Slide 1

Display advertising basics and security
@suzu_v VOYAGE GROUP
2016/04/23 at dots. #http2study

Slide 2

About me
• suzuken https://github.com/suzuken @suzu_v
• I work as a software engineer at the SSP http://fluct.jp. I am a Gopher.
• This is my first http2study; thanks for having me.

Slide 3

What I will talk about today
• How display ad delivery works
• SSL-compatible ad delivery and where things stand
• Malvertising
Feel free to ask questions during the talk!

Slide 4

Display ad delivery systems
• A mechanism for delivering ads to a large number of publishers
• Many different players, connected over HTTP(S), pass ads between one another
• The ad that ends up on the page is not necessarily one that was submitted to your own system: the systems are networked, so ads coming from other ad delivery systems are shown too

Slide 5

original: http://www.slideshare.net/shoho/ss-36728773

Slide 6

Can an SSP or an ad network deliver SSL-compatible ads?
Yes, it can.

Slide 7

Typical nested iframes
• Sometimes 5 or 6 levels deep
• Outside vendors' content is, as a rule, an iframe on a different domain
• Inside an iframe: several JavaScript, HTML and img tags

Slide 8

Demo: walkthrough
• An example of ad delivery over http
• An example of SSL-compatible ad delivery

Slide 9

mixed content?

Slide 10

Ad delivery methods from the publisher's side
Assuming a site viewed in a web browser
• Through a tool such as DFP or a tag manager
• Through the publisher's own ad server
• A JavaScript tag or iframe tag pasted directly into the page

Slide 11

SSL-compatible ad delivery: the SSP case
• In the delivery settings for the publisher or ad slot in question, select the DSPs and ad networks that support SSL
• In the bid request or ad request, tell them that the publisher page is served over HTTPS
• An SSL-compatible creative comes back
From the SSP's point of view, whether a genuinely SSL-compatible creative is actually returned is left up to the DSP or ad network.

Slide 12

OpenRTB
The specification of the protocol used for ad auctions. From 2.2 (2014/04) on, the secure attribute (the secure field of the Imp object) was added, so that when the publisher page is HTTPS it can explicitly require the creative to use HTTPS URLs.
"Flag to indicate whether the impression requires secure HTTPS URL creative assets and markup."
from: Real-Time Bidding (RTB) Project
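The SSP side of the two slides above, as an added Go example that is not part of the talk or of any SSP's own code: it derives the OpenRTB imp.secure flag from the page URL and then checks the markup a DSP returns, since otherwise the SSP has to take the DSP's word that the creative is SSL-compatible. The struct fields are a hand-picked subset of OpenRTB 2.x, the hostnames and markup are constructed, and the rule of rejecting http:// subresources when secure=1 is this example's own policy, not something the spec prescribes.

```go
// Added example (not from the talk): an SSP-side bid request carrying the
// OpenRTB 2.2+ imp.secure flag, plus a check of the creative markup a DSP
// returns. Struct fields are a subset of OpenRTB 2.x; the http:// check is
// this example's own policy.
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// BidRequest is a minimal subset of an OpenRTB 2.x bid request.
type BidRequest struct {
	ID   string `json:"id"`
	Imp  []Imp  `json:"imp"`
	Site Site   `json:"site"`
}

// Imp describes one ad slot. Secure is the OpenRTB 2.2+ flag:
// 1 = the page is served over HTTPS and creative assets/markup must be HTTPS.
type Imp struct {
	ID     string `json:"id"`
	Banner Banner `json:"banner"`
	Secure int    `json:"secure"`
}

type Banner struct {
	W int `json:"w"`
	H int `json:"h"`
}

type Site struct {
	Domain string `json:"domain"`
	Page   string `json:"page"`
}

// NewBidRequest builds a request for a slot on pageURL and derives
// imp.secure from the page's scheme, so an HTTPS publisher page asks
// every DSP for HTTPS creatives.
func NewBidRequest(id, impID, pageURL string, w, h int) (BidRequest, error) {
	u, err := url.Parse(pageURL)
	if err != nil || u.Host == "" {
		return BidRequest{}, fmt.Errorf("bad page url %q", pageURL)
	}
	secure := 0
	if u.Scheme == "https" {
		secure = 1
	}
	return BidRequest{
		ID:   id,
		Imp:  []Imp{{ID: impID, Banner: Banner{W: w, H: h}, Secure: secure}},
		Site: Site{Domain: u.Hostname(), Page: pageURL},
	}, nil
}

// insecureSrc matches src="http://..." attributes: script, img and iframe
// subresources, which a browser treats as mixed content on an HTTPS page.
// A click-through href to http:// is a navigation, not mixed content, so it
// is deliberately not matched here.
var insecureSrc = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']?(http://[^"'\s>]+)`)

// InsecureAssets returns every http:// subresource URL found in the markup.
func InsecureAssets(adm string) []string {
	var out []string
	for _, m := range insecureSrc.FindAllStringSubmatch(adm, -1) {
		out = append(out, m[1])
	}
	return out
}

// ValidateCreative rejects a DSP's markup for impID if the impression
// demanded HTTPS assets but the markup loads something over plain http.
// It only sees what is visible in adm: assets fetched later by the
// creative's own scripts (nested iframes, redirect chains) are not covered.
func ValidateCreative(req BidRequest, impID, adm string) error {
	for _, imp := range req.Imp {
		if imp.ID != impID {
			continue
		}
		if bad := InsecureAssets(adm); imp.Secure == 1 && len(bad) > 0 {
			return fmt.Errorf("imp %s requires HTTPS creative, markup loads %s", impID, strings.Join(bad, ", "))
		}
		return nil
	}
	return fmt.Errorf("unknown imp %q", impID)
}

func main() {
	req, err := NewBidRequest("req-1", "1", "https://news.example/article", 300, 250)
	if err != nil {
		panic(err)
	}
	wire, _ := json.MarshalIndent(req, "", "  ")
	fmt.Println(string(wire))

	// Constructed DSP markup: the script tag points at an http:// host.
	adm := `<script src="http://cdn.dsp.example/ad.js"></script><a href="https://shop.example/"><img src="https://cdn.dsp.example/banner.png"></a>`
	fmt.Println("validate:", ValidateCreative(req, "1", adm))
}
```

The check is a first line of defence only: a creative whose first-level markup is clean can still pull an http:// script from a nested iframe several hops down, which is exactly the case the SSP cannot see at bid time.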

Slide 13

Recent news: the situation in Japan
• Domestic DSPs are gradually adding SSL support too, so the number of usable DSPs is growing
• For smartphones, iOS has ATS (App Transport Security), so SSL support is mandatory
• Third-party ad servers that are configured to deliver over HTTP only need that configuration changed
• You may need to change, per ad slot, whether SSL is used or not
• Example: on every page after login, show only SSL-compatible ads
• Incidentally, at our SSP every newly issued tag is an SSL-delivery-compatible ad tag

Slide 14

Handling mixed content
Blocking mixed content is a reasonable choice for the user
• No problem as long as SSL-compatible ads are delivered correctly
• However, the exchange or SSP has no way of knowing whether the system that finally serves the ad is SSL-compatible
• There have actually been past cases where ads were blocked as mixed content
• The response was to take measures such as completely stopping ad delivery from the DSP / ad exchange concerned

Slide 15

SSL support, ads, and revenue
• SSL support is something users and publishers demand. Ad businesses have to meet that demand.
• Serving SSL-compatible ads is, of course, technically possible.
• If the number of SSL-compatible ad businesses does not grow, publishers have fewer options.
• More ad delivery businesses need to support it

Slide 16

Malvertising

Slide 17

Malvertising

original: http://www.anti-malvertising.com/

Slide 18

Malvertising cases
• September 2015: malicious ads contaminated about 3,000 major Japanese sites and affected 500,000 users | Trend Micro Security Blog
• Merely displaying the ad causes a file to be downloaded
• The attacker submitted the malicious ads to an overseas ad delivery vendor; when the ad is rendered, the browser is made to contact the attacker's server
• An exploit kit there uses vulnerabilities in the browser, Flash Player and so on to install malware

Slide 19

Countermeasures on the publisher side
Every publisher, or supply-side party, can be a target for malware authors.
• Vet advertisers
• Is the landing page (LP) domain trustworthy? Is it too new? Is it a foreign ad? Are ads from several advertisers being served from the same IP?
• Keep paying attention to all creatives, continuously
• 2008: Google Online Security Blog: All Your iFrame Are Point to Us

Slide 20

How to prevent malvertising
• Prevent it through ad review
• Is the content of the delivered ad appropriate? Does the banner's content diverge from the LP (landing page)?
• Is the advertiser trustworthy?
• Restrict the domains / advertisers of submitted creatives
When malicious ads flow in from a third-party ad delivery system, a mechanism that excludes them automatically is needed. So is the answer AdBlock?

Slide 21

Safe browsing and AdBlock
Users' behaviour is always rational
• Don't let it come to "if I block ads, I won't get infected"
• It hurts revenue / we have to work to get ads trusted
• Find ways not to expose users to danger. Malvertising is a problem the ad business has to tackle.
• Rather than "nothing can be done, ads are being blocked", the ad industry needs to keep building and operating its products so that users can trust it

Slide 22

AdBlock, revenue, and malware
• 2016/01/08 Forbes forces readers to turn off ad blockers, promptly serves malware | ExtremeTech
• Forbes.com stopped serving its pages to users with adblock enabled, and then served them malware
• According to Cyphort | Malvertising Report 2015, malvertising has begun to use https redirectors to lead users to the attacker's server, which makes the malicious sites harder to identify
• The trade-off between site usability and revenue
• For a publisher whose revenue is mostly ads, an increase in adblocking users is hard to accept

Slide 23

Summary
• SSL-compatible ad delivery is possible
As an ad business
• We continue to be expected to serve ads in an appropriate way so that users and publishers can use ads safely
• We need to keep users' trust in ads, secure revenue, and deliver ads in a way that keeps up with the times