How To Verify Your Alert Pay Account
How To Verify Your Alert Pay Account
View your earnings from Google-certified ad networks
View your earnings from Google-certified ad networks
Back in August 2009, we started to allow multiple Google-certified ad networks to compete against AdWords ads for the display ad space on your sites. We’re pleased to announce that you now have access to a new report that allows you to to view earnings by ad network.
As a refresher, the Google-certified ad networks feature is powered by DoubleClick Ad Exchange, and allows additional networks to compete in the auction to help you earn the most revenue possible. We’re confident that our vast AdWords inventory can provide the highest paying ad, but on the few occasions when it can’t, this feature simply allows more ads to be eligible to appear on your pages. This increased competition can potentially lead to higher earnings for you in the long run. Note that the auction process doesn’t change with these ad networks – our system will still always show the highest-paying ads, whether they’re from these Google-certified ad networks or the AdWords program.
With today’s new report, you’ll be able to see a breakdown of impressions, clicks, and earnings by Google-certified ad network. To view this report, log in to your account and visit the Performance reports tab. Click ‘Ad networks’ in the side navigation to see which networks served ads on your pages and how they performed. When comparing the performance of different ad networks, bear in mind that some metrics like RPM can be affected by networks targeting certain value impressions. Please note that there is no historical data prior to September 27, 2011.
Google-certified ad networks bring you all the benefits of working with multiple networks but also with the safety, convenience and controls offered by AdSense. All third party networks are required to adhere to our standards for ad quality, speed and user privacy. In addition, you have the ability to block entire networks and control ad blocking via the Ad review center. Please do keep in mind that blocking specific networks can reduce the number of eligible ads to appear on your pages and may affect your overall earnings. Just like with AdWords ads, the more ads competing to appear on your pages, the more you can potentially earn.
For more information about Google-certified ad networks, please visit our Help Center.
Updates on the AdSense mobile interface and low bandwidth version
Updates on the AdSense mobile interface and low bandwidth version
If you’ve tried out the mobile-optimized AdSense interface that we launched in March, you know that it gives you quick access to important information from your account including earnings, basic reports and some alerts, without the need for Flash. Starting today, you can access this same interface from most desktop browsers as a low bandwidth version -- this is particularly helpful if you’re using a slower internet connection. You can toggle between the the different versions by clicking the links “Classic / Low bandwidth” in the top right corner of the screen. Please note that your preferences are saved for both mobile and desktop versions. For example if you’ve accessed the low bandwidth version from your desktop, we will show you this interface first the next time you log into your account.
When you use the mobile interface or low bandwidth version and navigate to the Home tab, you’ll be able to see your estimated and finalized earnings, quick links to standard and saved reports, and account alerts. In the Reports tab, you’ll find quick reports (aggregated data for 7 days, 30 days, current month, last month) and your saved reports. In addition, you now have more insights on earnings as you can see data on Page Views, Clicks, Page CTR, CPC, Page RPM and Estimated earnings in a table underneath the earnings graph.
Stay tuned for more new features to come in the future. In the meantime, try the enhanced mobile-optimized and low bandwidth AdSense interface. As always, you can find more information in our Help Center.
Taking your channels to a new limit
Taking your channels to a new limit
As you know, channels in your AdSense account are powerful reporting tools. Custom channels help you track ad performance and enable advertisers to target their ads for maximum impact, while URL channels allow you to deep-dive into the performance of AdSense for content on your subdomains.
To date, you’ve been limited to a total of 200 custom and URL channels, and many of you have asked for more. That’s why today, we’re very excited to announce that we’ve raised this limit to 500 custom channels per product, and 500 URL channels for AdSense for content. You’ll see your available custom channels count clearly displayed in the custom channels table, and also highlighted in the “create new custom channel” pop-up.
This change will enable you to expand your testing, and you’ll be able to do more granular analysis of how different formats, ad styles, and ad types perform. In addition, you can use your increased allocation of custom channels to create new ad placements for advertisers to target directly. This can help increase the amount you earn from placement targeting, as advertisers will be able to review the information you’ve provided about your ad units to match their campaigns to your site and audience. As the holidays approach and advertisers look to create additional placement targeted campaigns, now is the perfect time to set up more custom channels and ad placements.
Log in to your AdSense account today and visit your My ads tab to get started.
Specific recommendations for individual ad units
Specific recommendations for individual ad units
We recently posted about personalized optimization tips you can receive via email or directly in your AdSense account. Today we'd like to introduce another form of optimization tips that we'll be rolling out over the next several weeks. These recommendations will show you how to make changes to your AdSense for Content ad unit type or format setting directly in your account in order to earn more.
To generate these new types of notifications, we use our technology to simulate the ad auction for a specific ad unit using different ad type and/or ad format settings. If our simulation shows that any of these changed settings consistently result in higher revenue for that ad unit, we’ll show a recommendation in your account. Please note that these simulations will not affect your live traffic or earnings, and you’ll only see a recommendation if our simulated auction demonstrated increased revenue for your account.
The recommendations are visible on the “Home” tab of your AdSense account so implementing a recommendation is quick and easy.
For ad type recommendations, simply click the “Do this now” button and your ad unit type will be automatically updated.
For ad format recommendations, clicking the “Create this unit” button will create a new ad unit of the recommended ad format on the “My ads” tab. To complete the implementation, replace the current ad unit code in your webpage(s) with the newly created ad unit code.
With multiple methods of bringing performance suggestions to you, we hope to help you simplify your ad management and maximize your ad revenue. For more information on personalized recommendations, please visit our Help Center.
AdSense crawler error redesign
AdSense crawler error redesign
As we explained in a previous post, there are many ways publishers can optimize their site for AdSense. One of the most overlooked is ensuring that our AdSense crawler can accurately crawl your site so that your ads are as relevant and useful as possible.
Today we're making this task easier for you with our latest redesign of the crawler access page which you’ll find on the Account Settings page of your AdSense account.
