$30 off During Our Annual Pro Sale. View Details »

ディスプレイ広告の基礎とセキュリティ

Kenta Suzuki
April 23, 2016
Technology
18
3.6k

 ディスプレイ広告の基礎とセキュリティ

2016/04/23のhttp2studyでの発表資料です

http2 勉強会 #7 - connpass
http://http2study.connpass.com/event/29813/

本文はこちら: https://gist.github.com/suzuken/5deb6c450db854ab7fe2fb2c299b0134

Kenta Suzuki

April 23, 2016
Tweet

More Decks by Kenta Suzuki

See All by Kenta Suzuki
Go at fluct
suzuken
0
3.4k
小さな機能、大きな仕事 PHPカンファレンス沖縄2019 / phpcon-okinawa-2019
suzuken
2
1.9k
ADエンジニアがみたre:Invent 2018
suzuken
0
4.4k
広告配信管理システムを支えるPHP - レガシーシステムからの段階的移行戦略 / phpcon2017
suzuken
9
19k
How to use AWS Lambda in Document Processing Pipeline
suzuken
0
3.7k

Other Decks in Technology

See All in Technology
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
720
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
4.1k
The Future of encoding/json
iamshunta
2
260
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
180
LINEでのコミュニケーションにマスコットキーホルダーを使ってみる / LINEを使ったLT大会 #5
you
PRO
0
110
VS CodeとPostmanを活用した効率的なAPI開発 / Efficient API development using VS Code and Postman
yokawasa
3
320
継続的なコツコツ技術広報とブランディング磨き込みの過程と課題/engineering-brand
nishiuma
0
110
TextField 表示スタイル変更の 有効活用例 5 選
akkie76
0
140
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
280
Java Language Future
chiroito
5
1.3k
ココナラでエンジニアマネージャーをやってみた!
coconala_engineer
1
120
Honoが良さそう🔥
is_ryo
0
180

Featured

See All Featured
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
For a Future-Friendly Web
brad_frost
168
8.4k
Designing for Performance
lara
601
66k
[RailsConf 2023] Rails as a piece of cake
palkan
17
3.2k
KATA
mclloyd
13
11k
Six Lessons from altMBA
skipperchong
18
2.7k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
How to Ace a Technical Interview
jacobian
272
22k
Fireside Chat
paigeccino
18
2.3k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Code Review Best Practice
trishagee
53
14k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k

Transcript

  1. σΟεϓϨΠ޿ࠂͷ
    جૅͱηΩϡϦςΟ
    @suzu_v VOYAGE GROUP
    2016/04/23 at dots.
    #http2study

    View Slide

  2. ࢲʹ͍ͭͯ
    • ͚ͣ͢Μ https://github.com/suzuken @suzu_v
    • SSP http://fluct.jp Ͱιϑτ΢ΣΞΤϯδχΞ
    Λ͍ͯ͠·͢ɻGopherͰ͢ɻ
    • http2study͸ॳࢀՃͰ͢ɺ͓͡Ό·͠·͢

    View Slide

  3. ࠓ೔࿩͢͜ͱ
    • σΟεϓϨΠ޿ࠂ഑৴ͷ࢓૊Έ
    • SSLରԠ޿ࠂ഑৴ͱݱঢ়
    • Malvertising
    ൃදதͷ࣭໰΋͓ؾܰʹͲ͏ͧʂ

    View Slide

  4. σΟεϓϨΠ޿ࠂ഑৴ͷγεςϜ
    • ͨ͘͞Μͷഔମʹ޿ࠂΛ഑৴͢Δ࢓૊Έ
    • ༷ʑͳϓϨΠϠʔΛHTTP(S)Ͱͭͳ͛ͯ޿ࠂΛ
    ΍ΓऔΓ͢Δ
    • ඞͣ͠΋ࣗ෼ͷγεςϜʹೖߘ͞Εͨad͕
    ग़ΔΘ͚Ͱ͸ͳ͍ʢωοτϫʔΫԽ͞Εͯ
    ͍ΔͷͰɺଞͷ޿ࠂ഑৴γεςϜ͔Βͷad
    ͕ग़Δʣ

