SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

doi:10.21203/rs.3.rs-4275987/v1

Download PDF

Article

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

https://doi.org/10.21203/rs.3.rs-4275987/v1

This work is licensed under a CC BY 4.0 License

Version 1

posted

You are reading this latest preprint version

The study "SilkSecured" delves into the practice of governmental web systems in China. It scrutinizes the security and dependency challenges besieging China's governmental web infrastructure, with an intent to unearth pivotal concerns and proffer enhancements. The inquiry reveals substantial vulnerabilities and dependencies that could impede the digital efficacy and safety of governmental web systems.

To counter these identified frailties, "SilkSecured" presents a suite of strategic recommendations tailored to bolster the digital fortitude of China's governmental web infrastructure. It underscores the critical need for robust domain name resolution services to assure secure and reliable access to government websites. The study accentuates the necessity for stringent vetting and regular updates of third-party libraries, aiming to avert potential security threats. Furthermore, it advocates for an optimized deployment of web systems by advocating for a diversified distribution of network nodes, which could substantially augment system resilience and performance.

Through this comprehensive analysis, "SilkSecured" aspires to serve as a beacon for governmental departments, championing the ongoing enhancement of security protocols within China's governmental web domains. This initiative is envisioned to fortify the digital infrastructure against the spectrum of evolving cyber threats, thus safeguarding the digital governance ecosystem in China. The recommendations provided aim to underpin the robustness and reliability of governmental web systems, ensuring their integrity in the digital era.

Physical sciences/Mathematics and computing/Computer science

Physical sciences/Mathematics and computing/Information technology

Physical sciences/Mathematics and computing/Statistics

Web information security

Web data mining

Web measurement

Digital governance

Digital infrastructure

With the rapid advancement of the Internet, governments worldwide are progressively transitioning to electronic information technology. As the most populous nation globally, China plays a crucial role as a significant participant and contributor to this global trend. Within this landscape, government websites emerge as vital conduits facilitating communication between the government and its citizens.

However, the management and operation of government web information systems entail a multitude of complex considerations, necessitating effective decision-making in information dissemination, emergency response, disaster management, e-governance, and service accessibility.

When confronted with the choice between centralized and decentralized management, government website administrators must weigh numerous factors. Centralized management offers potential cost reductions but may compromise user experience and jeopardize information security, particularly during crises when the risk of data loss escalates. Conversely, decentralized management can enhance disaster recovery capabilities and user satisfaction but entails higher management and maintenance expenses. Moreover, the decision to opt for self-maintenance or rely on third-party services presents a critical dilemma. Self-maintenance may be constrained by technical limitations, while third-party reliance may entail risks concerning service quality and security.

Information System Management encounters various challenges, foremost among them being security breaches and risks. Issues such as information leakage, data loss, and unauthorized access pose threats to the security of citizen data and sensitive information, undermining societal trust. Additionally, government websites may grapple with operational inefficiencies and service disruptions. Regional disparities in geographical and demographic conditions result in differential system maintenance and updates, influencing user experience and service delivery quality.

With the popularization of the Internet and the accelerated development of informatization, the improvement of government website management levels has not matched this, making it face increasingly complex security threats and challenges. Increasingly complex cyber threats have made government websites the main target of hackers and cyber attackers. High interconnectivity and correlation have increased the complexity of the system. The ever-changing network ecology requires government websites to continuously adapt to new technologies and threats and adopt advanced technologies. Cybersecurity measures and best practices to maintain the availability and security of public services. Comprehensive analysis of these issues can help provide improvement suggestions, enhance the management and technical foundation of government websites, and improve their overall level in terms of security and usability.

This study aims to gain an in-depth understanding of the security and usability issues of China's government web information system, and explore its potential risks and room for improvement from multiple dimensions. It also discusses the potential negative impact of management difficulties on these issues.

This research focuses on investigating key aspects of website infrastructure and security, distilled into four core areas:

Infrastructure and Security Reliance: How do websites depend on domain name resolution services, third-party libraries, and CDN deployments? This includes examining DNS server redundancy, DNSSEC support, library security risks, and CDN service provider dependence.
Certificate Authority and Encryption Standards: What CA certificate services are used, their origin (domestic or international), and the adoption of TLS versions? This seeks to understand the encryption practices and any associated issues.
Network and Geographic Distribution: Investigating the distribution of website server operators, including ASN distribution and geospatial redundancy, to assess network diversity and resilience.
Government Website Practices: Analyzing HTTPS adoption, security issues, and room for improvement in Chinese government websites, alongside evaluating UI/UX interactivity, mobile friendliness, and SEO optimization.

Through in-depth research on these issues, we aim to provide effective security and improvement suggestions for government departments, as well as promote the continuous improvement of government Web information systems in information security and public services, and provide strong support for the future development of government websites. to ensure its security and effectiveness in the digital age.

The main contributions of this study are succinctly summarized as follows:

This study represents the first comprehensive security audit of all government websites in China, identifying security and dependency issues while highlighting the reliance on specific institutions within the government's web information system.
We introduce an innovative method for calculating server redundancy, aimed at analyzing servers designated for varied functions (e.g., Web Server, Name Server), enhancing the understanding of infrastructure resilience.
A novel approach for aggregating website information from multiple dimensions to construct a comprehensive information graph involving domain names, DNS records, CA certificates, and Whois information is proposed. This improvement strengthens the interconnectivity between entities, paving the way for more effective management and exploration of web dependencies and vulnerabilities. Consequently, it offers vital threat intelligence and strategic guidance for effective oversight.
We have made public the processed URL data of Chinese government websites and the developed security auditing tool, supporting further research by scholars in this field.

The initiation of internet navigation through the entry of a domain such as "https://www.example.com" into a browser triggers a sophisticated series of network activities. This process begins with a DNS lookup, wherein the browser reaches out to a DNS server to convert the domain name into an IP address, potentially navigating through the DNS hierarchy to locate the correct address. After obtaining the IP address, a TCP connection is established between the browser and the server to exchange data. For sites that utilize HTTPS, the connection is secured through an SSL/TLS handshake, during which the server provides a CA-signed certificate to authenticate itself and encrypt the communication. Following this, the browser sends an HTTP request to the server, which in return, sends back the webpage content for the browser to render and display. This intricate process, which encompasses DNS resolution, secure connections, and content delivery, is fundamental to the web browsing experience, guiding the user from the point of domain entry to the visualization of the webpage.

This seamless web browsing experience masks the extensive network activities that occur behind the scenes, crucial for the uninterrupted functioning of internet services, as no user anticipates being denied service when visiting a website [1].

The security of websites is partly reliant on DNS security measures such as DNSSEC, among other protective mechanisms, to prevent malicious attacks that could compromise domain name resolution [2, 3]. The performance and availability of a website, especially for those relying on cloud service providers for DNS resolution, depend on the reliability of these services. The incorporation of third-party services, including social media plugins and advertising, introduces additional complexity to domain name resolution, requiring effective management to prevent impacts on website functionality and loading speeds.

