Measuring and Analysing the Chain of Implicit Trust
ACM Transactions on Privacy and Security (IF 3.0), Pub Date: 2020-05-04, DOI: 10.1145/3380466
Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Noha Loizon, Roya Ensafi
The web is a tangled mass of interconnected services, whereby websites import a range of external resources from various third-party domains. The latter can also load further resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first party and transitively connected third parties. The chain can only be loosely controlled, as first-party websites often have little, if any, visibility into where these resources are loaded from. This article performs a large-scale study of dependency chains in the web and finds that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below three levels), we find websites with dependency chains exceeding 30 levels. Using VirusTotal, we show that 1.2% of these third parties are classified as suspicious; although seemingly small, this limited set of suspicious third parties has remarkable reach into the wider ecosystem. We find that 73% of the websites under study load resources from suspicious third parties, and 24.8% of first-party webpages contain at least three third parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.
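The abstract's core measurement is a per-site dependency chain: the first party sits at level 0, a third party it loads directly is at level 1, a domain that third party in turn loads is at level 2, and so on, so that "content the site does not directly load" is anything at level 2 or deeper. The following is an added illustration of that computation, not code from the paper or its authors. The resource-load records and the suspicious-domain list are constructed stand-ins (the real study derives the former from browser instrumentation and the latter from VirusTotal verdicts); the first-party test is a plain suffix match, where a real pipeline would use eTLD+1 from the public suffix list.

```python
from collections import deque

# Constructed sample, not data from the paper. Each tuple is one resource load
# observed while rendering a first-party page: (page, initiator, loaded_domain).
# "initiator" is the domain of the document or script that issued the request.
SAMPLE_LOADS = [
    ("news.example", "news.example", "cdn.news.example"),  # own subdomain, no trust hop
    ("news.example", "news.example", "tagmgr.test"),       # level 1
    ("news.example", "tagmgr.test", "ads.test"),           # level 2
    ("news.example", "ads.test", "tracker.test"),          # level 3
    ("news.example", "tracker.test", "malvert.test"),      # level 4
    ("news.example", "news.example", "fonts.test"),        # level 1
    ("shop.example", "shop.example", "analytics.test"),    # level 1
    ("shop.example", "shop.example", "cdn.shop.example"),
    ("blog.example", "blog.example", "fonts.test"),        # level 1
    ("blog.example", "fonts.test", "tracker.test"),        # level 2
]

# Stand-in for a list of VirusTotal-flagged domains (constructed; ".test" is
# a reserved TLD, so none of these resolve).
SUSPICIOUS = {"ads.test", "tracker.test", "malvert.test"}


def is_first_party(page, domain):
    """Assumption: subdomains of the page are first party (real work: eTLD+1)."""
    return domain == page or domain.endswith("." + page)


def build_chain(page, loads):
    """BFS over initiator -> loaded edges for one page.

    Returns {third_party_domain: level}, where level is the number of
    third-party hops between the page and the domain (1 = loaded directly).
    """
    edges = {}
    for p, initiator, loaded in loads:
        if p == page:
            edges.setdefault(initiator, set()).add(loaded)
    levels = {}
    seen = {page}
    queue = deque([(page, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in sorted(edges.get(node, ())):
            if child in seen:
                continue
            seen.add(child)
            if is_first_party(page, child):
                queue.append((child, depth))       # same trust boundary
            else:
                levels[child] = depth + 1
                queue.append((child, depth + 1))   # one more implicit trust hop
    return levels


def site_stats(page, loads, suspicious):
    """Chain depth, indirectly loaded domains, and suspicious domains for one page."""
    levels = build_chain(page, loads)
    return {
        "depth": max(levels.values(), default=0),
        "indirect": sorted(d for d, lvl in levels.items() if lvl >= 2),
        "suspicious": sorted(d for d in levels if d in suspicious),
    }


def corpus_stats(loads, suspicious):
    """The abstract's headline fractions, computed over all pages in `loads`."""
    pages = sorted({p for p, _, _ in loads})
    per_site = {p: site_stats(p, loads, suspicious) for p in pages}
    n = len(pages)
    return {
        "sites": n,
        "renders_indirect": sum(1 for s in per_site.values() if s["indirect"]) / n,
        "short_chain": sum(1 for s in per_site.values() if s["depth"] < 3) / n,
        "any_suspicious": sum(1 for s in per_site.values() if s["suspicious"]) / n,
        "three_plus_suspicious": sum(1 for s in per_site.values() if len(s["suspicious"]) >= 3) / n,
        "per_site": per_site,
    }


if __name__ == "__main__":
    stats = corpus_stats(SAMPLE_LOADS, SUSPICIOUS)
    for page, s in stats["per_site"].items():
        print(f"{page}: depth={s['depth']} indirect={s['indirect']} suspicious={s['suspicious']}")
    for key in ("renders_indirect", "short_chain", "any_suspicious", "three_plus_suspicious"):
        print(f"{key}: {stats[key]:.2f}")
```

On the constructed sample, news.example has a four-level chain and reaches three flagged domains even though it only directly loads a tag manager and a font host, which is the point the abstract makes about reach: a site operator who reviews only its level-1 includes never sees tracker.test or malvert.test. Note also that a single widely embedded domain (fonts.test here) pulls the same tracker into two unrelated sites.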

Updated: 2020-05-04