Shim Shimmeny: Evaluating the Security and Privacy Contributions of Link Shimming in the Modern Web

USENIX Security Symposium


Abstract

Link shimming (also known as URL wrapping) is a technique widely used by websites, where URLs on a site are rewritten to direct link navigations to an intermediary endpoint before redirecting to the original destination. This “shimming” of URL clicks can serve navigation security, privacy, and analytics purposes, and has been deployed by prominent websites (e.g., Facebook, Twitter, Microsoft, Google) for over a decade. Yet, we lack a deep understanding of its purported security and privacy contributions, particularly in today’s web ecosystem, where modern browsers provide potential alternative mechanisms for protecting link navigations without link shimming’s costs.

In this paper, we provide a large-scale empirical evaluation of link shimming’s security and privacy contributions, using Facebook’s real-world deployment as a case study. Our results indicate that even in the modern web, link shimming can provide meaningful security and privacy benefits to users broadly. These benefits are most notable for the sizable populations that we observed with a high prevalence of legacy browser clients, such as in mobile-centric developing countries. We discuss the tradeoff of these gains against potential costs. Beyond link shimming, our findings also provide insights for advancing user online protection, such as on the web ecosystem’s distribution of responsibility, legacy software scenarios, and user responses to website security warnings.
