Sunday, October 27, 2013

Mozilla Lightbeam Add-On Shows Risk of Third Party Sites

The slide above shows an experiment I just conducted using the Lightbeam addon with NoScript.

  • The image at left shows the results of visiting nhl.com, nfl.com, mlb.com, and google.com while NoScript is denying JavaScript and similar content.
  • The image at left shows the results of visiting nhl.com, nfl.com, mlb.com, and google.com while NoScript is disabled to allow JavaScript and similar content.

The Lightbeam add-on renders the primary and third party Web sites visited in each case.

  • When NoScript is denying Javascript and similar content, only 9 third party sites are called in order to render the 4 primary Web sites.
  • When NoScript is disabled to allow JavaScript and similar content, 66 third party Web sites are called.

Only a few minutes after taking the original images, the count for the second case increased from 66 to 90.

Why is this a problem? From a security perspective:

  • The more third party Web sites required to render a primary site, the more opportunities intruders have to introduce malicious content.
  • The more third party Web sites required to render a primary site, the more complex the primary site becomes, and the less likely it will perform as intended. We're seeing this at work (or not at work, perhaps) with healthcare.gov.

From a privacy perspective:

  • The Lightbeam rendering shows relationships among the 4 primary Web sites and the third party sites. In the first image, mlb.com and nhl.com share third party sites and therefore could potentially access data about users from each other. mlb.com and google.com are separate from each other.
  • In the second image, all of the primary Web sites are interconnected. This means it is possible for them to share data about user activities. This is how Web sites track you on the Internet.
I recommend installing Lightbeam with NoScript to try for yourself.

Update: Up to 95 sites now...

Update 2: Up to 105 sites now...