Index

Symbols

` (backquote) function, The problem with the script

A

access, Securing the Web Server, Physical tokens: something that you have, Controlling Access to Your Web Server, Identity-Based Access Controls
(see also identification)
authorizing (see authorization)
certification authorities (CAs), Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
devices for, Access Devices and Copyrighted Software
host-based, Host-Based Restrictions
<Limit> directive for, Implementing Access Controls with <Limit> Blocks, Manually Setting Up Web Users and Passwords
passwords for (see passwords)
physical tokens for, Physical tokens: something that you have
user-based, Identity-Based Access Controls
access.conf file, <Limit> Examples
ACH (Automated Clearing House) system, Enrollment, Credit Cards and ACH
ActiveX controls, Programmability, ActiveX and Authenticode, Internet Exploder, Support for Authenticode in Internet Explorer
Software Developer’s Kit, Publishing with Authenticode
activism, legal, Laws and Activism
Adleman, Leonard M., Public Key Algorithms, The public key patents
administrative logins, Secure Content Updating
aggregation information, Digital Certificates Allow For Easy Data Aggregation
Air Force (U.S.), Preface
alert( ) method, JavaScript and Resource Management
alert protocol (SSL), Alert Protocol
algorithmic attacks on encryption, Algorithmic attacks
Allen, Christopher, TLS Standards Activities
AllowOverride command, Commands Before the <Limit>. . . </Limit> Directive
America Online (AOL), Social Engineering, Blocking Software, Censoring the network
American Bankers Association, A Typical Transaction
Anderson, Ross, Is Cryptography a Military or Civilian Technology?
animation, Animation
anonymity, Anonymizers
certificates and, Client Certificates
digital payment systems and, Internet-Based Payment Systems, Security and privacy, Security and privacy
AOL (America Online), Social Engineering, Blocking Software, Censoring the network
Apache-SSL server, Web Software Covered by This Book, Apache-SSL, Installing Apache-SSL
APIs (Application Programming Interfaces), Terminology
extensibility of, The Danger of Extensibility, Fixing the problem
programming guidelines, Rules To Code By, Rules To Code By
Apple Macintosh
security and, Minimizing Risk by Minimizing Services
WebStar Pro server, Web Software Covered by This Book
applets (see Java)
Application Programming Interfaces (see APIs)
application/pics-labels encoding, PICS Applications
application/pics-service encoding, PICS Applications, Rating Services
application/x-x509-ca-cert encoding, Adding a New Site Certificate with Internet Explorer
Atkins, Derek, Factoring attacks
attacks, Securing Information in Transit
(see also threats)
bug exploitation (see bugs)
data-driven, Data-Driven Attacks, Web-Based Programming Languages
on encryption, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
legal options regarding, Your Legal Options After a Break-In, Hazards of Criminal Prosecution
man-in-the-middle, Features
on message digests, Attacks on Message Digest Functions
mirror-world, Mirror Worlds
packet sniffing, Lesson: Defeat packet sniffing.
plug-ins for, Tactical Plug-In Attacks
publishing, Attacks on Message Digest Functions
reasons for, Animation
recovering from, Reconstructing After an Attack, Recovering from an Attack
replay, Features
on resources (see denial-of-service attacks)
social engineering, Social Engineering, Spoofing Username/Password Pop-Ups with Java
SYN flooding, Do Denial-of-Service Attacks Matter?
audits, Signed Code is Not Safe Code, Snapshot tools
authentication, Locating Your Web Server with Respect to Your Firewall, Cryptography and Web Security
Authenticode for, Authenticode, Is Authenticode a Solution?, Recovering from an Attack, Microsoft’s Authenticode Technology, Controlling Authenticode in Internet Explorer
message digests, Message Digest Functions, Attacks on Message Digest Functions
of new users, Manually Setting Up Web Users and Passwords
token-based, Use a token-based authentication system.
authorization, Securing the Web Server
environment variables for, Rules for Perl
<Limit> directive and, Commands Before the <Limit>. . . </Limit> Directive
AUTH_TYPE variable, Rules for Perl
automated checking systems, Change-detecting tools

B

back-end databases, Back-End Databases
backquote function, The problem with the script
backups, Backups, Hazards of Criminal Prosecution, If You or One of Your Employees Is a Target of an Investigation . . ., Lesson: Make frequent backups.
bandwidth (see performance)
Baum, Michael, Distinguished Names Are Not People, Certificates Today
Berkeley r commands, Minimizing Risk by Minimizing Services
Biddle, Bradford, Ten Policy Questions
biometric identification systems, Biometrics: something that you are
<blink> HTML tags, <blink>
block algorithms, Symmetric Key Algorithms
block mode computing, The Return of Block Mode
blocking software, Blocking Software, RSACi
censorship, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
borrowing private keys, How Do You Loan a Key?
branded debit cards, Refunds and Charge-Backs
break-ins (see attacks)
breaking running scripts, Can’t break a running script
bridges, Terminology
browsers (see Web browsers)
browsers, web, Web Security in a Nutshell, Browser History, Programmability
bugs in (see bugs)
cookies, Cookies, Cookies That Protect Privacy
crashing, Bug Exploitations
extensibility of, Why Worry about Web Security?
JavaScript and (see JavaScript)
log files of, Log Files, Looking at the Logs
spoofing status of, Spoofing Browser Status with JavaScript
SSL and, Browser Preferences, Browser Alerts and Indicators
brute force attacks, A Cryptographic Example, Key search (brute force) attacks
BSD UNIX
programming references, Programming and System Administration
bugs, Bug Exploitations, Implementation Flaws: A Litany of Bugs, Signed Code is Not Safe Code, Faults, Bugs, and Programming Errors, Bugs and flaws
Bugtraq mailing list, Bugtraq
Java, Java implementation errors
Macromedia Shockwave plug-in, When Security Fails: Macromedia Shockwave
bytecode, Java, Java the Language, Bytecode Verifier

