DOI: 10.1145/3308558.3313521
research-article

The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

Published: 13 May 2019

Abstract

The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. The latter can also load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious - although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem.
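
To make the notion of a dependency chain concrete, the following sketch is an added example, not code from the paper. It reconstructs chain levels from (resource, initiator) load records and lists third parties that the first party never loaded directly. The sample records, the function names, the level numbering (0 for the page itself) and the naive two-label domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (resource URL, URL of the resource that triggered the load).
# A None initiator marks the first-party page itself.
LOADS = [
    ("https://shop.example/", None),
    ("https://shop.example/app.js", "https://shop.example/"),
    ("https://cdn.widgets.test/w.js", "https://shop.example/"),
    ("https://ads.broker.test/tag.js", "https://cdn.widgets.test/w.js"),
    ("https://px.tracker.test/p.gif", "https://ads.broker.test/tag.js"),
    ("https://static.widgets.test/w.css", "https://cdn.widgets.test/w.js"),
]

def site(url):
    """Naive registrable domain: last two host labels (assumption; a real
    audit should resolve this against the Public Suffix List)."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def chain_levels(loads):
    """Return {url: level}: 0 is the page, 1 is loaded by the page, and so on."""
    parent = dict(loads)
    levels = {}

    def level(url, seen=frozenset()):
        if url in levels:
            return levels[url]
        init = parent.get(url)
        seen = seen | {url}
        # Unknown or cyclic initiators are treated as roots instead of looping.
        if init is None or init not in parent or init in seen:
            levels[url] = 0
        else:
            levels[url] = level(init, seen) + 1
        return levels[url]

    for url, _ in loads:
        level(url)
    return levels

def implicit_third_parties(loads):
    """Third-party sites whose shallowest appearance is at level >= 2,
    i.e. sites the first party never loaded directly."""
    levels = chain_levels(loads)
    first_party = site(next(u for u, init in loads if init is None))
    shallowest = {}
    for url, lvl in levels.items():
        s = site(url)
        if s != first_party:
            shallowest[s] = min(lvl, shallowest.get(s, lvl))
    return {s: lvl for s, lvl in shallowest.items() if lvl >= 2}
```

In a real audit the load records would come from a browser's network log, where each request carries its initiator.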



Published In

WWW '19: The World Wide Web Conference
May 2019
3620 pages
ISBN:9781450366748
DOI:10.1145/3308558
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • IW3C2: International World Wide Web Conference Committee

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

WWW '19
WWW '19: The Web Conference
May 13 - 17, 2019
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
