Security Challenges in an Increasingly Tangled Web

Over the past 20 years, websites have grown increasingly complex and interconnected. In 2016, only a negligible number of sites are dependency free, and over 90% of sites rely on external content. In this paper, we investigate the current state of web dependencies and explore two security challenges associated with the increasing reliance on external services: (1) the expanded attack surface associated with serving unknown, implicitly trusted third-party content, and (2) how the increased set of external dependencies impacts HTTPS adoption. We hope that by shedding light on these issues, we can encourage developers to consider the security risks associated with serving third-party content and prompt service providers to more widely deploy HTTPS.

[1]  References , 1971 .

[2]  Ben Adida Weaving the Web: Securing the Web , 1997, IEEE Internet Comput..

[3]  Li Fan,et al.  Web caching and Zipf-like distributions: evidence and implications , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[4]  O. Spatscheck,et al.  Web Caching and Replication , 2001 .

[5]  Balachander Krishnamurthy,et al.  Cat and mouse: content delivery tradeoffs in web access , 2006, WWW '06.

[6]  Niels Provos,et al.  The Ghost in the Browser: Analysis of Web-based Malware , 2007, HotBots.

[7]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[8]  Информатика Public Suffix List , 2010 .

[9]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[10]  Vivek S. Pai,et al.  Towards understanding modern web traffic , 2011, SIGMETRICS '11.

[11]  Vyas Sekar,et al.  Understanding website complexity: measurements, metrics, and implications , 2011, IMC '11.

[12]  Wouter Joosen,et al.  You are what you include: large-scale evaluation of remote javascript inclusions , 2012, CCS.

[13]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[14]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[15]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[16]  Jun Wang,et al.  Real-time bidding for online advertising: measurement and analysis , 2013, ADKDD '13.

[17]  Stephen Farrell,et al.  Pervasive Monitoring Is an Attack , 2014, RFC.

[18]  David Wetherall,et al.  How Much Can We Micro-Cache Web Pages? , 2014, Internet Measurement Conference.

[19]  J. Alex Halderman,et al.  A Search Engine Backed by Internet-Wide Scanning , 2015, CCS.

[20]  William K. Robertson,et al.  Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions , 2016, Financial Cryptography.

[21]  A. Narayanan,et al.  OpenWPM : An automated platform for web privacy measurement , 2016 .

[22]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[23]  Dan Boneh,et al.  Stickler: Defending against Malicious Content Distribution Networks in an Unmodified Browser , 2016, IEEE Security & Privacy.

[24]  Hari Balakrishnan,et al.  Polaris: Faster Page Loads Using Fine-grained Dependency Tracking , 2016, NSDI.

[25]  Tadayoshi Kohno,et al.  Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016 , 2016, USENIX Security Symposium.