What are the security risks of utilizing a marketing vendor that uses a reverse proxy?

Posted on 2011-09-12
Medium Priority
Last Modified: 2013-11-19
Our Marketing dept has contracted with an outside marketing company (without the IT department's knowledge) which pulls our web site URL through their servers whenever someone clicks on one of their ads. They capture page views, emails, and other information. What is to prevent them from capturing our credit card numbers (we are an e-commerce site) as well? And what would prevent criminal elements from using this as a means of stealing credit card information?
Question by:Bible_on_stage
LVL 12

Assisted Solution

jhoekman earned 248 total points
ID: 36526041
I'll let someone who knows more about security than I speak to the actual technicalities, but if I were you, I would just stop serving ads on secure pages like your shopping cart when you are trying to get people to complete their purchase. The fewer distractions you have during your conversion funnel, the less likely they are to get distracted, increasing the chances they will complete their purchase.

And regarding the information they need from your site, they don't need to know anything more than page views and impressions served in order to fulfill the necessary data to the publishers they represent.  If they are collecting anything outside of that, I would be very concerned and again would not serve their information on those secure pages.

They have no reason to ask for email, etc.  They just need to know impressions and clicks so that they can measure ad performance.  

Can you tell us what ad provider you are using?
LVL 33

Expert Comment

by:Dave Howe
ID: 36528478
I think your first step should be some sort of traffic log analysis - you should see the traffic from the reverse proxy as all coming from a single or range of addresses; if that includes https traffic, then you have a significant problem and should contact whomever your ecommerce merchant account is with for advice. If it is http only, then you should move to *only* accepting customer info securely, even if that increases server load.

But it all starts with you finding out what is happening, rather than speculating how their "wrapper" works. You will find a lot of banner ad companies do clickthrough tracking (after all, they are paid based on how many they get, or at least need to supply clicks-per-campaign info) and will usually use cookies and other similar mechanisms to establish unique impressions (again, for metrics) but can reasonably defend that practice based on the fact that your *own marketing department* is asking for said metrics. You can also (if you wish) use the source IP to define a unique landing page for your redirected visitors; using many more absolute (full URL) links for things like user login/signup (fairly normal if you are forcing redirect to https anyhow) can get users transparently back onto a "direct" channel to you (which you can then monitor, again via the logs) unless the ad vendor is also deliberately rewriting your target URLs (which is possible; certainly Novell's reverse proxy products could do that routinely) - but again, your first step (and indeed, every other step :) is log analysis.

Author Comment

ID: 36529271
This company describes their services as "enables us to track all activity generated from your ad without ever needing to contact your webmaster." Netcraft.com identifies their server's OS as Citrix NetScaler. All traffic, including https, is going through their server, and our logs show the traffic then coming to our server. The URL they write replaces our host name with theirs and everything beyond that is identical to our web site's paths. Their SSL certificate is encrypting the https traffic and Fiddler shows it as being passed to our server as http on port 443. From a technical side I don't like it but apparently Marketing does. But what I'm trying to understand is if this is a possible security vulnerability that affects our PCI compliance. And what would prevent a criminal enterprise from doing something similar. I haven't read anywhere of this type of technique as being identified as a security exploit, but it seems as something that would be reasonably easy to duplicate - so I feel there must be something I am missing and don't understand.

LVL 33

Accepted Solution

Dave Howe earned 252 total points
ID: 36529952
Ok. If they are also wrapping your HTTPS traffic, then you have a security issue. A lot depends on how you are processing CC or other PCI information, but effectively you are subject to a known man-in-the-middle attack against your site (if you are using a payment processor that handles such details themselves, then you may not be responsible for the result, but they may well take exception to "your" traffic always coming from another host); correspondingly, if you are knowingly allowing a third party to intercept CC traffic, then you could well be liable if that CC traffic goes astray.

I would first check to see if any PCI sensitive data IS going via these marketing servers. IF they are, then go to marketing and say you need signed paperwork from both the marketing company AND your payment processor that they are ok with this setup and accept all liability arising from this happening - otherwise you will block all HTTPS at the firewall from that IP range, and leave them to sort out the fallout.  
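One way to do the log check recommended in both of Dave Howe's comments above (find the proxy's traffic in your own access logs, then see whether any of it is HTTPS hitting checkout or account pages). This is an added example, not code from the original thread; the vendor address block, the sensitive path prefixes and the log lines are all constructed placeholders, and the log format assumes the server port is appended to each line as `port=NNN`.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders: replace with the range seen in your logs and your own
# checkout/account paths. 203.0.113.0/24 is a documentation range (TEST-NET-3).
VENDOR_RANGE = ipaddress.ip_network("203.0.113.0/24")
SENSITIVE_PATHS = ("/checkout", "/cart", "/account", "/login")

# Apache-combined-style line with the server port appended (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)'
)

# Constructed sample log: a mix of direct visitors and vendor-proxied requests.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2011:10:01:02 +0000] "GET /landing?utm=ad1 HTTP/1.1" 200 5120 port=80
198.51.100.7 - - [12/Sep/2011:10:01:09 +0000] "GET /checkout/payment HTTP/1.1" 200 8810 port=443
203.0.113.9 - - [12/Sep/2011:10:02:41 +0000] "POST /checkout/payment HTTP/1.1" 302 0 port=443
203.0.113.9 - - [12/Sep/2011:10:03:05 +0000] "GET /products/42 HTTP/1.1" 200 7301 port=443
203.0.113.12 - - [12/Sep/2011:10:04:17 +0000] "GET /cart/add HTTP/1.1" 200 1200 port=80
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def audit(log_text, vendor_range=VENDOR_RANGE, sensitive_paths=SENSITIVE_PATHS):
    """Count vendor-proxied requests and list any HTTPS hits on sensitive paths."""
    counts = Counter()
    flagged = []  # (source ip, path) pairs that need a PCI conversation
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["ip"]) not in vendor_range:
            continue
        counts["proxied_total"] += 1
        if rec["port"] == 443:
            counts["proxied_https"] += 1
            if rec["path"].startswith(sensitive_paths):
                counts["proxied_sensitive_https"] += 1
                flagged.append((rec["ip"], rec["path"]))
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_LOG)
    print(dict(counts))
    for ip, path in flagged:
        print(f"HTTPS request to {path} arrived via vendor proxy {ip}")
```

A non-empty `flagged` list is the evidence to take to marketing and the payment processor; an empty one with a non-zero `proxied_https` count still means the vendor terminates TLS for your hostname and should be reviewed.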
LVL 33

Expert Comment

by:Dave Howe
ID: 36529972
Normally, the only protection you have against a criminal enterprise doing this is your domain name - this is a classic Phishing / MITM attack, and is usually done from a spoofed or typo domain so that the https traffic looks legit.

On the bright side, if all the traffic is going to be going through some other provider and senior management are signing off on it, you can stop having to find the cash for a https cert from your CA - just use a self-signed one, it's not like this advertising company will care ;)
LVL 27

Expert Comment

ID: 37163633
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
