The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

Ikram, Muhammad; Masood, Rahat; Tyson, Gareth; Kâafar, Mohamed Ali; Loizon, Noha; Ensafi, Roya

doi:10.1145/3308558.3313521

Cited by 42 publications

(33 citation statements)

References 20 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Third Party Inclusion. Closely related to our approach is the work of Kumar et al [28] and Ikram et al [21]. Both works use a concept of the implicit trust of the embedded third and further parties.…”

Section: Related Workmentioning

confidence: 99%

“…To do so, we model third party trees (TPTs) for each visited URL (for each landing page and all subpages, respectively), which include all third parties loaded on the visited page. A similar concept was used by Ikram et al [21] and Kumar et al [28] to analyze resource loading dependencies (termed "inclusion chains"). We extend this concept as we visit several sites of a single domain, which enables us to construct a more comprehensive and realistic view of a website's dependencies, and we do not limit ourselves to JavaScript inclusions.…”

Section: Third Party Treesmentioning

confidence: 99%

See 1 more Smart Citation

Beyond the Front Page:Measuring Third Party Dynamics in the Field

Urban¹,

Degeling

Holz

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

In the modern Web, service providers often rely heavily on third parties to run their services. For example, they make use of ad networks to finance their services, externally hosted libraries to develop features quickly, and analytics providers to gain insights into visitor behavior.For security and privacy, website owners need to be aware of the content they provide their users. However, in reality, they often do not know which third parties are embedded, for example, when these third parties request additional content as it is common in real-time ad auctions.In this paper, we present a large-scale measurement study to analyze the magnitude of these new challenges. To better reflect the connectedness of third parties, we measured their relations in a model we call third party trees, which reflects an approximation of the loading dependencies of all third parties embedded into a given website. Using this concept, we show that including a single third party can lead to subsequent requests from up to eight additional services. Furthermore, our findings indicate that the third parties embedded on a page load are not always deterministic, as 50 % of the branches in the third party trees change between repeated visits. In addition, we found that 93 % of the analyzed websites embedded third parties that are located in regions that might not be in line with the current legal framework. Our study also replicates previous work that mostly focused on landing pages of websites. We show that this method is only able to measure a lower bound as subsites show a significant increase of privacy-invasive techniques. For example, our results show an increase of used cookies by about 36 % when crawling websites more deeply.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Third Party Treesmentioning

confidence: 99%

Beyond the Front Page:Measuring Third Party Dynamics in the Field

Urban¹,

Degeling

Holz

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

show abstract

“…All DNS queries generated from within the same web page should be resolved by the same recursor of the parent domain. Rendering a web page often requires the download of several third-party resources, including images, scripts, and style sheets, as observed by previous work [3,9,22,27,35,38,39]. DNS resolutions of these third-party resources can be used as an effective feature to fingerprint web sites.…”

Section: B Parent-domain-based Recursor Selectionmentioning

confidence: 92%

K-resolver: Towards Decentralizing Encrypted DNS Resolution

Hoang¹,

Lin²,

Ghavamnia³

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being deployed by major hosting providers and web browsers, has sparked controversy among Internet activists and privacy advocates due to several privacy concerns. This design decision causes the trace of all DNS resolutions to be exposed to a third-party resolver, different than the one specified by the user's access network. In this work we propose K-resolver, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver. As a result, none of the resolvers can learn a user's entire web browsing history. We have implemented a prototype of our approach for Mozilla Firefox, and used it to evaluate the performance of web page load time compared to the default centralized DoH approach. While our K-resolver mechanism has some effect on DNS resolution time and web page load time, we show that this is mainly due to the geographical location of the selected DoH servers. When more well-provisioned anycast servers are available, our approach incurs negligible overhead while improving user privacy.

show abstract

“…We classify each domain using the Virus-Total API. 2 This API has been used in a wide set of research, and is known to provide good accuracy [28,31,56]. The API provides a classification for each domain in our dataset, e.g., games, education, file sharing, blogs etc.…”

Section: Website Metadatamentioning

confidence: 99%

Who Watches the Watchmen: Exploring Complaints on the Web

Ibosiola

Castro

Stringhini

et al. 2019

The World Wide Web Conference

Self Cite

View full text Add to dashboard Cite

Under increasing scrutiny, many web companies now offer bespoke mechanisms allowing any third party to file complaints (e.g., requesting the de-listing of a URL from a search engine). While this self-regulation might be a valuable web governance tool, it places huge responsibility within the hands of these organisations that demands close examination. We present the first large-scale study of web complaints (over 1 billion URLs). We find a range of complainants, largely focused on copyright enforcement. Whereas the majority of organisations are occasional users of the complaint system, we find a number of bulk senders specialised in targeting specific types of domain. We identify a series of trends and patterns amongst both the domains and complainants. By inspecting the availability of the domains, we also observe that a sizeable portion go offline shortly after complaints are generated. This paper sheds critical light on how complaints are issued, who they pertain to and which domains go offline after complaints are issued.

show abstract

The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

Cited by 42 publications

References 20 publications

Beyond the Front Page:Measuring Third Party Dynamics in the Field

Beyond the Front Page:Measuring Third Party Dynamics in the Field

K-resolver: Towards Decentralizing Encrypted DNS Resolution

Who Watches the Watchmen: Exploring Complaints on the Web

Contact Info

Product

Resources

About