An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Details

Resource 1 Download: Chapuis20WWW.pdf (3041.47 [KB])
Status: Public
Version: Final published version
License: CC BY 4.0
Serval ID
serval:BIB_641044F40080
Type
Conference proceedings (part): original contribution to the scientific literature, published on the occasion of scientific conferences, in a proceedings volume, or in the special issue of a recognized journal (conference proceedings).
Collection
Publications
Institution
Title
An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources
Conference title
Proceedings of the Web Conference (WWW)
Authors
Chapuis Bertil, Omolola Olamide, Cherubini Mauro, Humbert Mathias, Huguenin Kévin
Publisher
ACM
Address
Taipei, Taiwan
Editorial status
Published
Publication date
04/2020
Peer-reviewed
Yes
Pages
34-45
Language
English
Abstract
Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on remote servers such as content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted, as was recently the case for the British Airways websites. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the first large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (3B unique URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (3.40%), but grows at an increasing rate and is highly influenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (N = 227): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the specification, such as the case of malformed digests. The results of the survey also show that the integration of SRI by developers is mostly manual, hence not scalable and error prone. This calls for a better integration of SRI in build tools.
Keywords
web security, subresource integrity, common crawl
Open Access
Yes
Funding
La Fondation Hasler / 19024
Record created
27/04/2020 19:07
Record last modified
21/11/2022 9:25