Who ya gonna call? (Alerting Authorities): Measuring Namespaces, Web Certificates, and DNSSEC
During disasters, crises, and emergencies the public relies on online services provided by official authorities to receive timely alerts, trustworthy information, and access to relief programs. It is therefore crucial for the authorities to reduce risks when accessing their online services. This includes catering to secure identification of service, secure resolution of name to network service, and content security and privacy as a minimum base for trustworthy communication. In this paper, we take a first look at Alerting Authorities (AA) in the US and investigate security measures related to trustworthy and secure communication. We study the domain namespace structure, DNSSEC penetration, and web certificates. We introduce an integrative threat model to better understand whether and how the online presence and services of AAs are harmed. As an illustrative example, we investigate 1,388 Alerting Authorities, backed by the United States Federal Emergency Management Agency (US FEMA). We observe partial heightened security relative to the global Internet trends, yet find cause for concern as about 80 trustworthy service provision. Our analysis shows two major shortcomings: About 50 on others, 55 and less than 0.4 lead to DNS poisoning and possibly to certificate misissuance. Furthermore, 15 of all hosts provide no or invalid certificates, and thus cannot cater to confidentiality and data integrity, 64 certificates that lack any identity information, and shared certificates have gained in popularity, which leads to fate-sharing and can be a cause for instability.