The chain of implicit trust: an analysis of the Web third-party resources loading

Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, Roya Ensafi

Research output: Chapter in Book/Report/Conference proceeding; Conference proceeding contribution; peer-review

28 Citations (Scopus)

Abstract

The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.
Original language: English
Title of host publication: Proceeding WWW '19 The World Wide Web Conference
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Pages: 2851-2857
Number of pages: 7
ISBN (Electronic): 9781450366748
Publication status: Published - 2019
Event: The Web Conference 2019, WWW 2019: 30th World Wide Web Conference - San Francisco, United States
Duration: 13 May 2019 to 17 May 2019

Conference

Conference: The Web Conference 2019, WWW 2019
Country/Territory: United States
City: San Francisco
Period: 13/05/19 to 17/05/19