C

C, programming guidelines for, Rules for C
Card Shark program, Card Shark
CAs (certification authorities), Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
CCI (Common Client Interface), Programmability
censorship, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
Central Intelligence Agency, Preface
CERN, CERN HTTP daemon
CERT (Computer Emergency Response Team), Bugs and flaws, CERT-advisory
certificates, Certificates Today, Conclusion
CAs, Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
class system of, VeriSign’s Class System
client-side, Client Certificates, Support for Client-Side Digital Certificates
CPS (certification practices statement), Certification practices statement (CPS)
CRLs (certificate revocation lists), Revocation
installing, Installing Your VeriSign Certificate, Installing Your VeriSign Certificate
managing users with, Manually Setting Up Web Users and Passwords
Netscape Navigator wizard for, Netscape Navigator 3.0’s New Certificate Wizard, Netscape Navigator 3.0’s New Certificate Wizard
renewing, Certificate renewal
revoking, Revocation, Revoking a Digital ID
software publisher’s, Obtaining a Software Publisher’s Certificate
SSL and, Digital Certificates
VeriSign Digital ID Center, Bootstrapping the PKI, The SSL Certificate Format, A Tour of the VeriSign Digital ID Center, VeriSign’s Class System
X.509 v3, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
CGI (Common Gateway Interface), Terminology, CGIs with Unintended Side Effects, Fixing the problem, Tips on Writing CGI Scripts That Run with Additional Privileges
extensibility of, The Danger of Extensibility, Fixing the problem
programming guidelines, Rules To Code By, Rules To Code By
cgi-bin directory, Programs That Should Not Be CGIs
change cipher spec protocol (SSL), ChangeCipherSpec Protocol
change detections, Change-detecting tools
Chapters 6 and 7, Downloading and Installing Your Web Server
characters, filtering, Fixing the problem
charga-plates, A Very Short History of Credit
charge-backs, Refunds and Charge-Backs
charge slips, The charge slip
chargen utility, Minimizing Risk by Minimizing Services
Chaum, David, DigiCash
CheckFree services, Credit Cards and ACH
checking (see verification)
child pornography, Pornography, Indecency, and Obscenity
chktrust program, Verifying Authenticode Signatures
chosen plaintext attacks, Cryptanalysis
chrootuid daemon, chrootuid
CIAC (Computer Incident Advisory Capability), CIAC-notes
ciphers (see encryption)
civil laws, Legal Issues: Civil, Incorporation
Clark, Jim, Terminology
class loader, Java, Java the Language, Class Loader
classes, certificate, VeriSign’s Class System
client-pull documents, Animation
clients, Terminology
client-side digital certificates, Client Certificates, Support for Client-Side Digital Certificates
client/server model, Terminology
Clipper chip, Cryptography and the U.S. Trade Secret Law
COAST (Computer Operations, Audit, and Security Technology), COAST
COAST Software Archive, COAST
code
downloading (see downloading)
signing, Code Signing and Microsoft’s Authenticode, Other Code Signing Methods (see digital signatures)
Code Signing Wizard, The Code Signing Wizard
commerce, Why Worry about Web Security?, Card Shark
(see also credit cards; electronic money)
credit cards for (see credit cards)
identification and, The Need for Identification Today
Internet-based payment systems, Internet-Based Payment Systems, Mondex
merchant fees, Charge card fees
programs that spend money, Programs That Can Spend Your Money, Electronic funds transfers
reverse change transactions, Refunds and Charge-Backs
Common Client Interface (see CCI)
Common Gateway Interface (see CGI)
computer underground digest, Computer underground digest
computers
crashing, Bug Exploitations
identification techniques for, Computerized Identification Techniques, Location: someplace where you are
impersonating (see spoofing)
networks of (see networks)
security
references for, General Computer Security
security on, Securing the User’s Computer
confidentiality (see privacy)
confiscation of property, If You or One of Your Employees Is a Target of an Investigation . . .
connectivity, Java Security Policy
consistency checking, Rules To Code By
Consumer Internet Privacy Protection Act, Personally Identifiable Information
content types
application/pics-labels, PICS Applications
application/pics-service, PICS Applications, Rating Services
application/x-x509-ca-cert, Adding a New Site Certificate with Internet Explorer
content updating, Secure Content Updating, Secure Content Updating
Cook, William J., Legal Issues: Civil
cookies, Cookies, Cookies That Protect Privacy
eTrust program, Personally Identifiable Information
COPS (Computer Oracle and Password System), COPS (Computer Oracle and Password System)
copyright, Copyright Law, Warez, Access Devices and Copyrighted Software, Laws and Activism
core files, Rules To Code By
corporations, Incorporation
courtesy cards, A Very Short History of Credit
CPS (certification practices statement), Certification practices statement (CPS)
CPU attacks, CPU and stack attacks
CPU time limits, Rules To Code By
crashing applications, Bug Exploitations
credentials, Credentials-Based Identification Systems
credit cards, Why Worry about Web Security?, Credit Cards, Encryption, and the Web, New Lessons from the Credit Card Example, Charga-Plates, Diners Club, and Credit Cards, Using Credit Cards on the Internet, Credit Cards and ACH, Lesson: Make it easy for your customers to save you money.
(see also electronic money)
Card Shark program, Card Shark
evaluating system for, How to Evaluate a Credit Card Payment System
fraud, A Typical Transaction
SET protocol for, SET, SET, Two channels: one for the merchant, one for the bank
criminal laws, Your Legal Options After a Break-In, Hazards of Criminal Prosecution, Play it Safe . . ., Laws and Activism
criminal threats, Criminal Hazards That May Await You, The Responsibility To Report Crime
CRLs (certificate revocation lists), Revocation
cross-certification, Certification Authority Certificates
cryptanalysis, Cryptanalysis
cryptography, What’s a “Secure Web Server” Anyway?, Understanding Cryptography, Cryptographic Algorithms and Functions, Cryptography and Web Security, What Cryptography Can’t Do
(see also encryption)
attacks against, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
dual signatures, Two channels: one for the merchant, one for the bank
exportation controls on, Cryptographic Programs and Export Controls
international restrictions on, Foreign Restrictions on Cryptography, Foreign Restrictions on Cryptography
message digests, Message Digest Functions, Attacks on Message Digest Functions
patents and, Cryptography and the U.S. Patent System, Cryptography and the U.S. Patent System
public keys, Cryptographic Algorithms and Functions, Public Key Algorithms, Factoring attacks, Public Key Infrastructure, Public Key Infrastructure
symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
U.S. restrictions on, Securing Information in Transit, U.S. Restrictions on Cryptography, Cryptography and U.S. Export Control Law
working encryption systems, Today’s Working Encryption Systems, IPsec and IPv6
custom software, Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
CyberCash system, CyberCash/CyberCoin
Cylink, History of the public key patents

