# The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading

**Authors:** Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, Roya Ensafi

arXiv: 1901.07699 · 2019-02-19

## TL;DR

This study analyzes the web's dependency chains of third-party resources, revealing that many websites load resources indirectly, with some third-parties being suspicious and potentially malicious, raising security concerns.

## Contribution

It provides a large-scale analysis of web dependency chains, highlighting the prevalence of indirect resource loading and identifying the presence of suspicious third-parties.

## Key findings

- 50% of websites load indirectly sourced content
- 84.91% of dependency chains are short (below 3 levels)
- 1.2% of third-parties are suspicious and often malicious

## Abstract

The Web is a tangled mass of interconnected services, where websites import a range of external resources from various third-party domains. However, the latter can further load resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility of where these resources are loaded from. This paper performs a large-scale study of dependency chains in the Web, to find that around 50% of first-party websites render content that they did not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious; although seemingly small, this limited set of suspicious third-parties has remarkable reach into the wider ecosystem. By running sandboxed experiments, we observe a range of activities with the majority of suspicious JavaScript downloading malware; worryingly, we find this propensity is greater among implicitly trusted JavaScripts.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1901.07699/full.md

## Figures

28 figures with captions in the complete paper: https://tomesphere.com/paper/1901.07699/full.md

## References

46 references — full list in the complete paper: https://tomesphere.com/paper/1901.07699/full.md

---
Source: https://tomesphere.com/paper/1901.07699