The domain name resolution process, which involves an average of 46 servers, highlights the potential vulnerabilities within this complex network. A compromised DNS server could have far-reaching implications, underscoring the importance of a robust DNS infrastructure [2]. This complexity justifies the need for comprehensive DNS research, especially for critical infrastructures such as the Chinese government's web information system, where the deployment of authoritative DNS servers has been meticulously studied [4].

Content Delivery Networks (CDNs) significantly enhance user experience by improving website access speed and stability. These networks depend on DNS to direct users to the nearest server node, but challenges in DNS resolution can diminish their effectiveness. In China, the deployment of CDN services is complicated by specific policies and network environments, necessitating reliance on domestic providers like ChinaCache, ChinaNetCenter, FastWeb, AliCDN, Baidu Yunjiasu, and Tencent, despite the risk of CDNs being exploited for malicious purposes [5].

The dominance of large ISPs in the market presents limited competitive options for government entities, potentially impacting the cost and quality of services. The threat of website hijacking by ISPs introduces a significant security risk, necessitating careful ISP selection to ensure the reliability and security of online services [6]. In conclusion, the array of network activities foundational to web browsing, from DNS resolution through to CDN functionality, is critical for the delivery of web content. The strategic selection of ISPs, alongside the implementation of rigorous security measures, is imperative for maintaining the integrity and efficiency of the digital infrastructure, thus ensuring a secure and seamless online experience for users.

With the continuous expansion of the Internet, scholars have shown a keen interest in the extent to which government Web information systems rely on internet infrastructure and related service providers. Websites offer users a variety of services [7], and the stability and reliability of these websites largely depend on their reliance on third-party services, including Content Delivery Network (CDN), Domain Name System (DNS), and Certificate Authority (CA) services [8, 9, 10, 11]. Additionally, the adoption of IPv6 [12,13, 14, 15], the application of IPv6 in domain name resolution servers [16], Internet Service Providers (ISPs) [17, 18], and the third-party components and resources on which web services rely [19, 20, 21, 22] also impact their overall performance and availability.

Of particular concern is the vulnerability of JavaScript in supply chain attacks [23, 24, 25], highlighting deficiencies in verifying the integrity of third-party script content, making JavaScript a potential threat that jeopardizes user security. To enhance the security of government websites, security measures such as Subresource Integrity (SRI) [26] and Content Security Policy (CSP) [27, 28, 29, 30, 31, 32] become crucial. These measures help mitigate security risks faced by government websites and enhance their resilience against malicious attacks.

[33] studied the concentration of email infrastructure providers for each top-level domain and identified the most important providers in the market. Additionally, scholars have also focused on the application of HTTPS [34, 35].

What sets our work apart from previous studies is our focus on government Web information systems rather than popular sites like the top 500 or top 20k. Government websites are typically one of the main channels for the public to access government-related information and play a crucial role in providing government information, increasing transparency and openness, and serving as an important platform for public services. The information they carry often involves security risks such as national security, personal privacy, and data breaches, thereby protecting public interests and national security. This is the basis of our work. We aim to understand the situation of Chinese government websites in terms of CDN, DNS, CA, HTTPS application, DNSSEC application, and other aspects, thereby providing meaningful insights for managers and technical personnel of Chinese government websites.

Because government websites are important dissemination platforms for information, their management involves the organization, storage, transmission and use of information. Information science is the study of the organization, acquisition, processing, and transmission of information, so our study focuses on the dependence of government websites on Internet infrastructure and service providers, which is closely related to the core concerns of the information science field.

In this section, we detail our methodology for conducting a thorough analysis of web information systems. Our study employed a sophisticated suite of scripts and tools designed for exhaustive data collection and analysis, targeting various facets of web information systems. We sourced our data from the Chinese National Government Website Basic Information Database, deliberately excluding data from Taiwan Province, Hong Kong Special Administrative Region, and Macao Special Administrative Region. Our automated scripts facilitated the download of all accessible CSV files, capturing critical information such as serial numbers, website identification numbers, names, and homepage URLs.

The data processing stage presented several challenges, including the incorrect use of Chinese symbols, missing URL scheme data, and the absence of delimiters in entries with multiple URLs. Addressing these issues required extensive data cleansing and validation efforts, including attempts to access the websites. This process yielded data from 13,464 local government websites and 535 websites affiliated with the State Council, encompassing a total of 13,999 web pages. These pages corresponded to 13,898 unique web information systems, with some instances where websites from different regions were merged into a single system.

Building upon this dataset, our analysis extended to a wide array of dimensions, such as domain name resolution, the usage of third-party JavaScript libraries, Certificate Authority (CA) services, Content Delivery Network (CDN) services, website structure, operator information, the application of security technologies, and accessibility features, as depicted in Fig. 1. Our methodology ensured that the data collection process was non-intrusive and did not disrupt the normal functioning of any web services.

4.1 Domain name resolution information collection

For information related to domain name resolution, we focus on IP address, IPv6 usage, CNAME, NS and other information, aiming to fully understand the operation status and redundancy of the target website.

Domain name extraction was conducted using the dig tool from a dataset comprising 13,999 URLs. We initiated the analysis by querying the NS records of these domain names to ascertain the domain name servers employed by the respective websites. This investigation accounted for instances where NS records were not set, identifying occurrences where glue records were provided within A record queries. To enhance the comprehensiveness of our NameServer information, we expanded our queries to include A and AAAA records. Further analysis was conducted using the nslookup tool to meticulously examine the adoption of IPv4, IPv6, and CNAME records across the websites. This systematic approach ensured a detailed evaluation of DNS configurations within the dataset.

4.2 Collection of third-party library usage information

In the process of building and using web information systems, developers usually make extensive use of third-party libraries. In the actual deployment stage, the introduction of these libraries may involve sites like http://www.pearlwater.gov.cn/ needing to load third-party resources like https://hm.baidu.com/hm.js?30adc4a87c48b04b19d1dfdf1e31fe3f. These libraries are usually stored on third-party servers, such as hm.baidu.com.

However, users usually know nothing about the specific implementation of these libraries and can only choose to believe that hm.baidu.com returns the correct implementation, that is, no malicious code is embedded. In addition to being affected by third-party storage, the version iteration of the third-party library itself may also cause a series of problems, such as unknown vulnerabilities, known vulnerabilities that have not been fixed, fixes in new versions but not yet updated to the current version, etc.

Therefore, it is crucial to have an in-depth understanding and judicious use of third-party libraries. System maintainers need to always pay attention to the security, stability and updates of the library to ensure that the system is not affected by potential risks and problems during use.

