmatic ads. We use the Google DFP stack and forward requests to Rubicon, OpenX, AdX, Millennial Media and others. The Google stack worked straight forward, as expected, but when we approached more and more of the programmatic ad providers, it became obvious, that this is a showstopper the ad industry is not ready to support the HTTPS Everywhere initiative.
This is especially frustrating, as we already have to deal with the massive impact on rendering time from ad providers (more on that in a separate blog post), and now we feel slowed down again, because the advertising industry is not up to speed with the current technical development in the internet.
Even Google acknowledges that this is an unresolved issue and tries to ease the burden for Authors by pushing forward initiatives like the upgrade-insecure-requests policy header. Lets hope HTTPS Everywhere won't be an obstacle to the development of websites like the IE6 disaster was 10 years ago.
And this does not solve the problem for the ad networks to deliver content over HTTPS. Although they do support encrypted delivery, all of the networks we are working with confirm that switching to HTTPS would seriously damage ad performance of our inventory.
One of our partners expect that “numbers would be down by anywhere from 20-50%”, while another even said "less than 1% of all money spent by the buyers is directed to secured inventory". Now we're facing a chicken or egg dilemma, without us (and of course others) jumping to HTTPS, there won't be enough inventory available to switch ads to HTTPS, and without enough secure ads, the inventory providers aren't allowed to switch.
Who’s supposed to take the lead from here? I personally think there are two players who can influence the market. First, the programmatic exchanges need to push their buyers (demand partners) to start supporting HTTPS creatives. Second, publishers need to put pressure on their online advertisers to start supporting it as well. Ultimately, if all publishers decided to go HTTPS overnight, plenty of advertisers would go out of business very quickly unless they followed suit. That's why we want to start the conversation right here, right now.
But it seems the only one taking that issue serious right now is Google.
[Switching to HTTPS] shouldn't affect your google demand since we're almost at 100% secure creatives.
– Official statement from Google Ads.
So at the end of the day, one might come to the conclusion that Google's striving towards “HTTPS Everywhere,” flanked by the announcement that encryption is about to become a relevant ranking signal for content websites, is somehow perfectly aligned with a feature only their service and very few other big players in the online advertisement industry are offering at the moment.
So two options for us, just drop all other ad providers and jump exclusively to google, or wait for a little longer. For now we will chose the second option. A pity, as we would have loved to have gone further!