    View Slide

  5. original: http://www.slideshare.net/shoho/
    ss-36728773

    View Slide

  6. SSP΍ΞυωοτϫʔΫͰSSL
    ରԠͷ޿ࠂ഑৴ͬͯͰ͖ΔΜ
    Ͱ͔͢ʁ
    Ͱ͖·͢

    View Slide

  7. యܕతͳnested
    iframe
    • ৔߹ʹΑͬͯ͸5,6ஈ
    • ֎ͷۀऀͷ΋ͷ͸جຊతʹ
    ผυϝΠϯͷiframe
    • iframeͷதʹෳ਺
    JavaScript + HTML + imgλ
    ά

    View Slide

  8. Demo: ղઆ
    • httpͰͷ޿ࠂ഑৴ͷྫ
    • SSLରԠ޿ࠂ഑৴ͷྫ

    View Slide

  9. mixed
    content?

    View Slide

  10. ϝσΟΞ͔Βݟͨ޿ࠂ഑৴ํ๏
    Webϒϥ΢βͰݟΔϝσΟΞΛ૝ఆ͠·͢
    • DFP, λάϚωʔδϟʔͳͲͷπʔϧܦ༝
    • ࣗࣾ޿ࠂαʔόܦ༝
    • JavaScriptλά or iframeλά௚షΓ

    View Slide

  11. SSLରԠ޿ࠂ഑৴: SSPͷ৔߹
    • ର৅ͱͳΔഔମ΋͘͠͸࿮ͷ഑৴ઃఆͰɺSSL
    ରԠ͍ͯ͠ΔDSP, ADNWΛબ୒͢Δ
    • bid request΋͘͠͸޿ࠂϦΫΤετ࣌ʹഔମ
    ͕HTTPSͰserve͞Ε͍ͯΔ͜ͱΛ఻͑Δ
    • SSLରԠͷΫϦΤΠςΟϒ͕ग़Δ
    SSP͔ΒݟΔͱͪΌΜͱSSLରԠͷΫϦΤΠςΟϒ
    ͕ग़Δ͔Ͳ͏͔͸DSP, ADNWʹҕͶΒΕ·͢ɻ

    View Slide

  12. OpenRTB
    ޿ࠂΦʔΫγϣϯͷϓϩτίϧΛܾΊͨ΋ͷɻ
    2.2 (2014/04) Ҏ߱: secureଐੑ͕௥Ճɻഔମଆ͕
    HTTPSͷ৔߹ʹ໌ࣔతʹΫϦΤΠςΟϒ͕HTTPS
    URLͰ͋Δ͜ͱΛཁٻͰ͖ΔΑ͏ʹɻ
    Flag to indicate whether the impression requires
    secure HTTPS URL creative assets and markup.
    from: Real-Time Bidding (RTB) Project

    View Slide

  13. ࠷ۙͷ࿩: ࠃ಺ಈ޲
    • ࠃ಺DSPʹ͍ͭͯ΋ঃʑʹSSLରԠ͕͞Ε͖͍ͯͯΔͷͰɺར༻Մೳͳ
    DSP΋૿͖͍͑ͯͯ·͢
    • εϚϗ޲͚ͷ৔߹͸iOSͷATS͕͋ΓɺSSLରԠඞਢ
    • ୈࡾऀ഑৴αʔόͰHTTPݶఆͰ഑৴ઃఆ͞Ε͍ͯΔ΋ͷʹ͍ͭͯ͸ͦ
    ͪΒΛมߋ͢Δඞཁ͕͋Γ·͢
    • ޿ࠂ࿮͝ͱʹSSLར༻͢Δ͔͠ͳ͍͔ɺͱ͍͏ͷΛมߋ͢Δඞཁ͕͋
    Δ͔΋͠Ε·ͤΜ
    • ྫ: ϩάΠϯޙͷϖʔδ͸͢΂ͯSSLରԠͷ޿ࠂ͔͠ग़͞ͳ͍Α͏ʹ͢
    Δ
    • ͪͳΈʹฐࣾͷSSPͰ͸৽نλά͸શͯSSL഑৴ରԠͷ޿ࠂλάΛ഑ͬ
    ͍ͯ·͢

