A Security Model for Web-Based Communication

Research output: Contribution to journalConference articleInvitedpeer-review

Contributors

Abstract

Web access involves various protocols to resolve domain names to IP addresses, establish data exchange channels with Web servers, and to authenticate communication partners. Each protocol has its own set of requirements and security measures. In addition to technical features, operating the Web also introduces organizational and political aspects which are important to consider when deploying a secure basis for Web-based communication. In this paper, we propose an algorithmic security model based on the widely deployed technologies DNS(SEC) and Web PKI to cover the three dimensions identification, resolution, and transaction. Our model enables quantification and qualification of the security assurance provided by an online service provider. To verify the applicability of our model, we investigate the online presence of Alerting Authorities in the U.S., selected German Emergency Service providers, and UN member states. We observe partially enhanced security relative to global Internet trends, yet find cause for concern as only about 6% of unique hosts cater to secure resolution. About 46% of investigated organizations use shared certificates with 1% of all organizations having no or invalid certificates. Two thirds of organizations are not uniquely identifiable and as such lack the basic requirement of trustworthy communication.

Details

Original languageEnglish
Pages (from-to)83-90
Number of pages8
Journal Communications of the ACM / Association for Computing Machinery
Volume67
Issue number10
Early online dateAug 2024
Publication statusPublished - Oct 2024
Peer-reviewedYes

External IDs

ORCID /0000-0002-3825-2807/work/165453543

Keywords

DFG Classification of Subject Areas according to Review Boards

Subject groups, research areas, subject areas according to Destatis

ASJC Scopus subject areas