Third Party Domain Scripts Beef

12 Aug 2011
Posted by adrianb

Many websites use extra software programmes to deliver useful and sometimes not so useful functionality that you might not get with good old HTML (in all its variants).
Examples of "extra" programmes include Flash and JavaScript, but there are plenty of others. A "good" site will keep these extra programmes to a minimum, and will serve any it feels are really necessary from its own domain. That way, you know that the operators of the website are likely to have taken great care examining the suitability and safety of these programmes, because they are likely to be hosted on their own servers, or at least mixed up with all their own web infrastructure and services.
If you know and trust the organisation that owns the website, that is usually going to be good enough and you won't have to worry any further.

However, lots of websites now contain software that isn't served directly from the main website domain. This means that a familiar website might contain software that is coming from several different domains. You, as a user, will have no idea which of these are legitimate and which are not. You might also be aware of the several instances of these third party programmes being compromised so that they serve some very unhealthy stuff to site visitors' PCs.

A good analogy is with holiday rental properties. The rental property is like the website – you visit it and get to use all the facilities while you are there.
Now suppose the owner gives keys to a housekeeper, and you don't know about him/her.
A legitimate housekeeper might come and make breakfast, clean up, and all sorts of other useful stuff. That's nice – but it would have been nicer if the owner had told you about it in advance!
How will you know the difference between a legitimate housekeeper and a thief? If the accepted norm is that anyone might be in the property, how do you tell good from bad?
The housekeeper/thief is like these extra programmes or scripts.

On my PCs I routinely block scripts in my browser that are, or appear to be, from third party domains. I do this because I think they are a significant risk, and I don't want to take a chance with a PC that I use for important stuff. I choose to use a browser that lets me block these programmes – Firefox (though Internet Explorer now also offers script blocking options) – with an add-on called "NoScript".
Even as an experienced IT/Digital professional, it's often difficult to tell what the risk from a particular script is likely to be, so I take the "safety first" approach.
For a new website I'm not familiar with, I block all scripts. If the site doesn't then do what I want without these extra scripts, and assuming I still want to use the site, I might use my browser plug-in to permit scripts served by the main domain only.
With LinkedIn, having used the site for quite a while (not for anything critical) and been convinced by their relatively professional approach (until now, that is),
I thought they took care to make sure their website doesn't serve nasty stuff to my browser, so I trusted their own programmes to access my browser and PC.
However, I don't trust software from third party domains to be as careful. They might be as safe, but often I've not heard of them at all, or they are very small companies with no profile, and/or they seem to be just about advertising and user tracking services. I don't have time to track down and research every tin-pot activity tracking company to see how safe they are likely to be, and don't see why I should need to.
Why doesn't LinkedIn tell me if they have done this research already, or even better, why doesn't LinkedIn just keep all these programmes under its own domain? Then it's easy to see which programmes are authorised and which are not, and the rest can easily be blocked by the browser. Of course most users will have no idea of the risks they run.
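To make the "main domain versus third party" distinction concrete, here is an added example (not from the original post or from any browser add-on) that inventories the script tags of a page and labels each as first-party, third-party or inline, the same split a script-blocking policy has to make. The page markup, the site name example.com and the tracker/CDN hostnames are all constructed for the example, and the registrable-domain check is a deliberately simple last-two-labels heuristic.

```javascript
// Added example: classify a page's <script> tags by origin, from a defender's view.
// The HTML and hostnames below are constructed samples, not any real site's markup.

// Registrable domain heuristic (assumption): the last two labels of the hostname.
// This misclassifies multi-label suffixes such as co.uk; a production check would
// consult the Public Suffix List instead.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns [{src, kind}] where kind is 'first-party', 'third-party' or 'inline'.
function classifyScripts(pageUrl, html) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const results = [];
  const tagRe = /<script\b([^>]*)>/gi;   // each opening <script ...> tag
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!srcMatch) {                      // no src attribute: inline script
      results.push({ src: null, kind: 'inline' });
      continue;
    }
    // Resolve relative ("/js/app.js") and protocol-relative ("//host/x.js") URLs.
    const src = new URL(srcMatch[1], pageUrl);
    const kind = registrableDomain(src.hostname) === pageDomain
      ? 'first-party' : 'third-party';
    results.push({ src: src.href, kind });
  }
  return results;
}

// The extra hostnames a user would have to trust beyond the site itself.
function thirdPartyHosts(pageUrl, html) {
  const hosts = classifyScripts(pageUrl, html)
    .filter(s => s.kind === 'third-party')
    .map(s => new URL(s.src).hostname);
  return [...new Set(hosts)].sort();
}

// Constructed sample page: one same-host script, one subdomain script,
// two scripts from unrelated domains, and one inline block.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src="//static.example.com/lib.js"></script>
<script src="https://tracker.adnet-example.net/t.js" async></script>
<script type="text/javascript" src='https://cdn.widgets-example.org/w.js'></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

console.log(classifyScripts('https://www.example.com/profile', SAMPLE_HTML));
console.log('third-party hosts:', thirdPartyHosts('https://www.example.com/profile', SAMPLE_HTML));
```

Run with Node.js; the output lists the two unrelated hostnames as the ones a user is implicitly being asked to trust.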

If the owners of websites I use believe that the functionality offered by these third party programmes is so important, and think that I should trust them, I wonder why it is they don't trust this software enough to have it installed on their own web servers, or at least be up front about all the third parties involved in the operation of their websites.
There might be reasonable technical or cost reasons for not hosting these programmes with the main website – but why not be up front about it, if there is nothing to hide?
It's just cheaper and easier to have a third party specialist look after all these extra, mostly supplementary services, activity tracking and advertising related, which offer little benefit to the site visitors. See this recent USA Today article for more on the widespread risks.

Until now LinkedIn has worked fine for me without any third party scripts. But in this case it seems that LinkedIn used third party hosted software (or at least something not delivered by the main domain) to deliver, in a rather uncertain manner, a very important bit of information about the changes to the way they were going to use my data. And it screwed up.