Display Advertising Basics and Security

Slides presented at http2study on 2016/04/23.

http2 study group #7 - connpass
http://http2study.connpass.com/event/29813/

Full text: https://gist.github.com/suzuken/5deb6c450db854ab7fe2fb2c299b0134


Kenta Suzuki

April 23, 2016

Transcript

  1. Display Advertising Basics and Security — @suzu_v, VOYAGE GROUP, 2016/04/23 at dots. #http2study

  2. About me
     • suzuken, https://github.com/suzuken, @suzu_v
     • Software engineer at the SSP fluct (http://fluct.jp). I'm a Gopher.
     • This is my first time at http2study; thanks for having me.

  3. What I'll talk about today
     • How display ad delivery works
     • SSL-capable ad delivery and the current state of things
     • Malvertising
     Questions during the talk are welcome!

  4. The display ad delivery system
     • A mechanism for delivering ads to a large number of publishers
     • Many different players are connected over HTTP(S) and pass ads between them
     • The ad that gets shown is not necessarily one that was submitted to your own system (everything is networked, so ads from other ad delivery systems show up too)

  5. original: http://www.slideshare.net/shoho/ss-36728773

  6. Can an SSP or an ad network deliver SSL-capable ads? Yes, it can.

  7. A typical nested iframe
     • Depending on the case, 5 or 6 levels deep
     • Third-party vendors' iframes are, as a rule, on a different domain
     • Inside the iframe: multiple JavaScript + HTML + img tags

  8. Demo: walkthrough
     • Example of ad delivery over http
     • Example of SSL-capable ad delivery

  9. mixed content?

  10. Ad delivery methods from the publisher's point of view (assuming a site viewed in a web browser)
     • Via a tool such as DFP or a tag manager
     • Via the publisher's own ad server
     • A JavaScript tag or iframe tag pasted directly into the page

  11. SSL-capable ad delivery: the SSP case
     • In the delivery settings for the publisher or ad slot in question, select only DSPs and ad networks that support SSL
     • In the bid request, or at ad request time, tell them that the publisher page is served over HTTPS
     • SSL-capable creatives come back
     From the SSP's side, whether an SSL-capable creative actually comes back is left up to the DSP or ad network.
  12. OpenRTB: the protocol that defines the ad auction. From 2.2 (2014/04) on, the secure attribute was added: when the publisher side is HTTPS it can explicitly require that the creative use HTTPS URLs. "Flag to indicate whether the impression requires secure HTTPS URL creative assets and markup." (from: Real-Time Bidding (RTB) Project)

  13. Recent topics: domestic (Japanese) trends
     • Domestic DSPs are gradually adding SSL support, so the number of DSPs we can use is growing
     • For smartphones there is iOS ATS, so SSL support is mandatory
     • Anything configured for HTTP-only delivery on a third-party ad server has to be changed on that side
     • You may need to change, per ad slot, whether SSL is used or not
     • Example: serve only SSL-capable ads on every post-login page
     • Incidentally, our SSP hands out SSL-delivery-capable ad tags for all new tags
  14. Handling mixed content. Blocking mixed content is a reasonable choice for the user.
     • No problem as long as SSL-capable ads are delivered correctly
     • However, the exchange or SSP has no way to know whether the system that finally serves the ad is SSL-capable
     • There have actually been past cases of ads being blocked as mixed content
     • We responded by, for example, completely stopping ad delivery from the DSP / ad exchange concerned
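Slides 11, 12 and 14 together describe the contract: the SSP tells bidders that the page is HTTPS (the OpenRTB `imp.secure` flag), and whether the creative that comes back is really HTTPS is left to the DSP. The Go program below is an added example, not the speaker's or fluct's code, of the check an SSP can run on its own side before serving a bid: it parses a constructed bid request and, when `secure` is 1, rejects any bid whose markup references plain `http://` assets or scripts. The struct layouts, the regular expression and the sample creatives are assumptions; only the `imp.secure` field and its meaning come from the slide.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// BidRequest and Imp are the subset of an OpenRTB 2.2+ bid request that this
// check needs; the field names follow the spec (imp[].id, imp[].secure).
type BidRequest struct {
	ID  string `json:"id"`
	Imp []Imp  `json:"imp"`
}

type Imp struct {
	ID     string `json:"id"`
	Secure int    `json:"secure"` // 1: page is HTTPS, creative assets and markup must be HTTPS
}

// Bid is the part of a bid response we inspect: the markup (adm) for one impression.
type Bid struct {
	ImpID string `json:"impid"`
	Adm   string `json:"adm"`
}

// insecureRef matches a src/href attribute, or a quoted JavaScript string,
// whose value is a plain http:// URL. https:// and scheme-relative // URLs
// do not match, which is exactly what a mixed-content check wants.
var insecureRef = regexp.MustCompile(`(?i)(?:src|href)\s*=\s*["']?http://[^"'\s>]+|["']http://[^"']+["']`)

// InsecureURLs returns every plain-http reference found in creative markup.
func InsecureURLs(adm string) []string {
	return insecureRef.FindAllString(adm, -1)
}

// ParseRequest decodes the JSON bid request (only the fields declared above).
func ParseRequest(raw string) (BidRequest, error) {
	var req BidRequest
	err := json.Unmarshal([]byte(raw), &req)
	return req, err
}

// CheckBid returns nil when the bid may be served for the impression it
// targets, and an error describing the problem otherwise. A bid for an
// impression with secure=1 is rejected if its markup references http:// URLs.
func CheckBid(req BidRequest, bid Bid) error {
	for _, imp := range req.Imp {
		if imp.ID != bid.ImpID {
			continue
		}
		if imp.Secure != 1 {
			return nil // plain-HTTP page: mixed content is not a concern
		}
		if refs := InsecureURLs(bid.Adm); len(refs) > 0 {
			return fmt.Errorf("imp %s requires HTTPS creative, found: %s", imp.ID, strings.Join(refs, "; "))
		}
		return nil
	}
	return fmt.Errorf("bid targets unknown imp %q", bid.ImpID)
}

// Constructed sample data: an HTTPS publisher page (secure=1) and three creatives.
const SampleRequest = `{"id":"req-1","imp":[{"id":"1","secure":1,"banner":{"w":300,"h":250}}]}`

const (
	SecureAdm   = `<a href="https://example.com/lp"><img src="https://cdn.example.com/banner.png"></a>`
	InsecureAdm = `<a href="https://example.com/lp"><img src="http://cdn.example.com/banner.png"></a>`
	ScriptAdm   = `<script src="https://ad.example.com/tag.js"></script><script>new Image().src='http://track.example.com/p.gif';</script>`
)

func main() {
	req, err := ParseRequest(SampleRequest)
	if err != nil {
		panic(err)
	}
	for _, adm := range []string{SecureAdm, InsecureAdm, ScriptAdm} {
		fmt.Println(CheckBid(req, Bid{ImpID: "1", Adm: adm}))
	}
}
```

This is a static check on the markup the bidder returned, so it covers what the SSP can see at bid time; it cannot see what a script inside the creative loads later, which is the gap the slide describes. The first creative passes, the other two are rejected because an image and a tracking pixel are fetched over plain HTTP.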
  15. SSL support, ads, and revenue
     • SSL support is what users and publishers demand. Ad businesses have to meet that demand.
     • Serving SSL-capable ads is of course technically possible.
     • Unless more ad businesses support SSL, publishers' options shrink.
     • More ad delivery businesses need to support it
  16. Malvertising

  17. Malvertising original: http://www.anti-malvertising.com/

  18. Malvertising cases
     • September 2015: "Malicious ads contaminate about 3,000 major domestic sites, affecting 500,000 users" | Trend Micro Security Blog
     • Files were downloaded merely by displaying the page
     • The attacker submitted malicious ads to an overseas ad delivery vendor; the moment the ad was displayed, the browser was made to access the attacker's server
     • Vulnerabilities in the browser, Flash Player and so on were used to get an exploit kit installed
  19. Countermeasures on the publisher side
     Every publisher, or supply-side publisher, can become a target of malware authors.
     • Vet your advertisers
     • Is the landing-page domain trustworthy? Is it too new? Is the ad from outside the country? Are ads from multiple advertisers served from the same IP?
     • Keep paying continuous attention to every creative
     • 2008: Google Online Security Blog: All Your iFrame Are Point to Us
  20. How to prevent malvertising
     • Prevent it through ad review
     • Is the delivered ad's content legitimate? Does the banner's content diverge from the LP (landing page)?
     • Is the advertiser trustworthy?
     • Restrict the domains / advertisers of submitted creatives
     When malicious ads flow in from third-party ad delivery systems, a mechanism to exclude them automatically is needed. So, AdBlock?
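Slides 19 and 20 list the review questions (is the landing domain too new, are several advertisers' ads served from one IP, are creative domains restricted). As an added example that is not from the talk, the Go program below turns those questions into an automated triage step over a constructed batch of submitted creatives. The `Creative` and `Policy` types, the 30-day age threshold and the asset-host allowlist are assumptions, and the domain registration date and landing IP are taken as already looked up by a WHOIS/DNS step outside this code.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Creative is one submitted ad as it looks at review time. The fields are the
// signals the talk lists: advertiser, landing-page domain, how new that domain
// is, the IP it resolves to, and the hosts the banner loads assets from.
// Domain age and IP are assumed to have been looked up beforehand.
type Creative struct {
	ID            string
	Advertiser    string
	LandingHost   string
	DomainCreated time.Time
	LandingIP     string
	AssetHosts    []string
}

// Policy holds the reviewer's thresholds and allowlist (constructed values).
type Policy struct {
	MinDomainAge      time.Duration
	TrustedAssetHosts map[string]bool
}

// Review runs the automated checks over a batch of creatives and returns the
// findings per creative ID. No findings: the creative passes; any finding:
// hold it for manual review instead of letting it serve.
func Review(p Policy, now time.Time, cs []Creative) map[string][]string {
	// Which advertisers share each landing-page IP, across the whole batch.
	advertisersByIP := map[string]map[string]bool{}
	for _, c := range cs {
		if advertisersByIP[c.LandingIP] == nil {
			advertisersByIP[c.LandingIP] = map[string]bool{}
		}
		advertisersByIP[c.LandingIP][c.Advertiser] = true
	}

	findings := map[string][]string{}
	for _, c := range cs {
		f := []string{}
		if age := now.Sub(c.DomainCreated); age < p.MinDomainAge {
			f = append(f, fmt.Sprintf("landing domain %s registered only %d days ago", c.LandingHost, int(age.Hours()/24)))
		}
		if n := len(advertisersByIP[c.LandingIP]); n > 1 {
			f = append(f, fmt.Sprintf("landing IP %s shared by %d advertisers", c.LandingIP, n))
		}
		for _, h := range c.AssetHosts {
			if !p.TrustedAssetHosts[h] {
				f = append(f, "asset host not on allowlist: "+h)
			}
		}
		findings[c.ID] = f
	}
	return findings
}

// ReviewTime is the constructed "now" for the sample batch.
var ReviewTime = time.Date(2016, 4, 23, 0, 0, 0, 0, time.UTC)

func SamplePolicy() Policy {
	return Policy{
		MinDomainAge:      30 * 24 * time.Hour,
		TrustedAssetHosts: map[string]bool{"cdn.acme.example": true, "ads.example.net": true},
	}
}

// SampleCreatives is a constructed batch: one long-standing advertiser, and two
// "shops" registered days ago whose landing pages sit on the same IP.
func SampleCreatives() []Creative {
	return []Creative{
		{ID: "cr-1", Advertiser: "Acme", LandingHost: "acme.example", DomainCreated: time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC), LandingIP: "203.0.113.10", AssetHosts: []string{"cdn.acme.example"}},
		{ID: "cr-2", Advertiser: "Shop A", LandingHost: "shopa-deal.example", DomainCreated: time.Date(2016, 4, 20, 0, 0, 0, 0, time.UTC), LandingIP: "198.51.100.7", AssetHosts: []string{"ads.example.net"}},
		{ID: "cr-3", Advertiser: "Shop B", LandingHost: "shopb-best.example", DomainCreated: time.Date(2016, 4, 21, 0, 0, 0, 0, time.UTC), LandingIP: "198.51.100.7", AssetHosts: []string{"tracker.example"}},
	}
}

func main() {
	findings := Review(SamplePolicy(), ReviewTime, SampleCreatives())
	ids := make([]string, 0, len(findings))
	for id := range findings {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s: %d finding(s) %v\n", id, len(findings[id]), findings[id])
	}
}
```

The shared-IP check is deliberately computed over the batch rather than per creative, since that signal only exists when several advertisers are compared against each other. Findings do not block on their own; they route the creative to a human, which matches the slide's point that review is the preventive step.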
  21. Safe browsing and AdBlock. Users' behaviour is always rational.
     • Don't let it come to "if I block ads I won't get infected"
     • That hurts revenue / we have to work to earn trust in ads.
     • Take care not to expose users to danger. Malvertising is a problem the ad business has to tackle.
     • Not "we're being AdBlocked, nothing to be done about it", but the ad industry building and operating things so that users can trust it.
  22. AdBlock, revenue, and malware
     • 2016/01/08: Forbes forces readers to turn off ad blockers, promptly serves malware | ExtremeTech
     • Forbes.com stopped serving users who had adblock enabled, but then served them malware
     • According to Cyphort | Malvertising Report 2015, malvertising has increasingly been using https redirectors to lead to the attacker's server, which makes malicious sites harder to identify.
     • The trade-off between a pleasant site experience and revenue
     • For a publisher whose revenue comes mostly from ads, a growing share of adblocking users is hard to accept
  23. Summary
     • SSL-capable ad delivery is possible
     As an ad business:
     • We continue to be required to serve ads in an appropriate way, so that users and publishers can use them safely
     • We need to keep users' trust in ads and secure revenue, while delivering ads in a way that keeps up with the times