D

data, New Lessons from the Credit Card Example
(see also information)
aggregating, Digital Certificates Allow For Easy Data Aggregation
data-driven attacks, Data-Driven Attacks, Web-Based Programming Languages
eavesdropping, Securing Information in Transit
packets (see packets)
Data Encryption Standard (see DES)
databases, Back-End Databases
Davies, Simon, Mondex
deadlock conditions, Rules To Code By
Dean, Drew, Implementation Flaws: A Litany of Bugs, Java Security Problems
debit cards, Refunds and Charge-Backs
decryption (see cryptography; encryption)
defamation, Revealing Disparaging Remarks, Libel and Defamation
denial-of-service attacks, Securing Information in Transit, Denial-of-Service Attacks, Can Denial-of-Service Attacks Be Stopped?, Rules To Code By
crashing computers, Bug Exploitations
JavaScript for, JavaScript and Resource Management
Department of Justice (U.S.), Preface
DES (Data Encryption Standard), Symmetric Key Algorithms
design flaws, Java, Java design flaws
designing programs (see programming, guidelines for)
DESX algorithm, Symmetric Key Algorithms
detecting changes, Change-detecting tools
development speeds, Why Worry about Web Security?
Dierks, Tim, TLS Standards Activities
differential analysis, Cryptanalysis
Diffie, Bailey Whitfield, Public Key Algorithms, The public key patents
Diffie-Hellman key exchange, Public Key Algorithms, The public key patents
SSL and, 4. Server Key Exchange
DigiCash system, DigiCash, Security and privacy
DigiCrime web site, Window system attacks
digital
certificates (see certificates)
coins, DigiCash
payment (see credit cards; electronic money)
postmarks, Are There Better Suited Alternatives to Public Key Digital Signatures?
watermarking, Securing the User’s Computer
Digital IDs (see certificates)
digital notary, Are There Better Suited Alternatives to Public Key Digital Signatures?
digital signatures, Signed Code is Not Safe Code, Signed Code Can Be Hijacked, Using Digital Signatures for Identification, Veritas: digital signatures for physical credentials, Certificates Today, Cryptographic Algorithms and Functions, Public Key Algorithms
(see also certificates)
Authenticode, Authenticode
certification authorities, Certification Authorities, Certification practices statement (CPS)
DSS (Digital Signature Standard), Public Key Algorithms, Message Digest Functions
key system for, Using Digital Signatures for Identification
legislation on, Ten Policy Questions, Should governments act as CAs?
for program code, Code Signing and Microsoft’s Authenticode, Code Signing and U.S. Export Controls
X.509 v3 certificates, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
distinguished names, Distinguished Names Are Not People
DNS (Domain Name System), Minimizing Risk by Minimizing Services
DNSSEC standard, DNSSEC
spoofing, Java and, The Java DNS policy dispute
SSL certificates and, The SSL Certificate Format
document-based identification, Using a document-based ID system
domains
DNS, The Java DNS policy dispute
impersonating (see spoofing)
names of, Trademarks and domain names
domestic-grade security, Securing Information in Transit
Donnerhacke, Lutz, Electronic funds transfers
The Doubleclick Network, Cookies for Tracking
downloading, Helper Applications, When Good Browsers Go Bad, The Sexy Girls Pornography Viewer, The Risks of Downloaded Code, Reconstructing After an Attack
ActiveX controls (see ActiveX controls)
data-driven attacks, Data-Driven Attacks, Web-Based Programming Languages
web server, Downloading and Installing Your Web Server
dual signatures, Two channels: one for the merchant, one for the bank

E

eavesdropping, Securing Information in Transit, Reconstructing After an Attack
credit card information and, A Typical Transaction
password sniffing, Password Sniffing, Use a system that relies on encryption.
private keys, Using Digital Signatures for Identification
echo command, Minimizing Risk by Minimizing Services
edit detections, Change-detecting tools
electronic mail, Minimizing Risk by Minimizing Services
authorizing payments by, Virtual PIN, Security and privacy
forwarding, copyright law and, Copyright infringement
message digests, Message Digest Functions, Attacks on Message Digest Functions
electronic money, Why Worry about Web Security?
(see also credit cards)
CyberCash system, CyberCash/CyberCoin
debit cards, Refunds and Charge-Backs
DigiCash system, DigiCash, Security and privacy
Mondex system, Mondex
programs that spend, Programs That Can Spend Your Money, Electronic funds transfers
SET protocol for, SET, Two channels: one for the merchant, one for the bank
Virtual PIN system, Virtual PIN, Security and privacy
ElGamal encryption system, Public Key Algorithms
Ellison, Carl, A Typical Transaction, How Do You Loan a Key?, Key search (brute force) attacks
employees, If You or One of Your Employees Is a Target of an Investigation . . ., If You or One of Your Employees Is a Target of an Investigation . . ., Play it Safe . . .
encoding
application/pics-labels, PICS Applications
application/pics-service, PICS Applications, Rating Services
application/x-x509-ca-cert, Adding a New Site Certificate with Internet Explorer
cryptography (see cryptography)
encryption, Securing Information in Transit, A Typical Transaction, Using Digital Signatures for Identification, Terminology, Use a system that relies on encryption., Lesson: Encrypt sensitive information and be careful with your decryption keys.
(see also cryptography)
attacks on, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
of private keys, Server Key: To Encrypt or Not To Encrypt?
program traps, What Cryptography Can’t Do
programs for UNIX, Today’s Working Encryption Systems, PGP
public key (see public keys)
public keys, Cryptographic Algorithms and Functions, Public Key Algorithms, Factoring attacks, Public Key Infrastructure, Public Key Infrastructure
SSL for (see SSL)
symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
systems for, Today’s Working Encryption Systems, IPsec and IPv6
enforcing digital certificates, Server Certificates
enrollment, Internet-Based Payment Systems
environment variables, CGI/API and, Rules for Perl
errors in implementation (see bugs)
errors, programming (see bugs)
escrow proposal
key recovery versus, Cryptography and U.S. Export Control Law
/etc/passwd file, Manually Setting Up Web Users and Passwords
eTrust program, Personally Identifiable Information
evaluating
credit card systems, How to Evaluate a Credit Card Payment System
site security, Security Tools, Network scanning programs
ExecCGI option, Commands Before the <Limit>. . . </Limit> Directive
execution context, separate, Separate Execution Contexts
exportation controls, U.S., Securing Information in Transit, Code Signing and U.S. Export Controls, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law, U.S. Exportability, Cryptographic Programs and Export Controls
extensibility, Why Worry about Web Security?, The Danger of Extensibility, Fixing the problem
plug-ins for (see plug-ins)

