The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading Muhammad Ikram Rahat Masood Gareth Tyson
[email protected] [email protected] [email protected] Macquarie University UNSW and Data61, CSIRO Queen Mary University of London University of Michigan Mohamed Ali Kaafar Noha Loizon Roya Ensafi
[email protected] [email protected] [email protected] Macquarie University and Data61, Data61, CSIRO University of Michigan CSIRO ABSTRACT Consider the bbc.com webpage, which loads JavaScript from The Web is a tangled mass of interconnected services, where web- widgets.com, which, upon execution loads additional content sites import a range of external resources from various third-party from another third-party, say ads.com. Here, bbc.com as the first- domains. The latter can also load resources hosted on other domains. party website, explicitly trusts widgets.com, but implicitly trusts For each website, this creates a dependency chain underpinned by ads.com. This can be represented as a simple dependency chain in a form of implicit trust between the first-party and transitively which widgets.com is at level 1 and ads.com is at level 2. Past work connected third-parties. The chain can only be loosely controlled tends to ignore this, instead, collapsing these levels into a single set as first-party websites often have little, if any, visibility onwhere of third-parties [4, 22]. Here, we argue that this overlooks a vital these resources are loaded from. This paper performs a large-scale aspect of website design.