An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Bertil Chapuis, Olamide Omolola, Mauro Cherubini, Mathias Humbert, Kevin Huguenin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the first large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (≈ 3B URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (≈), but grows at an increasing rate and is highly influenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (N=): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the recommendation. The results of the survey also show that the integration of SRI by developers is mostly manual – hence not scalable and error prone. This calls for a better integration of SRI in build tools.
Original language: English
Title of host publication: The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020
Publisher: Association of Computing Machinery
Pages: 34-45
Number of pages: 12
ISBN (Electronic): 978-1-4503-7023-3
Publication status: Published - 20 Apr 2020

Publication series

Name: The Web Conference 2020 - Proceedings of the World Wide Web Conference, WWW 2020

Keywords

  • common crawl
  • subresource integrity
  • web security

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
