Web Insecurity: 7 Steps We Should Demand of Advertisers

Monday, September 12, 2011

Chris Weber

Bddd055f2567b4952d8416e168aace64

Article by Dr. John Michener, Chief Scientist at Casaba, LLC 

In the past few years, an escalating battle between website designers and the developers of advertisement blocking browser plugins has turned Web security on its head – and made so-called ‘trustworthy’ websites less safe for the average person.

It’s a conflict most of us are familiar with: websites depend on advertising to make money, so they need those ads to be effective; but certain advertising strategies, like pop-ups and pop-unders, are so annoying that most browsers felt compelled to block or disable them for their users.

To compound the threat to advertisers, advertising blocking plugins for browsers were developed. This posed a huge threat to website operating revenues, so developers countered by making it harder for browsers to identify ads as external content, and instead made them appear to be content from the actual website.

Which leads us to the problem we face today.

Browser security is inherently based upon the source of the material being displayed in the browser: “The Same Origin Policy” which allows the web site and its advertising to be treated differently.

The subversion of ad-blocking technology, by obscuring the origin of advertising content, has created a unique opportunity for online criminals. Today’s hackers increasingly use the advertising platform as a clandestine way to attack visitors to legitimate websites - using malicious ad swaps, drive-by downloads, clickjacking, etc.

Because browser plugins and user software can’t distinguish the true origin of the ad content, browser-based security controls are neutralized and consumers have no way of knowing if a particular website is truly safe.

Here are the most common tactics used by website developers, which are causing the problem:

  • Host adds from their own domain
  • Use scripting functionality (typically JavaScript) running in the client to proxy advertising into their domain
  • Use internal redirects to hide the origin of both content and advertising so that their origin is effectively indistinguishable 
  • Filter file and folder names to prevent recognition and randomize frame sizes to block filtering by frame sizes
  • Rely upon third party scriptable display environments that are not managed by the browser (such as Adobe’s Flash and ShockWave and Microsoft’s Silverlight)

We can expect the same scenario to unfold on tablets, smartphones and other mobile devices as well. 

As a consequence of these developments, the modern web environment is so lacking in trustworthiness that a cautious user who wants to be able to conduct trustworthy transactions needs at a minimum to use some form of functional isolation for web functionality in combination with other domain appropriate controls (anti-malware, scripting controls, etc.).

The advertising industry can (and should) mitigate the threat of advertising malware by constraining the capabilities of advertising scripting to address arbitrary content, proxying advertising content, and filtering advertising content for malware.  

Here are seven security essentials that web servers and advertisers must undertake:

  • The web server must require that the advertising service/platform be responsible for verifying that the advertising that it supplies is not malicious.
  • If a web site hosts important functionality (defined as handling information or performing functionality whose disclosure or tampering would harm  the web site owner and / or the user), the web site must – at a minimum -  place this functionality in a different domain than that used to host third party advertising
  • If a web site is supporting transactions of significant value or handling highly sensitive data (such as medical information), supporting third party advertising is unwise. Indeed, in such cases the user should be advised to close their browser, open it to the site in question using SSL/TLS(HTTPS), and close it afterwards.
  • Companies should restrict the links and functionality of scripting in advertisements so that the only addresses that the advertisement can “call” are explicitly stated and would be redirected/rewritten by the advertising network running it
  • They should also proxy and audit those advertisements to provide higher assurance   Advertising services should run anti-malware scans on the advertising content when it loads it and then rerun these scans whenever the advertising content or links change. 
  • They should also restrict advertisements that come via subrogation from calling for content from any locations except the specified addresses that the subrogation service will proxy. Additionally, they should require that subrogating services also proxy and scan the advertisements that they supply.
  • Content and links should be audited and logged including the chain of responsibility so that if an advertisement supplied by a subrogation service is compromised, the responsibility can be properly assigned.

While there are security precautions the user can take, the easy ones such as AV updates and link-checking services are ineffective against these attacks; the irritating ones such as blocking script functionality altogether can break the website functionality; and the effective defense of managing and running multiple isolated environments requires changes in usage patterns that many users will find infuriating.

Businesses and advertisers will both be hurt if consumers loose trust in their devices and on-line purchasing. Due to the escalating risk to users, and the difficulty of providing adequate security at the browser or device level, it is incumbent upon the website owners and advertisers to harden their online platforms against malicious activity. It is their customers, us, who are being harmed.

Possibly Related Articles:
5015
Webappsec->General
Information Security
Browser Security Advertising malware Clickjacking Malicious Code Scripting drive-by attacks
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.