Shim Shimmeny: Evaluating the Security and Privacy Contributions of Link Shimming in the Modern Web

Link shimming (also known as URL wrapping) is a technique widely used by websites, where URLs on a site are rewritten to direct link navigations to an intermediary endpoint before redirecting to the original destination. This “shimming” of URL clicks can serve navigation security, privacy, and analytics purposes, and has been deployed by prominent websites (e.g., Facebook, Twitter, Microsoft, Google) for over a decade. Yet, we lack a deep understanding of its purported security and privacy contributions, particularly in today’s web ecosystem, where modern browsers provide potential alternative mechanisms for protecting link navigations without link shimming’s costs. In this paper, we provide a large-scale empirical evaluation of link shimming’s security and privacy contributions, using Facebook’s real-world deployment as a case study. Our results indicate that even in the modern web, link shimming can provide meaningful security and privacy benefits to users broadly. These benefits are most notable for the sizable populations that we observed with a high prevalence of legacy browser clients, such as in mobile-centric developing countries. We discuss the tradeoff of these gains against potential costs. Beyond link shimming, our findings also provide insights for advancing user online protection, such as on the web ecosystem’s distribution of responsibility, legacy software scenarios, and user responses to website security warnings.
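As an added illustration (not code from the paper or from any site's deployment), the core of a link shim as the abstract describes it: a rewriter that turns outbound URLs into signed shim URLs, and the intermediary endpoint that verifies the signature so it cannot be abused as an open redirector, serves a warning instead of redirecting to a known-bad destination, and otherwise redirects with the referrer stripped. The endpoint path, signing key, deny list and `X-Shim-Action` header are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SHIM_ENDPOINT = "https://example.com/l.php"   # hypothetical shim endpoint
SECRET = b"constructed-demo-signing-key"       # server-side key; constructed for the example
BLOCKED_HOSTS = {"malicious.example"}          # constructed deny list of known-bad hosts


def _sign(url: str) -> str:
    """HMAC over the destination; ties each shim URL to a link the site itself emitted."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def shim_link(dest: str) -> str:
    """Rewrite an outbound URL so the click goes to the shim endpoint first."""
    return f"{SHIM_ENDPOINT}?{urlencode({'u': dest, 'h': _sign(dest)})}"


def resolve_shim(shim_url: str) -> tuple[int, dict]:
    """Server side of the shim: decide what the click receives, as (status, headers)."""
    qs = parse_qs(urlparse(shim_url).query)
    dest = qs.get("u", [""])[0]
    sig = qs.get("h", [""])[0]
    # Only destinations the site wrapped itself are honoured; a forged or
    # tampered shim URL is rejected so the endpoint is not an open redirector.
    if not sig or not hmac.compare_digest(sig, _sign(dest)):
        return 400, {}
    parsed = urlparse(dest)
    if parsed.scheme not in ("http", "https"):
        return 400, {}
    # Navigation security: a known-bad destination gets a warning page, not a redirect.
    if (parsed.hostname or "") in BLOCKED_HOSTS:
        return 200, {"Content-Type": "text/html", "X-Shim-Action": "warn"}
    # Privacy: the redirect response carries a referrer policy so the destination
    # does not learn which page on the originating site the link was clicked from.
    return 302, {"Location": dest, "Referrer-Policy": "no-referrer"}
```

The same signature check is what lets analytics be attached to the shim without the endpoint becoming a redirector for arbitrary attacker-supplied URLs.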
