2. Kazuhiro Kosaka
- Working for CyberAgent, Inc. since 2009.
- Pigg [Java/Flash]
- Feature-phone Browser Games [Java]
- Core technology for games [a Flash Player written in HTML5/JavaScript/Java, dubbed “Swine”]
- Smartphone Browser Games [JavaScript/HTML/Java]
- Smartphone Native Games [Node.js/Java/Unity C#]
- MDH Ad-technology [Scala/Golang]
- @hyperdash
9. 1. Intelligent Tracking Prevention
- Apple, Inc. announced “Intelligent Tracking Prevention [ITP]” at WWDC 2017.
- As a new WebKit feature.
- Not a sort of ad blocker.
- Developers of WebKit-based browsers other than Safari might enable ITP in their products as well?
- “They're gobbling up everything they can learn about you and trying to monetize it. We think that’s
wrong.” — Tim Cook, at the Electronic Privacy Information Center, 2015
- Third-party cookies will be exterminated?
Source:
https://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy
10. How does ITP work?
If the user has not interacted with example.com in the last 30 days, example.com website data and cookies are immediately purged and continue to be purged if new data is added. However, if the user interacts with example.com as the top domain, often referred to as a first-party domain, Intelligent Tracking Prevention considers it a signal that the user is interested in the website and temporarily adjusts its behavior as depicted in this timeline:
Source:
https://webkit.org/blog/7675/intelligent-tracking-prevention/
11. 2. Better Ads Standards
- Proposed by The Interactive Advertising Bureau [Google/Facebook/etc.]
- Google has announced that Chrome will start blocking ads that don’t meet the standards in early 2018.
- Does not directly affect cookies.
- The era of ethical internet ads is coming.
- We need to follow their actions and trends carefully.
Source:
https://www.betterads.org/
12. What kind of ads are out of the standards?
Source:
https://www.betterads.org/standards
18. ETag
- Part of HTTP, providing web cache validation.
- Client: Requests content from a web server.
- Server: Responds with the web content and an ETag as an HTTP response header value.
- Client: The browser caches the ETag.
- Client: Requests the content again; the browser appends the cached ETag automatically.
- Server: If the ETag matches the value on the web server, the server responds with HTTP 304 Not Modified.
- Setting an identifier as the ETag makes it work like a cookie.
Source:
https://en.wikipedia.org/wiki/HTTP_ETag
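The following added example (not from the slides or any project they mention) shows the two sides of the mechanism just described: a server that derives its ETag purely from the content bytes, so that the validation step cannot single out a user, and a small audit over constructed observations that flags a resource whose ETag varies between clients even though the body they received is identical. The `SAMPLE_OBSERVATIONS` values, paths and digests are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

def content_etag(body: bytes) -> str:
    """Strong ETag derived only from the representation's bytes.
    Every client fetching the same bytes receives the same tag, so the
    tag carries no per-user information."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'

def handle_get(body: bytes, if_none_match: Optional[str]) -> Tuple[int, Dict[str, str], bytes]:
    """Server side of HTTP cache validation.
    Returns (status, headers, body): a matching If-None-Match yields 304
    with an empty body, anything else yields 200 with the content."""
    tag = content_etag(body)
    if if_none_match is not None:
        # If-None-Match may list several tags; "*" matches any representation.
        # Weak validators (W/"...") are treated as non-matching here for simplicity.
        presented = [t.strip() for t in if_none_match.split(",")]
        if "*" in presented or tag in presented:
            return 304, {"ETag": tag}, b""
    return 200, {"ETag": tag, "Cache-Control": "max-age=60"}, body

# Constructed observations: (client, path, etag, digest of the body received).
SAMPLE_OBSERVATIONS = [
    ("c1", "/app.js", '"3f2a"', "d1"),
    ("c2", "/app.js", '"3f2a"', "d1"),       # same bytes, same tag: normal caching
    ("c1", "/pixel.gif", '"u-1001"', "d2"),
    ("c2", "/pixel.gif", '"u-1002"', "d2"),  # same bytes, different tag per client
]

def audit_etags(observations: Iterable[Tuple[str, str, str, str]]) -> list:
    """Return paths whose ETag differs between clients although the body
    they received (by digest) was identical. A content-derived ETag can
    never trip this check; an identifier used as an ETag will."""
    seen = defaultdict(lambda: defaultdict(set))  # path -> digest -> {etags}
    for _client, path, etag, digest in observations:
        seen[path][digest].add(etag)
    return sorted(path for path, by_digest in seen.items()
                  if any(len(tags) > 1 for tags in by_digest.values()))

if __name__ == "__main__":
    status, headers, _ = handle_get(b"hello", None)
    print(status, headers["ETag"])
    print(handle_get(b"hello", headers["ETag"])[0])  # 304
    print(audit_etags(SAMPLE_OBSERVATIONS))           # ['/pixel.gif']
```

The audit needs the body digest as well as the tag because a legitimately personalised response (different bytes per client) will legitimately carry different ETags; only "same bytes, different tag" is the signature of the ETag-as-cookie pattern on the slide.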
21. HSTS [HTTP Strict Transport Security]
- Allows web servers to declare that web browsers should only make requests over HTTPS connections.
- An HSTS PIN for each domain is stored in the browser.
- The HSTS PIN is a pattern of the domain and its subdomains, with HSTS enabled or not, as a series of bits [= binary].
- The PIN is read by checking whether requests to the domain and the subdomains are redirected or not.
- The HSTS PIN can be read even in incognito mode.
- Fixed in Firefox.
- Safari stores the HSTS PIN in iCloud and it cannot be removed, but the PIN may change regularly and automatically? [unconfirmed]
- Still available in Chrome. [unconfirmed]
Sources:
http://www.radicalresearch.co.uk/lab/hstssupercookies/
http://dev.classmethod.jp/client-side/browser/hsts-super-cookies/
http://dechnostick.hatenablog.com/entry/2015/01/09/003000
22. HSTS [HTTP Strict Transport Security]
Source:
http://www.radicalresearch.co.uk/lab/hstssupercookies/
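The slides describe the PIN as a bit pattern spread across many subdomains, which means reading or writing it requires one request per bit. The added example below (not code from the slides or from the linked articles) turns that property into a detection heuristic over constructed proxy log lines: a single client contacting an unusually large number of sibling subdomains of one parent domain within a short window. The log format, hostnames and thresholds are assumptions; sharded CDN hostnames can also match, so the output is a lead to investigate rather than proof of tracking.

```python
from collections import defaultdict

# Constructed proxy log lines, one request each: "timestamp client host status".
SAMPLE_LOG = [f"{1000 + i} c1 b{i}.pin.example 200" for i in range(16)] + [
    "1001 c1 cdn1.site.example 200",
    "1002 c1 cdn2.site.example 200",
    "1003 c1 www.site.example 200",
    "2001 c2 www.site.example 200",
]

def parent_domain(host: str) -> str:
    """Simplification: take the last two labels. Production code should use
    the public suffix list so that e.g. co.uk is not treated as a parent."""
    return ".".join(host.split(".")[-2:])

def detect_sibling_bursts(lines, min_subdomains: int = 8, window: int = 60) -> list:
    """Return parent domains for which one client contacted at least
    `min_subdomains` distinct subdomains within `window` seconds."""
    visits = defaultdict(list)  # (client, parent) -> [(timestamp, host)]
    for line in lines:
        ts, client, host, _status = line.split()
        visits[(client, parent_domain(host))].append((int(ts), host))

    flagged = set()
    for (client, parent), seen in visits.items():
        seen.sort()
        # Slide a window over the sorted timestamps and count distinct hosts.
        for start_ts, _ in seen:
            hosts = {h for ts, h in seen if start_ts <= ts <= start_ts + window}
            if len(hosts) >= min_subdomains:
                flagged.add(parent)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(detect_sibling_bursts(SAMPLE_LOG))  # ['pin.example']
```

The threshold should be tuned on real traffic: a 32-bit identifier needs 32 sibling hosts, so `min_subdomains` can be set well above what ordinary asset sharding produces for the sites you care about.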
25. Image Cache + Canvas
- Using the browser cache as storage.
- Using images as identifiers.
- Server: Encodes an identifier into a PNG’s tEXt chunk or into its pixels.
- Client: The browser caches the image.
- Client: Decodes the image back into the identifier with the Canvas API and passes it to the server.
Source:
https://www.esat.kuleuven.be/cosic/publications/thesis-289.pdf
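Since the slide names the PNG tEXt chunk as one place an identifier can be hidden, the added example below (written for this page, not taken from the slides or the cited thesis) is a minimal, CRC-checking PNG chunk parser that lists the textual metadata of an image and flags a tiny image that carries such metadata. `build_sample_png` only exists to construct an offline test image; the key/value pair it writes is a constructed placeholder, not a real tracking format.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(text_fields) -> bytes:
    """Constructed 1x1 8-bit grayscale PNG with optional tEXt chunks.
    Sample input only; not a real beacon."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for key, value in text_fields:
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    png += _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    return png + _chunk(b"IEND", b"")

def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break

def text_chunks(png: bytes) -> list:
    """Return every tEXt key/value pair in the image."""
    found = []
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found.append((key.decode("latin-1"), value.decode("latin-1")))
    return found

def looks_like_beacon(png: bytes, max_pixels: int = 4) -> bool:
    """Heuristic: an image of at most `max_pixels` pixels that still carries
    textual metadata deserves a closer look in a cache audit."""
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
            return width * height <= max_pixels and bool(text_chunks(png))
    raise ValueError("IHDR missing")

if __name__ == "__main__":
    sample = build_sample_png([("Comment", "constructed-sample")])
    print(text_chunks(sample), looks_like_beacon(sample))
```

Identifiers hidden in pixel values rather than metadata are not caught by this check; comparing the decoded pixels of the same cached URL across two profiles is the corresponding audit for that variant.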
27. Fingerprintings
- Fingerprinting = taking a fingerprint by hashing the characteristics of various properties.
- Using fingerprints as cookies.
- The entropy of any single fingerprinting method is not high enough to identify users.
- The entropy can be increased by combining multiple fingerprints.
Source:
https://www.esat.kuleuven.be/cosic/publications/thesis-289.pdf
28. Fingerprintings
- Browser Fingerprinting - Plugins/System Fonts/User Agent/Screen/HTTP Accept Headers/etc.
- Canvas Fingerprinting - Exploiting differences in how the same image is rendered with Canvas.
- Font-based Fingerprinting - Via Flash/Java/JavaScript, measuring the dimensions of rendered text.
- Device Fingerprinting - Via Flash/Java/JavaScript/Plugins/Extensions, collecting device information.
- etc
Source:
https://www.esat.kuleuven.be/cosic/publications/thesis-289.pdf
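The two fingerprinting slides say that single attributes carry too little entropy but that combining them raises it. The added example below (my illustration, not code from the slides or the cited thesis) makes that measurable: it computes the Shannon entropy of each attribute over a constructed population of eight browsers, the entropy of the combined tuple, and the fraction of users whose combination is unique. Attribute names and values are constructed; a real assessment would use telemetry from your own user base.

```python
import math
from collections import Counter

# Constructed population: eight browsers, four attributes each.
SAMPLE_POPULATION = [
    {"ua": "A", "screen": "S1", "tz": "T1", "fonts": "F"},
    {"ua": "A", "screen": "S1", "tz": "T2", "fonts": "F"},
    {"ua": "A", "screen": "S2", "tz": "T1", "fonts": "F"},
    {"ua": "A", "screen": "S2", "tz": "T2", "fonts": "F"},
    {"ua": "B", "screen": "S1", "tz": "T1", "fonts": "F"},
    {"ua": "B", "screen": "S1", "tz": "T2", "fonts": "F"},
    {"ua": "B", "screen": "S2", "tz": "T1", "fonts": "F"},
    {"ua": "B", "screen": "S2", "tz": "T2", "fonts": "F"},
]

def entropy_bits(values) -> float:
    """Shannon entropy H = -sum p(v) log2 p(v) of the observed distribution."""
    values = list(values)
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def attribute_entropies(population) -> dict:
    """Entropy contributed by each attribute on its own."""
    keys = population[0].keys()
    return {k: entropy_bits(p[k] for p in population) for k in keys}

def combined_entropy(population, keys) -> float:
    """Entropy of the tuple formed by the chosen attributes. This is at least
    the largest single-attribute entropy and at most their sum; the sum is
    reached only when the attributes are independent."""
    return entropy_bits(tuple(p[k] for k in keys) for p in population)

def unique_fraction(population, keys) -> float:
    """Share of users whose attribute combination occurs exactly once,
    i.e. who are fully identifiable by that fingerprint."""
    combos = Counter(tuple(p[k] for k in keys) for p in population)
    return sum(1 for c in combos.values() if c == 1) / len(population)

if __name__ == "__main__":
    print(attribute_entropies(SAMPLE_POPULATION))
    print(combined_entropy(SAMPLE_POPULATION, ["ua", "screen", "tz"]))
    print(unique_fraction(SAMPLE_POPULATION, ["ua", "screen", "tz"]))
```

For a defender the useful quantity is `unique_fraction`: it says how many users a given set of attributes would single out. Reducing it (by reporting coarser values, as browsers do when they round screen sizes or freeze user agent strings) is the mitigation side of the same arithmetic.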
31. Evercookie
- An OSS project by Samy Kamkar.
- https://github.com/samyk/evercookie
- Implements a super cookie.
- 17+ super cookies in one JavaScript library.
- As long as at least one of them is still alive, Evercookie makes all of them respawn.
=> Respawning
Source:
https://www.esat.kuleuven.be/cosic/publications/thesis-289.pdf
36. Rakuten ad4U
- Developed by Drecom Co., Ltd. in 2008.
- Livedoor Co., Ltd. [LINE Corporation] also launched it as livedoor ad4U.
- Non-cookie-based targeting technology enabled by a browser vulnerability.
- An article on NIKKEI NET revealed the technology behind ad4U and made it controversial.
- They only provided a one-year opt-out.
- Users and some players in the field criticized them for it.
- The vulnerability has been fixed since 2010, and they had to stop their services.
Source:
https://ja.wikipedia.org/wiki/楽天ad4U
40. Conclusion
- Intelligent Tracking Prevention [Apple]
- Better Ads Standards [Google/Facebook]
- Alt-Cookies
- Super Cookie
- ad4U
- Do the ethically right things, or ruin internet ads.
- For the future of internet ads, be more careful with these matters.