We redesigned the page with three objectives in mind:
Provide accurate and actionable information about your crawler errors.
Organize and display the information in a more readable way.
Provide clear and concise steps to help you fix the errors.
We’ve accomplished the goals above by:
Keeping the information that pertains to you and removing everything else.
Incorporating expandable sections so information isn’t overbearing and indigestible.
Adding a new column which shows how many failed crawl requests occurred over a period of time. This gives you an idea of the magnitude of the error.
Adding a new ‘How to fix’ column specifically designed to help you solve the error.
This AdSense redesign is merely a first step toward empowering you with the most accurate and relevant information. This in turn allows for better decision making which can lead to more effective AdSense optimizations, and as a result, increased revenue.
Bringing you a more powerful Ad review center
Bringing you a more powerful Ad review center
Whether it’s via blog comments, forum threads, or in-person events, we’ve heard your feedback about AdSense ad controls and the enhancements you’d like to see. With that in mind, today we’re thrilled to announce that we’re rolling out an entirely new version of the Ad review center. It’ll give you more control over your ads and make it easier than ever to manage the ads showing on your pages.
New controls
The new Ad review center will show you ads of all targeting types (contextual, interest-based, and placement) that have appeared on your pages, and allow you to review them. With placement-targeted ads, you can still review them before they show up on your site. And now, rather than grouping ads together, you can make decisions on individual ads to control what appears on your site at a granular level.
Improved efficiency
We’ve also made the Ad review center easier to use. When you’re reviewing ads, we’ll now first show you the ads that are getting the highest number of impressions on your pages -- or, if you’re holding placement-targeted ads for review, we’ll first show you those that are likely to get the highest number of impressions on your pages. Ads that don’t receive or likely won’t receive any impressions on your sites won’t appear in the tool. As a result, you’ll save time and be able to focus your efforts on reviewing only the ads that your users may see.
In the new Ad review center, you can simply click on an ad to block it. To block multiple ads, highlight and drag the ads to block them all at once. We’ve also provided a magnified view when you hover your mouse over an ad, as well as the option to see an ad in full size, as we know that it can be difficult to see details in ad thumbnails.
Ready to use the new Ad review center?
If you’ve used the Ad review center in the past, the new version will be available in your account in the next few days. If you haven’t yet enabled this feature yet, visit the Allow & block ads tab to get started. Please note that this feature isn’t compatible with Internet Explorer 7 or earlier -- visit our supported browsers page for more information.
For placement-targeted ads, we recommend keeping your review preference set to the default of 'Run ads immediately' and then reviewing them after they’ve started running. This is because ads don't participate in the auction while they’re held for review, which could potentially lower the winning bids and as a result, your overall AdSense earnings.
For more information, visit our Help Center. Over the next few weeks, we’ll be bringing you more updates to the Ad review center -- so stay tuned! Feel free to leave us a comment with your thoughts and feedback in the meantime.
AdSense for mobile content in 15 new countries
AdSense for mobile content in 15 new countries
We’re excited to announce the launch of AdSense for mobile content in 15 new countries: Argentina, Brazil, Chile, Colombia, Czech Republic, Hong Kong, Indonesia, Malaysia, Mexico, New Zealand, Nigeria, Philippines, Slovenia, Thailand, and Turkey.
AdSense for mobile content allows publishers to generate earnings from their mobile webpages using targeted Google ads. Just like AdSense for content, Google matches ads to the content of your site -- in this case, your mobile site. You'll earn money whenever visitors to your mobile site click on the ads they see.
For mobile websites, AdSense will automatically detect the type of phone viewing your site and deliver ads to match. For example, if someone views your site through an iPhone, we'll deliver ads specifically designed for high-end phones.
Please note that AdSense for mobile content ad units may be used in mobile websites only, not in mobile applications -- our policies don't permit placement of AdSense for mobile content ads in a mobile application. If you’re looking for an advertising solution for your mobile application, sign up for AdMob, Google’s leading mobile advertising display product.
Got 2 minutes? Learn how to allow and block ads
Got 2 minutes? Learn how to allow and block ads
Last week, we walked you through the Performance reports tab of the new AdSense interface. In the final two videos of this series, we wanted to highlight the key controls available in your account so that you’re empowered to make smart decisions about the ads that appear on your site. Take a look at the videos below to learn more about the ad review center and the additional features that enable you to allow and block ads:
We hope you’ve enjoyed our six videos walking you through key activities in your account, and that it has enabled you to be more comfortable with the new AdSense interface. If you haven’t started using the new interface yet, we hope you'll check out these demo videos and give it a try today!
The ads you’ve been searching for: Introducing AdSense Custom Search Ads
The ads you’ve been searching for: Introducing AdSense Custom Search Ads
Here at Google we’ve put a lot of work into displaying the best ads on search results pages, and we want your results pages to benefit too. If your site is search-focused -- for example, if your users are looking for jobs, travel, products, or local businesses -- the ads you display can now be targeted to the same search query you use to return results. This means more relevant ads for users, more revenue for publishers, and better value to advertisers. Today we’re excited to share our latest AdSense for search product: Custom Search Ads.
In addition to great targeting, Custom Search Ads are designed to fit your existing search results’ look and feel. Instead of pre-defined sizes, you can specify the precise width of each ad unit along with the number of individual ads to display, the ad layout, font size, font face, and much more. You can take a look at how some of our first publishers are using these today on LemonFree.com or eCrater.com.
With Custom Search Ads, we can rapidly develop and launch new search ad formats and extensions without requiring you to update your search code. For example, on Google’s results pages we’ve been busy testing new search ad extensions to provide users with information like locations, product images, page links, and merchant information. Two of these new formats are available today in Custom Search Ads: Ad Sitelinks and Seller Ratings. Ad Sitelinks extend the value of ads by showcasing up to 4 additional links to specific, relevant content within an advertiser’s site. Seller ratings add star ratings below a merchant’s ad aggregated from review sites across the web. These help highlight ads for merchants highly recommended by online shoppers. As new formats are developed in the future, we’ll continue to bring them to Custom Search Ads so you benefit automatically.
