Spectre, Meltdown, Adtech, Malware, and Encryption


This week has seen a lot of attention paid to Spectre and Meltdown, and justifiably so. Get the technical details here: https://spectreattack.com/

These issues are potentially catastrophic for cloud providers (see the details in the articles linked above) but they can also affect regular users on the web. While there are updates available for browsers that mitigate the attack, and updates available for most major operating systems, updates only work when they are applied, which means that we will almost certainly see vulnerable systems into the foreseeable future.

I was very happy to see both Nicholas Weaver and Zeynep Tufekci addressing the connection between these vulnerabilities and adtech. 

Adtech leaves all internet users exposed to malware - it has for a while, and, in its current form, adtech exposes us to unneeded risk (as well as compromising our privacy). This risk is increased because many commonly used adtech providers do not support or require encryption.

To examine traffic over the web, use an open source tool like OWASP ZAP. If you are running a Linux machine, routing traffic through your computer and OWASP ZAP is pretty straightforward if you set your computer up to act as an access point.

But, using these basic tools, it's simple to see how widespread the issue of unencrypted adtech actually is, in both web sites and mobile applications (on a related note, some mobile apps actually get their content via an unencrypted zip file. You read that correctly - the expected payload is an unencrypted zip file. That's a topic for a different post, and I'm not naming names, but the fact that this is accepted behavior within app stores in 2018 should raise some serious questions).

The unencrypted adtech includes JavaScript sent to the browser or the device. Because this JavaScript is sent unencrypted over the network, intercepting it and modifying it would be pretty straightforward, which exposes people to increased risk.
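One way to measure this from a capture, as an added example that is not from the original post: it lists every script fetched over plain HTTP, grouped by host and split into first-party and third-party. It assumes the proxied traffic has been saved as a HAR (HTTP Archive) file; the sample capture, host names and function names are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture in HAR layout; all hosts are made-up placeholders.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "https://news.example/index.html"},
   "response": {"content": {"mimeType": "text/html"}}},
  {"request": {"url": "http://ads.adnet.example/tag.js?slot=1"},
   "response": {"content": {"mimeType": "application/javascript"}}},
  {"request": {"url": "http://ads.adnet.example/pixel.gif"},
   "response": {"content": {"mimeType": "image/gif"}}},
  {"request": {"url": "https://cdn.tracker.example/t.js"},
   "response": {"content": {"mimeType": "text/javascript; charset=utf-8"}}},
  {"request": {"url": "http://static.news.example/app.js"},
   "response": {"content": {"mimeType": "application/x-javascript"}}},
  {"request": {"url": "http://sync.bidder.example/loader"},
   "response": {"content": {"mimeType": "text/javascript"}}}
]}}
""")

def is_script(url_path, mime):
    # Trust the response MIME type first; fall back to a .js path suffix.
    mime = (mime or "").lower()
    return "javascript" in mime or "ecmascript" in mime or url_path.lower().endswith(".js")

def is_first_party(host, site):
    return host == site or host.endswith("." + site)

def cleartext_scripts(har, site):
    """Return {party: {host: [urls]}} for scripts fetched over plain HTTP."""
    found = {"third_party": defaultdict(list), "first_party": defaultdict(list)}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        mime = entry.get("response", {}).get("content", {}).get("mimeType")
        if parts.scheme != "http" or not is_script(parts.path, mime):
            continue  # encrypted, or not executable content
        host = (parts.hostname or "").lower()
        party = "first_party" if is_first_party(host, site) else "third_party"
        found[party][host].append(url)
    return {party: dict(hosts) for party, hosts in found.items()}

if __name__ == "__main__":
    for party, hosts in cleartext_scripts(SAMPLE_HAR, "news.example").items():
        for host, urls in hosts.items():
            print(f"{party:12} {host:24} {len(urls)} cleartext script(s)")
```

The suffix match in `is_first_party` is a simplification; a production check would compare registrable domains using the Public Suffix List.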

The next time you are in a coffee shop and see a kid playing a game on their parent's device while the parent talks with a friend, ask yourself: is that kid playing an online game, or downloading malware, or both? Because so much adtech is sent unencrypted, anything is possible.