Add greater flexibility/control for protocol of akamai-hosted files

Jennifer_Kunz
Community Advisor

24-05-2019

Something that was a potential security concern in DTM has become a breaking defect in Launch. If I have a page that doesn't load on the typical "http" or "https" protocol, I would need to specify a protocol in my embed code, so this:

<script src="//assets.adobedtm.com/9310dd7d04eb33be499693ff5cc9558ffcacdf54/satelliteLib-38d69d073d3479a9c730481247813276cb9fc3c0-staging.js"></script>

Would become this:

<script src="https://assets.adobedtm.com/9310dd7d04eb33be499693ff5cc9558ffcacdf54/satelliteLib-38d69d073d3479a9c730481247813276cb9fc3c0-staging.js"></script>

In DTM there is a potential security flaw with this, where it will load my main file as HTTPS, but any of the other files (like my appMeasurement library) get loaded as HTTP. (You can see this on Testing Launch Utility if you load the page as "http" or download it and run it locally - the main library is secure, but the appMeasurement and mbox files are non-secure 😞)

In Launch when a file is run locally (or through something like a mobile hybrid app, which is increasingly common), it doesn't even default to "http:" for those side files, it tries to use the protocol of the current page (even if it is "file://")... which leads to 404s. You can see this on Testing Launch Utility (though you may need to download and run the file locally).

As far as I can tell, the only current solution to this would be to self-host anything where you need to not just inherit the protocol of the page.

Can we please add some flexibility/control over this for akamai-hosted adapters?

See also Default to https:// for Launch Embed for Akamai Type Adaptors
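
Added example (not part of the original post and not Adobe's code): how a protocol-relative script URL resolves on HTTPS, HTTP and file:// pages, and how stating https: in the URL removes the dependency on the page's protocol. The file name and page URLs are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed placeholder path; not the real library file name.
const SIDE_FILE = "//assets.adobedtm.com/EXAMPLE/AppMeasurement.js";

// Constructed sample pages: HTTPS site, HTTP site, and a locally opened /
// hybrid-app page served from file://.
const SAMPLE_PAGES = [
  "https://www.example.com/index.html",
  "http://www.example.com/index.html",
  "file:///android_asset/www/index.html",
];

// Resolve `src` against `pageUrl` as a browser would, then classify the result.
function classifyScript(src, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(src, page);
  let verdict;
  if (resolved.protocol === "https:") {
    verdict = "secure";
  } else if (resolved.protocol === "http:") {
    // Cleartext fetch: blocked as mixed content on HTTPS pages,
    // modifiable in transit on HTTP pages.
    verdict = page.protocol === "https:" ? "mixed-content" : "insecure";
  } else {
    // e.g. file://assets.adobedtm.com/... which cannot be fetched.
    verdict = "broken";
  }
  return { resolved: resolved.href, inherited: src.startsWith("//"), verdict };
}

// Mitigation from the post: state the protocol instead of inheriting it.
function pinToHttps(src) {
  return src.startsWith("//") ? "https:" + src : src;
}

// Report every page on which `src` would not load over HTTPS.
function auditAcrossPages(src, pages = SAMPLE_PAGES) {
  return pages
    .map((pageUrl) => ({ pageUrl, ...classifyScript(src, pageUrl) }))
    .filter((r) => r.verdict !== "secure");
}

for (const finding of auditAcrossPages(SIDE_FILE)) {
  console.log(finding.pageUrl, "->", finding.resolved, `[${finding.verdict}]`);
}
console.log("pinned:", auditAcrossPages(pinToHttps(SIDE_FILE)).length, "findings");
```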

16 Comments

MarnieAlmand
Level 1

29-05-2019

This is an issue for us we have been remediating for the last few months with one of our largest accounts.  I spend a lot of time addressing perceived vulnerabilities presented by the DTM.  We are hoping migration to Launch will eliminate these concerns. We are just beginning to migrate our over 20 digital properties to Launch.

thebenrobb
Employee

31-05-2019

I met with the Eng team this morning and here is the plan.

If you are using the Managed by Adobe host, and you have not checked the Archive box on your Environment, then the main Launch library will reference all external files (3rd party libraries bundled with extensions, custom code actions, etc) by https.

If you are using the Managed by Adobe Host and you have checked the Archive box on your Environment or if you are using an SFTP host, then we will use whatever you put in the "Self-hosted Path to Library" file on the Environment (//, http, https, etc).

MarnieAlmand
Level 1

31-05-2019

That is awesome news!  Thank you Jenn and Ben 🙂

MarnieAlmand
Level 1

31-05-2019

One more question.  Anthem also hosts some content with Akamai.  I confirmed they provide HIPAA certified cloud hosting, and we also have a BAA with them (allows them to host PII/PII).  

Can you confirm that the Akamai servers Adobe hosts our libraries on are or are not HIPAA certified, and does Adobe have a BAA with Akamai?

That would be super helpful information to provide our very large account that I'm working with to address DTM/Launch security concerns.

Marnie

thebenrobb
Employee

03-06-2019

This is a little off-topic, and I'm not any kind of expert in this area, but I'll do my best to answer.

We have customers who have HIPAA-compliant implementations using DTM and Launch, but we are not directly involved in any way.  Those two solutions only have the settings and configuration that you enter, and they don't collect/store any end-user data on their own.  Customers who do this type of implementation control the data stored within those solutions with their own business processes.

I do not believe we have a BAA with Akamai. Those are very HIPAA specific and as I said above, we have not been directly involved in HIPAA compliance in the past (speaking specifically about DTM and Launch here).

thebenrobb
Employee

17-07-2019

The solution I explained above has been implemented.  Specifically: