An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis, Bertil; Omolola, Olamide; Cherubini, Mauro; Humbert, Mathias; Huguenin, Kévin

doi:10.1145/3366423.3380092

Cited by 11 publications

(12 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While SRI is used on a total of 1,562 sites, we found that 626 of these only used SRI to pin popular libraries, virtually all of which were jQuery or Bootstrap (in line with what Chapuis et al [4] found). We attribute this fact mainly to the inclusion advice on the homepages of both projects, which supply HTML code snippets already, including the integrity attribute.…”

Section: B Sri In the Wildsupporting

confidence: 86%

“…Naturally, allowing any subdomain of a given domain increases the chances of such an endpoint being allowed. As examples show 4 , such endpoints are often contained on subdomains of widelyincluded domains, e.g., on detector.alicdn.com.…”

Section: A Host-based Allowlistsmentioning

confidence: 99%

“…Nevertheless, even though the feature was added in 2016 to the CSP standard, it has not been adopted by many sites, and script-controlling policies are still as insecure as ever [27]. Similarly, while SRI's popularity is slowly increasing, this is primarily due to widespread libraries like jQuery [4], leaving many other resources susceptible to cause severe harm in case of compromised third parties.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI

Steffens¹,

Musch²,

Johns³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Section: B Sri In the Wildsupporting

confidence: 86%

Section: A Host-based Allowlistsmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI

Steffens¹,

Musch²,

Johns³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

“…And failures to address this issue can create detrimental false alarm situations. These issues are discussed in more details (for SRI) in a recent study [39].…”

Section: Subresource Integritymentioning

confidence: 99%

“…A recent study by Chapuis et al [39] shows that web developers have a strong interest in extending SRI to downloads (i.e., a elements) as well as pictures, videos, etc. We made a proposal in this direction and communicated it to W3C's WebAppSec Working Group.…”

Section: Extending Subresource Integrity To Linksmentioning

confidence: 99%

A Study on the Use of Checksums for Integrity Verification of Web Downloads

Meylan

Cherubini

Chapuis

et al. 2020

ACM Trans. Priv. Secur.

Self Cite

View full text Add to dashboard Cite

App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file's integrity verification code-the checksum-matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such process is effective. Even worse, very few usability studies about it exist. In this paper, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution-a Chrome extension that verifies checksums automatically-significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers and content creators to increase the use of file integrity verification on their properties.

show abstract