When conducting research on a website's third-party libraries, we look at the JavaScript libraries used and their versions to fully assess their security. We can perform analysis using the Lighthouse tool provided by Google, which is widely regarded for its comprehensive performance review and security assessment.

Lighthouse will generate a detailed report on http://www.example.com with information about performance, accessibility, best practices, SEO, and more. In this section, we will focus on the "js-libraries" section to get key information about the third-party libraries used by the website.

In the "js-libraries" section we can find details of the third-party JavaScript libraries used by the website and their versions. This step is critical to accurately assess the security of these libraries and whether they are up to date.

4.3 CA service information collection

In Internet communications, certificate information plays a key role, including the issuer of the certificate, the country of the issuer, and the version used by the certificate. Many application technologies ensure the security of the communication connection between two entities by using the Internet Public Key Infrastructure with X.509 (PKIX) certificates in the context of Transport Layer Security (TLS) [36].

In order to collect certificate issuer (CA) information, a secure connection to the target host must first be established. After the connection is established, the process of obtaining certificate information involves detailed parsing of the certificate. By analyzing the details of the certificate, you can learn key information such as the identity of the issuer, the country of the issuer, and the usage scope and validity period of the certificate.

4.4 CDN usage information collection

In order to evaluate whether a web information system adopts CDN services, we adopt an analysis method based on DNS records, in which most CDN services are implemented through CNAME (Canonical Name) records [11]. By configuring the CNAME record, the domain name is pointed to the CDN service provider's domain name instead of the system's server IP. When a user accesses a web information system, DNS resolution will be directed to the CDN provider's server, and the CDN provider will route the request to the nearest edge node based on the user's geographical location.

The core of this method is that the CDN service will leave a characteristic CNAME record in the DNS record of the domain name. By performing a DNS query on a domain name, such as using dig or nslookup tools, we can check its CNAME record to infer whether the system uses a CDN service. Taking "kjt.yn.gov.cn" as an example, through the dig command, we found that it has a CNAME record: "kjt.yn.gov.cn.w.kunlunaq.com". In addition, the DNS server also returned multiple A records for "kjt.yn.gov.cn.w.kunlunaq.com", which further confirms that the system uses CDN services.

4.5 ISP information collection

To analyze the administrative dimensions of a web information system's server, the initial step involves separating domain names from URLs, omitting paths and query parameters. These domain names are then queried using nslookup to find their IP addresses. The "dig" command is used to determine the DNS server handling domain resolution, with hostnames or glue records guiding IP address retrieval.

The Diversity Score, an analytical metric, encapsulates several aspects: Autonomous System Number (ASN), Internet Service Provider (ISP), geographical coordinates (latitude and longitude), and geopolitical information (country, province, city). It aggregates these elements by counting unique ASNs and ISPs, calculating distances between geographical coordinates using the Haversine formula (considering pairs beyond a certain threshold as diverse), and assessing geopolitical identifier similarity with the fuzzywuzzy library's ratio function (entities exceeding a set similarity threshold are deemed diverse). The IP Address Score reflects the total count of IP addresses. The Overall Diversity Score, an average of these components, offers a nuanced view of the diversity within a dataset, enhancing understanding of the geographical and organizational spread of web information systems.

4.6 Security technology application information collection

We first extract the hostname in the URL and then run nslookup to query the IP address and alias of the domain name.

As described in Algorithm 1, for checking the HTTPS application status of the website, we simultaneously check HTTP and HTTPS requests based on the URL and analyze their responses. If there is only an HTTP response, the website is considered to support only HTTP; if there is only an HTTPS response, the website is considered to support only HTTPS; if there are both HTTP and HTTPS responses, the website is considered to support both HTTPS and HTTP.

Algorithm 1

A security technology application information collection algorithm

	Input: domainList
	Output: analysisResults
1:	for each domain in domainList do:
2:	hostname←extracrt from domain
3:	address, alias←nslookup hostname
4:	httpResponse←response from sending an HTTP request to the domain
5:	httpsReponse←response from sending an HTTPS request to the domain
6:	if only httpResponse then
7:	status←only HTTP
8:	else if only httpsResponse then
9:	status←only HTTPS
10:	else
11:	status←both HTTP and HTTPS
12:	end if
13:	digDomainOutput←output from dig command with + dnssec option for the domain
14:	if RRSIG records are found in the digDomainOutput then
15:	domainStatus←signed
16:	else
17:	domainStatus←not signed
18:	end if
19:	digServerOutput←Using dig querying the domain's DNS server
20:	if RRSIG RR in digServerOutput then
21:	serverStatus←supported
22:	else
23:	serverStatus←not supported
24:	end if
25:	Add the domain’s results into analysisResults
26:	end for
27:	Return analysisResults

Regarding the DNSSEC signature of domain names, we count the DNSSEC signatures of domain names whose Whois [37] information can be queried. In addition, we also query the DNSSEC signature of the domain name by using the dig command, such as “dig + dnssec test.com @8.8.8.8”, where 8.8.8.8 is Google's public DNS server. If the domain name is DNSSEC signed, it will be displayed in the output Display RRSIG records.

As for DNSSEC support of DNS servers [38], we use all domain names with RRSIG records and pass “dig + dnssec support.com @a.b.c.d”, where a.b.c.d is the DNS server to be tested. If the DNS server supports DNSSEC, the RRSIG resource record will be shown in the results; otherwise, only normal resolution results will be shown.

4.7 Information gathering method

Drawing inspiration from the study [39], we employed Lighthouse and ZAP as our tools of choice to conduct a thorough evaluation of website performance, SEO, and various other critical aspects.

As shown in Fig. 2, this diagram describes a comprehensive approach that collects and integrates various key information of a website through multiple dimensions. From architecture, security, network configuration to authentication, various components and related features of the system are taken into consideration.

The figure describes the core architectural components of the website, such as web applications, third-party JS libraries, domain name servers, etc., as well as the dependencies between them. In addition, the system's security measures are demonstrated, including identified vulnerabilities and corresponding solutions, as well as the use of SSL certificates and security features supported by domain name servers.

Regarding network configuration, the figure details the network configuration information of the domain name server, including open ports and supported protocols, as well as the physical location and owner information related to the IP address. In addition, it also provides detailed information on various DNS record types stored on the domain name server, as well as related authentication information of the SSL certificate, such as the subject and issuer of the certificate.

This comprehensive method enables researchers to fully understand the website's operating mechanism, security measures, network configuration and authentication information, providing an important reference and analysis basis for in-depth analysis and optimization of the website.

In this section, we delve into the examination of security and dependency challenges within the Chinese Government Web Information System. Our focus encompasses a range of critical components including domain name resolution, the utilization of third-party libraries, Certificate Authority (CA) services, Content Delivery Network (CDN) services, Internet Service Providers (ISP), the adoption of HTTPS, IPv6 integration, and DNSSEC implementation. To conduct more thorough analysis, we employ a suite of advanced tools, aiming to provide a comprehensive overview of the existing security posture and interdependencies.

5.1 Domain name resolution

Failures within the DNS can have a dramatic impact on the broader Internet, most notably by blocking access to any services (e.g., web, mobile applications) that rely on the domain name [40].

We found that 2,234 domains have NS records, 4,687 domains have CNAME records, 13,708 domains have A records, and 7,462 domains have AAAA records. Surprisingly, the results show that 26.85% of domain names do not have NS records set. This means that these domain names may not have effective DNS configuration, which may cause them to be inaccessible or unstable on the Internet.

Consider the 4,687 domain names that have CNAME records, which are often used to alias one domain name to another domain name. This means that although these domain names do not have direct A or AAAA records, they can be successfully mapped to the corresponding IP addresses through the resolution of alias names. This approach may be to facilitate the management and maintenance of the domain name system, but it also adds a certain amount of complexity and potential resolution delays. We queried 13,898 unique domain names and found that these domain names were resolved by 563 DNS host names. We measured all 563 DNS servers corresponding to all hostnames. The results showed that these host names involved a total of 894 different DNS servers after resolution, of which 634 were IPv4 servers and 260 were IPv6 servers.

In order to understand the redundancy of these DNS servers, we further calculated the Diversity scores of these DNS servers. From Fig. 3 we found that 64.51% of them had scores between 1.0 and 2.0. 2.0–3.0 accounts for 7.21%. 3.0–4.0 accounts for 16.03%. 4.0–5.0 accounts for 10.63%. 5.0–6.0 accounts for 1.62%. 1.0 represents no redundancy measures. [41] point out that servers must be placed in both topological and geographically dispersed locations on the Internet to minimize the possibility of a single failure disabling all these functions. A good example is using different servers with different ASNs from different operators in different regions.

In Table 1, the Internet Domain Name System Beijing Engineering Research Center LLC is identified as managing China's root (mirror) servers, providing enterprise-level and top-level domain name services. Notably, the China Internet Network Information Center does not directly offer domain name registration services to end users; instead, this service is predominantly provided by other companies in Table 1, which typically include both domain name registration and resolution services, defaulting to the registrar's own domain name servers.

Table 1

Top 10 DNS resolution service providers: (A domain name may have multiple DNS servers).
Company Name	Domain Count
Beijing Guokeyun Computing Technology Co.,Ltd.	7553
Alibaba Cloud Computing (Beijing) Co.,Ltd.	5928
Xin Net Technology Corporation	3170
DNSPod, Inc.	1631
Internet Domain Name System Beijing Engineering Research Center LLC	1369
Leascend Technology Co.,Ltd	823
Guangdong Huyi Science&Technology Co.,Ltd	488
Bizcn.com,Inc.	454
China Internet Network Information Center	423
Chengdu west dimension digital technology Co., LTD	256
Xiamen Nawang Technology Co., Ltd	162

From Table 1, we observe a notable dependence on the top five service providers for DNS services. This concentration suggests that a significant portion of domain name registration and resolution services is managed by a handful of companies. Such a scenario has both advantages and disadvantages.

On the positive side, relying on major service providers can lead to increased reliability and efficiency. These companies often have the resources to ensure high uptime, robust security measures, and the ability to handle large volumes of traffic. Their experience and expertise in managing DNS services can also contribute to the stability and performance of the internet infrastructure within their service areas.

However, this heavy reliance also introduces potential risks. A lack of diversity among service providers could lead to single points of failure in the network infrastructure. In the event of a technical issue, cyber attack, or regulatory action affecting one of these major providers, a significant portion of the DNS infrastructure could be compromised, impacting accessibility and security across a wide area. Additionally, this concentration could limit competition, potentially leading to higher prices and less innovation in the DNS service market.

Given these considerations, the reliance on the top five service providers for DNS services underscores the importance of adopting strategies to mitigate risks associated with such concentration. These could include encouraging the development and use of alternative DNS providers, implementing regulatory measures to ensure fair competition and service quality, and promoting the adoption of DNSSEC and other security measures to enhance the resilience and integrity of DNS services across different providers.

5.2 Third-party libraries

As shown in Fig. 4, 78.91% of the systems use jQuery. Considering its proportion, we focused on the version distribution of jQuery. The results are shown in Fig. 5.

The analysis reveals that a significant number of the third-party libraries in use, specifically 4,250, are vulnerable, notably due to the CVE-2020-23064 vulnerability affecting jQuery versions 2.2.0 to just before 3.5.0.

In response to this problem, more stringent vulnerability management and security review measures should be adopted to ensure the security and reliability of government websites. This includes regularly updating third-party libraries to the latest versions, monitoring and timely fixing known vulnerabilities, and other measures. However, this management task can be affected by many complex factors, such as incompatibility issues and considerations of other dependencies.

When implementing vulnerability management and security reviews, government agencies need to balance security and system stability. When updating third-party libraries, thorough testing should be performed to ensure that the new version does not introduce new compatibility issues or other surprises. At the same time, third-party libraries that have undergone security reviews and are continuously updated and maintained should be given priority to minimize security risks.

5.3 CA services

In our analysis of 9,011 certificates, we uncovered that 2,011 did not align with any SubjectAltName or SubjectCommonName, hinting at potential lapses in certificate management or setup. A noteworthy finding is that 31.86% of the certificates were issued by entities outside of China, with a significant number originating from North America and Europe, showcasing the global distribution within the digital certificate ecosystem [36].

The effectiveness of different Transport Layer Security (TLS) versions varies markedly, with the adoption rates among Chinese government websites reflecting a dedication to cybersecurity enhancement. TLSv1.3 is utilized by 34.77% of these sites, indicating a substantial shift towards the most current standards, known for their superior security and performance benefits compared to earlier versions. Despite this progress, TLSv1.2 remains prevalent at 65.20%, likely due to legacy system compatibility needs or delayed updates in some areas. The nearly obsolete TLSv1, at just 0.03%, highlights its diminished relevance and susceptibility to recognized threats.

This evolution from TLS 1.0 to TLS 1.3 signifies considerable advancements in securing online communications. TLS 1.0's vulnerabilities are extensively documented, while TLS 1.1, though better, still does not meet current security standards. TLS 1.2 introduced significant enhancements, including stronger encryption algorithms and protocol improvements, providing effective protection against modern cyber threats. However, it's also prone to specific vulnerabilities, such as the Lucky 13 side-channel attack.

TLS 1.3 marks a significant improvement in both speed and security, streamlining the handshake process and removing outdated cryptographic methods. The adoption of TLS 1.3 by 3,133 government websites reflects a proactive approach to implementing the latest security protocols, crucial for protecting sensitive data [42].

