Slides from my talk at http2study on 2016/04/23.
http2 study meetup #7 - connpass http://http2study.connpass.com/event/29813/
Full text is here: https://gist.github.com/suzuken/5deb6c450db854ab7fe2fb2c299b0134
Fundamentals of display advertising and security
@suzu_v VOYAGE GROUP 2016/04/23 at dots. #http2study
About me
• suzuken https://github.com/suzuken @suzu_v
• Software engineer at the SSP http://fluct.jp. I'm a Gopher.
• This is my first time at http2study; thanks for having me.

What I'll talk about today
• How display ad delivery works
• SSL-compatible ad delivery and the current state of things
• Malvertising
Feel free to ask questions during the talk!

The display ad delivery system
• A mechanism for delivering ads to many publishers
• Many different players are connected over HTTP(S) and exchange ads with each other
• The ad that gets shown is not necessarily one submitted to your own system (everything is networked, so ads from other ad delivery systems show up too)
original: http://www.slideshare.net/shoho/ss-36728773
Can an SSP or ad network deliver SSL-compatible ads? Yes, it can.

A typical nested iframe
• Up to 5 or 6 levels deep, depending on the case
• Third-party vendors' parts are basically iframes on separate domains
• Inside each iframe: multiple JavaScript, HTML and img tags

Demo: explanation
• An example of ad delivery over http
• An example of SSL-compatible ad delivery

mixed content?
Ad delivery methods as seen from the publisher
(Assuming a site viewed in a web browser.)
• Through tools such as DFP or a tag manager
• Through the publisher's own ad server
• By pasting a JavaScript tag or an iframe tag into the page

SSL-compatible ad delivery: the SSP's side
• In the delivery settings for the publisher or ad slot in question, select only DSPs and ad networks that support SSL
• In the bid request or ad request, tell them that the publisher page is being served over HTTPS
• An SSL-compatible creative then comes back
From the SSP's point of view, whether a properly SSL-compatible creative actually comes back is left up to the DSP or ad network.

OpenRTB
The protocol that defines the ad auction. From 2.2 (2014/04) on, the secure attribute was added: when the publisher page is HTTPS, it can explicitly require that the creative use HTTPS URLs.
"Flag to indicate whether the impression requires secure HTTPS URL creative assets and markup." (from: Real-Time Bidding (RTB) Project)

Recent trends: domestic
• Domestic DSPs are gradually adding SSL support, so the number of usable DSPs is growing
• For smartphone inventory, iOS has ATS, so SSL support is mandatory
• Anything on a third-party ad server that is configured for HTTP-only delivery has to have that configuration changed on that side
• You may need to change, per ad, whether SSL is used or not
• Example: on pages after login, show only SSL-compatible ads
• Incidentally, at our SSP every newly issued tag is an SSL-capable ad tag

Handling mixed content
Blocking mixed content is a reasonable choice for the user.
• If SSL-compatible ads are delivered correctly, there is no problem
• But the exchange or SSP has no way to know whether the system that ultimately serves the ad supports SSL
• There have been real cases in the past where ads were blocked as mixed content
• The response was to completely halt delivery from the DSP / ad exchange in question, among other measures
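The two points above (the OpenRTB secure flag, and the SSP having no way to know whether a downstream creative is really HTTPS) can be shown together in a small example. This is an added illustration written for this page, not code from the talk, from fluct, or from the OpenRTB project: the structs are a deliberately minimal, hypothetical subset of an OpenRTB 2.2-style request carrying only `id` and `imp[].secure`, and the `AcceptBid` check (rejecting any creative markup that references an `http://` resource when the impression was flagged secure) is an assumed SSP-side safeguard, not a documented OpenRTB feature. The creative markup is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Minimal OpenRTB 2.2-style structures (hypothetical subset). Only the fields this
// example needs are modelled; a real bid request carries many more (site, device, ...).
type Imp struct {
	ID     string `json:"id"`
	Secure int    `json:"secure"` // 1: impression requires HTTPS creative assets and markup
}

type BidRequest struct {
	ID  string `json:"id"`
	Imp []Imp  `json:"imp"`
}

// NewBidRequest builds a one-impression request for a slot on a page served with the
// given scheme ("https" or "http") and sets imp.secure from that scheme.
func NewBidRequest(id, pageScheme string) BidRequest {
	secure := 0
	if pageScheme == "https" {
		secure = 1
	}
	return BidRequest{ID: id, Imp: []Imp{{ID: "1", Secure: secure}}}
}

// Wire encodes the request as the JSON a DSP would receive.
func (b BidRequest) Wire() string {
	out, _ := json.Marshal(b)
	return string(out)
}

// insecureURL matches plain http:// URLs in markup. https:// does not match because the
// character after "http" is "s"; protocol-relative "//" URLs are left alone.
var insecureURL = regexp.MustCompile(`(?i)\bhttp://[^\s"'<>]+`)

// InsecureURLs returns every http:// URL found in a creative's markup (adm).
func InsecureURLs(adm string) []string {
	return insecureURL.FindAllString(adm, -1)
}

// AcceptBid is the assumed SSP-side check: when the impression was flagged secure, a
// creative that references any http:// resource is rejected before it reaches the page
// and gets blocked there as mixed content. Otherwise the creative is accepted.
func AcceptBid(req BidRequest, adm string) (bool, []string) {
	bad := InsecureURLs(adm)
	for _, imp := range req.Imp {
		if imp.Secure == 1 && len(bad) > 0 {
			return false, bad
		}
	}
	return true, bad
}

// SampleMarkup is a constructed creative: a third-party iframe loaded over HTTPS that
// pulls in a script over plain HTTP plus a protocol-relative tracking pixel.
const SampleMarkup = `<iframe src="https://ads.example/frame"></iframe>` +
	`<script src="http://cdn.example/tag.js"></script>` +
	`<img src="//px.example/p.gif">`

func main() {
	req := NewBidRequest("req-1", "https")
	fmt.Println(req.Wire())
	ok, bad := AcceptBid(req, SampleMarkup)
	fmt.Println("accepted:", ok, "insecure URLs:", bad)
}
```

Running it prints the request as `{"id":"req-1","imp":[{"id":"1","secure":1}]}` and rejects the sample creative because of `http://cdn.example/tag.js`; the same creative is accepted for a request built from an `http` page. The scan is a string-level heuristic over the returned markup, so it catches only what is visible in `adm` at bid time, not resources that a creative's own scripts fetch later, which is why the slides' point that the final serving system is out of the SSP's view still stands.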
SSL support, ads, and revenue
• SSL support is what users and publishers demand. Ad businesses have to meet that demand.
• Serving SSL-compatible ads is of course technically possible.
• Unless the number of SSL-compatible ad businesses grows, publishers' options shrink.
• More ad delivery businesses need to support it.
Malvertising
Malvertising
original: http://www.anti-malvertising.com/

Malvertising: a case
• September 2015: malicious ads contaminate 3,000 major domestic sites, affecting 500,000 users | Trend Micro Security Blog
• Merely displaying the page caused a file to be downloaded
• The attacker submitted malicious ads to an overseas ad delivery vendor; once the ad was displayed, it made the browser access the attacker's server
• Vulnerabilities in the browser, Flash Player and the like were exploited to get an exploit kit installed

Countermeasures on the publisher side
Every publisher, and anyone on the supply side, can become a target for malware authors.
• Vet your advertisers
• Can the landing page's domain be trusted? Is it too new? Is the ad from outside the country? Are ads from multiple advertisers being served from the same IP?
• Keep paying continuous attention to every creative
• 2008: Google Online Security Blog: All Your iFrame Are Point to Us

How to prevent malvertising
• Prevent it through ad review
• Is the ad being delivered legitimate content? That is, do the banner's content and the LP (landing page) diverge?
• Is the advertiser trustworthy?
• Restrict the domains / advertisers whose creatives can be submitted
When malicious ads flow in from a third-party ad delivery system, a mechanism that automatically excludes them is needed. So, AdBlock then?
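Three of the review questions from the two slides above (is the landing domain trusted, is it too new, is one serving IP fronting many advertisers) can be turned into a mechanical first pass that hands a reviewer a short list of findings. The following is an added example written for this page, not a tool from the talk or from fluct: the `Creative` and `ReviewPolicy` types, the thresholds, and the four sample creatives are all constructed, the IP addresses come from documentation ranges, and the domain age is assumed to have been looked up from registration data elsewhere and stored on the record.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Creative is a hypothetical record of one submitted ad, as an ad-ops review tool might
// store it. DomainAge is assumed to have been looked up from registration data beforehand.
type Creative struct {
	ID         string
	Advertiser string
	LandingURL string
	ServingIP  string        // IP address the creative's markup is served from
	DomainAge  time.Duration // age of the landing page's domain registration
}

// ReviewPolicy holds the thresholds a publisher picks for its ad review.
type ReviewPolicy struct {
	TrustedDomains      map[string]bool // landing domains that have already been vetted
	MinDomainAge        time.Duration   // younger landing domains are flagged as too new
	MaxAdvertisersPerIP int             // more advertisers than this behind one IP is flagged
}

func landingDomain(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// Review returns, keyed by creative ID, the findings a human reviewer should look at.
// Creatives with no findings are absent from the map.
func Review(cs []Creative, p ReviewPolicy) map[string][]string {
	// First pass: which advertisers sit behind each serving IP.
	advertisersByIP := map[string]map[string]bool{}
	for _, c := range cs {
		if advertisersByIP[c.ServingIP] == nil {
			advertisersByIP[c.ServingIP] = map[string]bool{}
		}
		advertisersByIP[c.ServingIP][c.Advertiser] = true
	}

	findings := map[string][]string{}
	for _, c := range cs {
		var f []string
		switch d := landingDomain(c.LandingURL); {
		case d == "":
			f = append(f, "landing URL cannot be parsed")
		case !p.TrustedDomains[d]:
			f = append(f, "landing domain not on the trusted list: "+d)
		}
		if c.DomainAge < p.MinDomainAge {
			f = append(f, fmt.Sprintf("landing domain registered only %d days ago", int(c.DomainAge.Hours()/24)))
		}
		if n := len(advertisersByIP[c.ServingIP]); n > p.MaxAdvertisersPerIP {
			f = append(f, fmt.Sprintf("serving IP %s is shared by %d advertisers", c.ServingIP, n))
		}
		if len(f) > 0 {
			findings[c.ID] = f
		}
	}
	return findings
}

// SampleCreatives is constructed review input; the IPs are from documentation ranges.
func SampleCreatives() []Creative {
	day := 24 * time.Hour
	return []Creative{
		{"c1", "ShopA", "https://shop-a.example/sale", "198.51.100.10", 400 * day},
		{"c2", "NewCo", "https://newco-deals.example/lp", "203.0.113.7", 3 * day},
		{"c3", "BestOffers", "https://best-offers.example/", "203.0.113.7", 10 * day},
		{"c4", "ShopB", "https://shop-b.example/", "203.0.113.7", 900 * day},
	}
}

// SamplePolicy: two vetted domains, a 30-day minimum age, at most two advertisers per IP.
func SamplePolicy() ReviewPolicy {
	return ReviewPolicy{
		TrustedDomains:      map[string]bool{"shop-a.example": true, "shop-b.example": true},
		MinDomainAge:        30 * 24 * time.Hour,
		MaxAdvertisersPerIP: 2,
	}
}

func main() {
	for id, f := range Review(SampleCreatives(), SamplePolicy()) {
		fmt.Println(id, "->", strings.Join(f, "; "))
	}
}
```

With the sample data, `c1` comes back clean, `c2` and `c3` each get all three findings, and `c4` is flagged only because its otherwise trusted creative shares a serving IP with two unrelated advertisers. The shared-IP rule is the interesting one: it is a property of the whole batch rather than of a single creative, which is why the function takes the full list rather than judging ads one at a time.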
Safe browsing and AdBlock
Users' behaviour is always rational.
• We must not end up in a world where "block the ads and you won't get infected"
• It hurts revenue / we have to work to make ads something users can trust.
• Build mechanisms that don't expose users to danger. Malvertising is a problem the ad business has to tackle.
• Rather than "they're using AdBlock, nothing we can do", the ad industry needs to keep building and operating mechanisms that earn users' trust.

AdBlock, revenue, and malware
• 2016/01/08 Forbes forces readers to turn off ad blockers, promptly serves malware | ExtremeTech
• Forbes.com stopped serving content to users with adblock enabled, and then served them malware
• According to Cyphort | Malvertising Report 2015, malvertising increasingly uses https redirectors to send users to the attacker's server, which makes identifying malicious sites harder.
• The trade-off between a comfortable site experience and revenue
• For a publisher where ads make up most of its revenue, a growing share of Adblock users is hard to accept

Summary
• SSL-compatible ad delivery is possible
As an ad business:
• We continue to be expected to serve ads by appropriate means, so that users and publishers can use ads safely
• We need to keep users' trust in ads, secure revenue, and deliver ads in a way that keeps up with the times