Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading
Published in ACM Transactions on Privacy and Security (TOPS), 2020
Recommended citation: Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Roya Ensafi, "Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading", ACM Transactions on Privacy and Security (TOPS), 2020. https://wot19submission.github.io
Abstract: The web is a tangled mass of interconnected services, whereby websites import a range of external resources from various third-party domains. The latter can also load further resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled, as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the web, to find that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious; although seemingly small, this limited set of suspicious third-parties has remarkable reach into the wider ecosystem. We find that 73% of websites under study load resources from suspicious third-parties, and 24.8% of first-party webpages contain at least three third-parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.
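The measurements the abstract describes (chain depth, content rendered but not directly loaded, and the reach of suspicious third parties) can be reproduced on a small scale from a browser's resource-load log. The following is an added example written for this page, not code from the paper or its authors: the load log, the domain names and the set of "suspicious" domains (a stand-in for the VirusTotal verdicts the paper uses) are all constructed. It collapses resource loads to the domain level, builds each first party's dependency tree, and reports the per-site statistics a site owner would want when auditing the implicit trust chain behind their own pages.

```python
"""Dependency-chain analysis over a constructed resource-loading log.

Added example, not the paper's own code. Each record says which document or
script ("initiator") caused "loaded" to be fetched while a first-party page
rendered. Edges are collapsed to domains, assembled into a tree rooted at the
first party, and chain depth, indirect loading and suspicious reach are
computed per site. All URLs and verdicts below are made up.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed load log: (first_party_page, initiator_url, loaded_url).
LOAD_LOG = [
    ("https://news.example", "https://news.example/", "https://news.example/app.js"),
    ("https://news.example", "https://news.example/", "https://cdn.adnet.example/tag.js"),
    ("https://news.example", "https://cdn.adnet.example/tag.js", "https://sync.tracker.example/pixel"),
    ("https://news.example", "https://sync.tracker.example/pixel", "https://static.shady.example/x.js"),
    ("https://shop.example", "https://shop.example/", "https://shop.example/main.css"),
    ("https://shop.example", "https://shop.example/", "https://cdn.widgets.example/w.js"),
    ("https://blog.example", "https://blog.example/", "https://blog.example/style.css"),
]

# Constructed stand-in for a VirusTotal-style verdict set (hypothetical domains).
SUSPICIOUS = {"static.shady.example", "sync.tracker.example"}


def domain(url):
    return urlsplit(url).hostname or ""


def build_chains(log):
    """Return {site: (depth, parent)} where depth maps each domain in the
    site's dependency tree to its hop count from the first party (depth 0)
    and parent records which domain introduced it. A BFS with a visited set
    keeps domain-level cycles (A loads B, B loads A) from looping."""
    adj = defaultdict(lambda: defaultdict(set))  # site -> parent_domain -> children
    for site, initiator, loaded in log:
        adj[domain(site)][domain(initiator)].add(domain(loaded))
    chains = {}
    for site, edges in adj.items():
        depth, parent = {site: 0}, {site: None}
        frontier = [site]
        while frontier:
            nxt = []
            for p in frontier:
                for child in sorted(edges.get(p, ())):
                    if child not in depth:
                        depth[child] = depth[p] + 1
                        parent[child] = p
                        nxt.append(child)
            frontier = nxt
        chains[site] = (depth, parent)
    return chains


def chain_path(chains, site, target):
    """Domains from the first party down to `target`: who introduced whom."""
    _, parent = chains[site]
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]


def summarize(log, suspicious, min_suspicious=3):
    """Per-site statistics mirroring the paper's headline measurements."""
    chains = build_chains(log)
    n = len(chains)
    max_depth = {site: max(d.values()) for site, (d, _) in chains.items()}
    # Content at depth >= 2 was fetched by a third party, not by the site itself.
    indirect = {site for site, (d, _) in chains.items() if any(v >= 2 for v in d.values())}
    susp = {site: {dom for dom in d if dom in suspicious} for site, (d, _) in chains.items()}
    return {
        "sites": n,
        "indirect_fraction": len(indirect) / n,
        "max_depth": max_depth,
        "sites_with_suspicious": sorted(s for s, v in susp.items() if v),
        "sites_with_at_least_n_suspicious": sorted(s for s, v in susp.items() if len(v) >= min_suspicious),
    }


if __name__ == "__main__":
    report = summarize(LOAD_LOG, SUSPICIOUS)
    print(report)
    for site in report["sites_with_suspicious"]:
        for dom in sorted(SUSPICIOUS):
            if dom in build_chains(LOAD_LOG)[site][0]:
                print(site, "->", " -> ".join(chain_path(build_chains(LOAD_LOG), site, dom)))
```

The `chain_path` helper is the part an operator actually acts on: it names the directly embedded third party (here `cdn.adnet.example`) that transitively introduced each flagged domain, which is the only point in the chain the first party controls. Real logs can be obtained from a browser's performance or network API, where each entry carries the initiating script.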