F

factoring attacks, Factoring attacks
fair use, Copyright infringement
Farmer, Dan, Network scanning programs
FastTrack server, Web Software Covered by This Book
faults (see bugs)
federal jurisdiction, Federal jurisdiction
federal laws, Federal Computer Crime Laws
fees, charge card, Charge card fees
Felten, Edward W., Implementation Flaws: A Litany of Bugs, Java Security Problems, JavaScript-Enabled Spoofing Attacks, Mirror Worlds
files
access to (see access)
core files, Rules To Code By
document-based identification, Using a document-based ID system
downloading (see downloading)
log (see logging)
temporary, Rules for C
filing criminal complaints, Filing a Criminal Complaint, Federal jurisdiction
filtering invalid characters, Fixing the problem
finger protocol, Minimizing Risk by Minimizing Services
Finjan Software, Java Security Future
firewalls, Terminology, Firewalls: Part of the Solution, Locating Your Web Server with Respect to Your Firewall, A wealth of private data, Firewalls
mailing list for, Academic-Firewalls, Firewalls
FIRST teams, FIRST
First Virtual Holdings, Card Shark, Virtual PIN
FollowSymLinks option, Commands Before the <Limit>. . . </Limit> Directive
forgery-proof identification, Forgery-proof IDs
format of SSL certificates, The SSL Certificate Format
Fortezza encryption cards, Cryptography and the U.S. Trade Secret Law
forwarding email messages, Copyright infringement
fraud, Access Devices and Copyrighted Software
credit-card (see credit cards)
digital certificates, Server Certificates
free software, Lesson: Eschew free software.
Friedland, Jay, Censoring the network
FTP (File Transfer Protocol), Password Sniffing, Minimizing Risk by Minimizing Services, Secure Content Updating
future of Java security, Java Security Future
FWALL-users mailing list, FWALL-user

G

gateways, Terminology
GIF animation, Animation
Global Positioning System (GPS), Location: someplace where you are
Goldberg, Ian, Implementation Flaws: A Litany of Bugs
Gosling, James, Java
government
as certificate authority, Should governments act as CAs?
tax collection, Security and privacy
GPS (Global Positioning System), Location: someplace where you are
Graff, Michael, Factoring attacks
Grant, Michael, SSLeay Examples
Graphical User Interface (see GUIs)
Greene, Paul, Preface, Implementation Flaws: A Litany of Bugs
guest logins, Secure Content Updating
GUIs (Graphical User Interfaces), Window system attacks

H

handshake, SSL, Handshake Protocol, Application Data
harassment, Libel and Defamation
Hellman, Martin E., Public Key Algorithms , The public key patents
helper applications, Helper Applications, Helper Applications, Netscape Plug-Ins
hidden URLs, Hidden URLs
hijacked ActiveX controls, Signed Code Can Be Hijacked
history
browser risk, Browser History, Programmability
of credit, A Very Short History of Credit
cryptography, Roots of Cryptography
Java, Java
public key patents, History of the public key patents
SSL protocol, History
unsecure hosts, Historically Unsecure Hosts, Historically Unsecure Hosts
web page, mechanism for, JavaScript and Privacy
holograms, Forgery-proof IDs
hosts, Terminology
restricting by, Host-Based Restrictions
security of, Host and Site Security, Backups
.htaccess file, Implementing Access Controls with <Limit> Blocks
HTML (Hypertext Markup Language), Terminology, <blink>
tag, Behind the scenes with Netscape Navigator
<OBJECT> tag, The <OBJECT> Tag
refer links, The Refer Link
htpasswd program, Manually Setting Up Web Users and Passwords
HTTP (Hypertext Transfer Protocol), Terminology
requesting PICS labels by, Requesting PICS Labels by HTTP
S-HTTP system, S-HTTP
HTTPS_RANDOM variable, Rules for Perl
hybrid public/private cryptosystems, Cryptographic Algorithms and Functions
Hypertext Markup Language (see HTML)
Hypertext Transfer Protocol (see HTTP)

I

IDEA (International Data Encryption Algorithm), Symmetric Key Algorithms
identification, Identification, Veritas: digital signatures for physical credentials
access based on, Identity-Based Access Controls
digital certificates for (see certificates)
private keys and (see private keys)
signatures for (see digital signatures)
smart cards for (see smart cards)
IIS server, Web Software Covered by This Book
images, animation of, Animation
imitating (see spoofing)
impersonation (see spoofing)
implementation errors (see bugs)
Includes option, Commands Before the <Limit>. . . </Limit> Directive
IncludesNoExec option, Commands Before the <Limit>. . . </Limit> Directive
incorporation, Incorporation
indecency, Pornography, Indecency, and Obscenity
Indexes option, Commands Before the <Limit>. . . </Limit> Directive
information, Securing Information in Transit
aggregating, Digital Certificates Allow For Easy Data Aggregation
asking users for, Social Engineering, Spoofing Username/Password Pop-Ups with Java
censorship of, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
on charge slips, The charge slip
indecent, definition of, Pornography, Indecency, and Obscenity
personal, New Lessons from the Credit Card Example, The Java DNS policy dispute, JavaScript and Privacy, Programs That Violate Privacy and Steal Confidential Information, Personally Identifiable Information, Unanticipated Disclosure, X.509 v3 Does Not Allow Selective Disclosure
(see also privacy)
proprietary, Why Worry about Web Security?
secure content updating, Secure Content Updating, Secure Content Updating
infrastructure, public key, Public Key Infrastructure, Public Key Infrastructure, Public Key Infrastructure
inline ActiveX controls, Signed Code Can Be Hijacked
input, verifying, Rules To Code By
installing
digital certificates, Installing Your Digital Certificate, Installing Your Digital Certificate
web servers, Downloading and Installing Your Web Server
integrity, Java design flaws, Cryptography and Web Security
intellectual property, Violating Trade Secrets, Intellectual Property, Trademark violations
trade secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
interception of data (see eavesdropping)
interest on credit, Charge card fees
International Data Encryption Algorithm (IDEA), Symmetric Key Algorithms
international law
cryptography restrictions, Foreign Restrictions on Cryptography, Foreign Restrictions on Cryptography
public key patents, Public key patents overseas
Internet, Web Security in a Nutshell, Terminology
credit cards on (see credit cards)
law and (see law and legal issues)
payment systems on, Internet-Based Payment Systems, Mondex
service providers (see ISPs)
SIP group, Java Security Problems
Internet Exploder control, Internet Exploder
Internet Explorer, Preface, Web Software Covered by This Book
Authenticode support, Support for Authenticode in Internet Explorer, Controlling Authenticode in Internet Explorer
bugs, Implementation Flaws: A Litany of Bugs
certificates and, Adding a New Site Certificate with Internet Explorer, Adding a New Site Certificate with Internet Explorer
digital signatures and, Internet Exploder
Java security and, Setting Java policy from Netscape Navigator 2.3
private key generation, Behind the scenes with Internet Explorer
ratings implemented in, RSACi
SSL preferences, Internet Explorer preferences
Internet Protocol (see IP)
Internet Worm, A wealth of private data
internetworks, Terminology
interpreter applications, Helper Applications
intranets, Terminology
intrusion detection programs, Intrusion detection programs
invalid characters, Fixing the problem
IP (Internet Protocol), Terminology
address, restricting access by, Host-Based Restrictions
connectivity, Lesson: Set milestones and stick to them.
IPsec and IPv6 protocols, IPsec and IPv6
ISPs (Internet service providers), Personally Identifiable Information, Lessons from Vineyard.NET, Conclusion
copyright and, Warez
ISS (Internet Security Scanner), Network scanning programs, ISS (Internet Security Scanner)

