A Security Model for Web-Based Communication

Web access involves various protocols to resolve domain names to IP addresses, establish data exchange channels with Web servers, and to authenticate communication partners. Each protocol has its own set of requirements and security measures. In addition to technical features, operating the Web also introduces organizational and political aspects which are important to consider when deploying a secure basis for Web-based communication.In this paper, we propose an algorithmic security model based on the widely deployed technologies DNSSEC and Web PKI to cover three dimensions: identification, resolu-tion, and transaction. Our model enables quantification and qualification of the security assurance provided by an online service provider. To verify the applicability of our model, we investigate the online presence of Alerting Au-thorities in the U.S., selected German Emergency Serviceproviders, and UN member states. We observe partially en-hanced security relative to global Internet trends, yet find cause for concern as only about 6% of unique hosts cater to secure resolution. About 46% of investigated organizations use shared certificates with 1% of all organizations having no or invalid certificates. Two thirds of organizations are not uniquely identifiable and as such lack the basic require-ment of trustworthy communication