To get started with Custom Search Ads, sign up today! We’re currently only able to accept and support a limited number of publishers, but we’re excited to review your application and expand this program in the future.
Watch the recorded GoMo for Publishers videos to learn how to mobilize your site
Watch the recorded GoMo for Publishers videos to learn how to mobilize your site
As part of Google’s ongoing GoMo initiative, we hosted a live webinar a few weeks ago to help publishers learn the benefits of creating mobile-friendly sites, hear tips and case studies, and tap into new resources to get started. If you missed it, no problem! You can watch the recorded video or download the slides below.
Watch this webinar to learn:
1. Why go mobile?
Your users have gone mobile in a big way, hear why you must follow suit.
2. Tips for building mobile sites
Mobile is different. Learn 10 practical tips for building engaging, uniquely mobile experiences.
3. Best practices in action
Hear from web publisher FindTheBest about the success they’ve seen from going mobile.
4. How to get started
Google is here to help. Learn about tools we’ve created to get you started on the path to delighting
your users and maximizing your mobile revenue.
Interested in learning more? Watch the recorded webinar and download the slides.
Mobile Mondays: Going Mobile - Why FindTheBest went mobile
Mobile Mondays: Going Mobile - Why FindTheBest went mobile
For our second post in the Mobile Mondays series, we’ve invited Grace Nasri of FindtheBest to share her company’s experience in going mobile. Read last week’s post to learn about setting mobile goals.
Mobile is rising at a rate much faster than any other technology to date. Last year at Google’s Think Mobile Event, Kleiner Perkins’ Mary Meeker said the pace and force of mobile growth was unlike anything seen previously and Google’s Dennis Woodside predicted, “mobile will create the largest technology market ever. This market will dwarf the PC and all the PC industry has done.”
Seeing this global trend toward mobile, realizing that large segments of potential consumers only have access to mobile devices, and knowing that about 60% of time spent on smartphones is spent engaging in new activities—meaning potentially new customers— we at FindTheBest decided to launch a mobile-optimized version of our site.
FindTheBest is a data-driven comparison engine, and we launched our mobile site in January after realizing there was a large segment of potential customers we weren’t able to effectively reach. Before launching the mobile site, mobile visitors were 12% more likely to bounce and viewed 27% less pages than desktop visitors.
FindTheBest has gone mobile, and has been rewarded with a 3.5x increase in mobile revenue.
However, designing a mobile site doesn’t come without challenges and we had to consider three main issues:
While traditional desktops offer a lot of real estate, mobile devices are more limited in terms of space.
Desktops and laptops have faster Internet connections than mobile devices.
Mobile devices are primarily touch-based, which requires an entirely different user interface.
How FindTheBest went mobile
We hired a mobile expert to design our mobile site. Several decisions needed to be factored in to guarantee the best user experience, as users who visit mobile sites that don’t offer a great UX often leave a site and go to a competitor site. Since we offer a diverse amount of information presented in a range of ways on the traditional site, we had to limit what it would include in the mobile version. We took into consideration questions like, “What are the most relevant filters that need to be included?” and narrowed the data fields on each comparison’s search results page to only the top three most important ones. Similarly, we made design considerations to ensure users could access the information they needed within three taps and that the pages loaded quickly over 3G networks.
After developing and designing the mobile site, we were able to take some of our findings and apply it to the main site.
The Results: Increased customers and ad revenue for FindTheBest and its partners
Currently, 25% of our customers are accessing the site through mobile devices. While traffic to FindTheBest is rising by about 15-20% month-over-month, the percentage of mobile users accessing FindTheBest is rising by 25%.
Between January 2011 and January 2012, the total number of visits to FindTheBest has grown by 3X, while the number of visits from mobile alone has grown 7X. The week after launching the mobile version, visits from mobile devices increased 28% (as compared to 19% for non-mobile visits). Our user engagement has also significantly increased as page views per mobile visit increased by more than 15%--which reaffirmed the benefit of optimizing for mobile.
The mobile site has also translated into more ad revenue for us. After launching the mobile site, our ad revenue from mobile devices increased 3.5X. The benefits of having a mobile-optimized site have also carried over to our publisher partners, which currently include TechCrunch, VentureBeat and Android Authority.
What’s Next?
We constantly analyze user behavior and continue to optimize the mobile site accordingly. We’re currently researching ways to include responsive design technologies into the site, so that the mobile and desktop code bases can be merged into one. Maintaining multiple code bases is time consuming, but we believe this is the future and will be worth the investment.
Introducing the Google+ Share button
Introducing the Google+ Share button
(Cross posted to the Google+ Developers Blog)
When your visitors come across something interesting on your site, sometimes you want to encourage a simple endorsement (like +1). Other times, however, you want to help visitors share with their friends, right away. Today’s new Google+ Share button lets you do just that.
In line with the design of the new +1 button, here’s how it looks:
Before visitors share:
When clicked, visitors can add a comment and choose who to share with:
After they’ve shared, the button turns red. They can click to share again.
The new Google+ Share button is available to all publishers, globally. Try adding it to your site now - just visit Google Developers to get the code.
Follow the conversation on Google+.
Prepare for the upcoming holiday season with placement targeting
Prepare for the upcoming holiday season with placement targeting
With the holidays right around the corner, premium brand-name AdWords advertisers are preparing for the season by increasing their marketing budgets and scheduling targeted campaigns. You can prepare too by taking advantage of placement targeting to allow advertisers to directly target your site.
While all sites are eligible for placement targeting, there are things you can do to help increase the amount of placement targeted ads on your site. First, turn your custom channels into ad placements. Be sure to fill out a well-written title and description to help potential advertisers understand the audiences they’ll reach by bidding on your site. Some details to include in the description are your site name, vertical, ad position, ad size and site demographic.