K

Kerberos system, Kerberos, Public key patents overseas, Kerberos
HTML tag, Behind the scenes with Netscape Navigator
keys
digital signature system, Using Digital Signatures for Identification
key search attacks, A Cryptographic Example, Key search (brute force) attacks
private (see private keys)
public (see public keys)
recovery system, Cryptography and U.S. Export Control Law
signing parties, PGP
knapsack algorithm, The public key patents
known plaintext attacks, Cryptanalysis
Koops, Bert-Jaap, Foreign Restrictions on Cryptography

L

labels, PICS (see PICS)
LaDue, Mark, Window system attacks
languages, programming (see programming)
LANs (local area networks), Terminology
laws and legal issues, Legal Issues: Civil
activism, Laws and Activism
after break-in, Your Legal Options After a Break-In, Hazards of Criminal Prosecution
CPS (certification practices statement), Certification practices statement (CPS)
credit cards, A Typical Transaction
criminal prosecution, Hazards of Criminal Prosecution
cryptographic technologies and, Securing Information in Transit, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law
digital signatures, Ten Policy Questions, Should governments act as CAs?
identification, The Need for Identification Today
intellectual property, Intellectual Property, Trademark violations
law enforcement, Filing a Criminal Complaint, Hazards of Criminal Prosecution, Play it Safe . . .
outside United States, Public key patents overseas
patents, Cryptography and the U.S. Patent System, Public key patents overseas
privacy, Personally Identifiable Information
torts, Torts, Incorporation
trade secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
U.S. exportation controls, Code Signing and U.S. Export Controls, U.S. Exportability
legacy systems, Firewalls: Part of the Solution
Lenstra, Arjen, Factoring attacks
Leyland, Paul, Factoring attacks
liability, Liability for Damage
PICS and, Censoring the network
private key infrastructure and, How should liability and risk be allocated in a PKI?
libel, Revealing Disparaging Remarks, Libel and Defamation
Limit command, Commands Before the <Limit>. . . </Limit> Directive
<Limit> directive, Implementing Access Controls with <Limit> Blocks, Manually Setting Up Web Users and Passwords
limiting access (see access)
LiveScript (see JavaScript)
loaning private keys, How Do You Loan a Key?
loans, credit (see credit cards)
local area networks (see LANs)
local jurisdiction, Local jurisdiction
logging, Logging, Play it Safe . . ., Lesson: Log everything, and have lots of reports.
applet downloads and actions, Java Security Future
browser, Log Files, Looking at the Logs
programming and, Rules To Code By
Swatch program, Swatch
logins
limiting, Secure Content Updating
logins, limiting, Lesson: Limit logins to your servers.

M

Macintosh
security and, Minimizing Risk by Minimizing Services
WebStar Pro server, Web Software Covered by This Book
Macromedia Shockwave plug-in, When Security Fails: Macromedia Shockwave
MACs (message authentication codes), Message Digest Algorithms at Work
mailing lists, Mailing Lists, WWW-security
man-in-the-middle attacks, Features
Massachusetts Registry of Motor Vehicles, The Web: Promises and Threats
McLain, Fred, Internet Exploder
MD2, MD4, MD5 functions, Message Digest Functions
meet-in-the-middle plaintext attacks, Symmetric Key Algorithms
memory (see resources)
merchant fees, Charge card fees
Merkle, Ralph C., The public key patents
message digests, Cryptographic Algorithms and Functions, Message Digest Functions, Attacks on Message Digest Functions
Metcalfe, Bob, Historically Unsecure Hosts
Microsoft
ActiveX controls, Programmability, ActiveX and Authenticode, Internet Exploder
ActiveX Software Developer’s Kit, Publishing with Authenticode
Authenticode, Authenticode, Is Authenticode a Solution?, Recovering from an Attack, Microsoft’s Authenticode Technology, Controlling Authenticode in Internet Explorer
Internet Explorer, Preface, Web Software Covered by This Book, Implementation Flaws: A Litany of Bugs, Setting Java policy from Netscape Navigator 2.3 (see Internet Explorer)
Internet Information Server (IIS), Web Software Covered by This Book
PCT security protocol, PCT
Software Publisher’s Pledge, The “Pledge”
MIIS (see IIS)
Miller, James, PICS and Censorship, Access controls become tools for censorship, The PICS Specification
minimizing number of services, Securing the Web Server, Minimizing Risk by Minimizing Services, Minimizing Risk by Minimizing Services
mirror worlds, Mirror Worlds
mkstemp( ), Rules for C
Mondex system, Mondex
money (see credit cards; electronic money)
monitoring software, Monitoring Software, Lesson: Monitor your system.
Morris, Robert T., A wealth of private data
Mosaic browser, Browser History
Mozilla (see Netscape Navigator)
multihoming, Terminology
multimedia, A wealth of private data

