
Display Advertising Basics and Security (ディスプレイ広告の基礎とセキュリティ)

Slides presented at http2study on 2016/04/23

http2 study meetup #7 - connpass
http://http2study.connpass.com/event/29813/

Full text here: https://gist.github.com/suzuken/5deb6c450db854ab7fe2fb2c299b0134

Kenta Suzuki

April 23, 2016


Transcript

  1. Display Advertising Basics and Security
    @suzu_v VOYAGE GROUP
    2016/04/23 at dots.
    #http2study

  2. About me
    • suzuken https://github.com/suzuken @suzu_v
    • Software engineer at the SSP fluct (http://fluct.jp). Gopher.
    • This is my first time at http2study, thanks for having me.

  3. Today's topics
    • How display ad delivery works
    • SSL-capable ad delivery and where things stand today
    • Malvertising
    Feel free to ask questions during the talk!

  4. Display ad delivery systems
    • A system for delivering ads to a large number of publishers
    • Many different players are connected over HTTP(S) and pass ads between each other
    • The ad that appears is not necessarily one that was submitted to your own system: because the systems are networked, ads from other ad delivery systems show up as well

  5. original: http://www.slideshare.net/shoho/ss-36728773

  6. Can an SSP or ad network deliver SSL-capable ads?
    Yes, it can.

  7. A typical nested iframe
    • In some cases 5 or 6 levels deep
    • Third-party vendors' content is basically an iframe on a different domain
    • Inside an iframe: multiple JavaScript + HTML + img tags

  8. Demo: walkthrough
    • Example of ad delivery over http
    • Example of SSL-capable ad delivery

  9. mixed content?

  10. Ad delivery methods from the publisher's point of view
    Assuming a publisher site viewed in a web browser
    • Via tools such as DFP or a tag manager
    • Via the publisher's own ad server
    • A JavaScript tag or iframe tag pasted directly into the page

  11. SSL-capable ad delivery: the SSP's case
    • In the delivery settings for the publisher or ad slot concerned, select only DSPs and ad networks (ADNW) that support SSL
    • In the bid request or ad request, tell the DSP/ADNW that the publisher page is served over HTTPS
    • An SSL-capable creative is returned
    From the SSP's point of view, whether an SSL-capable creative actually comes back is left to the DSP or ADNW.

  12. OpenRTB
    The protocol that defines how ad auctions are conducted.
    From 2.2 (2014/04) onward: the secure attribute was added. When the publisher page is served over HTTPS, it can explicitly require that the creative use HTTPS URLs.
    "Flag to indicate whether the impression requires secure HTTPS URL creative assets and markup."
    from: Real-Time Bidding (RTB) Project

  13. Recent developments: the Japanese market
    • Domestic DSPs are gradually adding SSL support, so the number of usable DSPs is growing
    • For smartphone inventory, iOS App Transport Security (ATS) makes SSL support mandatory
    • Campaigns configured as HTTP-only on a third-party ad server have to be changed on that side
    • You may need to change, per ad slot, whether SSL is used or not
    • Example: on pages shown after login, serve only SSL-capable ads
    • Incidentally, our SSP hands out SSL-capable ad tags for every new tag

  14. Handling mixed content
    Blocking mixed content is a reasonable choice on the user's part
    • If SSL-capable ads are delivered correctly there is no problem
    • However, an exchange or SSP has no way of knowing whether the system that ultimately serves the ad is SSL-capable
    • There have in fact been past cases of ads being blocked as mixed content
    • The response was to stop delivery from the DSP / ad exchange concerned altogether
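    The flow on slides 11, 12 and 14 (tell the DSP the page is HTTPS, get an SSL-capable creative back, and still have no guarantee the markup is clean) can be gated on the SSP side. The following is an added example, not code from the talk or from fluct: it sets imp[].secure from the page URL as OpenRTB 2.2 defines it, then scans each returned bid's adm for plaintext http:// references and drops those bids before they reach the page. Every hostname, ID and the sample request/response are constructed for this example.

```javascript
// Added example, not code from the talk or from fluct: an SSP-side gate around
// an OpenRTB 2.2+ auction. The request carries imp[].secure = 1 when the
// publisher page is served over HTTPS, and any bid whose markup still
// references plaintext http:// assets is dropped before it reaches the page,
// where the browser would block it as mixed content.
// All IDs, hostnames and the sample request/response below are constructed.

// Build a minimal OpenRTB 2.x bid request for one banner impression on pageUrl.
function buildBidRequest(pageUrl, impId) {
  const page = new URL(pageUrl);
  return {
    id: 'req-' + impId,
    imp: [{
      id: impId,
      banner: { w: 300, h: 250 },
      // OpenRTB 2.2 imp.secure: 1 = creative assets and markup must be HTTPS
      secure: page.protocol === 'https:' ? 1 : 0,
    }],
    site: { page: pageUrl, domain: page.hostname },
  };
}

// Heuristic scan of ad markup (HTML and inline JS) for plaintext http:// URLs.
// It sees only the markup in hand: whatever a nested iframe loads later is
// invisible here, which is exactly the limit slide 14 points out.
function findInsecureReferences(adm) {
  const found = new Set();
  const re = /http:\/\/[^\s"'<>)]+/gi;
  let m;
  while ((m = re.exec(adm)) !== null) found.add(m[0]);
  return [...found];
}

// Split a bid response into accepted and rejected bids. Bids on a secure
// impression are rejected when their adm contains http:// references;
// bids on non-secure impressions pass through unchanged.
function filterBidResponse(request, response) {
  const secureImps = new Set(
    request.imp.filter((imp) => imp.secure === 1).map((imp) => imp.id)
  );
  const accepted = [];
  const rejected = [];
  for (const seatbid of response.seatbid || []) {
    for (const bid of seatbid.bid || []) {
      const insecure = secureImps.has(bid.impid)
        ? findInsecureReferences(bid.adm || '')
        : [];
      if (insecure.length > 0) {
        rejected.push({ seat: seatbid.seat, bidId: bid.id, insecure });
      } else {
        accepted.push({ seat: seatbid.seat, bidId: bid.id, price: bid.price });
      }
    }
  }
  return { accepted, rejected };
}

// Constructed sample: an HTTPS article page and two DSP seats. dsp-b bids
// higher, but its tag still pulls a script over plaintext http.
const sampleRequest = buildBidRequest('https://publisher.example/article/1', 'imp-1');
const sampleResponse = {
  id: sampleRequest.id,
  seatbid: [
    { seat: 'dsp-a', bid: [{ id: 'b1', impid: 'imp-1', price: 1.2,
      adm: '<iframe src="https://ads.dsp-a.example/c/1?r=${AUCTION_ID}"></iframe>' }] },
    { seat: 'dsp-b', bid: [{ id: 'b2', impid: 'imp-1', price: 2.5,
      adm: '<script src="http://cdn.dsp-b.example/tag.js"></script>' +
           '<img src="https://t.dsp-b.example/p.gif">' }] },
  ],
};

const result = filterBidResponse(sampleRequest, sampleResponse);
console.log(JSON.stringify(result, null, 2));
```

    Run with node; the higher dsp-b bid is rejected and the lower dsp-a bid wins, which is the revenue tension of slide 15 in miniature. The scan is a heuristic over the markup the SSP holds: once the accepted iframe loads, the DSP's own servers decide what comes next, and a plaintext asset five levels down is only visible in the browser, which is why the response on slide 14 was to cut the offending exchange off entirely.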

  15. SSL support, ads, and revenue
    • SSL support is demanded by users and publishers. Advertising businesses have to meet that demand.
    • Serving SSL-capable ads is of course technically possible.
    • Unless more advertising businesses support SSL, publishers' options shrink.
    • More ad delivery businesses need to add support.

  16. Malvertising

  17. Malvertising
    original: http://www.anti-malvertising.com/

  18. Malvertising case
    • September 2015: malicious ads contaminated about 3,000 major Japanese sites, affecting 500,000 users | Trend Micro Security Blog
    • Merely displaying the ad caused a file to be downloaded
    • The attacker submitted the malicious ad to an overseas ad delivery vendor; once the ad was displayed, the browser was sent to the attacker's server
    • An exploit kit then abused vulnerabilities in the browser, Flash Player and the like to install malware

  19. What publishers can do
    Every publisher, or supply-side publisher, is a potential target for malware authors.
    • Vet the advertiser
    • Is the landing page (LP) domain trustworthy? Is it too new? Is the ad from abroad? Are ads from multiple advertisers being served from the same IP?
    • Keep paying continuous attention to every creative
    • 2008: Google Online Security Blog: All Your iFrame Are Point to Us

  20. How to prevent malvertising
    • Prevent it through ad review
    • Is the delivered ad's content appropriate? Does the banner's content diverge from the LP (landing page)?
    • Is the advertiser trustworthy?
    • Restrict the domains / advertisers of submitted creatives
    When malicious ads flow in from a third party's ad delivery system, a mechanism that excludes them automatically is needed. So, AdBlock?
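    The review questions on slides 19 and 20 (is the LP domain trustworthy or too new, does the banner diverge from the LP, restrict creative domains and advertisers) can be turned into an automatic pre-flight check. The following is an added example, not code from the talk: a publisher-side review that holds a creative for manual review when it loads from hosts outside the advertiser's declared domains and an allowlisted vendor, when its landing page leaves those domains, or when the landing page domain is younger than a policy threshold. The policy, the advertiser, both creatives and the domain registration dates are constructed for this example; a real deployment would fetch registration dates from WHOIS/RDAP.

```javascript
// Added example, not code from the talk: a publisher-side pre-flight review of a
// submitted creative that encodes the questions on the slides as rules:
//   1. does every host the creative loads from belong to the advertiser or to an
//      allowlisted ad-serving vendor?
//   2. is the landing page (LP) on one of the advertiser's declared domains,
//      i.e. does the banner's destination match who the advertiser says it is?
//   3. is the LP domain suspiciously new?
// Domain registration dates are passed in with the creative (constructed here);
// a real deployment would look them up via WHOIS/RDAP. Policy, advertiser and
// creative data are all constructed for this example.

function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Every absolute http(s) URL in the markup, including ones inside inline JS.
function extractUrls(markup) {
  return [...new Set(markup.match(/https?:\/\/[^\s"'<>)]+/gi) || [])];
}

function reviewCreative(creative, policy, now = new Date('2016-04-23')) {
  const findings = [];
  const declared = creative.advertiser.domains.map((d) => d.toLowerCase());
  const onDeclared = (host) =>
    host !== null && declared.some((d) => host === d || host.endsWith('.' + d));

  // Rule 1: asset hosts must be the advertiser's own or a trusted vendor.
  for (const url of extractUrls(creative.markup)) {
    const host = hostnameOf(url);
    if (!onDeclared(host) && !policy.trustedVendors.includes(host)) {
      findings.push({ rule: 'unknown-asset-host', host });
    }
  }

  // Rule 2: the landing page must stay on a declared advertiser domain.
  const lp = hostnameOf(creative.landingPage);
  if (!onDeclared(lp)) findings.push({ rule: 'landing-page-off-domain', host: lp });

  // Rule 3: a landing page domain younger than policy.minDomainAgeDays is held.
  const registered = (creative.domainRegistered || {})[lp];
  if (registered === undefined) {
    findings.push({ rule: 'domain-age-unknown', host: lp });
  } else {
    const ageDays = Math.floor((now - new Date(registered)) / 86400000);
    if (ageDays < policy.minDomainAgeDays) {
      findings.push({ rule: 'domain-too-new', host: lp, ageDays });
    }
  }

  return { verdict: findings.length === 0 ? 'approve' : 'hold-for-manual-review', findings };
}

// Constructed policy and two creatives from the same declared advertiser.
const policy = { trustedVendors: ['cdn.adserver.example'], minDomainAgeDays: 90 };

const goodCreative = {
  advertiser: { name: 'Acme', domains: ['acme.example'] },
  markup: '<a href="https://www.acme.example/spring">' +
          '<img src="https://cdn.adserver.example/acme/300x250.png"></a>',
  landingPage: 'https://www.acme.example/spring',
  domainRegistered: { 'www.acme.example': '2009-03-01' },
};

// Same advertiser name, but the tag loads an unknown tracker and the LP is a
// two-week-old lookalike domain: the banner and the LP have diverged.
const badCreative = {
  advertiser: { name: 'Acme', domains: ['acme.example'] },
  markup: '<script src="https://cdn.adserver.example/acme/tag.js"></script>' +
          '<script src="https://static.tracker-9q.example/x.js"></script>',
  landingPage: 'http://acme-deals-2016.example/go',
  domainRegistered: { 'acme-deals-2016.example': '2016-04-10' },
};

const goodReview = reviewCreative(goodCreative, policy);
const badReview = reviewCreative(badCreative, policy);
console.log(JSON.stringify({ goodReview, badReview }, null, 2));
```

    The check only covers what is static in the submission: the "multiple advertisers served from the same IP" question on slide 19 needs DNS resolution across the whole creative inventory, and the scheme of the asset URLs is the SSP's mixed-content concern rather than the advertiser vetting done here. Treat the verdict as a routing decision for a human reviewer, not as approval.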

  21. Safe browsing and AdBlock
    Users' behaviour is always rational
    • Don't let it come to "if I block ads I won't get infected"
    • Blocking has a negative effect on revenue / efforts have to be made so that users can trust ads.
    • Find ways not to expose users to danger. Malvertising is a problem the advertising business has to tackle.
    • Rather than "we're being ad-blocked, nothing we can do", the ad industry as a whole needs to keep building and operating so that users can trust it.

  22. AdBlock, revenue, and malware
    • 2016/01/08 Forbes forces readers to turn off ad blockers, promptly serves malware | ExtremeTech
    • Forbes.com stopped serving content to users with an ad blocker enabled, and then served them malware
    • According to Cyphort | Malvertising Report 2015, malvertising is increasingly using https redirectors to lead users to the attacker's server, which makes the malicious site harder to identify.
    • The trade-off between a comfortable site experience and revenue
    • For a publisher whose revenue is mostly ads, a growing share of AdBlock users is hard to accept

  23. Summary
    • SSL-capable ad delivery is possible
    As advertising businesses:
    • We continue to be expected to serve ads in an appropriate way so that users and publishers can use them safely
    • We need to keep users' trust in ads and secure revenue while delivering ads in step with the times