Technical Integration Working Group Meeting Single Point of Failure Analysis 20 April 2017

Post on 30-May-2020

Technical Integration Working Group Meeting

Single Point of Failure Analysis

20 April 2017

The Goal

• Discuss deployment options / best practices

• Surface technical concerns, requests, etc.

• Facilitate progress:

– Testing and results

– Cross-team coordination, within your orgs

– Across all members (publishers + platforms)

• Determine joint deployment dates

Agenda Today: Single Point of Failure Analysis

• Technology overview + dependencies

• Failure scenarios

– Description

– Adverse effect

– How to address (mitigating factors)

Critical Solution Delivery Components

• Zero managed infrastructure

• Fault-tolerant CDN

• JavaScript libraries

– Client-side execution only

• Decentralized storage of encrypted ID

– Replicated across DigiTrust cookie space, plus every publisher’s cookie space

• Decryption APIs

– Batch distribution; applied server-side

Solution Delivery

[Diagram components: Browser Client, Web Resource, Akamai CDN, Third Parties]

(1) HTTP Request and HTML returned

(2) JavaScript

(3) ID generated / read by third parties via JavaScript API

(4) ID read by Web site from their cookie space and passed to third parties

JavaScript Execution

1. The digitrust.js resource creates an iframe

– Requires valid member ID and site ID

2. An ID is requested of the iframe by the parent JavaScript via iframe message passing

3. An unencrypted ID is read (if present) from cookies in the digitru.st domain, encrypted, and returned to the parent frame in encrypted form

4. The encrypted ID is written to a cookie in each publisher’s domain
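
The check the parent page needs in steps 2 to 4 before it trusts a message and writes the publisher cookie, as an added example (not DigiTrust code). The iframe origin, message type, field name, cookie name and iframe id are hypothetical; the 30 day lifetime is the publisher cookie expiration stated in this deck.

```javascript
// Added example, not DigiTrust code. Names below are hypothetical.
const IFRAME_ORIGIN = "https://digitru.st"; // assumed exact origin of the iframe
const MAX_AGE = 30 * 24 * 60 * 60;          // publisher cookie: 30 day expiration

// Decide whether a "message" event is the iframe's ID response.
// Returns the cookie string to write, or null if the event must be ignored.
function handleIdResponse(event, iframeWindow) {
  // Exact string match: prefix or regex checks let lookalike origins through.
  if (event.origin !== IFRAME_ORIGIN) return null;
  // The sender must be the frame this page created, not any other window.
  if (event.source !== iframeWindow) return null;
  const msg = event.data;
  if (!msg || msg.type !== "id.response") return null;
  // The encrypted ID is opaque to the publisher page: accept only a
  // bounded base64 string so nothing else can reach the cookie jar.
  if (typeof msg.encryptedId !== "string" ||
      !/^[A-Za-z0-9+/]{16,1024}={0,2}$/.test(msg.encryptedId)) return null;
  return `DigiTrustDemo=${encodeURIComponent(msg.encryptedId)}; ` +
         `Max-Age=${MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Browser wiring (skipped when the file is run under Node).
if (typeof window !== "undefined") {
  const frame = document.querySelector("iframe#dt-demo"); // hypothetical id
  window.addEventListener("message", (e) => {
    const cookie = handleIdResponse(e, frame.contentWindow);
    if (cookie) document.cookie = cookie;
  });
}
```

Without the origin and source checks, any script or frame on the page can post a fabricated ID or opt-out, which is the cookie manipulation scenario listed among the failure cases.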

Decentralized, Replicated Storage

• ID and opt-outs are first set within DigiTru.st cookie, then propagated out to all publisher cookies

• DigiTrust JS required in browser for IDs to be set or read

• Publishers may read from their own cookie space

DIGITRU.ST domain cookie

• Unencrypted ID

• Privacy settings:

– Consent timestamp, or

– Self regulatory opt-out

• 5 year expiration

PUBLISHER domain cookie

• Encrypted ID

• Privacy settings:

– Consent timestamp, or

– Self regulatory opt-out

• 30 day expiration

Critical Failure Scenarios

1. CDN failure

2. CDN contents are hacked

3. Ad blockers block digitru.st domain

4. Cookie manipulation (malicious or unintended)

5. Erroneous software updates by DigiTrust

6. Browsers explicitly block DigiTrust

7. Malicious man in the middle

CDN Failure – Adverse Effects

• Examples:

– General CDN failure, isolated failure, DigiTrust incompetence, DNS failure, failure to pay, etc.

• Potential effects:

– CDN failure will eventually result in failure to load JavaScript, once expired from browser cache

– Temporary failure to generate new IDs

– Temporary failure to read ID from DigiTrust cookie

– Temporary failure of IDs to propagate to publisher cookies

– Temporary failure of new opt-outs to propagate

Mitigating CDN Failure

• Akamai failure breaks most of the Web anyway

• Performance-based DNS across multiple CDNs

• Industry won’t rely on single identifier overnight

• Browser caching of assets

• Encrypted ID still available in publisher cookie space

Hacked CDN Contents – Adverse Effects

• Example:

– JavaScript contents modified to distribute malware, muck with page content, etc.

• Potential effects:

– Malicious updates to cookie containers

– Temporary failure to generate new IDs

– Temporary failure to read ID from DigiTrust cookie

– Temporary failure of IDs to propagate to publisher cookies

– Temporary failure of new opt-outs to propagate

Mitigating Hacked CDN Contents

• Utilize Akamai

– industry-leading CDN and security

• Utilize Subresource Integrity (SRI)

– security feature (using cryptographic hash) that enables browsers to verify that the files they fetch are delivered without unexpected manipulation.

<script src="https://example.com/framework/example-v1.12.39.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
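
How the integrity value in a tag like the one above is produced and how a browser evaluates it, reproduced with Node's crypto module as an added example (not DigiTrust code). The script bytes are constructed samples and all function names are hypothetical.

```javascript
const crypto = require("crypto");

// Strength order from the SRI spec: only the strongest listed algorithm is checked.
const ALGOS = ["sha256", "sha384", "sha512"];

// Value for the integrity="" attribute of a <script> tag.
function sriHash(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// Split the attribute into "algo-base64" tokens; unsupported algorithms
// and malformed tokens are dropped, as a browser would drop them.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], value: `${m[1]}-${m[2]}` }));
}

// True if bytes fetched from the CDN would be allowed to execute.
function sriAllows(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable metadata means no check at all
  const rank = (e) => ALGOS.indexOf(e.algo);
  const best = Math.max(...entries.map(rank));
  return entries
    .filter((e) => rank(e) === best)
    .some((e) => e.value === sriHash(body, e.algo));
}

// Constructed sample bytes: the file the publisher reviewed and pinned,
// and the same file after an unexpected change on the CDN.
const reviewed = Buffer.from("window.demoLib={version:'1.0.0'};");
const modified = Buffer.from("window.demoLib={version:'1.0.0'};/*changed*/");
const pinned = sriHash(reviewed);

// Summary of the cases worth knowing before relying on SRI.
function demo() {
  return {
    reviewedLoads: sriAllows(reviewed, pinned),
    modifiedBlocked: !sriAllows(modified, pinned),
    // A weaker hash that matches cannot override the sha384 entry.
    weakerHashIgnored: !sriAllows(modified, `${sriHash(modified, "sha256")} ${pinned}`),
    // An attribute with only unsupported algorithms gives no protection.
    unsupportedAlgoUnchecked: sriAllows(modified, "md5-AAAAAAAAAAAAAAAAAAAAAA=="),
  };
}

console.log(demo());
```

Because the hash pins exact bytes, the tag must reference an immutable, versioned file, and every library release requires publishers to update the integrity value. SRI applies to script and link elements only, so it does not cover content loaded inside an iframe.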

Ad Blocking – Adverse Effects

• Example:

– Consumers download ad blockers en masse, which blocks all DigiTrust requests

• Potential effects:

– Failure to generate new IDs

– Failure to read ID from DigiTrust cookie

– Failure of IDs to propagate to publisher cookies

– Failure of new opt-outs to propagate

Mitigating Ad Blocking

• DigiTrust doesn’t solve this industry issue

– Doesn’t matter if there is a better ID, or no ID

– Ads won’t serve anyway

• Best practices for publishers:

– Help make pages load faster; smaller payload (LEAN)

– Detect ad blocking and engage with consumer (DEAL)

  • DigiTrust JS intends to offer built-in ad blocker detection

– Tie to regulatory disclosures / consent (in EU)

Cookie Manipulation – Adverse Effects

• Example:

– Device apps, browser add-ons or malware/viruses manipulating DigiTrust cookie containers

• Potential effects:

– Duplicated IDs

– Deleted IDs

– Fabricated opt-outs

Mitigating Cookie Manipulation

• Mitigating factors:

– Tough to battle software installed on devices

– Not likely to scale quickly

– Work with members to monitor and catch early

– Work with industry to address

• Best practices for publishers:

– Detect and engage with consumer

Erroneous Software Updates – Adverse Effects

• Example:

– High severity bug deployed across all publishers

• Potential effects:

– Temporary or permanent failure to provide ID

– Duplicated IDs

– Deleted IDs

– Erroneous opt-outs

Mitigating Erroneous Software Updates

• Semver-based deployments

– Upgrades occur on individual publisher timelines

• Peer code reviews

• Rigorous commit policies + procedures

• Automated browser testing

• Staged releases

Browsers Blocking DigiTrust – Adverse Effects

• Example:

– Safari update blocks DigiTrust requests / cookies

• Potential effects:

– Automated opt-out

– Deleted IDs

– Blocked requests

– No ID available for the industry

Mitigating Browsers Blocking DigiTrust

• Establish relationships proactively

• Communicate mission and consumer benefit

• Offer participation

• Broad industry support compels cooperation

– Leading industry trade groups

– Leading brand-name publishers

• Rely on publisher relationship with audience

Malicious Man in the Middle – Adverse Effects

• Example:

– Proxy or other between the device and DigiTrust

– ISP attempting to alter content

– Malicious attacker

• Potential effects:

– Content modification for any purpose

Mitigating Malicious Man in the Middle

• SRI + HTTPS make this a non-issue

<script src="https://example.com/framework/example-v1.12.39.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>

Thank you for your time!

Any questions …?

Jordan Mitchell, CEO