N

names
web site, certificates and, Wrong server address
Naughton, Patrick, Java
Naval Research Lab, U.S., Implementation Flaws: A Litany of Bugs
NCSA Mosaic, Browser History
NetBIOS (SMB) file sharing, Secure Content Updating
Netscape
certification authorities and, Bootstrapping the PKI
cookies, Cookies, Cookies That Protect Privacy
FastTrack server, Web Software Covered by This Book
plug-ins (see plug-in modules)
SSL (see SSL)
viewing certificates with, Viewing a Site’s Certificate
Netscape Navigator, Web Software Covered by This Book
bugs, Implementation Flaws: A Litany of Bugs
certificate wizard, Netscape Navigator 3.0’s New Certificate Wizard, Netscape Navigator 3.0’s New Certificate Wizard
Java security policy and, Setting Java policy from Netscape Navigator 2.3
private key generation, Behind the scenes with Netscape Navigator
random number generator, Implementation Flaws: A Litany of Bugs
SSL preferences, Navigator preferences
netstat utility, Minimizing Risk by Minimizing Services
Network Solutions, Inc., Trademarks and domain names
networks, Why Worry about Web Security?, Terminology
blocking software and, Censoring the network
connectivity limitations, Java Security Policy
local area (see LANs)
NFS, Secure Content Updating
security references, Network Technology and Security
wide area (see WANs)
newuser script (example), The newuser Script
NFS (Network File System), Secure Content Updating
nonrepudiation, Cryptography and Web Security
nonreusable passwords, Use a non-reusable password system.

O

Oak (see Java)
<OBJECT> HTML tag, The <OBJECT> Tag
obscenity, Pornography, Indecency, and Obscenity
online
service providers (see ISPs)
stalking, Libel and Defamation
transactions (see commerce)
online service providers (ISPs), Lessons from Vineyard.NET, Conclusion
Options command, Commands Before the <Limit>. . . </Limit> Directive

P

packet sniffing, Lesson: Defeat packet sniffing.
packets, Terminology
pages, Web (see World Wide Web)
Parekh, Sameer, Downloading and Installing Your Web Server
passwords, Password-based systems: something that you know, Identity-Based Access Controls
nonreusable, Use a non-reusable password system.
password file, setting up, Manually Setting Up Web Users and Passwords
sniffing, Password Sniffing, Use a system that relies on encryption.
spoofing requests for, Spoofing Username/Password Pop-Ups with Java
patches, Bugs and flaws
patents, Cryptography and the U.S. Patent System, Public key patents overseas, Patent Law, Cryptography and the U.S. Patent System
PCT security protocol, PCT
performance, Window system attacks
(see also resources)
attacks on (see denial-of-service attacks)
block mode computing, The Return of Block Mode
C programs, Rules for C
monitoring resources, Lesson: Monitor your system.
server push and client pull, Animation
SSL and, Features, Performance
Perl programming language
Swatch program, Swatch
Perl, programming guidelines for, Rules for Perl
Perry, Rick, Implementation Flaws: A Litany of Bugs
personal computers (see computers)
personal information, New Lessons from the Credit Card Example, Programs That Violate Privacy and Steal Confidential Information, Personally Identifiable Information, Personally Identifiable Information
identification and, X.509 v3 Does Not Allow Selective Disclosure
Java applets and, The Java DNS policy dispute
unanticipated disclosure of, Unanticipated Disclosure
PGP (Pretty Good Privacy), Today’s Working Encryption Systems, PGP
software signature, Software Resources
physical tokens, Physical tokens: something that you have
PICS (Platform for Internet Content Selection), PICS, Censoring the network, The PICS Specification, Requesting a Label From a Rating Service
piracy of software, Software piracy and the SPA, Access Devices and Copyrighted Software
Pitney-Bowes Veritas system, Veritas: digital signatures for physical credentials
PKI (see public keys)
PKP (Public Key Partners), History of the public key patents
PKZIP scam, Code Signing and U.S. Export Controls
plaintext, Terminology, Symmetric Key Algorithms, Cryptanalysis
Platform for Internet Content Selection (PICS), PICS, Censoring the network
plug-in modules, Helper Applications , Netscape Plug-Ins, Tactical Plug-In Attacks
policy, security, Policies
pornography, Pornography, Indecency, and Obscenity
portmap service, portmap
Postal Service, U.S., Are There Better Suited Alternatives to Public Key Digital Signatures?, Server Certificates
Prakash, Jay, The Web: Promises and Threats
prevention techniques
access restrictions (see access)
against eavesdropping, Protection against sniffing
anonymizing web servers, Anonymizers
applying criminal law, Play it Safe . . ., Play it Safe . . .
backups (see backups)
cryptography (see cryptography)
for denial-of-service attacks, Can Denial-of-Service Attacks Be Stopped?
digital watermarking, Securing the User’s Computer
disabling cookies, Disabling Cookies
encryption (see encryption)
evaluating credit card systems, How to Evaluate a Credit Card Payment System
evaluating site security, Security Tools, Network scanning programs
firewalls, Terminology, Firewalls: Part of the Solution, Locating Your Web Server with Respect to Your Firewall, A wealth of private data
for downloading code, Improving the Security of Downloaded Code
intrusion detection programs, Intrusion detection programs
Java bytecode verifier, Bytecode Verifier
logging (see logging)
message digests, Uses of Message Digest Functions
obtaining trademarks, Obtaining a trademark
passwords (see passwords)
programming guidelines, Rules To Code By , Rules To Code By
risk management, Risk Management
server certificates, obtaining, Obtaining a Certificate for Your Server
trust (see trust)
privacy, JavaScript and Privacy, Programs That Violate Privacy and Steal Confidential Information, Privacy, Revealing Disparaging Remarks, Cryptography and Web Security, Publicity and Privacy, Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
(see also personal information)
cookies to enhance, Cookies That Protect Privacy
cryptography for (see cryptography)
digital cash systems, Internet-Based Payment Systems, Security and privacy, Security and privacy
eTrust program, Personally Identifiable Information
identification and, X.509 v3 Does Not Allow Selective Disclosure
JavaScript and, JavaScript and Privacy
legal issues of, Personally Identifiable Information
private keys, Using Digital Signatures for Identification, Generating a VeriSign Digital ID, Server Key: To Encrypt or Not To Encrypt?
(see also certificates)
loaning, How Do You Loan a Key?
privileges, CGI scripts and, Tips on Writing CGI Scripts That Run with Additional Privileges
programmed threats, Computer Viruses and Programmed Threats
programming, Programmability
errors (see bugs)
guidelines for, Rules To Code By , Rules for the UNIX Shell
references for, Programming and System Administration
web-based, Web-Based Programming Languages
programs, Obtaining a Software Publisher’s Certificate
(see also software)
code signing, Code Signing and Microsoft’s Authenticode , Code Signing and U.S. Export Controls
downloading code for, When Good Browsers Go Bad, The Sexy Girls Pornography Viewer
that spend money, Programs That Can Spend Your Money, Electronic funds transfers
violating privacy, Programs That Violate Privacy and Steal Confidential Information
proprietary information, Why Worry about Web Security?
prosecution, dangers of, Hazards of Criminal Prosecution
proxy servers, Looking at the Logs
Public Key Partners (PKP), History of the public key patents
public keys, Using Digital Signatures for Identification, Public Key Infrastructure, The X.509 v3 Certificate, Cryptographic Algorithms and Functions
cryptographic algorithms, Public Key Algorithms , Factoring attacks
infrastructure of, Public Key Infrastructure, Problems Building a Public Key Infrastructure, Why Do These Questions Matter?, Public Key Infrastructure, Public Key Infrastructure
patents on, The public key patents, Public key patents overseas
PGP and, PGP
X.509 v3 certificates, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
publicity, Why Worry about Web Security?, Publicity and Privacy, Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
publishing attacks, Attacks on Message Digest Functions
purchasing over Internet, Internet-Based Payment Systems, Mondex

