Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integrity of the Web Content: The Case of Online Advertising Nevena Vratonjic Julien Freudiger Jean-Pierre Hubaux August 2010, Usenix CollSec’10.

Published byEugene Pittmon Modified over 9 years ago

Similar presentations

Presentation on theme: "Integrity of the Web Content: The Case of Online Advertising Nevena Vratonjic Julien Freudiger Jean-Pierre Hubaux August 2010, Usenix CollSec’10."— Presentation transcript:

1 Integrity of the Web Content: The Case of Online Advertising Nevena Vratonjic Julien Freudiger Jean-Pierre Hubaux August 2010, Usenix CollSec’10

2 Internet Economy Online Advertising: The main Internet business model Revenue in 2009 in the US is $22.4 billion Sponsors free services and applications What happens if one meddles with it? 2

3 3 Rogers, Canadian ISP, injected content into web pages

4 Problem Online advertising and Web browsing is not secured Rely on the HTTP protocol Advertisers, publishers and ad networks lose revenues Threatens the Internet business model! 4 How to secure Online Advertising?

5 Outline I. Online Advertising II. Attacks on Online Advertising III. Collaborative Approach to Securing Online Advertising 5

6 Access Network (ISP) Online Advertising System 6 Ad Network User (U) Ad Servers (AS) Websites (WS) Embedding ads Web page Ads Advertiser Placing ads <!-- google_ad_client = “pub-8494067626122848”; google_ad_width = 728; google_ad_height = 90; google_ad_format = “728x90_as”; google_ad_type = “text_image”; google_ad_channel = “”; //- -> <script type = “text/javascript” src = http://pagead2.googlesyndication.com/pagead/show_ads.js> Website’s ID Ad Server’s URL

7 Revenue Model UserAd serverWebsite 7 Ad Network User clicks on an ad: Gets redirected to the advertised Website Advertiser pays Ad Network (e.g., Google) for serving ads Ad Network pays the Website for displaying ads on their web pages Advertiser Pay-per-click

8 Outline I. Online Advertising II. Attacks on Online Advertising III. Collaborative Approach to Securing Online Advertising 8

9 User 9 Exploits against Online Advertising Ad Server Website Advertiser AN Phishing Attacks Profiling and Tracking Users Click FraudBlocking AdsMan-in-the-Middle M. Jakobsson, Phishing and Counter-Measures: Understanding the Increasing Problem of Electronic Identity Theft, Wiley, 2006. A. Rezgui, A. Bouguettaya, and M. Eltoweissy, Privacy on the Web: Facts, challenges, and solutions. IEEE Security and Privacy, 2003. N. Daswani, C. Mysen, V. Rao, S. Weis, K. Gharachorloo, S. Ghosemajumder, and the Google Ad Traffic Quality Team, Online Advertising Fraud, from the book Crimeware, Symantec Press, 2008. B. Krishnamurthy and C. E. Wills, Cat and mouse: content delivery tradeoffs in web access. WWW’06, Edinburgh, Scotland, 2006.

10 Users 10 The Adversary Ad servers Web sites Advertiser 3 Advertiser 1 Advertiser 2 AN Power of the adversary: eavesdrop, alter, inject and delete messages Man-in-the-Middle Wireless Access Point Wireless Social Community Network (WSCN) Internet Service Provider (ISP)

11 Recently Reported Cases Growing number of ISPs injecting own content into web pages [1][2] Third party ad companies partnering with ISPs e.g., Adzilla, Phorm, NebuAd Free ISPs [3] 11 [1] C. Reis, S.D. Gribble, T. Kohno and N.C. Weaver. Detecting In-flight Page Changes with Web Tripwires, NSDI 2008. [2] B. April, F. Hacquebord and R. Link, A Cybercrime Hub, August 2009. [3] thefreesite.com Free Internet Access Providers

12 Injecting Attack Pollution Attack Injecting ads not necessarily targeted to the content of the web page or users’ interests Targeted Attack Injecting ads into Search Engine Result Pages (SERPs) Injecting ads into Location Based Services (LBS) 12

13 13 #5 #1

14 Users Ad servers Web sites Advertisers AN Arbitrary Ad server On-the-fly Ads Modifications 14 Redirect users to arbitrary Ad Servers (e.g., Yahoo!) Consequence: Yahoo! earns money instead of Google

15 Ad Server Redirection 15 HTTP requests to ad servers different from those that were referenced in the HTML of the original web page <!-- google_ad_client = “pub-8494067626122848”; google_ad_width = 728; google_ad_height = 90; google_ad_format = “728x90_as”; google_ad_type = “text_image”; google_ad_channel = “”; //- -> <script type = “text/javascript” src = http://pagead2.googlesyndication.com/pagead/show_ads.js> src=“http://pagead2.arbitraryAdServer.com/pagead/show_ads.js” Website’s ID Ad Server’s URL

16 Outline I. Online Advertising II. Attacks on Online Advertising III. Collaborative Approach to Securing Online Advertising 16

17 Securing the Web: Traditional Approach SSL/TLS (HTTPS) Authenticity and data integrity Only for sensitive information (e.g., e-banking…) Two problems 1. Authentication failure (misaligned incentives) Web sites expected to pay for certificates 2. Inefficiency of HTTPS Computation and communication overhead 17

18 HTTPS to Secure the Web Authentication problems Costs Annual cost $500 Websites tend to use self-signed certificates Failure Authentication can fail (MitM attacks against self-signed cert.) Browser security warnings might deter users from visiting website Not trivial to implement and deploy Incentives Websites buy certificates to help users and advertisers Overhead Problems Computation and communication overhead Gradual deployment of HTTPS only by major companies 18 Most of the costs imposed on websites!

