
Ways to authenticate data coming from reporting events #214

@vincent-grosbois

Hello
In Fledge, in at least an alpha version, the advertiser would receive notifications for each display event.
How can the advertiser ensure that the notification he receives is genuine? Especially knowing the following:

  • the code emitting the notification is open-source
  • the notification is emitted by the client, so the notification mechanism is done on the client, and the notification parameters (e.g. what is being reported) are also sent by the client
  • bad clients could either do a replay attack (re-send the notification) or send a different notification

Is there a built-in way in Fledge to address these issues?

A way I see of tackling these issues would be the following:

  1. As per issue "Reporting on User signals and trusted server signals" #213, allow reporting to send back data coming from trusted bidding signals
  2. During bidding, the trusted bidding server computes the hash of a private key + a nonce + timestamp of the request + whatever needs to be authenticated (for instance, bid price), let's call this H
  3. this H is sent back as trusted bidding signals, along with the nonce and the request timestamp
  4. During reporting, the advertiser recovers the nonce, the request timestamp etc and can compute the same hash, let's call it H2
  5. Advertiser checks that H = H2, otherwise it means that the data sent through reporting was tampered with

What do you think about this? Would such an idea work?
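
The five-step scheme proposed above, sketched as an added example that is not part of the original post or of any FLEDGE code. It uses HMAC-SHA256 rather than a plain hash of key plus data, and the key, the field names, the one-hour age limit and the in-memory nonce set are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"  # assumption: shared by bidding server and report endpoint
MAX_AGE_SECONDS = 3600                # assumption: accepted delay between bid and report


def _mac(nonce: str, timestamp: int, bid_price: str) -> str:
    # Length-prefix each field so ("1", "23") and ("12", "3") cannot collide.
    fields = [nonce.encode(), str(timestamp).encode(), bid_price.encode()]
    message = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_bid(bid_price: str, now: Optional[int] = None) -> dict:
    """Steps 2-3: the trusted bidding server computes H and returns it as signals."""
    nonce = secrets.token_hex(16)
    timestamp = int(time.time()) if now is None else now
    return {"nonce": nonce, "timestamp": timestamp, "bid_price": bid_price,
            "H": _mac(nonce, timestamp, bid_price)}


class ReportVerifier:
    """Steps 4-5: the advertiser recomputes H2 and compares it with H."""

    def __init__(self) -> None:
        self._seen_nonces = set()  # assumption: in-memory; a real endpoint needs a store with expiry

    def verify(self, report: dict, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        h2 = _mac(report["nonce"], report["timestamp"], report["bid_price"])
        # Constant-time comparison of H and H2; any changed field fails here.
        if not hmac.compare_digest(h2, report["H"]):
            return "tampered"
        # The timestamp is authenticated by the MAC, so it can bound the replay window.
        if now - report["timestamp"] > MAX_AGE_SECONDS:
            return "expired"
        # A genuine but re-sent notification carries a nonce already recorded.
        if report["nonce"] in self._seen_nonces:
            return "replayed"
        self._seen_nonces.add(report["nonce"])
        return "ok"
```

The MAC alone only detects modified fields; rejecting a re-sent notification depends on the advertiser remembering nonces for at least the accepted age window.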

Labels: Non-breaking Feature Request (Feature request for functionality unlikely to break backwards compatibility)
