Data61, the data and data specialist arm of the Commonwealth Scientific and Industrial Research Organisation (CSIRO), Australia’s national science agency, found out that around half of the Internet’s popular websites are at risk of malicious activity.
This is caused by their dependence on a chain of other third parties to import external resources, which are often required to properly load content.
These external resources include ad providers, tracking and analytics services, and content distribution networks.
Researching ‘trustability’
According to a recent press release, the researchers question the ‘trustability’ of websites and quantify the extent to which the trust model of today’s World Wide Web is fundamentally broken.
Research showed that the aforementioned third parties can further load resources from other domains creating a dependency chain of up to over 30 domains, underpinned by a form of implicit trust with the original website.
The research discovered that the larger the dependency chain, the greater the threat to malicious activity.
The Information Security and Privacy research leader at CSIRO’s Data61 and Scientific Director of Optus Macquarie University Cyber Security Hub explained that although this is a well-known web design decision, often overlooked are its implications on security and privacy.
Third parties
He added that almost all websites today are heavily embedded with tracking components.
For every website visited, a person could be unknowingly loading content from potentially malicious parties and leaving a trail of their internet activity.
JavaScript, which is a popular web resource generally used to improve the user experience of the web, represents the greatest risk of malicious activity as they are designed to be executed undetected.
The potential threat should not be underestimated, as suspicious content loaded on browsers can open the way to further exploits including Distributed Denial of Service attacks, which disrupt traffic to websites; and ransomware campaigns, which cost the world more than US$ 8 billion in 2018.
Unfortunately, the original or the ‘first party’ websites have little to no visibility of where these resources are coming from.
Security measures
This causes lack of ‘trustability’ of content on the web, and the need to better regulate the web by introducing standardised security measures and the notion of explicit trust.
A plethora of solutions is needed to resolve the security issue created by dependency chains. These are:
- Additional research
- Support of the World Wide Web Consortium, which is the predominant organisation focused on developing web standards
- Web ‘hypergiants’
In the meantime, users can install simple web browser extensions such as ad- and JavaScript-blockers to limit exposure to malicious activity through the web.