This kind of exploit is going to keep happening. The most egregious cases involve PageFair, which offers a tool to publishers that circumvents ad blockers. They too have served malware, for instance at The Economist. http://www.theverge.com/2015/11/6/9681124/pagefair-economist...
Sometimes I think we ought to have civil liability for software security. A few lawsuits would shut stuff like PageFair down.
It would be nice if the sites themselves took some responsibility. If your ad contract includes strong SLAs with massive penalties for malware distribution, the company providing you with ads will probably take a bit more time to vet them.
It baffles me that that isn't already boilerplate in advertising contracts. Sites whine about having their revenue impacted by ad blockers, but they make no effort to ensure the security of their users. Why is nobody ever held accountable for these sorts of breaches? Shifting risk to your customer is a horrible idea - nobody would buy a new car without a warranty, so why on earth are we expected to play Russian roulette with our bank accounts, personal data, and often our employer's assets?
I guess the market will teach them sooner or later, but I really do not understand why the current state of ads is so widely accepted by the people who are trying to sell them.
It seems like a circular argument you're having with the parent, but you haven't yet realized it.
The profit motive is the ultimate incentive. If it takes too much time, reduces revenue by too much, or increases expenses, the ad publishers and networks will find ways to mitigate those issues.
If there aren't waves of lawsuits from users who received malware from ads, there is no direct cost. If vetting ads before they are hosted costs money or reduces the bids for those ad placements, networks are incentivized against doing so.
In my experience, most ad networks have blacklists for bad actors but no vetting and thus no whitelists. Blacklisting means there necessarily will be end-users that get infected
and only a percentage of them will know it,
a percentage of those will know where it came from,
a percentage of them will report it, and
only a percentage of those reports will culminate in advertiser blacklists.
It's a numbers game, and currently the expenses from lawsuits (the only perceived expense for publishers+networks) are much less than the revenue lost + expenses from pre-vetting all ads before they are used.
Agreed. I did see a few "disable your ad-blocker or you can't use our website" notices a couple months back but haven't seen one since.
It would be interesting to see what happened to their numbers. I imagine they alienated a lot of users by doing that and had to stop.
At my company we have an initiative to roll an ad-blocker out to about 2,500 desktops just to prevent the clean-up costs and improve user experience while using our own white lists. Given our industry, we just can't risk it even with threat management firewalls, OpenDNS Umbrella, and some well-engineered multi-layer security going on.
The disappointing thing for me is that I appreciate well-placed and curated ads. I white list some sites to support them, etc.
It's the websites that remind me of the sort of silliness in the movie Idiocracy [1] that are impossible to use, not to mention trust with your computer.
I agree--but the issue will likely be traceability. That is, how can the victim prove that the malware they received came from PageFair? Unless the victim had a log of all network traffic, I'm not sure there's any way to show that.