Web of worries: are you unknowingly loading malicious content from “trusted” sites?

By Chris Chelvan

14 May 2019

3 minute read

Our researchers have spotlighted a fundamental flaw in its design that has significant implications on privacy and security. Image: Shutterstock

Love it or leave it, the World Wide Web is here to stay. In a mere 20 years, the Internet has evolved from a fledgling ‘network of networks’ developed by Tim Berners-Lee to the all-encompassing behemoth that it is today.

Worldwide, over 56 per cent of the population has access to the internet. That’s 3.2 billion people.

But the World Wide Web is a tangled mass of interconnected services, and our researchers have spotlighted a fundamental flaw in its design that has significant implications on privacy and security.

Are we too trusting of the websites we visit?

The research found that around half of the Internet’s most popular websites are at risk of malicious activity because they depend on a chain of other third parties to import external resources. These include ad providers, tracking and analytics services and content distribution networks, which are often required to properly load content.

“For every website you visit, you could be unknowingly loading content from potentially malicious parties and leaving a trail of your internet activity,” said Professor Dali Kaafar, Privacy and Information Security group leader at CSIRO’s Data61.

For example, many websites — such as news sites and video-sharing sites — rely on content distribution networks to host their content and load it onto the end-user’s web browser.

This is a well-known web design decision, but our world-first research shows that these third parties can further load resources from other domains creating a dependency chain of up to over 30 domains, underpinned by a form of implicit trust with the original website.

An example of a dependency chain, including potentially malicious third-parties (in red)

The longer the chain, the greater the risk

Examining the Internet’s most popular websites, researchers found that the larger the dependency chain, the greater the threat to malicious activity. Dependency chains of up to over 30 web domains in length have been observed.

“The potential threat should not be underestimated, as suspicious content loaded on browsers can open the way to further exploits including Distributed Denial of Service attacks which disrupt traffic to websites, and ransomware campaigns which cost the world more than US$8 billion in 2018,” said Prof Kaafar.

The research also found that 1.2 per cent of third parties linked to the top 200 thousand websites were suspicious, with JavaScript resources representing the greatest risk of malicious activity as they are designed to be executed undetected.

JavaScript is a scripting language that enables web pages to implement dynamically updating content, control multimedia and animated images. One of its important functions is to improve the general user experience of the web.

Breaking the chain

According to Prof Kaafar, the original or ‘first party’ websites have little to no visibility of where these resources originate.

“We need to better regulate the web by introducing standardised security measures and the notion of explicit trust,” he said.

Resolving the security issue created by dependency chains will require additional research, the support of the World Wide Web Consortium, the predominant organisation focused on developing web standards, as well as web ‘hypergiants’.

Top tips for Web safety

While there’s no quick fix, there are steps you can take while surfing the web to limit your exposure to malicious online activity.

  1. Make sure you have an up-to-date antivirus software installed, and run regular scans.
  2. Install an ad-blocking extension to your web browser.
  3. Install a Javascript-blocking extension to your web browser – The trade-off here is that you may have to give up the smooth user experience, underpinned by Javascript, for increased security.

The research paper, The Chain of Implicit Trust: An Analysis of the Web Third-party Resources Loading, will be presented at The Web Conference in San Francisco on 15 May. Read the full paper here.