The TLS version distribution—minimal use of TLS 1.1, a majority on TLS 1.2 (5,875 sites), and a noteworthy transition to TLS 1.3 (3,133 sites)—demonstrates a strategic upgrade path among government bodies. This trajectory not only emphasizes the importance of information security but also indicates an eagerness to adopt advanced technologies for strengthening digital infrastructure.

The shift towards newer TLS versions among Chinese government websites signals a broad commitment to enhancing cybersecurity. This gradual transition from TLS 1.1 to the more secure TLS 1.2, and eventually to the latest TLS 1.3, reflects a wider intention to embrace state-of-the-art technologies and protocols, ensuring comprehensive security measures against evolving online threats.

From Fig. 6, the landscape of Certificate Authority (CA) certificate issuers is marked by DigiCert Inc.'s prominent position, holding a 26.56% market share. This dominance underscores the trust and reliability placed in DigiCert's services, indicating a high level of confidence from its users. Similarly, the China Financial Certification Center (CFCA) with a 16.96% market share, highlights its significant role within China, likely fulfilling specific regulatory or industry-specific requirements. Beijing Xinchacha Credit Management Co., Ltd.'s 13.42% market share suggests its strategic importance in regional or industry-specific security needs.

The widespread adoption of TLSv1.3 reflects a commitment to cybersecurity, showing a preference for CA certificates that meet high security standards, especially in sensitive sectors. Nonetheless, the continued use of TLSv1.2 poses security risks, necessitating a move towards more secure versions like TLSv1.3 and routine security assessments to protect against vulnerabilities.

Relying heavily on a single CA issuer introduces risks of concentrated attacks or disruptions. Therefore, diversifying CA sources is crucial to reduce dependency and enhance system resilience. It's recommended to conduct regular audits and adhere to security best practices, ensuring the integrity and reliability of the certificate ecosystem.

5.4 CDN services

In the digital landscape of Chinese government web information systems, the adoption of Content Delivery Network (CDN) services plays a pivotal role in enhancing web performance and security.

Table 2

Top10 CDN service providers.

Table 2

Top10 CDN service providers
Company Name	Count
Hangzhou Dbappsecurity Co., Ltd.	966
Beijing Knownsec Information Technology Co., Ltd.	794
Qi-Anxin Legendsec Information Technology (Beijing) Inc.	710
Fujian Wanwu Yilian Network Technology Co., Ltd.	633
eName Technology Co., Ltd	407
Wangsu Science&Technology Co.,Ltd.	300
Changsha Zhiwei Information Technology Co.,Ltd.	173
Shenzhen Zhi'an Network Co., Ltd.	140
China Telecom Corporation Limited Network Security Product Operation Center	131
Yundun Intelligent Security Technology Co., Ltd.	131

The analysis shows that 5994 web information systems, constituting 43.13% of the total, leverage CDN (Content Delivery Network) services, highlighting the critical role of CDN technologies in enhancing efficiency and security for government web resources. The data in Table 2 reveals a notable preference for established CDN providers within the government sector, with the top five companies delivering 58.56% of CDN services to Chinese government websites. This trend underscores the government's prioritization of reliability and performance in web services.

Leading the provision of CDN services are key players such as Hangzhou Dbappsecurity Co., Ltd., Beijing Knownsec Information Technology Co., Ltd., and Qi-Anxin Legendsec Information Technology (Beijing) Inc., among others. Hangzhou Dbappsecurity Co., Ltd. stands out with 966 instances, illustrating the competitive nature and strategic government partnerships with these firms. The geographical distribution of these services, with companies serving specific regions, suggests a strategy to optimize CDN efficiency through local expertise and infrastructure.

This strategic selection of CDN providers reflects a balanced approach to managing digital infrastructure in the government sector, focusing on both performance optimization and stringent cybersecurity measures.

5.5 ISP

In our analysis, we explored the security and redundancy of China's government web information systems through a unified lens, focusing on geographical distribution, ASN diversity, ISP diversity, and domain redundancy. By examining the geographical spread of IP addresses linked to DNS servers, we highlighted the importance of diverse locations for enhanced fault tolerance. The evaluation of Autonomous System Numbers (ASNs) associated with IP addresses revealed that DNS servers drawing from a wide range of ASNs are less vulnerable to issues tied to a singular network provider. Furthermore, analyzing the Internet Service Provider (ISP) information for each IP underscored the value of utilizing multiple ISPs for additional redundancy layers. Additionally, we assessed the redundancy of IP addresses for individual domain names, emphasizing the necessity for domains to associate with multiple IPs for higher resilience.

As depicted in Fig. 7, our analysis introduces a 'server diversity score' that encompasses several critical factors: server count, ASN, geographical distribution, and ISP diversity. The majority of scores fell between 1.00 and 2.00, reflecting a moderate distribution of servers across various geographies, ASNs, and ISPs, without any scores surpassing 2. This pattern highlights a significant potential to improve server redundancy across Chinese government websites. Our findings indicate that the existing levels of diversity and redundancy fall short of what is required for optimal security and reliability.

An important addition to the analysis is that a lower diversity score may suggest that a government website's servers are concentrated under a specific geographic region, ASN, or ISP, increasing the risk of a single point of failure. Improving your diversity score can help improve the stability and reliability of your system, reducing the potential risk of service interruptions due to region-specific or network failures. Therefore, improving the geographical location, ASN and ISP distribution of servers to improve diversity scores, as well as increasing the number of servers, are key steps to improve the overall redundancy capabilities of government websites.

From Fig. 8, it can be found that among the ISPs, China Mobile, China Telecom, China Unicom, and Alibaba Cloud occupy 98.29% of the market.

The threats brought by reliance on a small number of ISPs mainly involve network stability, security and competitive environment. A small number of ISPs means that control of the entire network infrastructure is highly concentrated in the hands of a few providers, which can lead to risks in terms of network availability. If one of the ISPs experiences a failure or attack, the entire network could be affected, causing widespread service outages. The risk of this single point of failure poses a serious threat to the business continuity and communication capabilities of enterprises and individual users.

The monopoly position of a few ISPs may also lead to a deterioration of the competitive environment. The lack of competition means that users have limited space for choice, which can lead to lower service quality and higher prices. ISP monopoly may also lead to the destruction of network neutrality, that is, some content providers may receive better service quality or access speed, while other content providers will be treated unfairly, thus distorting market competition.

Reliance on a few ISPs may pose serious threats to network stability, security, and competitive environment. Governments, regulatory agencies, and industry organizations need to take measures to promote the diversity and competition of network infrastructure to ensure network stability, safe and fair.

5.6 Other applications

(1) HTTPS adoption

In the analysis of 6789 (48.50%) sites that only support HTTP, 483 (3.45%) sites that only support HTTPS, and 6435 (45.97%) sites that support both HTTP and HTTPS, we found that potential security risks mainly exist in Only in sites that support HTTP.This is because HTTP communications are not encrypted and are vulnerable to man-in-the-middle attacks. In comparison, the number of sites that only support HTTPS is relatively low, but because it provides SSL/TLS encrypted communication and can guarantee the confidentiality and integrity of data, it has higher security.

