Pouyan Fotouhi Tehrani, Eric Osterweil, Jochen H. Schiller, Thomas C. Schmidt, Matthias Wählisch,
Who ya gonna call? (Alerting Authorities): Measuring Namespaces, Web Certificates, and DNSSEC,
Open Archive: arXiv.org, Technical Report, No. arXiv:2008.10497, August 2020.
Abstract: During disasters, crises, and emergencies the public relies on online services provided by authorities to receive timely alerts, trustworthy information, and access to relief programs. It is therefore crucial for the authorities to reduce risks when accessing their Web services. This includes proper naming (e.g., against phishing attacks), name protection (e.g., against forged DNS data), adequate identification (e.g., against spoofing and impersonation), and transport security (e.g., against traffic manipulation). In this paper, we take a first look at Alerting Authorities in the U.S. and measure the deployment of domain names, DNSSEC, and Web certificates related to their websites. Surprisingly, many do not take advantage of existing methods to increase security and reliability. Analyzing 1,388 Alerting Authorities, backed by the Federal Emergency Management Agency (FEMA), we are alarmed by three major findings. First, 50% of the domain names are registered under generic top-level domains, which simplifies phishing. Second, only 8% of the domain names are secured by DNSSEC and about 15% of all hosts fail to provide valid certificates. Third, there is a worrying trend of using shared certificates, which increases dependencies leading to instability in the future.

Themes: Internet Measurements and Analysis, Network Security, Network Management