Next, ensure you are using our most successful ad units and are placing them in optimal positions. Finally, claim your site in Ad Planner. Following these steps will help advertisers find your site to target and choose where to place their ads on a specific section or area. Placement targeted ads typically receive much higher RPMs, which results in higher earnings for you.
Creating targeted channels is easy and a great way to earn extra revenue, but it takes time for them to show up for advertisers, so act soon! Just follow the instructions in our Help Center. Once you've made the changes, not only will your ads be ready for this holiday season, but they'll also be targetable by advertisers for every premium campaign in the future.
A fresh face for link units
A fresh face for link units
If you're using link units, you know that they're a great way to earn additional revenue from the smaller spaces on your site. We've made a few updates to this ad type in the past, but today, we're giving link units a well-deserved facelift. We decided that it was time to reevaluate the layout of the link unit and the landing page in order to give this ad type both a modern look and a great performance boost. Here’s an overview of what’s changing.
The link unit
We’ve heard feedback from publishers that it isn’t clear why they should choose to show four versus five terms in their link units. Most people pick one of these options by guessing the expected performance. We’ve actually found that link units with four terms almost always perform better than five. As a result, we’re reducing the number of topics in all link units to four for horizontal orientations and three for vertical orientations. If you’re currently using link units, this change will happen automatically. We’re also slightly increasing spacing between and font size of each term.
The ad page
Following the general makeover of Google pages, we’re giving link unit landing pages a fresh look as well. The color scheme, orientation, fonts, and number of ads are being updated to the following:
We’ll continue to work on improving link units and hope to share more exciting news soon! In the meantime, we recommend viewing this video to learn how to utilize link units.
Highlighting ad titles
Highlighting ad titles
As we continue to improve and launch new features, we’re always interested in hearing your ideas and feedback. Many of you have shared that you want to be able to change the title color of ads when a user moves their mouse over the title link. After a period of testing, we found that this feature resulted in higher earnings for publishers while also increasing user and advertiser value. We are pleased to announce today that we have updated all text ads with this change.
As you can imagine, there are numerous combinations of link and background color across the ad units on all publisher pages. After extensive testing, we have found that the color of the change itself can make a big difference: the wrong shade can even be detrimental to clickthrough rate (CTR). To determine the color that the title link will change to when a user places their mouse cursor over it, we’ll take your chosen title color and find a nearly complementary color on the color wheel. For example, a blue title would change to red. These colors outperformed all the others we tested.
We’ll continue to keep studying the effects of color on CTR and ad performance to bring you more enhancements in the future. Please also feel free to keep sharing your product feedback and suggestions!
New languages and categories in general category blocking feature
New languages and categories in general category blocking feature
We know that being able to control the ads that appear on your pages is important to you, which is why we're excited to share some new enhancements to general category blocking. This feature is already available in English, French and German and from now on, publishers in Spanish-, Portuguese-, Italian-, and Japanese-speaking countries will be able to use it as well. What’s more, we’ve just added 88 new categories to the list of topics that can be blocked from your sites, including apparel, business, family and sports.
If you’re not familiar with the general category blocking feature, it gives you additional control over the ads that are shown on your sites. You have the ability to scalably block categories of ads that you might not find suitable for your audience.
You can block up to 50 categories in your account, and your choices will be applied to ads of all targeting types and formats in the seven supported languages, regardless of the language of the site where they’re showing. Before blocking a general category, please keep in mind that blocking ads can have a negative impact on your potential earnings, as it removes eligible ads from competing in the ad auction. To help you make informed decisions and understand the impact of any blocking choices on your ad performance, we show you the revenue and ad impressions for every category from the last 30 days.
We hope that these extended options help you quickly and easily control the ads on your sites, and we look forward to continuing to enhance these controls in the future.
If you’re not familiar with the general category blocking feature, it gives you additional control over the ads that are shown on your sites. You have the ability to scalably block categories of ads that you might not find suitable for your audience.
You can block up to 50 categories in your account, and your choices will be applied to ads of all targeting types and formats in the seven supported languages, regardless of the language of the site where they’re showing. Before blocking a general category, please keep in mind that blocking ads can have a negative impact on your potential earnings, as it removes eligible ads from competing in the ad auction. To help you make informed decisions and understand the impact of any blocking choices on your ad performance, we show you the revenue and ad impressions for every category from the last 30 days.
We hope that these extended options help you quickly and easily control the ads on your sites, and we look forward to continuing to enhance these controls in the future.
Customize your AdSense personal contact information
Customize your AdSense personal contact information
As you may know, we periodically send out emails with tips for increasing your earnings, updates on the latest product improvements, and information regarding your account. In your AdSense account settings you can select which type of messages you’re interested in receiving.
We understand that some publishers may prefer to receive AdSense-related messages at a different email address than the Google Account used as their AdSense login. From now on, every user on an AdSense account can specify a personal contact email, contact name and optionally a phone number. It’s important to note that this contact email doesn’t need to be associated with a Google Account, and adding it to your account won’t update your login information or change the login you use to access your AdSense account.
To customize your personal contact information, log in to your account and visit the Account settings page under the Home tab. Under Personal settings, click “edit” and enter the desired data in the contact name and contact email fields. We encourage you to also take the opportunity to review your email preferences and then save your settings. Once you make any changes, you’ll receive a verification email to the contact address to confirm that you can receive messages at this address.
If you’d like to learn more about the messages we send to publishers and how you can benefit from them, visit this blog post. We’re looking forward to keeping in touch with you!
Website Security for Webmasters
Website Security for Webmasters
Users are taught to protect themselves from malicious programs by installing sophisticated antivirus software, but often they may also entrust their private information to websites like yours, in which case it’s important to protect their data. It’s also very important to protect your own data; if you have an online store, you don’t want to be robbed.
Over the years companies and webmasters have learned—often the hard way—that web application security is not a joke; we’ve seen user passwords leaked due to SQL injection attacks, cookies stolen with XSS, and websites taken over by hackers due to negligent input validation.
