Expand my Community achievements bar.

Add greater flexibility/control for protocol of akamai-hosted files

Avatar

Level 9

5/24/19

Something that was a potential security concern in DTM is become a breaking defect in Launch. If I have a page that doesn't load on the typical "http" or "https" protocol, I would need to specify a protocol in my embed code, so this:

<script src="//assets.adobedtm.com/9310dd7d04eb33be499693ff5cc9558ffcacdf54/satelliteLib-38d69d073d347 9a9c730481247813276cb9fc3c0-staging.js"></script>

Would become this:

<script src="https://assets.adobedtm.com/9310dd7d04eb33be499693ff5cc9558ffcacdf54/satelliteLib-38d69d07 3d3479a9c730481247813276cb9fc3c0-staging.js"></script>

In DTM there is a potential security flaw with this, where it will load my main file as HTTPS, but any of the other files (like my appMeasurement library) get loaded as HTTP. (You can see this on Testing Launch Utility if you load the page as "http" or download it and run it locally- the main library is secure, but the appMeasurement and mbox files are non-secure ):

1759188_pastedImage_3.png

In Launch when a file is run locally (or through something like a mobile hybrid app, which is increasingly common), it doesn't even default to "http:" for those side files, it tries to use the protocol of the current page (even if it is "file://")... which leads to 404s. You can see this on Testing Launch Utility(though you may need to download and run the file locally).

1759189_pastedImage_5.png

As far as I can tell, the only current solution to this would be to self-host anything where you need to not just inherit the protocol of the page.

Can we please add some flexibility/control over this for akamai-hosted adapters?

See also Default to https:// for Launch Embed for Akamai Type Adaptors

16 Comments

Avatar

Level 1

5/29/19

This is an issue for us we have been remediating for the last few months with one of our largest accounts.  I spend a lot of time addressing perceived vulnerabilities presented by the DTM.  We are hoping migration to Launch will eliminate these concerns. We are just beginning to migrate our over 20 digital properties to Launch.

Avatar

Employee

5/31/19

I met with the Eng team this morning and here is the plan.

If you are using the Managed by Adobe host, and you have not checked the Archive box on your Environment, then the main Launch library will reference all external files (3rd party libraries bundled with extensions, custom code actions, etc) by https.

If you are using the Managed by Adobe Host and you have checked the Archive box on your Environment or if you are using an SFTP host, then we will use whatever you put in the "Self-hosted Path to Library" file on the Environment (//, http, https, etc).

Avatar

Level 1

5/31/19

One more question.  Anthem also hosts some content with Akamai.  I confirmed they provide HIPAA certified cloud hosting, and we also have a BAA with them (allows them to host PII/PII).  

Can you confirm that the Akamai servers Adobe hosts our libraries on is or is not HIPAA certified, and does Adobe have a BAA with Akamai?

That would be super helpful information to provide our very large account that I'm working with to address DTM/Launch security concerns.

Marnie

Avatar

Employee

6/3/19

This is a little off-topic, and I'm not any kind of expert in this area, but I'll do my best to answer.

We have customers who have HIPAA-compliant implementations using DTM and Launch, but we are not directly involved in any way.  Those two solutions only have the settings and configuration that you enter, and they don't collect/store any end-user data on their own.  Customers who do this type of implementation control the data stored within those solutions with their own business processes.

I do not believe we have a BAA with Akamai. Those are very HIPAA specific and as I said above, we have not been directly involved in HIPAA compliance in the past (speaking specifically about DTM and Launch here).