    View Slide

  14. mixed contentsରԠ
    mixed contentͷblock͸Ϣʔβͷબ୒ͱͯ͠ଥ౰
    • SSLରԠͷad͕ਖ਼͘͠഑৴͞ΕΕ͹໰୊ͳ͍
    • ͔͠͠ɺexchange΍SSP͕࠷ऴతʹadΛαʔϒ͢
    ΔγεςϜ͕SSLରԠ͔൱͔Λ஌Δํ๏͸ͳ͍
    • ࣮ࡍʹmixed contentʹΑΓad͕block͞ΕΔࣄྫ΋
    աڈʹ͋ͬͨ
    • ֘౰͢ΔDSP / Ad Exchange͔Βͷ޿ࠂ഑৴Λ׬શ
    ʹఀࢭ͢ΔͳͲͷରԠΛͨ͠

    View Slide

  15. SSLରԠͱ޿ࠂɺͦͯ͠ऩӹੑ
    • SSLରԠ͸ϢʔβͱϝσΟΞͷཁٻɻ޿ࠂࣄۀऀ
    ͸͜ΕʹԠ͑Δඞཁ͕͋Γ·͢ɻ
    • SSLରԠͷ޿ࠂΛग़͢͜ͱ͸ٕज़తʹ΋ͪΖΜՄ
    ೳɻ
    • SSLରԠͷ޿ࠂࣄۀऀ͕૿͑ͳ͚Ε͹ϝσΟΞଆ
    ͷબ୒ࢶ͕ݮΔɻ
    • ରԠ͢Δ޿ࠂ഑৴ࣄۀऀ͕૿͑ͳ͍ͱ͍͚ͳ
    ͍

    View Slide

  16. Malvertising

    View Slide

  17. Malvertising
    original: http://www.anti-malvertising.com/

    View Slide

  18. Malvertisingࣄྫ
    • 2015೥9݄ ෆਖ਼޿ࠂ͕໿3,000 ͷࠃ಺େखαΠτΛԚ
    છɺ50ສϢʔβʹӨڹ | τϨϯυϚΠΫϩ ηΩϡϦςΟ
    ϒϩά
    • ද͚ࣔͨͩ͠ͰϑΝΠϧ͕μ΢ϯϩʔυ͞Εͯ͠·͏
    • ߈ܸऀ͕ෆਖ਼ͳ޿ࠂΛւ֎ͷ޿ࠂ഑৴ۀऀʹೖߘɺ޿
    ࠂ͕දࣔ͞Εͨஈ֊Ͱ߈ܸऀͷαʔόʹΞΫηεͤ͞Δ
    • ϒϥ΢β΍Flash PlayerͳͲͷ੬ऑੑΛར༻ͯ͠
    exploit kitΛΠϯετʔϧͤ͞Δ

    View Slide

  19. PublisherଆͰͰ͖Δରࡦ
    શͯͷഔମɺ΋͘͠͸supply-sideͷPublisher͸
    Ϛϧ΢ΣΞ࡞ऀͷඪతʹͳΔՄೳੑ͕͋Δɻ
    • ޿ࠂओΛݟఆΊΔ͜ͱ
    • LPͷυϝΠϯ͸৴པͰ͖Δ΋ͷ͔ʁ৽͗͢͠ͳ͍͔ʁࠃ֎
    ͷ޿ࠂ͔ʁಉҰIPʹෳ਺޿ࠂओͷad͕αʔϒ͞Ε͍ͯͳ͍
    ͔ʁ
    • શͯͷΫϦΤΠςΟϒʹܧଓతͳ஫ҙΛ෷͏͜ͱ
    • 2008೥: Google Online Security Blog: All Your iFrame
    Are Point to Us