It’s worth noting that the number of sites supporting both HTTP and HTTPS is higher, which is a positive trend. This approach provides users with flexibility of choice; however, for security reasons, ensure that a secure HTTPS connection is used by default.

In our examination, we found 292 sites that were inaccessible for various reasons, requiring further investigation and resolution. These issues can be grouped into three main categories, each representing a different proportion of the total: Client Request Errors (9.9%), Certificate and SSL/TLS Errors (13.0%), and Network Connection Issues (77.1%). This distribution underscores the critical need for a multifaceted approach to enhance management of request parameters and permissions, improve certificate configurations and renewal mechanisms, and optimize network architecture and maintenance practices. Addressing these areas is pivotal for boosting service quality, security, and availability, while also tackling the managerial and technical challenges associated with network security and protocol transitions. It highlights the urgency of adopting a rigorous and scientific methodology to develop systematic and comprehensive solutions.

(2) IPv6 adoption

It is fascinating to examine the data on the adoption of IPv6, as it sheds light on the current state of internet protocols. Based on the information gathered, it is apparent that IPv4 is still the dominant protocol, as evidenced by the fact that 11,114 websites (equivalent to 79.97% of the sample) rely solely on it. This situation is likely due to historical reasons, device compatibility issues, and network configurations. This trend indicates that the adoption of IPv6 is still lagging behind in some network areas.

Only 93 websites use Dual Stack architecture, supporting both IPv4 and IPv6. This approach is positive because it provides users with greater flexibility and compatibility. This may be the leading practice of some advanced institutions or service providers in adapting to IPv6 transition.

The 2,691 (19.36%) websites that only use IPv6 reflect the active adoption of IPv6 by some organizations or service providers. This may be to meet future IPv4 address shortage challenges, or to improve network performance and security.

(3) DNSSEC adoption

Our comprehensive testing of DNS servers revealed that 51 of them are equipped to support DNSSEC (Domain Name System Security Extensions). However, a subsequent examination of domain name information via whois queries disclosed a peculiar inconsistency: all DNSSEC signatures were listed as unsigned. This finding contradicts our observations from querying domain name DNS records using the dig tool, where we discovered RRSIG (Resource Record Signature) records for 101 subdomains.

Despite the apparent lack of signed DNSSEC statuses in the whois database, the presence of RRSIG records for 101 subdomains, as revealed through dig tool queries, typically signifies the implementation of DNSSEC to safeguard the integrity and authenticity of DNS records. This discrepancy suggests that while specific DNS records may have been signed, such signatures might not be accurately represented in the whois database, or alternatively, the signing may be limited to certain subdomains rather than encompassing the entire domain.

5.7 Comprehensive analysis

(1) ZAP analysis

A ZAP analysis of Chinese government websites revealed multiple security issues. Through our research, we found that 10,187 government websites are not configured with the X-Content-Type-Options Header, which may make the websites vulnerable to MIME type spoofing attacks. 10,323 government websites do not set the Content Security Policy (CSP) header, which may increase the risk of cross-site scripting attacks. 8,182 government websites lack Anti-CSRF Tokens, which may make them vulnerable to cross-site request forgery (CSRF) attacks. On the CSP side, 3,203 websites included Wildcard Directives in their policies, 761 used insecure eval, and 3,202 used insecure inline. These problems may lead to potential security vulnerabilities and need to be repaired in time. 8,158 government websites are missing Anti-clickjacking headers, making them more vulnerable to clickjacking attacks. The HttpOnly Flag is not enabled for the cookies of 3,313 websites, and 6,624 cookies lack the SameSite attribute, which may put the cookies at risk of improper access. 1,069 government websites have private IP addresses leaked, which may reveal sensitive information about system architecture.

In summary, government websites need to take a series of measures, including but not limited to configuring security headers, implementing effective CSP, strengthening CSRF protection, restricting cookie access, repairing private IP address leaks, etc., to improve their overall security level.

(2) Lighthouse analysis

When Lighthouse is executed, it evaluates websites across multiple dimensions, including:

SEO: It emphasizes the creation of concise, meaningful meta descriptions that accurately summarize page content. It advises ensuring pages are accessible to search engines through appropriate robots.txt configuration and recommends using descriptive text for links and managing anchors that can be crawled to enhance site discovery. The implementation of hreflang tags is suggested for specifying language and regional nuances. Caution is urged with plugin use, as they may impact a page's indexability. Optimizing viewport settings and document titles are also recommended to improve search engine relevancy.
Accessibility: The guidance includes adhering to ARIA roles and properties to clarify the purpose of elements, using aria-hidden to control visibility for screen reader compatibility, and ensuring ARIA attributes are valid. It stresses the importance of sufficient color contrast for readability, assigning unique IDs to focusable elements, providing descriptive titles for frames, and alt text for images. It also suggests optimizing click targets for interactive elements and addressing various accessibility issues to enhance the experience for individuals with disabilities.
Performance: Strategies involve compressing text-based resources to reduce network load, minimizing interaction delays, optimizing blocking times, and improving paint events like first content paint, largest contentful paint, and speed index. Recommendations include minimizing unused JavaScript, deferring script loading when possible, and leveraging back/forward caching for faster navigation.
Progressive Web Apps (PWA): Recommendations focus on optimizing for mobile screens, including viewport settings and content width, reducing input latency, and ensuring content displays correctly across devices.
Best Practices: Ensuring websites are served over HTTPS for security, implementing a robust content security policy (CSP) to mitigate cross-site scripting (XSS) risks, managing geolocation and notification prompts to enhance user trust, and avoiding restrictions on input pasting to maintain user experience and security.

For instance, metrics in Fig. 9 such as "uses-http2" and "is-on-https" reflect adherence to best practices, while attributes like "aria–" indicate a site's accessibility level. Metrics like "link-name" can boost a site's SEO score.

Based on the report of Lighthouse, we calculated the correlation between performance, accessibility, best practices, SEO, and PWA. Drawing from Table 3, our correlation coefficient analysis exposes intriguing relationships among website performance and various critical metrics, weaving a detailed narrative of their interconnections. A notable negative correlation emerges between website performance and indicators such as accessibility, best practices, SEO, and PWA, with coefficients ranging from − 0.30 to -0.40. This pattern suggests a prevalent trend where regions with diminished website performance concurrently exhibit deficiencies in these crucial areas.

Table 3

Correlation between performance, accessibility, best_practices, seo and pwa.
Metrics	performance	accessibility	best_practices	seo	pwa
performance	1	-0.37	-0.32	-0.31	-0.39
accessibility	-0.37	1	0.33	0.51	0.41
best_practices	-0.32	0.33	1	0.62	0.57
seo	-0.31	0.51	0.62	1	0.81
pwa	-0.39	0.41	0.57	0.81	1

A strong positive linkage is observed between best practices and both SEO and PWA, with coefficients of 0.62 and 0.57, respectively, signifying that commitment to best practices is a reliable predictor of success in SEO and PWA development.

