Laboratory for Communications and Applications LCA

PRIVACY AND SECURITY OF ONLINE ADVERTISING

 


The Internet economy relies on online advertising as the main business model for monetizing online content. Over the last decade, online advertising has become a major component of the Web, leading to large annual revenues (e.g., $26.04 billion in the US in 2010). Given the ad revenue at stake and the lack of legislation against ad fraud in many countries, fraudsters have an economic incentive to engage in fraudulent activities and exploit online advertising systems. In our work, we evaluate the threat to online advertising systems, identify vulnerabilities and exploits of the system, propose countermeasures, and evaluate the economic incentives of the stakeholders to deploy secure solutions.

A general introduction to online advertising system models, an overview of the known system vulnerabilities, and a classification of the identified attacks and countermeasures can be found here.

 

Inflight Modification of Ad Traffic

 

Our work focuses on a novel type of ad fraud that consists of inflight modification of ad traffic (e.g., by ISPs, hotspots or botnets of compromised access points). We identify possible exploits of the advertising systems and propose secure solutions to thwart such attacks. We also evaluate the economic incentives of the involved stakeholders, notably ad networks, to invest in secure solutions in order to protect their revenue.

 

Towards Privacy-Friendly Online Advertising

 

Internet advertising is a very successful form of advertising as it provides an easy and effective way for advertisements to be targeted to individual users' interests. Obviously, learning users' private information is of tremendous importance for the success of targeted advertising and its business model. This leads the stakeholders (e.g., the ad networks) to deploy mechanisms to profile users. Currently, the most widely deployed techniques to track users' activities online are mostly based on exploiting client-side browser state (e.g., third-party cookies). Unfortunately, these techniques can allow access to users' browsing information and lead to the identification of users. Users are thus in need of a way to control the sharing of their browsing information with advertisers in order to protect their privacy. We propose a privacy-preserving cookie-management mechanism that enables advertisements to have discrimination capabilities without allowing for excessive tracking of users.

 

The Inconvenient Truth about Web Certificates

 

Authentication of publishers' Web servers and ad networks' ad servers is a necessary part of the proposed solutions to secure online advertising systems. The de facto solution for authentication on the Internet is based on digital certificates. Yet, the provided security is dubious, notably because of the obscure management of digital certificates. We investigate this problem and provide a large-scale empirical analysis of the current deployment of certificate-based authentication.