Who ya gonna call? (Alerting Authorities): Measuring Namespaces, Web Certificates, and DNSSEC

During disasters, crisis, and emergencies the public relies on online services provided by authorities to receive timely alerts, trustworthy information, and access to relief programs. It is therefore crucial for the authorities to reduce risks when accessing their Web services. This includes proper naming (e.g., against phishing attacks), name protection (e.g., against forged DNS data), adequate identification (e.g., against spoofing and impersonation), and transport security (e.g., against traffic manipulation). In this paper, we take a first look on Alerting Authorities in the U.S. and measure the deployment of domain names, DNSSEC, and Web certificates related to their websites. Surprisingly, many do not take advantage of existing methods to increase security and reliability. Analyzing 1,388 Alerting Authorities, backed by the Federal Emergency Management Agency (FEMA), we are alarmed by three major findings. First, 50% of the domain names are registered under generic top-level domains, which simplifies phishing. Second, only 8% of the domain names are secured by DNSSEC and about 15% of all hosts fail to provide valid certificates. Third, there is a worrying trend of using shared certificates, which increases dependencies leading to instability in the future.