The most pronounced positive correlation is between SEO and PWA, standing at 0.81, highlighting a significant synergy where SEO improvements are closely aligned with PWA advancements. This intricate web of correlations offers a nuanced perspective on the interplay between performance, accessibility, best practices, SEO, and PWA, providing invaluable insights for web developers and administrators aiming to refine web experiences.

6.1 Limitations and future works

Our investigation into Chinese government website systems has unveiled pressing security and dependency issues, pointing towards an expansive landscape for scholarly exploration. Our work's limits and recommendations for future work include the following:

Vulnerabilities in Government Website Systems: Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive. Their susceptibility to cyber-attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection. This area beckons further scholarly attention to develop robust security frameworks that can preemptively neutralize these threats.
The Overlooked Aspect of Integrity: Our current security analysis, while detailed, has disproportionately emphasized dependency and security, inadvertently downplaying the critical importance of integrity. The potential for attacks targeting content integrity, with far-reaching consequences, necessitates a recalibration of focus. Future analyses must integrate integrity as a core element of security evaluations to ensure a well-rounded defense mechanism against diverse cyber threats.
Interactions with New Media Platforms: Interactions with New Media Platforms: According to the 52nd report of the China Internet Network Information Center [43], as of June 2023, China had a total of 1.079 billion internet users, with mobile internet users reaching 1.076 billion, accounting for 99.8% of all internet users. Considering the significant proportion of mobile users among the overall user base, it is essential for a competent web information system to have good cross-device compatibility. The emerging synergy between government websites and new media platforms, evidenced by the adoption of WeChat official accounts, mini-programs, and mobile apps, presents a novel avenue for research. The implications of this trend for public engagement and information dissemination are vast but require a judicious assessment of the effort versus the anticipated benefits. This domain warrants careful consideration to optimize resource allocation and research outcomes.

In summary, our research still has limitations and unresolved issues, necessitating further efforts and exploration to enhance our understanding of government website system security and the relationship with new media platforms.

6.2 Conclusion

In conclusion, this study has made significant strides in enhancing the security posture and understanding of China's government web infrastructure. Our comprehensive security audit of all Chinese government websites marks a pioneering effort in identifying critical security and usability concerns, as well as shedding light on the dependency on certain government institutions for web information system operations. Key contributions include:

The development of a novel methodology for assessing server redundancy across different server roles (e.g., Web Server, Name Server), which has improved our comprehension of the robustness of the infrastructure.
The introduction of an advanced approach to compile website data across various dimensions into a detailed knowledge graph, encompassing domain names, DNS records, CA certificates, and Whois information. This innovation facilitates a more efficient linkage between entities, streamlining the management and identification of web vulnerabilities, thereby providing actionable intelligence and recommendations for remediation.
The publication of processed URL data pertaining to Chinese government websites and the security auditing tool we've developed represents a significant contribution to the academic community. This move not only fosters further research in the domain but also equips scholars with the tools needed to advance the field of web security.

These contributions underscore our study's role in advancing the field of cybersecurity, particularly in the context of government web systems. By providing these resources and methodologies, we aim to facilitate a more secure and resilient digital infrastructure for government entities.

Ethical Approval

Not applicable.

Funding

This work is supported by the Young Teacher Development Fund of Harbin Insti-tute of Technology [Grant No. IDGA10002190] and the Scientific Research Innova-tion Fund of Harbin Institute of Technology [Grant No. IDGAZMZ00210335].

Availability of data and materials

We have made the toolbox we use publicly available at: https://github.com/zm1060/SilkSecured.

Data availability

We have disclosed the original Chinese government website URL data, the link is: https://data.mendeley.com/datasets/8mgb5hp3p9/3.

Funding

This work is supported by the Young Teacher Development Fund of Harbin Institute of Technology [Grant No. IDGA10002190] and the Scientific Research Innovation Fund of Harbin Institute of Technology [Grant No. IDGAZMZ00210335].

Competing interests

All authors certify that they have no affiliations with or involvement in any organization or entity with any financial interest or non-financial interest in the subject matter or materials discussed in this manuscript.

Author contributions

All authors contributed to the study conception and design. Material preparation, data collection, and analysis were performed by Ming Zuo, Yanan Cheng, and Haiyan Xu. The first draft of the manuscript was written by Ming Zuo and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript.