Today we’ll show you some examples of how a web application can be exploited so you can learn from them; for this we’ll use Gruyere, an intentionally vulnerable application we use for security training internally, too. Do not probe others’ websites for vulnerabilities without permission as it may be perceived as hacking; but you’re welcome—nay, encouraged—to run tests on Gruyere.
Client state manipulation - What will happen if I alter the URL?
Let’s say you have an image hosting site and you’re using a PHP script to display the images users have uploaded:
http://www.example.com/showimage.php?imgloc=/garyillyes/kitten.jpg
So what will the application do if I alter the URL to something like this and userpasswords.txt is an actual file?
http://www.example.com/showimage.php?imgloc=/../../userpasswords.txt
Will I get the content of userpasswords.txt?
Another example of client state manipulation is when form fields are not validated. For instance, let’s say you have this form:
It seems that the username of the submitter is stored in a hidden input field. Well, that’s great! Does that mean that if I change the value of that field to another username, I can submit the form as that user? It may very well happen; the user input is apparently not authenticated with, for example, a token which can be verified on the server.
Imagine the situation if that form were part of your shopping cart and I modified the price of a $1000 item to $1, and then placed the order.
Protecting your application against this kind of attack is not easy; take a look at the third part of Gruyere to learn a few tips about how to defend your app.
Cross-site scripting (XSS) - User input can’t be trusted
A simple, harmless URL:
http://google-gruyere.appspot.com/611788451095/%3Cscript%3Ealert('0wn3d')%3C/script%3E
But is it truly harmless? If I decode the percent-encoded characters, I get:
<script>alert('0wn3d')</script>
Gruyere, just like many sites with custom error pages, is designed to include the path component in the HTML page. This can introduce security bugs, like XSS, as it introduces user input directly into the rendered HTML page of the web application. You might say, “It’s just an alert box, so what?” The thing is, if I can inject an alert box, I can most likely inject something else, too, and maybe steal your cookies which I could use to sign in to your site as you.
Another example is when the stored user input isn’t sanitized. Let’s say I write a comment on your blog; the comment is simple:
<a href=”javascript:alert(‘0wn3d’)”>Click here to see a kitten</a>
If other users click on my innocent link, I have their cookies:
You can learn how to find XSS vulnerabilities in your own web app and how to fix them in the second part of Gruyere; or, if you’re an advanced developer, take a look at the automatic escaping features in template systems we blogged about on our Online Security blog.
Cross-site request forgery (XSRF) - Should I trust requests from evil.com?
Oops, a broken picture. It can’t be dangerous--it’s broken, after all--which means that the URL of the image returns a 404 or it’s just malformed. Is that true in all of the cases?
No, it’s not! You can specify any URL as an image source, regardless of its content type. It can be an HTML page, a JavaScript file, or some other potentially malicious resource. In this case the image source was a simple page’s URL:
That page will only work if I’m logged in and I have some cookies set. Since I was actually logged in to the application, when the browser tried to fetch the image by accessing the image source URL, it also deleted my first snippet. This doesn’t sound particularly dangerous, but if I’m a bit familiar with the app, I could also invoke a URL which deletes a user’s profile or lets admins grant permissions for other users.
To protect your app against XSRF you should not allow state changing actions to be called via GET; the POST method was invented for this kind of state-changing request. This change alone may have mitigated the above attack, but usually it's not enough and you need to include an unpredictable value in all state changing requests to prevent XSRF. Please head to Gruyere if you want to learn more about XSRF.
Cross-site script inclusion (XSSI) - All your script are belong to us
Many sites today can dynamically update a page's content via asynchronous JavaScript requests that return JSON data. Sometimes, JSON can contain sensitive data, and if the correct precautions are not in place, it may be possible for an attacker to steal this sensitive information.
Let’s imagine the following scenario: I have created a standard HTML page and send you the link; since you trust me, you visit the link I sent you. The page contains only a few lines:
<script>function _feed(s) {alert("Your private snippet is: " + s['private_snippet']);}</script><script src="http://google-gruyere.appspot.com/611788451095/feed.gtl"></script>
Since you’re signed in to Gruyere and you have a private snippet, you’ll see an alert box on my page informing you about the contents of your snippet. As always, if I managed to fire up an alert box, I can do whatever else I want; in this case it was a simple snippet, but it could have been your biggest secret, too.
It’s not too hard to defend your app against XSSI, but it still requires careful thinking. You can use tokens as explained in the XSRF section, set your script to answer only POST requests, or simply start the JSON response with ‘\n’ to make sure the script is not executable.
SQL Injection - Still think user input is safe?
What will happen if I try to sign in to your app with a username like
JohnDoe’; DROP TABLE members;--
While this specific example won’t expose user data, it can cause great headaches because it has the potential to completely remove the SQL table where your app stores information about members.
Generally, you can protect your app from SQL injection with proactive thinking and input validation. First, are you sure the SQL user needs to have permission to execute “DROP TABLE members”? Wouldn’t it be enough to grant only SELECT rights? By setting the SQL user’s permissions carefully, you can avoid painful experiences and lots of troubles. You might also want to configure error reporting in such way that the database and its tables’ names aren’t exposed in the case of a failed query.
Second, as we learned in the XSS case, never trust user input: what looks like a login form to you, looks like a potential doorway to an attacker. Always sanitize and quotesafe the input that will be stored in a database, and whenever possible make use of statements generally referred to as prepared or parametrized statements available in most database programming interfaces.
Knowing how web applications can be exploited is the first step in understanding how to defend them. In light of this, we encourage you to take the Gruyere course, take other web security courses from the Google Code University and check out skipfish if you're looking for an automated web application security testing tool. If you have more questions please post them in our Webmaster Help Forum.
