OFFENSE PRESENTATION

FOR ADJAILStephen Duraski and Allen Zeng

Motivation for Implementation?

• A class of rogue ads, those that involve social engineering, depend on the content of the ads.

• Content such as fake anti-virus scanners etc, are not actually prevented by this system, which has no controls on the content of the ad.

• The New York Times example

Difficulty for each publisher to implement

• This system requires a significant rewrite for the ad portion of a publisher's page.

• Is the time spent on the implementation worth it since any mistakes would threaten the publishers ability to make money from their site.

Rendering a shadow page for each ad?

• Every ad will need a separate shadow page with a unique URI, this increases complexity and difficulty of maintaining a site.

• Sites often use multiple ad networks simultaneously, AdJail would require potentially managing a large number of extra domains for proper use of the Same-Origin Policy

Overhead Time

•Paper states that rendering time is increased by 1.69%• NOT an insignificant amount of time• ~400ms to ~700ms for Google Ads

•Advertisers will not appreciate their ads being rendered slowly, and may react negatively

•Amazon loses 1% of sales for every 100ms delay: • http://

www.exp-platform.com/Documents/IEEEComputer2007OnlineExperiments.pdf

•Google: “Experiments demonstrate that increasing web search latency 100 to 400 ms reduces the daily number of searches per user by 0.2% to 0.6%.”

• http://services.google.com/fh/files/blogs/google_delayexp.pdf

•Google revenue dropped 20% in an experiment that slowed the page down by 0.5 seconds

• http://glinden.blogspot.com/2006/11/marissa-mayer-at-web-20.html

Usability and Scalability Issues

• Currently uses Regular Expressions for textual transformation

• Cannot possibly do this for the hundreds of existing Ad Networks o Will ultimately work for some but fail for most

Real - Shadow Page Communication

• "To facilitate voluntary communication between the two pages, we leverage the window.postMessage() browser API. postMessage() is an inter-origin frame communication mechanism that enables two collaborating frames to share data in a controlled way, even when SOP is in effect"

• What prevents the ads from using the same API call to send its own data?

What happens with bad ads?

• Ad contains code with "unallowed" javascript codeo Gets rendered on Shadow Page - is

anything communicated to the Ad Network / User that content was blocked?

• Does ad network get charged?o Unclear in paper

Evaluation Issues

• What test pages were used? o No examples given

• Parameters of tests were modified for each Ad Network such that it would work