A Security Model for Web-Based Communication

Web access involves various protocols to resolve domain names to IP addresses, establish data exchange channels with Web servers, and to authenticate communication partners. Each protocol has its own set of requirements and security measures. In addition to technical features, operating the Web also introduces organizational and political aspects which are important to consider when deploying a secure basis for Web-based communication.
In this paper, we propose an algorithmic security model based on the widely deployed technologies DNS(SEC) and Web PKI to cover the three dimensions identification, resolution, and transaction. Our model enables quantification and qualification of the security assurance provided by an online service provider. To verify the applicability of our model, we investigate the online presence of Alerting Authorities in the U.S., selected German Emergency Service providers, and UN member states. We observe partially enhanced security relative to global Internet trends, yet find cause for concern as only about 6% of unique hosts cater to secure resolution. About 46% of investigated organizations use shared certificates with 1% of all organizations having no or invalid certificates. Two thirds of organizations are not uniquely identifiable and as such lack the basic requirement of trustworthy communication.