Oct 30, 2024
Study reveals weaknesses of alerting authorities and foreign ministries and presents systematic security model for the WWW
Computer scientists from TU Dresden, George Mason University in Fairfax, USA and HAW Hamburg develop a security model for web-based communication. The renowned journal Communications of the ACM has published the results as a Research Highlight.
Web developers and service providers rely on a whole range of protocols, services and libraries to provide their software. The individual components are often linked together. This allows vulnerabilities, bugs, malware and data leaks to creep in, and these become all the more serious the more critical infrastructures and security services depend on them.
One example of important web services is the Alerting Authorities (AAs) in the USA, authorities that are authorized to alert the public when a disaster or threat is imminent or people are missing. Today, there are more than 1,600 federal, state, local and territorial alerting authorities that issue important public warnings in their jurisdictions. Like many other emergency services, the alert centers rely on the Internet for their communications and operations to maintain safety in the country.
The study was published in the October issue of "Communications of the ACM" under the title "A Security Model for Web-Based Communication", with the collaboration of Prof. Matthias Wählisch and Pouyan Fotouhi Tehrani, Chair of Distributed and Networked Systems at the Faculty of Computer Science at TU Dresden. It reveals worrying security gaps in the Internet communication of these alerting authorities, German emergency services and websites of the foreign ministries of UN member states. Around 46% of the organizations examined use shared certificates, and 1% of all organizations have no certificate or an invalid one. Two thirds of the organizations are not clearly identifiable, although clear identification is the basic requirement for trustworthy communication.
Names and certificates are necessary for critical services such as alerting authorities to function on the web. Both services, the Domain Name System (DNS) for names and the certificates themselves, must be trustworthy and secure. According to the study, however, the available security mechanisms are not used sufficiently. Attackers can take advantage of this to pretend to be a web service without the user being able to adequately check whether the service is genuine.
The published study verifies an enormous number of alerting authority websites, which are scattered across various resources. The study is based on very carefully conducted Internet measurements and thus provides a valuable data set for analyzing the domain namespace and web PKI. The results on security profiles and vulnerabilities were shared with the authorities to make them aware of possible improvements. The proposed security model generalizes the findings so that algorithmic verification is possible in the future.
"Our studies concern all countries where similar systems for public emergency alerts have been introduced and the World Wide Web in general," explains Prof. Matthias Wählisch. "We want to ensure that the security situation on the web can be communicated automatically in the future, both for laypeople and experts."
The specialist journal Communications of the ACM has been published monthly since 1958. It is one of the most important journals in computer science. The Research Highlights category recognizes outstanding research work of overriding importance.
The article is available as open access at https://doi.org/10.1145/3623292 and https://cacm.acm.org/research-highlights/a-security-model-for-web-based-communication/.