Written by Gary Illyes, Webmaster Trends Analyst
Validation: measuring and tracking code quality
Validation: measuring and tracking code quality
Google’s Webmaster Team is responsible for most of Google’s informational websites like Google’s Jobs site or Privacy Centers. Maintaining tens of thousands of pages and constantly releasing new Google sites requires more than just passion for the job: it requires quality management.
In this post we won’t talk about all the different tests that can be run to analyze a website; instead we’ll just talk about HTML and CSS validation, and tracking quality over time.
Why does validation matter? There are different perspectives on validation—at Google there are different approaches and priorities too—but the Webmaster Team considers validation a baseline quality attribute. It doesn’t guarantee accessibility, performance, or maintainability, but it reduces the number of possible issues that could arise and in many cases indicates appropriate use of technology.
While paying a lot of attention to validation, we’ve developed a system to use it as a quality metric to measure how we’re doing on our own pages. Here’s what we do: we give each of our pages a score from 0-10 points, where 0 is worst (pages with 10 or more HTML and CSS validation errors) and 10 is best (0 validation errors). We started doing this more than two years ago, first by taking samples, now monitoring all our pages.
Since the beginning we’ve been documenting the validation scores we were calculating so that we could actually see how we’re doing on average and where we’re headed: is our output improving, or is it getting worse?
Here’s what our data say:
Validation score development 2009-2011.
On average there are about three validation issues per page produced by the Webmaster Team (as we combine HTML and CSS validation in the scoring process, information about the origin gets lost), down from about four issues per page two years ago.
This information is valuable for us as it tells us how close we are to our goal of always shipping perfectly valid code, and it also tells us whether we’re on track or not. As you can see, with the exception of the 2nd quarter of 2009 and the 1st quarter of 2010, we are generally observing a positive trend.
What has to be kept in mind are issues with the integrity of the data, i.e. the sample size as well as “false positives” in the validators. We’re working with the W3C in several ways, including reporting and helping to fix issues in the validators; however, as software can never be perfect, sometimes pages get dinged for non-issues: see for example the border-radius issue that has recently been fixed. We know that this is negatively affecting the validation scores we’re determining, but we have no data yet to indicate how much.
Although we track more than just validation for quality control purposes, validation plays an important role in measuring the health of Google’s informational websites.
How do you use validation in your development process?
Preparing your site for a traffic spike
Preparing your site for a traffic spike
It’s a moment any site owner both looks forward to, and dreads: a huge
surge in traffic to your site (yay!) can often cause your site to crash (boo!)
. Maybe you’ll create a piece of viral content, or get Slashdotted, or maybe
Larry Page will get a tattoo and your site on tech tattoos will be suddenly in vogue.
Many people go online immediately after a noteworthy eventa politica
debate, the death of a celebrity, or a natural disaster—to get news and
information about that event. This can cause a rapid increase in traffic to
websites that provide relevant information, and may even cause sites to
crash at the moment they’re becoming most popular. While it’s not always
possible to anticipate such events, you can prepare your site in a variety of
ways so that you’ll be ready to handle a sudden surge in traffic if one should
occur:
Prepare a lightweight version of your site.
Consider maintaining a lightweight version of your website; you
can then switch all of your traffic over to this lightweight version if you
start to experience a spike in traffic. One good way to do this is to have
a mobile version of your site, and to make the mobile site available to desktop/PC
users during periods of high traffic. Another low-effort option is to just maintain a
lightweight version of your homepage, since the homepage is often the
most-requested page of a site as visitors start there and then navigate out to
the specific area of the site that they’re interested in. If a particular article or
picture on your site has gone viral, you could similarly create a lightweight version
of just that page.
A couple tips for creating lightweight pages:
Exclude decorative elements like images or Flash wherever possible; use text
instead of images in the site navigation and chrome, and put most of the content
in HTML.
Use static HTML pages rather than dynamic ones; the latter place more load
on your servers. You can also cache the static output of dynamic pages to
reduce server load.
Take advantage of stable third-party services.
Another alternative is to host a copy of your site on a third-party service that
you know will be able to withstand a heavy stream of traffic. For example,
you could create a copy of your site—or a pared-down version with a focus
on information relevant to the spike—on a platform like Google Sites or Blogger;
use services like Google Docs to host documents or forms; or use a content
delivery network (CDN).
Use lightweight file formats.
If you offer downloadable information, try to make the downloaded files as small
as possible by using lightweight file formats. For example, offering the same data
as a plain text file rather than a PDF can allow users to download the exact same
content at a fraction of the filesize (thereby lightening the load on your servers).
Also keep in mind that, if it’s not possible to use plain text files, PDFs generated
from textual content are more lightweight than PDFs with images in them
. Text-based PDFs are also easier for Google to understand and index fully.
Make tabular data available in CSV and XML formats.
If you offer numerical or tabular data (data displayed in tables), we recommend
also providing it in CSV and/or XML format. These filetypes are relatively
lightweight and make it easy for external developers to use your data in external
applications or services in cases where you want the data to reach as many people
as possible, such as in the wake of a natural disaster.
We’d love to hear your tips and tricks for weathering traffic spikes—come join us in
our Webmaster Help Forum.
Keeping your free hosting service valuable for searchers
Keeping your free hosting service valuable for searchers
Free web hosting services can be great! Many of these services
have helped to lower costs and technical barriers for webmasters
and they continue to enable beginner webmasters to start their
adventure on the web. Unfortunately, sometimes these lower
barriers (meant to encourage less techy audiences) can attract
some dodgy characters like spammers who look for cheap and
easy ways to set up dozens or hundreds of sites that add little or no value
to the web. When it comes to automatically generated sites, our
stance remains the same: if the sites do not add sufficient value,
we generally consider them as spam and take appropriate steps
to protect our users from exposure to such sites in our natural
search results.
If a free hosting service begins to show patterns of spam, we make
a strong effort to be granular and tackle only spammy pages or sites.