    View Slide

  20. ͲͷΑ͏ʹMalvertisingΛ๷͙͔
    • ޿ࠂ৹ࠪͰ༧๷͢Δ
    • ഑৴͞ΕΔ޿ࠂ͸ଥ౰ͳ಺༰͔ʁ: όφʔͷ಺༰ͱ
    LP(Landing Page)͕ဃ཭ͨ͠΋ͷͰ͸ͳ͍͔ɻ
    • ৴པͰ͖Δ޿ࠂओ͔ʁ
    • ೖߘ͞ΕΔΫϦΤΠςΟϒͷυϝΠϯ / ޿ࠂओΛ੍ݶ͢Δ
    ୈࡾऀͷ޿ࠂ഑৴γεςϜ͔Βෆਖ਼ͳ޿ࠂ͕ྲྀΕ
    Δ৔߹ɺ͜ΕΛࣗಈతʹഉআ͢Δ࢓૊Έ͕ٻΊΒ
    Ε͍ͯΔɻͰ͸AdBlock͔ʁ

    View Slide

  21. ҆શͳϒϥ΢δϯάͱAdBlock
    Ϣʔβͷߦಈ͸ৗʹ߹ཧత
    • ʮ޿ࠂΛϒϩοΫ͢Ε͹΢Πϧεʹ͸ײછ͠ͳ͍ʯͱͳΒͳ͍
    Α͏ʹ
    • ऩӹʹෛͷӨڹ͕͋Δ / ޿ࠂΛ৴པͯ͠΋Β͏ͨΊͷऔΓ૊
    ΈΛ͠ͳ͚Ε͹ͳΒͳ͍ɻ
    • ϢʔβΛةݥʹ͞Β͞ͳ͍Α͏ͳ޻෉ΛɻMalvertising͸޿ࠂࣄ
    ۀऀ͕औΓ૊Ή΂͖՝୊ɻ
    • AdBlock͞Ε͍ͯΔ͔Β࢓ํͳ͍ɺͰ͸ͳͯ͘Ϣʔβʹ৴པͯ͠
    ΋Β͑ΔΑ͏ʹ޿ࠂۀքͱͯ͠΋ͷͮ͘Γͱӡ༻ΛॏͶ͍ͯ͘
    ඞཁ͕͋Δɻ

    View Slide

  22. AdBlockͱऩӹੑɺͦͯ͠Ϛϧ΢ΣΞ
    • 2016/01/08 Forbes forces readers to turn off ad blockers,
    promptly serves malware | ExtremeTech
    • adblockΛ༗ޮʹ͍ͯ͠ΔϢʔβʹ͍ͭͯForbes.com͕ఏڙΛ
    ఀࢭͨ͠ɺ͔͠͠Ϛϧ΢ΣΞ͕αʔϒ͞Εͯ͠·ͬͨ
    • Cyphort | Malvertising Report 2015 ʹΑΔͱMalvertisingͰ΋
    ߈ܸऀαʔό΁ͷ༠ಋʹhttpsͷϦμΠϨΫλ͕ར༻͞ΕΔΑ
    ͏ʹͳ͖͍ͬͯͯΔɻѱҙͷ͋ΔαΠτͷಛఆ͕೉͘͠ͳΔɻ
    • αΠτར༻ͷշదੑͱऩӹੑͷ݉Ͷ߹͍
    • Ad͕ऩӹͷେ෦෼Λ͠ΊΔഔମͩͱAdblock͍ͯ͠ΔϢʔβ
    ͕૿͑Δͱड͚ೖΕ͕͍ͨ

    View Slide

  23. ·ͱΊ
    • SSLରԠ޿ࠂ഑৴͸Ͱ͖·͢
    ޿ࠂࣄۀऀͱͯ͠
    • Ϣʔβɺഔମʹ҆શʹ޿ࠂΛར༻ͯ͠΋Β͑Δ
    Α͏ʹద੾ͳํ๏Ͱ޿ࠂΛαʔϒ͢Δ͜ͱ͕Ҿ
    ͖ଓ͖ٻΊΒΕ͍ͯΔ
    • Ϣʔβͷ޿ࠂ΁ͷ৴པΛอͪɺऩӹੑΛ୲อ͠
    ͭͭɺ࣌ྲྀʹଈͨ͠޿ࠂ഑৴Λ͍ͯ͘͠ඞཁ͕
    ͋Δ

    View Slide