19 Collaborative Approach to Securing Online Advertising Provides: 1.Authenticity Ad servers with valid certificates as sources of trust 2.Data Integrity Light-weight authenticated hash-chains 19 Data Integrity in Advertising Services Protocol (DIASP) Websites and ad servers share the costs!

20 DIASP Primitive: H – one way hash function Verify the data integrity and authenticity of a message m: Verify the signature and the hashes of the packets of AH(m) 20 signed H (L 1 ) PkPk END LkLk H (L k ) P k-1 L k-1 H (L 3 ) P2P2 L2L2 H (L 2 ) P1P1 L1L1 P1P1 P2P2 PiPi P k-1 PkPk Web page split into k equally-sized packets Authenticated Hash-chain (AH) AH:

21 DIASP v.1 HTTP 21 Website Ad Server User 1. Page Request 5. page, hash-chain H (L 1 ) 3.3. signed AS H (L 1 ) 4.4. 6. Ads Request 8.ads, hash-chain P’ k END L’ k H (L’ 2 ) P’ 1 L’ 1 signed AS H (L’ 1 ) 7.7. H (L 1 ) PkPk END LkLk H (L 2 ) P1P1 L1L1 2.2. HTTPS Cert

22 DIASP v.1: Pros & Cons Pros: Users verify data integrity upon packet arrival Browsers dynamically render a web page as soon as the first packet of the hash-chain is received Allows to independently check the integrity of the two communication channels: Between the user and the website Between the user and the ad server Cons: Requires 2 signatures per web page hosting ads Uses cross domain signatures (incompatible with the current browser implementation) 22

23 DIASP v.2 23 Website Ad Server User 1. Page Request 4. page, hash-chain H (L 1 ) PkPk END LkLk H (L 2 ) P1P1 L1L1 2.2. H (L 1 ) 3.3. 5. Ads Request 7.ads, hash-chain signed AS H (L’ 1 ) H (L 1 ) P’ k END L’ k H (L’ 2 ) P’ 1 L’ 1 6.6. H (L’ 1 ) H (L 1 ) HTTP HTTPS Cert

24 DIASP v.2: Pros & Cons Pros: Requires only 1 signature per web page hosting ads Solves the problem of cross domain signatures (compatible with the current browser implementation) Cons: May add some delay in rendering web pages (cannot verify data integrity before receiving the signed element from the ad server) Browsers make several requests in parallel Links to ASs at the beginning of HTML pages Requires AS to always be available 24

25 Evaluation of DIASP Loading time of an average size.com web page [1] 250KB content from WS and 51KB ads from AS Sequential requests Apache benchmark software Localhost server with HTTP and HTTPS DIASP v.1 ~ 9 times faster than HTTPS DIASP v.2 ~ 11 times faster than HTTPS 25 [1] B. Krishnamurthy and C. Wills, Cat and Mouse: Content delivery tradeoffs in web access, WWW 2006.

26 Conclusion Man-in-the-Middle Attacks on Online Advertising Easy to perform Threaten the Internet business model Provide incentives to secure online advertising Collaborative Approach to Securing Online Advertising: DIASP Ad Servers protect the ad revenue Publishers do not need to acquire valid certificates Users benefit from the secure Web as a “side effect” 26

Download ppt "Integrity of the Web Content: The Case of Online Advertising Nevena Vratonjic Julien Freudiger Jean-Pierre Hubaux August 2010, Usenix CollSec’10."

Similar presentations

The Internet and the Web

The Internet and the Web
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.

HTTPS and the Lock Icon Dan Boneh. Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating.
Setting up Https:// Joshua Sanford David Sanchez.

Setting up Joshua Sanford David Sanchez.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.

Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.
Breaking Trust On The Internet

Breaking Trust On The Internet
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.

The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.
C HAPTER 4 W EB H OSTING. I. I NTRODUCTION To make your Web site visible to the world, it has to be hosted on a Web server. In this tutorial we will teach.

C HAPTER 4 W EB H OSTING. I. I NTRODUCTION To make your Web site visible to the world, it has to be hosted on a Web server. In this tutorial we will teach.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.

The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.
Security Games in Online Advertising: Can Ads Help Secure the Web? Nevena Vratonjic Maxim Raya Jean-Pierre Hubaux June 2010, WEIS’10 David C. Parkes.

Security Games in Online Advertising: Can Ads Help Secure the Web? Nevena Vratonjic Maxim Raya Jean-Pierre Hubaux June 2010, WEIS’10 David C. Parkes.
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
CLICK FRAUD Alexander Tuzhilin By Vinny Rey. Why was the study done? Google was getting sued by advertisers because of click fraud. Google agreed to have.

CLICK FRAUD Alexander Tuzhilin By Vinny Rey. Why was the study done? Google was getting sued by advertisers because of click fraud. Google agreed to have.
Security Warnings TROPE: Teachers’ Resources for Online Privacy Education www.teachingprivacy.org 1.

Security Warnings TROPE: Teachers’ Resources for Online Privacy Education 1.

Similar presentations

Ads by Google