R

r commands, Minimizing Risk by Minimizing Services
race conditions, Rules To Code By
random number generator bug, Implementation Flaws: A Litany of Bugs
RSAC (Recreational Software Advisory Council), RSACi, RSACi
rating services, PICS Applications, The PICS Specification, Requesting a Label From a Rating Service
RSACi, RSACi, RSACi
RC2, RC5 algorithms, Symmetric Key Algorithms, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
RC4 algorithm, Symmetric Key Algorithms, Key search (brute force) attacks, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
rcp program, Secure Content Updating
rdist program, Secure Content Updating
Real Mosaic, Web Software Covered by This Book
record layer, SSL, SSL 3.0 Record Layer
recovering from attacks, Reconstructing After an Attack, Recovering from an Attack
Recreational Software Advisory Council (RSAC), RSACi, RSACi
refer links, The Refer Link
refunds, Refunds and Charge-Backs
Registry of Motor Vehicles, Massachusetts, The Web: Promises and Threats
remote content updating, Secure Content Updating, Secure Content Updating
REMOTE_ variables, Rules for Perl
renewing certificates, Certificate renewal
replay attacks, Features
Resnick, Paul, PICS and Censorship, Access controls become tools for censorship, The PICS Specification
resources, Denial-of-Service Attacks
(see also denial-of-service attacks; performance)
attacks on, Denial-of-Service Attacks, Can Denial-of-Service Attacks Be Stopped?, Rules To Code By
GUIs and, Window system attacks
monitoring, Lesson: Monitor your system.
swap space attacks, Swap space attacks
resources for further reading
SSL and TLS, Performance, TLS Standards Activities
restricting access (see access)
reverse charge transactions, Refunds and Charge-Backs
revoking certificates, Revocation , Revoking a Digital ID
.rhost file, Secure Content Updating
risk management, New Lessons from the Credit Card Example, Risk Management
(see also threats)
Ritchie, Dennis, Do Denial-of-Service Attacks Matter?
Rivest, Ronald L., Public Key Algorithms , Message Digest Functions, The public key patents, RC2, RC4, and trade secret law
routers, Terminology
RSA Data Security Inc., History of the public key patents
encryption algorithms, Symmetric Key Algorithms, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
factoring challenges, Factoring attacks
RSA encryption system, Public Key Algorithms , The public key patents
Secure/MIME system, S/MIME
RSA Data Security, Inc., Violating Trade Secrets, The X.509 v3 Certificate, Bootstrapping the PKI
(see also VeriSign)
RSACi rating system, RSACi, RSACi
runtime system, Java, Java Security Future