However, in some cases, when the spammers have pretty much taken
over the free web hosting service or a large fraction of the service,
we may be forced to take more decisive steps to protect our users
and remove the entire free web hosting service from our search results
. To prevent this from happening, we would like to help owners of free
web hosting services by sharing what we think may help you save
valuable resources like bandwidth and processing power, and also
protect your hosting service from these spammers:
Free web hosting services can be great! Many of these services
have helped to lower costs and technical barriers for webmasters
and they continue to enable beginner webmasters to start their
adventure on the web. Unfortunately, sometimes these lower
barriers (meant to encourage less techy audiences) can attract
some dodgy characters like spammers who look for cheap and
easy ways to set up dozens or hundreds of sites that add little or no value
to the web. When it comes to automatically generated sites, our
stance remains the same: if the sites do not add sufficient value,
we generally consider them as spam and take appropriate steps
to protect our users from exposure to such sites in our natural
search results.
If a free hosting service begins to show patterns of spam, we make
a strong effort to be granular and tackle only spammy pages or sites.
However, in some cases, when the spammers have pretty much taken
over the free web hosting service or a large fraction of the service,
we may be forced to take more decisive steps to protect our users
and remove the entire free web hosting service from our search results
. To prevent this from happening, we would like to help owners of free
web hosting services by sharing what we think may help you save
valuable resources like bandwidth and processing power, and also
protect your hosting service from these spammers:
- Publish a clear abuse policy and communicate it to your users
- , for example during the sign-up process. This step will contribute
- to transparency on what you consider to be spammy activity.
- In your sign-up form, consider using CAPTCHAs or
- similar verification tools to only allow human submissions
- and prevent automated scripts from generating a bunch of
- sites on your hosting service. While these methods may not
- be 100% foolproof, they can help to keep a lot of the bad actors
- out.
- Try to monitor your free hosting service for other spam signals
- like redirections, large numbers of ad blocks, certain spammy
- keywords, large sections of escaped JavaScript code, etc.
- Using the site: operator query or Google Alerts may come in
- handy if you’re looking for a simple, cost efficient solution.
- Keep a record of signups and try to identify typical spam patterns
- like form completion time, number of requests sent from the same
- IP address range, user-agents used during signup, user names
- or other form-submitted values chosen during signup, etc. Again
- , these may not always be conclusive.
- Keep an eye on your webserver log files for sudden traffic spikes,
- especially when a newly-created site is receiving this traffic, and
- try to identify why you are spending more bandwidth and processing
- power.
- Try to monitor your free web hosting service for phishing and
- malware-infected pages. For example, you can use the
- Google Safe Browsing API to regularly test URLs from your
- service, or sign up to receive alerts for your AS.
- Come up with a few sanity checks. For example, if you’re
- running a local Polish free web hosting service, what are the
- odds of thousands of new and legitimate sites in Japanese
- being created overnight on your service? There’s a number
- of tools you may find useful for language detection of newly
- created sites, for example language detection libraries or theGoogle Translate API v2.
Last but not least, if you run a free web hosting service be sure
to monitor your services for sudden activity spikes that may
indicate a spam attack in progress.
For more tips on running a quality hosting service, have a look
For more tips on running a quality hosting service, have a look
at our previous post. Lastly, be sure to sign up and verify your
site in Google Webmaster Tools so we may be able to notify
you when needed or if we see issues.
Five common SEO mistakes (and six good ideas!)
Five common SEO mistakes (and six good ideas!)
Webmaster Level: Beginner to Intermediate
To help you avoid common mistakes webmasters face with regard to search engine optimization (SEO), I filmed a video outlining five common mistakes I’ve noticed in the SEO industry. Almost four years ago, we also gathered information from all of you (our readers) about your SEO recommendations and updated our related Help Center article given your feedback. Much of the same advice from 2008 still holds true today -- here’s to more years ahead building a great site!
Webmaster Level: Beginner to Intermediate
To help you avoid common mistakes webmasters face with regard to search engine optimization (SEO), I filmed a video outlining five common mistakes I’ve noticed in the SEO industry. Almost four years ago, we also gathered information from all of you (our readers) about your SEO recommendations and updated our related Help Center article given your feedback. Much of the same advice from 2008 still holds true today -- here’s to more years ahead building a great site!
If you’re short on time, here’s the gist:
Avoid these common mistakes
1. Having no value proposition: Try not to assume that a site should rank #1 without knowing why it’s helpful to searchers (and better than the competition :)Six fundamental SEO tips
2. Segmented approach: Be wary of setting SEO-related goals without making sure they’re aligned with your company’s overall objectives and the goals of other departments. For example, in tandem with your work optimizing product pages (and the full user experience once they come to your site), also contribute your expertise to your Marketing team’s upcoming campaign. So if Marketing is launching new videos or a more interactive site, be sure that searchers can find their content, too.
3. Time-consuming workarounds: Avoid implementing a hack rather than researching new features or best practices that could simplify development (e.g., changing the timestamp on an updated URL so it’s crawled more quickly instead of easily submitting the URL through Fetch as Googlebot).
4. Caught in SEO trends: Consider spending less time obsessing about the latest “trick” to boost your rankings and instead focus on the fundamental tasks/efforts that will bring lasting visitors.
5. Slow iteration: Aim to be agile rather than promote an environment where the infrastructure and/or processes make improving your site, or even testing possible improvements, difficult.
1. Do something cool: Make sure your site stands out from the competition -- in a good way!Good luck to everyone!
2. Include relevant words in your copy: Try to put yourself in the shoes of searchers. What would they query to find you? Your name/business name, location, products, etc., are important. It's also helpful to use the same terms in your site that your users might type (e.g., you might be a trained “flower designer” but most searchers might type [florist]), and to answer the questions they might have (e.g., store hours, product specs, reviews). It helps to know your customers.
3. Be smart about your tags and site architecture: Create unique title tags and meta descriptions; include Rich Snippets markup from schema.org where appropriate. Have intuitive navigation and good internal links.
4. Sign up for email forwarding in Webmaster Tools: Help us communicate with you, especially when we notice something awry with your site.
