Shim Shimmeny: Evaluating the Security and Privacy Contributions of Link Shimming in the Modern Web

USENIX Security Symposium, pp. 649-664, 2020.


Abstract:

Link shimming (also known as URL wrapping) is a technique widely used by websites, where URLs on a site are rewritten to direct link navigations to an intermediary endpoint before redirecting to the original destination. This ...

Introduction
  • Prominent websites, such as online social networks, forums, and messaging platforms, support user-generated content with URLs linking to external destinations.
  • A website rewrites the URLs displayed on its pages to direct link navigations first to an intermediate endpoint
  • This navigation “shimming” allows the intermediate endpoint to deploy click-time security and privacy protections, before navigating to the original destination.
  • Facebook uses link shim’s navigation intermediation as an opportunity to 1) preserve the privacy of where navigations originated from by minimizing HTTP referrers, 2) improve the security of the navigation method itself through upgrading the network protocol to HTTPS if possible, and 3) secure users from malicious navigation destinations.
  • The authors discuss how Facebook’s implementation of link shimming manages these checks
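To make the intermediation described in these bullets concrete, here is an added example of a minimal link shim endpoint in Python. It is not the paper's or Facebook's code, and everything in it is assumed: the endpoint URL, the HMAC secret, the allowlist of hosts known to serve HTTPS and the set of flagged destinations are constructed for the demo. It shows the three roles the bullets list: the shim response sets a Referrer-Policy so the destination learns only the shim's origin rather than the full URL of the page the user was reading, it rewrites http to https for hosts known to support it, and it interposes a warning page for flagged destinations. It also signs the wrapped destination so that the endpoint cannot be turned into an open redirect (CWE-601, which the reference list cites), a risk any shim endpoint inherently carries.

```python
import hmac
import hashlib
from html import escape
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# All values below are constructed for this example (hypothetical endpoint, demo
# secret, demo host lists); none of them come from the paper or from Facebook.
SHIM_ENDPOINT = "https://shim.example.test/l.php"
SHIM_SECRET = b"demo-secret-replace-with-a-server-side-secret"
HTTPS_CAPABLE_HOSTS = {"news.example.org", "docs.example.net"}   # known to serve HTTPS
FLAGGED_URLS = {"http://bad.example.com/login"}                  # from a reputation feed


def _mac(url: str) -> str:
    # Keyed MAC over the destination; only URLs the site itself wrapped will verify.
    return hmac.new(SHIM_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def wrap(url: str) -> str:
    """Rewrite an external URL into a shimmed URL carrying the destination and a MAC.

    The MAC is what keeps the endpoint from acting as an open redirect (CWE-601):
    a destination that the site never wrapped fails verification in resolve().
    """
    return SHIM_ENDPOINT + "?" + urlencode({"u": url, "h": _mac(url)})


def upgrade_to_https(url: str) -> str:
    """Rewrite http:// to https:// when the host is known to support it."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HTTPS_CAPABLE_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def resolve(shim_url: str, client_honors_referrer_policy: bool = True) -> dict:
    """Handle a click on a shimmed link; returns an HTTP-style response dict."""
    query = parse_qs(urlsplit(shim_url).query)
    dest = query.get("u", [""])[0]
    mac = query.get("h", [""])[0]
    if not dest or not hmac.compare_digest(mac, _mac(dest)):
        return {"status": 400, "headers": {}, "warning": None, "destination": None}

    dest = upgrade_to_https(dest)
    # Modern clients: the destination sees only the shim's origin, never the
    # full URL of the page the user was reading.
    headers = {"Referrer-Policy": "origin"}

    if dest in FLAGGED_URLS:
        # Interstitial instead of a redirect; the user must click through explicitly.
        return {"status": 200, "headers": headers, "warning": "suspicious_url",
                "destination": dest,
                "body": f"This link ({escape(dest)}) was reported as unsafe."}

    if not client_honors_referrer_policy:
        # Legacy client that ignores Referrer-Policy: serve an intermediate page
        # that navigates on its own, so the navigation originates from the shim
        # page rather than from the content page. Assumption made here: the
        # legacy client was identified upstream (for example from its version).
        return {"status": 200, "headers": headers, "warning": None,
                "destination": dest,
                "body": f'<meta http-equiv="refresh" content="0;url={escape(dest, quote=True)}">'}

    headers["Location"] = dest
    return {"status": 302, "headers": headers, "warning": None, "destination": dest}


if __name__ == "__main__":
    for link in ("http://news.example.org/a?b=1", "http://bad.example.com/login"):
        print(resolve(wrap(link)))
```

The signed `u`/`h` pair is the design choice worth noting: a shim that redirects to any `u` it is handed is exactly the open-redirect pattern, so the destination must be bound to the site that rendered it before the endpoint will follow it.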
Highlights
  • Prominent websites, such as online social networks, forums, and messaging platforms, support user-generated content with URLs linking to external destinations
  • A website rewrites the URLs displayed on its pages to direct link navigations first to an intermediate endpoint
  • Our study’s dataset contains 6 billion link shim navigations as well as 328M warning encounters, with the number of each warning type listed in Table 1. These values are for the raw number of warning displays though, and a user on a particular browser client may click on the same external link and witness the same warning multiple times
  • We provided a large-scale empirical evaluation of the security and privacy contributions of link shimming, a technique widely deployed by major online services, in today’s web ecosystem
  • Using a real-world deployment as a case study, we first assessed the privacy gains that link shimming provides through masking HTTP referrers and automatically upgrading links to HTTPS
  • Our populations are large enough that small proportion differences are statistically significantly different, even if they are not necessarily meaningfully different
  • We found that while modern browsers support alternative privacy mechanisms, a substantial minority of users are on legacy clients benefiting from link shimming, with a skew towards certain subpopulations such as mobile-centric developing countries
Methods
  • The authors detail what data they use for the study and the limitations of their method.

    3.1 Data Collection

    To evaluate how users interact with link shimming, the authors collect telemetry for the study from Facebook link shim navigations and warning displays.
Results
  • For desktop OSes, the authors find that less than 0.7% of browser clients on both Linux and Mac OS are fully legacy browsers, compared to 10.2% on Windows.
  • A small minority of users do engage multiple times, with more users re-engaging for suspicious URL warnings than for redirection warnings (8.7% versus 3.4%, respectively)
  • This difference is statistically significant under a two-tailed Z-test with α = 0.05 (p < 0.01).
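The Results report the re-engagement difference (8.7% versus 3.4%) as significant under a two-tailed Z-test at α = 0.05, and the Highlights note that with populations this large, small proportion differences become statistically significant without necessarily being meaningfully different. The following added example (mine, not the authors' analysis code; the counts are constructed, since the paper's exact counts are not on this page) implements the pooled two-proportion z-test and runs the same gap at two sample sizes to show that second point.

```python
import math

# Constructed counts: the page's 8.7% vs 3.4% gap at a large sample size, and
# a comparable gap at n = 100 per group. Neither set is the paper's real data.
LARGE = (8700, 100_000, 3400, 100_000)
SMALL = (9, 100, 3, 100)


def two_proportion_z_test(x1: int, n1: int, x2: int, n2: int):
    """Two-tailed two-proportion z-test with a pooled standard error.

    x1/n1 and x2/n2 are successes/trials in each group; returns (z, p_value).
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))   # two-tailed: 2 * (1 - Phi(|z|))
    return z, p_value


def is_significant(x1: int, n1: int, x2: int, n2: int, alpha: float = 0.05) -> bool:
    """True when the two-tailed p-value falls below alpha."""
    return two_proportion_z_test(x1, n1, x2, n2)[1] < alpha


if __name__ == "__main__":
    for name, counts in (("large", LARGE), ("small", SMALL)):
        z, p = two_proportion_z_test(*counts)
        print(f"{name}: z = {z:.2f}, p = {p:.3g}, significant = {is_significant(*counts)}")
```

At n = 100,000 per group the z statistic is in the dozens and the p-value underflows to zero; at n = 100 the same proportions give z of roughly 1.8 and a p-value above 0.05. Significance here measures sample size as much as effect size, which is why the paper's own caveat about meaningful versus statistically significant differences matters when reading its tables.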
Conclusion
  • The authors discuss the implications of the study’s findings, synthesizing promising directions for advancing online user protection moving forward.

    6.1 Link Shimming Costs and Benefits

    In this study, the authors investigated whether link shimming still meaningfully serves its purported security and privacy purposes given the modern web ecosystem.
  • While Facebook’s link shimming design addresses certain concerns, other usability concerns may exist that warrant further exploration, as discussed further in Section 6.3.
  • In this paper, the authors provided a large-scale empirical evaluation of the security and privacy contributions of link shimming, a technique widely deployed by major online services, in today’s web ecosystem.
  • The authors' study indicates that link shimming can provide meaningful security and privacy benefits in today’s web, and suggests directions for advancing online user protection
Tables
  • Table1: Dataset size. For each warning type, we list the raw number of warning displays as well as the number of unique displays, defined as unique (browser client cookie value, warning type, destination URL) tuples. The “None” warning type does not represent actual warnings, rather that the link shim navigations redirect directly to the destination URLs
  • Table2: For popular browsers navigating shimmed links, we show the percent of clients without any HTTP referrer privacy protections (i.e., fully legacy browsers), and the percent of clicks from those legacy clients. Here, link shimming is necessary for referrer privacy
  • Table3: For popular browsers navigating shimmed links, we show the percent of clients that are partially legacy browsers, and the percent of clicks from those legacy clients. Here, link shimming allows online services to preserve existing functionality from origin-level referrers without sacrificing referrer privacy
  • Table4: For link shim navigations upgraded from HTTP to HTTPS, we show the percent of browser clients that do not support HSTS, and hence benefit from the protocol upgrade
  • Table5: Number of times a browser client encounters the same warning for the same destination URL
  • Table6: For browser clients which engaged with the same link shim warning multiple times, we consider whether their clickthrough (CT) behavior was consistent
  • Table7: For each warning type, we manually label a random sample of 100 URLs that users did and did not click through to (labeled as CT). We label each URL as Malicious, Benign, or N/A (Not Available)
  • Table8: We list the browser versions that began supporting referrer privacy (RP) mechanisms (for both coarse-grained and flexible control) and HTTP Strict Transport Security (HSTS), based on online documentation [25, 29, 30, 43]. Legacy browser versions are lower than those listed
Related work
  • Despite the prevalence of link shimming, to our knowledge, this study is the first to analyze the technique in practice. However, the components of our analysis touch on aspects considered in prior work. Here, we summarize the prior studies as they relate to each of these aspects.

    HTTP Referrer Privacy: Nikiforakis et al. [31] investigated how referrer anonymizing services operated. These services proxy traffic for their customers to hide referrers, as link shimming also does. Relatedly, Weichselbaum et al. [47] studied CSP deployment by websites, including the CSP referrer policy. These studies looked at server-side deployment of HTTP referrer privacy protections, whereas our study provides an empirical evaluation of support by browser client populations.
References
  • [1] Devdatta Akhawe and Adrienne Porter Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In USENIX Security Symposium, 2013.
  • [2] Hazim Almuhimedi, Adrienne Porter Felt, Robert W. Reeder, and Sunny Consolvo. Your Reputation Precedes You: History, Reputation, and the Chrome Malware Warning. In Symposium On Usable Privacy and Security (SOUPS), 2014.
  • [3] Barracuda. Understanding Link Protection, 2018. https://campus.barracuda.com/product/
  • [4] Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In Network and Distributed System Security Symposium (NDSS), 2011.
  • [5] Bennett Cyphers, Alexei Miagkov, and Andrés Arrieta. Privacy Badger Now Fights More Sneaky Google Tracking, 2018. https://www.eff.org/deeplinks/2018/10/privacy-badger-now-fights-moresneaky-google-tracking.
  • [6] Serge Egelman, Lorrie Faith Cranor, and Jason Hong. You’ve Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In ACM Conference on Human Factors in Computing Systems (CHI), 2008.
  • [7] Facebook. Link Shim - Protecting the People who Use Facebook from Malicious URLs, 2012. https://www.facebook.com/notes/facebooksecurity/link-shim-protecting-thepeople-who-use-facebook-from-maliciousurls/10150492832835766/.
  • [8] Facebook. Community Standards, 201. https://www.facebook.com/communitystandards/.
  • [9] Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, and Jeff Grimes. Improving SSL Warnings: Comprehension and Adherence. In ACM Conference on Human Factors in Computing Systems (CHI), 2015.
  • [10] Adrienne Porter Felt, Richard Barnes, April King, Chris Palmer, Chris Bentzel, and Parisa Tabriz. Measuring HTTPS Adoption on the Web. In USENIX Security Symposium, 2017.
  • [11] Adrienne Porter Felt, Robert W. Reeder, Hazim Almuhimedi, and Sunny Consolvo. Experimenting at Scale with Google Chrome’s SSL Warning. In ACM Conference on Human Factors in Computing Systems (CHI), 2014.
  • [12] Electronic Frontier Foundation. HTTPS Everywhere, 2019. https://www.eff.org/https-everywhere.
  • [13] Google. Google Safe Browsing, 2019. https://safebrowsing.google.com/.
  • [14] Jeff Hodges, Collin Jackson, and Adam Barth. RFC 6797 - HTTP Strict Transport Security (HSTS), 2012. https://tools.ietf.org/html/rfc6797.
  • [15] Jcunews. Disable Yahoo Search Result URL Redirector, 2019. https://greasyfork.org/en/scripts/381922-disable-yahoo-search-result-urlredirector.
  • [16] Michael Kranch and Joseph Bonneau. Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning. In Network and Distributed System Security Symposium (NDSS), 2015.
  • [17] Frank Li, Lisa Rogers, Arunesh Mathur, Nathan Malkin, and Marshini Chetty. Keepers of the Machines: Examining How System Administrators Manage Software Updates For Multiple Machines. In USENIX Symposium On Usable Privacy and Security (SOUPS), 2019.
  • [18] Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis. Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers. In Network and Distributed System Security Symposium (NDSS), 2019.
  • [19] Arunesh Mathur, Nathan Malkin, Marian Harbach, Eyal Peer, and Serge Egelman. Quantifying Users’ Beliefs about Software Updates. In NDSS Workshop on Usable Security, 2018.
  • [20] Microsoft. Enhanced User Experience for Office 365 Advanced Threat Protection, 2018. https://techcommunity.microsoft.com/t5/ Security-Privacy-and-Compliance/EnhancedUser-Experience-for-Office-365-AdvancedThreat/ba-p/201121.
  • [21] Microsoft. Office 365 ATP Safe Links, 2019. https://docs.microsoft.com/en-us/microsoft365/security/office-365-security/atp-safelinks.
  • [22] Jon Millican. Upgrades to Facebook’s link security, 2018. https://www.facebook.com/notes/protect-the-graph/upgrades-to-facebookslink-security/2015650322008442/.
  • [23] MITRE. CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’), 2019. https://cwe.mitre.org/data/definitions/601.html.
  • [24] Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, and Tudor Dumitras. The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching. In IEEE Symposium on Security and Privacy (S&P), 2015.
  • [25] Mozilla Developer Network. <a>: The Anchor element, 2019. https://developer.mozilla.
  • [26] Mozilla Developer Network. Browser detection using the user agent, 2019. https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent.
  • [27] Mozilla Developer Network. Link Types, 2019. https://developer.mozilla.org/en-
  • [28] Mozilla Developer Network. Referer header: privacy and security concerns, 2019.
  • [29] Mozilla Developer Network. Referer-Policy, 2019.
  • [30] Mozilla Developer Network. Strict-Transport-Security, 2019.
  • [31] Nick Nikiforakis, Steven Van Acker, Frank Piessens, and Wouter Joosen. Exploring the Ecosystem of Referrer-Anonymizing Services. In Privacy Enhancing Technologies Symposium (PETS), 2012.
  • [32] Pieter. How to Stop Google, Yahoo & Bing from Tracking Your Clicks, 2009.
  • [33] Chromium Project. HTTP Strict Transport Security, 2019. https://www.chromium.org/hsts.
  • [34] Proofpoint. Targeted Attack Protection, 2019. https://www.proofpoint.com/sites/default/files/proofpoint_tap-datasheet-a4.pdf.
  • [35] Elaine Ramirez. South Korea’s Next Presidential Election Might Finally End Its Bizarre Reliance On Internet Explorer, 2017. https://www.forbes.com/sites/elaineramirez/2017/03/03/south-koreas-nextpresidential-election-might-finally-endits-bizarre-reliance-on-internet-explorer.
  • [36] Robert W. Reeder, Adrienne Porter Felt, Sunny Consolvo, Nathan Malkin, Christopher Thompson, and Serge Egelman. An Experience Sampling Study of User Reactions to Browser Warnings in the Field. In ACM Conference on Human Factors in Computing Systems (CHI), 2018.
  • [37] Alex Stamos. Preserving Security in Belgium, 2015. https://www.facebook.com/notes/alexstamos/preserving-security-in-belgium/10153678944202929.
  • [38] Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In USENIX Security Symposium, 2017.
  • [39] StopBadware. Clearinghouse Search, 2019. https://www.stopbadware.org/clearinghouse/search.
  • [40] Symantec. About Click-time URL Protection, 2017. https://support.symantec.com/us/en/article.howto125795.html.
  • [41] Geek This. Hide HTTP Referer Headers, 2017. https://geekthis.net/post/hide-httpreferer-headers/.
  • [42] Twitter. About Twitter’s link service (http://t.co), 2019. https://help.twitter.com/en/usingtwitter/url-shortener.
  • [43] Can I Use. Link type noreferrer, 2019. https://caniuse.com/#feat=rel-noreferrer.
  • [44] Kami Vaniea, Emilee Rader, and Rick Wash. Betrayed by Updates: How Negative Experiences Affect Future Security. In ACM CHI Conference on Human Factors in Computing Systems (CHI), 2014.
  • [45] Kami Vaniea and Yasmeen Rashidi. Tales of Software Updates: The Process of Updating Software. In ACM CHI Conference on Human Factors in Computing Systems (CHI), 2016.
  • [46] Rick Wash, Emilee Rader, Kami Vaniea, and Michelle Rizor. Out of the Loop: How Automated Software Updates Cause Unintended Security Consequences. In USENIX Symposium On Usable Privacy and Security (SOUPS), 2014.
  • [47] Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. In ACM Conference on Computer and Communications Security (CCS), 2016.
  • [48] Joel Weinberger and Adrienne Porter Felt. A Week to Remember: The Impact of Browser Warning Storage Policies. In Symposium on Usable Privacy and Security (SOUPS), 2016.