Kumar, D., Ma, Z., Durumeric, Z., Mirian, A., Mason, J., Halderman, J.A., Bailey, M.: Security challenges in an increasingly tangled web. Proceedings of the 26th International Conference on World Wide Web (2017)
Ramasubramanian, V., Sirer, E.G.: Perils of transitive trust in the domain name system. In: ACM/SIGCOMM Internet Measurement Conference (2005)
Houser, R., Hao, S., Li, Z., Liu, D., Cotton, C., Wang, H.: A comprehensive measurement-based investigation of dns hijacking. 2021 40th International Symposium on Reliable Distributed Systems (SRDS), 210–221 (2021)
Houser, R., Hao, S., Cotton, C., Wang, H.: A comprehensive, longitudinal study of government dns deployment at global scale. 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 193–204(2022)
Guo, R., Chen, J., Liu, B., Zhang, J., Zhang, C., Duan, H., Wan, T., Jiang, J., Hao, S., Jia, Y.: Abusing cdns for fun and profit: Security issues in cdns’ origin validation. 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS), 1–10 (2018)
Nakibly, G., Schcolnik, J., Rubin, Y.: Website-targeted false content injection by network operators. In: USENIX Security Symposium (2016)
Wang, S., Capretz, M.A.M.: A dependency impact analysis model for web services evolution. 2009 IEEE International Conference on Web Services, 359–365 (2009)
Kashaf, A., Dou, J., Belova, M., Apostolaki, M., Agarwal, Y., Sekar, V.: A first look at third-party service dependencies of web services in africa. In: Passive and Active Network Measurement Conference (2023)
Kumar, R., Asif, S., Lee, E., Bustamante, F.E.: Each at its own pace: Third-party dependency and centralization around the world. Proceedings of the ACM on Measurement and Analysis of Computing Systems 7, 1–29 (2023)
Li, Z., Huang, Y.: A first look into the third-party web dependencies in china. Proceedings of the 18th Asian Internet Engineering Conference (2023)
Kashaf, A., Sekar, V., Agarwal, Y.: Analyzing third party service dependencies in modern web services: Have we learned from the mirai-dyn incident? Proceedings of the ACM Internet Measurement Conference (2020)
Czyz, J., Allman, M., Zhang, J., Iekel-Johnson, S., Osterweil, E., Bailey, M.: Measuring ipv6 adoption. ACM SIGCOMM Computer Communication Review 44, 87–98 (2014)
Livadariu, I., Elmokashfi, A.M., Dhamdhere, A.: Measuring ipv6 adoption in africa. In: International Conference on e-Infrastructure and e-Services for Developing Countries (2017)
Streibelt, F., Sattler, P., Lichtblau, F., Gan’an, C.H., Feldmann, A., Gasser, O., Fiebig, T.: How ready is dns for an ipv6-only world? In: Passive and Active Network Measurement Conference (2023)
Bajpai, V., Schönwälder, J.: A longitudinal view of dual-stacked websites-failures, latency and happy eyeballs. IEEE/ACM Transactions on Networking 27, 577–590 (2019) https://doi.org/10.1109/TNET.2019.2895165
Berger, A.W., Weaver, N.C., Beverly, R., Campbell, L.: Internet nameserver ipv4 and ipv6 address relationships. Proceedings of the 2013 conference on Internet measurement conference (2013)
Gigis, P., Calder, M., Manassakis, L., Nomikos, G., Kotronis, V., Dimitropoulos, X.A., Katz-Bassett, E., Smaragdakis, G.: Seven years in the life of hypergiants’ off-nets. Proceedings of the 2021 ACM SIGCOMM 2021 Conference (2021)
Vermeulen, K., Salamatian, L., Kim, S.H., Calder, M., Katz-Bassett, E.: The central problem with distributed content: Common cdn deployments centralize traffic in a risky way. Proceedings of the 22nd ACM Workshop on Hot Topics in Networks (2023)
Urban, T., Degeling, M., Holz, T., Pohlmann, N.: Beyond the front page:measuring third party dynamics in the field. Proceedings of The Web Conference 2020 (2020)
Ikram, M., Masood, R., Tyson, G., Kˆaafar, M.A., Loizon, N., Ensafi, R.: The chain of implicit trust: An analysis of the web third-party resources loading. The World Wide Web Conference (2019)
Podins, K., Lavrenovs, A.: Security implications of using third-party resources in the world wide web. 2018 IEEE 6th Workshop on Advances in Information, Electronic and Electrical Engineering (AIEEE), 1–6 (2018)
Salvador, D., Cucurull-Juan, J., Juli`a, P.: wraudit: A tool to transparently monitor web resources' integrity. In: International Conference on Mining Intelligence and Knowledge Exploration (2018)
Wang, S., Almashor, M., Abuadbba, A., Sun, R., Xue, M., Wang, C., Gaire, R.K., Nepal, S., C¸amtepe, S.A.: Doitrust: Dissecting on-chain compromised internet domains via graph learning. Proceedings 2023 Network and Distributed System Security Symposium (2023)
So, J., Ferdman, M., Nikiforakis, N.: The more things change, the more they stay the same: Integrity of modern javascript. Proceedings of the ACM Web Conference 2023 (2023)
Doan, T.V., Rijswijk-Deij, R., Hohlfeld, O., Bajpai, V.: An empirical view on consolidation of the web. ACM Transactions on Internet Technology (TOIT) 22, 1–30 (2022)
Chapuis, B., Omolola, O., Cherubini, M., Humbert, M., Huguenin, K.: An empirical study of the use of integrity verification mechanisms for web subresources. Proceedings of The Web Conference 2020 (2020)
Lv, Y., Shi, W., Zhang, W., Lu, H., Tian, Z.: Do not trust the clouds easily: The insecurity of content security policy based on object storage. IEEE Internet of Things Journal 10, 10462–10470 (2023)
Calzavara, S., Rabitti, A., Bugliesi, M.: Semantically sound analysis of content security policies. In: Formal Techniques for (Networked And) Distributed Systems (2019)
Calzavara, S., Rabitti, A., Ragazzo, A., Bugliesi, M.: Testing for integrity flaws in web sessions. In: European Symposium on Research in Computer Security (2019)
Calzavara, S., Rabitti, A., Bugliesi, M.: Semantics-based analysis of content security policy deployment. ACM Transactions on the Web (TWEB) 12, 1–36 (2018)
Hausknecht, D., Magazinius, J., Sabelfeld, A.: May i? - content security policy endorsement for browser extensions. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2015)
Weissbacher, M., Lauinger, T., Robertson, W.K.: Why is csp failing? trends and challenges in csp adoption. In: International Symposium on Recent Advances in Intrusion Detection (2014)
Zembruzki, L., Jacobs, A.S., Granville, L.Z., Pfitscher, R.J.: Examining the centralization of email industry: A landscape analysis for ipv4 and ipv6. 2023 IEEE Symposium on Computers and Communications (ISCC), 360–366 (2023)
Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C., Tabriz, P.: Measuring https adoption on the web. In: USENIX Security Symposium (2017)
Krombholz, K., Mayer, W., Schmiedecker, M., Weippl, E.R.: "i have no idea what i'm doing" - on the usability of deploying https.In: USENIX Security Symposium (2017)
Saint-Andre, P., Hodges, J.: Representation and verification of domain-based application service identity within internet public key infrastructure using x.509 (pkix) certificates in the context of transport layer security (tls). RFC 6125, 1–57 (2011)
Daigle, L.: Whois protocol specification. RFC 3912, 1–4 (2004)
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: Dns security introduction and requirements. RFC 4033, 1–21 (2005)
McGill, T., Bamgboye, O., Liu, X., Kalutharage, C.S.: Towards improving accessibility of web auditing with google lighthouse. 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 1594–1599 (2023)
Yang, D., Li, Z., Tyson, G.: A deep dive into dns query failures. In: USENIX Annual Technical Conference (2020)
Elz, R., Bush, R., Bradner, S.O., Patton, M.A.: Selection and operation of secondary dns servers. RFC 2182, 1–11 (1997)
Dierks, T., Rescorla, E.: The transport layer security (tls) protocol version 1.2. RFC 5246, 1–104 (2008)
CNNIC: The 52nd statistical report on china’s internet development (2023)

No competing interests reported.

Download PDF

Version 1

posted

You are reading this latest preprint version

SilkSecured: A Comprehensive Analysis of Security and Dependencies in China's Governmental Web Systems

Status:

Version 1

Abstract

Figures

1 Introduction

2 Background

3 Related work

4 Method

4.1 Domain name resolution information collection

4.2 Collection of third-party library usage information

4.3 CA service information collection

4.4 CDN usage information collection

4.5 ISP information collection

4.6 Security technology application information collection

4.7 Information gathering method

5 Results and analysis

5.1 Domain name resolution

5.2 Third-party libraries

5.3 CA services

5.4 CDN services

5.5 ISP

5.6 Other applications

5.7 Comprehensive analysis

6 Discussion and conclusion

6.1 Limitations and future works

6.2 Conclusion

Declarations

References

Additional Declarations

Status:

Version 1