The chain of implicit trust: an analysis of the Web third-party resources loading

Muhammad Ikram; Rahat Masood; Gareth Tyson; Mohamed Ali Kaafar; Noha Loizon; Roya Ensafi

doi:10.1145/3308558.3313521

The chain of implicit trust: an analysis of the Web third-party resources loading

Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, Roya Ensafi

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

32 Citations (Scopus)

Abstract

The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.

Original language	English
Title of host publication	Proceeding WWW '19 The World Wide Web Conference
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	2851-2857
Number of pages	7
ISBN (Electronic)	9781450366748
DOIs	https://doi.org/10.1145/3308558.3313521
Publication status	Published - 2019
Event	The Web Conference 2019, WWW 2019: 30th World Wide Web Conference - San Francisco, United States Duration: 13 May 2019 → 17 May 2019

Conference

Conference	The Web Conference 2019, WWW 2019
Country/Territory	United States
City	San Francisco
Period	13/05/19 → 17/05/19

Access to Document

10.1145/3308558.3313521

Cite this

@inproceedings{065961dc95474ceaa258c117581529ec,

title = "The chain of implicit trust: an analysis of the Web third-party resources loading",

abstract = "The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50\% of first-party websites render content that they did not directly load. Although the majority (84.91\%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2\% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.",

author = "Muhammad Ikram and Rahat Masood and Gareth Tyson and Kaafar, \{Mohamed Ali\} and Noha Loizon and Roya Ensafi",

year = "2019",

doi = "10.1145/3308558.3313521",

language = "English",

pages = "2851--2857",

booktitle = "Proceeding WWW '19 The World Wide Web Conference",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "The Web Conference 2019, WWW 2019 : 30th World Wide Web Conference ; Conference date: 13-05-2019 Through 17-05-2019",

}

Ikram, M, Masood, R, Tyson, G, Kaafar, MA, Loizon, N & Ensafi, R 2019, The chain of implicit trust: an analysis of the Web third-party resources loading. in Proceeding WWW '19 The World Wide Web Conference. Association for Computing Machinery (ACM), New York, pp. 2851-2857, The Web Conference 2019, WWW 2019, San Francisco, California, United States, 13/05/19. https://doi.org/10.1145/3308558.3313521

The chain of implicit trust: an analysis of the Web third-party resources loading. / Ikram, Muhammad; Masood, Rahat; Tyson, Gareth et al.
Proceeding WWW '19 The World Wide Web Conference. New York: Association for Computing Machinery (ACM), 2019. p. 2851-2857.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - The chain of implicit trust

T2 - The Web Conference 2019, WWW 2019

AU - Ikram, Muhammad

AU - Masood, Rahat

AU - Tyson, Gareth

AU - Kaafar, Mohamed Ali

AU - Loizon, Noha

AU - Ensafi, Roya

PY - 2019

Y1 - 2019

N2 - The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.

AB - The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.

UR - https://www.scopus.com/pages/publications/85066901372

U2 - 10.1145/3308558.3313521

DO - 10.1145/3308558.3313521

M3 - Conference proceeding contribution

SP - 2851

EP - 2857

BT - Proceeding WWW '19 The World Wide Web Conference

PB - Association for Computing Machinery (ACM)

CY - New York

Y2 - 13 May 2019 through 17 May 2019

ER -

The chain of implicit trust: an analysis of the Web third-party resources loading

Abstract

Conference

Access to Document

Other files and links

Fingerprint

An empirical assessment of security and privacy risks of web-based chatbots

Measuring and analysing the chain of implicit trust: a study of third-party resources loading

Cite this