There is a very good reason to not secure your site if you are dependent on ad revenue. When I switched to https, my earnings dropped by about half. I tried it for a week, but I couldn't take the losses.
When you have a secure site that uses Adsense, Google only serves ads from secure ad servers. This shrinks the pool of competing bidders significantly.
For me to switch back, either Google needs to push advertising networks into securing their ad servers, or the nonsecure warning will have to be really big and scary.
I recently switched my (small and ad-free) blog to https-only and I saw a sharp drop in traffic. I highly suspect that is due to various malicious robots and crawlers not handling either https or redirects from http to https correctly. For instance, attempted comment spam fell to almost zero after the switch.
Considering that at least part of the ad clicks comes from robots (there was a recent post about that on HN), it might be that some of your lost revenue was due to that effect.
While there certainly are a lot of automated visits, they are still a fraction of what appears to be legitimate traffic. Furthermore, I'm pretty sure that CloudFlare blocks or challenges (edit: malicious) bot traffic, so I doubt that is the spoon that is stirring the pot.
I also switched my small and ad-free blog to https-only and I haven't noticed a drop in traffic. On the other hand, even if I had, I wouldn't have cared.
I'm proud to contribute to a saner Internet and it does matter even for small blogs because I noticed networks that inject content in websites - I don't know how this practice evolved in the US, but a couple of years ago while traveling there the Wifi networks in the 2 motels I stayed at were injecting ads in the websites I was visiting. I found that to be extremely distasteful.
This is a really interesting observation. Can you expand upon what "shrinks the pool of competing bidders significantly" means? For instance, when creating an Ad Words campaign, is there a setting/option that they must opt-in to and if they do not they won't be considered for secure-only advertising?
"HTTPS-enabled sites require that all content on the page, including the ads, be SSL-compliant. As such, AdSense will remove all non-SSL compliant ads from competing in the auction on these pages. If you do decide to convert your HTTP site to HTTPS, please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages."
To answer your question more directly: besides AdWords, Google manages the ad inventories of a dozen or so third-party ad networks. Lots of the display advertisements that appear on the web are served via these ad networks. Many of these connections are not encrypted and, as you probably know, if a single image on the page is not encrypted it jeopardizes the security of the connection. To maintain the integrity of the connection, the nonsecure networks are eliminated from the bidding process. Fewer bidders, lower final value.
> if a single image on the page is not encrypted it jeopardizes the security of the connection
But only in the sense that the article text could say e.g. "implement the authentication algorithm according to illustration #42" and illustration #42 could have been maliciously replaced with an image showing an incorrect implementation, right?
A script served over an insecure connection, on the other hand, would give the attacker access to the DOM and compromise the entire page (and other pages on the site with AJAX).
So does the fact that ads need to be served securely imply that they have the ability to execute JavaScript in the context of the page? By serving ads (whether encrypted or not) am I trusting every advertiser on the network with the session cookies of all my users, essentially allowing them to intercept communications between the site and its users?
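The distinction drawn in this comment (an insecure image can only swap what the reader sees, while an insecure script or frame runs in the page's origin) is what browsers call passive versus active mixed content. The following scanner, added here as an illustration and not code from anyone in the thread, walks an HTML document and reports every http:// subresource on an https page, tagged with that severity. The page URL, the `legacy-adnetwork.example` hosts and the sample markup are all constructed for the example.

```python
"""Mixed-content scanner: finds http:// subresources referenced from an HTTPS
page and classifies each as active (can run code or restyle the page) or
passive (can only alter what is displayed). Added example; uses only the
standard library."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose insecure load gives an attacker code execution or full
# control of presentation inside the page's origin. Browsers block these.
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),       # only when rel="stylesheet", checked below
    "object": ("data",),
    "embed": ("src",),
}
# Elements whose insecure load can only replace what the user sees or hears.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (severity, tag, resolved_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only loads executable-ish content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value:
                    self._check(severity, tag, value)

    def _check(self, severity, tag, value):
        # Resolve relative and protocol-relative ("//host/x") references against
        # the page URL; only an explicit http: scheme after resolution counts.
        resolved = urljoin(self.page_url, value.strip())
        if urlparse(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))


def scan_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] for http:// subresources of an https page."""
    if urlparse(page_url).scheme != "https":
        return []   # mixed content is only defined for a page that is itself secure
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per severity, e.g. {'active': 2, 'passive': 1}."""
    return {
        "active": sum(1 for sev, _, _ in findings if sev == "active"),
        "passive": sum(1 for sev, _, _ in findings if sev == "passive"),
    }


# Constructed sample: an https blog page carrying one secure ad tag and one
# legacy ad network that still serves over plain http (hypothetical hosts).
SAMPLE_PAGE = "https://blog.example/post"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//cdn.example/site.css">
<script src="https://ads.example/loader.js"></script>
<script src="http://legacy-adnetwork.example/tag.js"></script>
</head><body>
<img src="/images/illustration-42.png">
<img src="http://legacy-adnetwork.example/banner.gif">
<iframe src="http://legacy-adnetwork.example/frame"></iframe>
<a href="http://other.example/page">a plain link is a navigation, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE, SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(scan_mixed_content(SAMPLE_PAGE, SAMPLE_HTML)))
```

Run against the sample, it reports the http script and iframe as active and the http banner as passive, while the protocol-relative stylesheet and the site-relative image resolve to https and are not flagged. An operator who wants the browser to enforce the same rule can add a `Content-Security-Policy: upgrade-insecure-requests` header so that http:// subresource fetches are rewritten to https:// before they are made; ad tags whose servers do not answer on https then simply fail to load rather than downgrading the page.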
I can't speak too much about this because it is on the fringes of my knowledge. All I can say is that I trust Google's systems to screen for malvertising. I remember there was an incident recently where one of the ad networks that they manage was serving malicious JavaScript, but they caught it pretty quickly and blocked that network from serving ads.
I do not believe that I can improve on their systems.
This is what's holding me back as well. I'm happy to put in whatever development effort is required to get everything on https, but many of our advertisers through various networks (including Google's) don't yet support it.
Have you sent them a request asking when they will support https? The more customers requesting, the more likely they will weight adding support. You could even request it under the cover of Google weighting https more.