Bidder’s guide to securing RTB callouts

Creatives running on Ad Exchange must be SSL-compliant.

All publisher inventory accessible via Ad Exchange has a secure connection (SSL) and requires SSL-compliant creatives.

For more information, see the SSL implementation guide.

To improve privacy and security, Google is moving to secure the RTB bid requests sent to outside servers. This will be done in two phases:

Phase I: Support SSL callouts

Bidders can voluntarily opt into secure connections on a per-server basis. This allows for a smooth, incremental transition with minimal disruption.

Phase II: Require SSL callouts

Secure connections are mandatory for all bidders by the end of June, 2015. This requires no further action by bidders who have already opted in.

This document presents some best practices and general guidelines opting in to secure RTB callouts. Expanding the support for SSL inventory is outside the scope of this document, and may require some additional effort. Learn more about SSL inventory on the Ad Exchange in the SSL implementation guide.

Performance considerations

SSL connections are slightly slower to establish

  • The extra latency only affects new connections. If you reuse your established connections for new bids, you should not experience any noticeable effects. Ask your Ad Exchange account team to confirm that your connections are being reused properly.
  • Technical issues, such as an expired SSL certificate, can cause high reconnection rates, so it’s important that you track the expiry date of your certificate and renew them prior to expiration.

Encryption has a CPU cost

The additional CPU cost of encrypting your RTB callouts should be less than 10%. While small, even with reused connections, you will likely find that individual servers will service a lower bid rate. Consider adjusting your configured QPS -- depending on the utilization rate of your existing servers, you may need to add capacity.

Configure and test your server’s SSL configuration

  • Some useful details and background information on how to configure a test server to support SSL connections can be found in SSL for Advertisers. This document also provides links to some common servers (e.g. Apache).
  • You can confirm that the configuration is correctly accepting secure connections by using the free SSL Server Test , provided by Qualys.

Test secure RTB callouts

  • Use an existing campaign, or with your account manager's help, create a broadly targeted test campaign.
  • Ask your account manager to add the server to your configuration with a low QPS limit (e.g. 5 QPS).
  • Verify that you’re receiving callouts and are able to correctly interpret them by looking at your server logs. If you're using an Apache web server, use Apache access logs.
  • Respond with a valid bid response, but less than the min CPM.
  • Once it’s working, configure each production server for SSL.
    • Carefully convert servers one at a time and monitor their performance as you slowly increase the QPS limit. You can do this through the REST API, but you may want to involve your account manager for the first few.
    • Don’t forget, since each server may now be able to handle fewer of the slightly more expensive requests, the QPS limits per server may need to be reduced slightly. Be sure to monitor your server’s CPU usage before and after switching to secure callouts and adjust the limits accordingly.
  • If necessary, add additional servers to replace the capacity lost by reducing the individually configured QPS.
Was this article helpful?
How can we improve it?