5. Attract buzz: Natural links, +1s, likes, follows... In every business there's something compelling, interesting, entertaining, or surprising that you can offer or share with your users. Provide a helpful service, tell fun stories, paint a vivid picture and users will share and reshare your content.
6. Stay fresh and relevant: Keep content up-to-date and consider options such as building a social media presence (if that’s where a potential audience exists) or creating an ideal mobile experience if your users are often on-the-go.
Mobile becomes a core component of AdSense
Mobile becomes a core component of AdSense
We launched AdSense for mobile content before the smartphone
revolution when everyone had a flip phone. Our goal was to help
pioneering publishers monetize their mobile content. Since then,
we’ve seen mobile technology advance and an increasing number
of consumers are viewing content from “smarter” mobile devices.
To make it easier for publishers to use AdSense to monetize mobile web
pages, we've migrated all mobile ad unit sizes, including the
mobile banner ad unit, into the core product.
All mobile ad sizes, including the 320x50, will be
available through AdSense for content.
The new AdSense ad code automatically formats the ads for the
device. We will continue to support high-end ad requests from
our AdSense for mobile content product
until May 1, 2012.
We strongly encourage publishers who have designed mobile
web pages for high-end devices to use the new AdSense ad code to
avoid disruptions to service. Note that publishers with mobile websites
built for WAP browsers should continue to monetize using AdSense for
mobile content.
We continue to be committed to helping our AdSense publishers
monetize their content as the mobile ecosystem evolves. For more information
about AdSense or to learn more about how this transition may impact you,
please visit our AdSense Help Center.
Information about AdSense ads and site speed
Information about AdSense ads and site speed
Earlier today, our Websearch team announced that we now consider the speed
it takes for a website to load when ranking it in Google search results on
google.com. As an AdSense publisher and website owner, you may have
questions about this change, so we'd like to take a minute to give you more details.
This change is part of our efforts to provide the best possible search experience
This change is part of our efforts to provide the best possible search experience
for our users, as we've found that faster sites create happy users. Our internal studies
show that visitors tend to spend less time on sites that respond slowly, and additional
recent data shows that improving site speed also reduces operating costs. For these
reasons, we're now taking site speed into account in our search rankings.
Site speed is just one of over 200 signals we use to determine search ranking, and
because it's a new signal, it doesn't carry as much weight as the relevance of a page
. In fact, less than 1% of all search queries on google.com are affected by the site speed
signal. We launched this change a few weeks back after rigorous testing. If you haven't
seen much change to your site rankings, then this site speed change possibly did not
impact your site.
In general, a website would have to be particularly slow for its ranking to be affected
In general, a website would have to be particularly slow for its ranking to be affected
We look at the time it takes to load all components of a page that contribute to page
speed, including images, rich media, and Javascript/HTML/CSS code.
AdSense is built to load ads quickly so there's no need to change your AdSense setup
AdSense is built to load ads quickly so there's no need to change your AdSense setup
. Even so, we are working to speed up our ads products further. In addition, we also
want to give you some suggestions of things you can do on your side, like enabling
compression for your site, enabling caching of images, JavaScript, and CSS, and
minimizing the size of your JavaScript with Closure Tools.
If you'd like to learn more about speeding up your website, or evaluate your site's speed,
If you'd like to learn more about speeding up your website, or evaluate your site's speed,
we encourage you to look at Site Performance in Webmaster Tools and try developer tools
way to determine whether your site has been affected is if you've seen a recent change in
AdSense ontology
AdSense ontology
Google AdSense program began in March 2003 when Google introduced its own "automated content-targeted ads." The effectiveness of their advertising system as content targeted was challenged by Applied Semantics, which at that time owned the AdSense technology.Applied Semantics was started in 1998 (its name was Oingo at that time) by AdsenseWeissman and Gil Elbaz, with an interest in making computers more "human-literate". They worked to build a new architecture using their expertise in scalable information systems design, database applications development, software engineering, and natural language processing (NLP). Together with a team of linguists and software engineers, they developed the company's patented technology, CIRCA, which serves as the common platform for all Applied Semantics' products.Google eventually bought Applied Semantics in April 2003, making it the owner of the AdSense technology as well as its CIRCA technology (Conceptual Information Retrieval and Communication Architecture) which AdSense is built on.The CIRCA ontology is based on a language independent, scalable ontology consisting of millions of words along with what the words mean, how the words are related conceptually to other meanings. Ontologies are commonly used in artificial intelligence and knowledge representation to define a hierarchical data structure containing all the relevant entities and their relationships and rules.
- Synonymy/antonymy ("good" is an antonym of "bad")
- Similarity ("gluttonous" is similar to "greedy")
- Hypernymy (is a kind of / has kind) ("horse" has kind "Arabian")
- Membership ("commissioner" is a member of "commission")
- Metonymy (whole/part relations) ("motor vehicle" has part "clutch pedal")
- Substance (e.g. "lumber" has substance "wood")
- Product (e.g. "Microsoft Corporation" produces "Microsoft Access")
- Attribute ("past", "preceding" are attributes of "timing")
- Causation (e.g. travel causes displacement/motion)
- Entailment (e.g. buying entails paying)
- Lateral bonds (concepts closely related to one another, e.g. "dog" and "dog collar")
A typical example is the word Java, which has a number of meanings, including a synonym for coffee, an Indonesian island and a computer programming language.
In the case of a word like Ford, however, the system has to rank the relationships generated. Ford is a car manufacturer as well as a company. The concept "car manufacturer" is more specific than company, so it would receive a stronger value. This entire scheme of how concepts relate is called an ontology and forms the core of most linguistics engines produced today.What makes CIRCA ontology a very clever choice for web advertising?
- CIRCA ontology understands and extracts key themes of a page
- CIRCA discerns ambiguous terms
- CIRCA uses the context and delivers relevant keywords
Subscribe to:
Posts (Atom)