S

S/Key system, Use a non-reusable password system.
sandbox, Java, Sandbox
SATAN, Network scanning programs
SATAN package, SATAN
scp program, Secure Content Updating
scripts, breaking, Can’t break a running script
search warrants, Hazards of Criminal Prosecution , If You or One of Your Employees Is a Target of an Investigation . . .
secret keys (see private keys)
Secure Hash Algorithms (SHA, SHA-1), Message Digest Functions
Secure Internet Programming (SIP) group, Java Security Problems
Secure Socket Layer (see SSL)
Secure Telnet, Stel
Secure/MIME system, S/MIME
security
cryptographic (see cryptography)
definition of, Web Security in a Nutshell
domestic-grade vs. export-grade, Securing Information in Transit
holograms, Forgery-proof IDs
Java policy on, Java Security Policy, Setting Java policy from Internet Explorer 4.0
security holes
mailing list for, Bugtraq
security tools, Security Tools, Network scanning programs
SecurityManager class (Java), SecurityManager class
self-signed certificates, The X.509 v3 Certificate
separate execution contexts, Separate Execution Contexts
sequence conditions, Rules To Code By
server-push documents, Animation
servers, Web Security in a Nutshell, Terminology, Securing the Web Server
(see also under specific server name)
access to (see access)
anonymizing, Anonymizers
certificates for, Server Certificates , Adding a New Site Certificate with Internet Explorer
client/server model, Terminology
downloading/installing, Downloading and Installing Your Web Server
extensibility of, Why Worry about Web Security?
firewalls (see firewalls)
log files, Log Files, Looking at the Logs
proxy, Looking at the Logs
why they are targets, Why Worry about Web Security?
services
denial-of-service attacks, Securing Information in Transit, JavaScript and Resource Management, Can Denial-of-Service Attacks Be Stopped?
minimizing number of, Securing the Web Server, Minimizing Risk by Minimizing Services, Minimizing Risk by Minimizing Services
SESAME system, Public key patents overseas
session hijacking, Use a system that relies on encryption.
session keys, Cryptographic Algorithms and Functions
SET (Secure Electronic Transaction) protocol, SET, SET, Two channels: one for the merchant, one for the bank
settlement, Internet-Based Payment Systems
setuid( ) and setgid( ), Tips on Writing CGI Scripts That Run with Additional Privileges
sexygirls.com web site, The Sexy Girls Pornography Viewer
SHA, SHA-1 (Secure Hash Algorithms), Message Digest Functions
Shamir, Adi, Public Key Algorithms , The public key patents
shell scripts, Rules for the UNIX Shell
Shockwave plug-in, When Security Fails: Macromedia Shockwave
S-HTTP system, S-HTTP
signcode program, Signing a program
signing code (see digital signatures)
SIP (Secure Internet Programming) group, Java Security Problems
Skipjack encryption algorithm, Cryptography and the U.S. Trade Secret Law
smart cards, Physical devices for digital signatures, Public key patents overseas, Identity-Based Access Controls, Smart Cards
SMB (NetBIOS) file sharing, Secure Content Updating
snapshots, Snapshot tools
sniffing (see eavesdropping)
social engineering attacks, Social Engineering, Spoofing Username/Password Pop-Ups with Java
SOCKS, SOCKS
software
for blocking/censorship, Blocking Software , RSACi
custom, Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
free, Lesson: Eschew free software.
key escrow, Cryptography and U.S. Export Control Law
liability (see liability)
for monitoring, Monitoring Software, Lesson: Monitor your system.
patents, Patent Law, Cryptography and the U.S. Patent System
piracy, Software piracy and the SPA, Access Devices and Copyrighted Software
publishing, The “Pledge”, Obtaining a Software Publisher’s Certificate
Software Publishers Association (SPA), Software piracy and the SPA, Cryptographic Programs and Export Controls
SomarSoft, Network scanning programs
SPA (Software Publishers Association), Software piracy and the SPA, Cryptographic Programs and Export Controls
Spafford, Gene, What’s a “Secure Web Server” Anyway?
speed, The Return of Block Mode
(see also performance)
development, Why Worry about Web Security?
spoofing, Spoofing Username/Password Pop-Ups with Java, Lesson: Beware of TCP/IP spoofing.
forgery-proof identification, Forgery-proof IDs
Java and, The Java DNS policy dispute
JavaScript and, JavaScript-Enabled Spoofing Attacks, Mirror Worlds
Spry’s Real Mosaic, Web Software Covered by This Book
Spyglass Co., Censoring the network
SSH (secure shell), SSH
SSH program, SSH
SSL (Secure Socket Layer), Securing Information in Transit, A Typical Transaction, A Typical Transaction, Server Certificates , Adding a New Site Certificate with Internet Explorer, SSL, What Is SSL?, Performance, The SSL 3.0 Protocol, Application Data
browsers and, Browser Preferences, Browser Alerts and Indicators
exportability of, U.S. Exportability
protocols for, SSL 3.0 Protocols, Handshake Protocol
TLS and, TLS Standards Activities
SSLeay protocol, Public key patents overseas, SSLeay, SSLeay ca.conf file
SSLeay system, SSLeay
stack attacks, CPU and stack attacks
Stahlman, Mark, The Return of Block Mode
static audits, Snapshot tools
Stel system, Stel
storing private keys, Physical devices for digital signatures, Server Key: To Encrypt or Not To Encrypt?
Strategic Focus, Inc., The Web: Promises and Threats
stream algorithms, Symmetric Key Algorithms
strength, cryptographic, Cryptographic Strength
Stronghold server, Web Software Covered by This Book
substitution ciphers, Roots of Cryptography
SUID and SGID privileges, Tips on Writing CGI Scripts That Run with Additional Privileges
Sun Microsystems, Java
Superincreasing Knapsack Problem, Algorithmic attacks
Surety Technologies, Inc., Are There Better Suited Alternatives to Public Key Digital Signatures?
SurfWatch utility, Censoring the network
swap space attacks, Swap space attacks
Swatch program, Swatch
SymLinksIfOwnerMatch option, Commands Before the <Limit>. . . </Limit> Directive
symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
SYN flooding, Do Denial-of-Service Attacks Matter?
systat utility, Minimizing Risk by Minimizing Services
system administration
references on, Programming and System Administration
systems-based cryptographic attacks, Systems-based attacks

T

tainting Perl, Rules for Perl
tax collection, Security and privacy
TCP/IP (Transmission Control Protocol/Internet Protocol), Terminology
spoofing, Lesson: Beware of TCP/IP spoofing.
SYN flooding, Do Denial-of-Service Attacks Matter?
tcpwrapper system, tcpwrapper
Telnet service, Locating Your Web Server with Respect to Your Firewall, Minimizing Risk by Minimizing Services
Stel system, Stel
temporary files, Rules for C
Thawte Consulting, Viewing a Site’s Certificate, Conclusion
threats, Securing Information in Transit, New Lessons from the Credit Card Example, New Lessons from the Credit Card Example
(see also attacks)
ActiveX controls, Internet Exploder, Signed Code Can Be Hijacked
browsers and, Browser History, Programmability
bugs (see bugs)
criminal, Criminal Hazards That May Await You, The Responsibility To Report Crime
criminal prosecution, Hazards of Criminal Prosecution
cryptography shortcomings, What Cryptography Can’t Do, What Cryptography Can’t Do
digital certificate failure, When Things Go Wrong, Wrong server address
from downloading (see downloading)
eavesdropping, Securing Information in Transit
helper applications and, Helper Applications , Helper Applications
inability to break running scripts, Can’t break a running script
Java (see Java)
JavaScript (see JavaScript)
mailing list for, RISKS
mirror worlds, Mirror Worlds
plug-ins, Evaluating Plug-In Security
programmed, Computer Viruses and Programmed Threats
programs that spend money, Programs That Can Spend Your Money, Electronic funds transfers
public key infrastructure, Problems Building a Public Key Infrastructure, Why Do These Questions Matter?
race conditions, Rules To Code By
risk management, Risk Management
spoofing (see spoofing)
SUID and SGID privileges, Tips on Writing CGI Scripts That Run with Additional Privileges
trademark violation, Trademark violations
unanticipated disclosure, Unanticipated Disclosure
Tiger, Tiger
Tiger utility, Snapshot tools
Time Warner, Java
timeouts, Rules To Code By
timestamping, Are There Better Suited Alternatives to Public Key Digital Signatures?
TIS Internet Firewall Toolkit (FWTK), TIS Internet Firewall Toolkit
TLS (Transport Layer Security), TLS Standards Activities
token-based authentication, Use a token-based authentication system.
tokens, Physical tokens: something that you have
torts, Torts, Incorporation
tracing, ActiveX controls, Support for Authenticode in Internet Explorer
tracking with cookies, Cookies for Tracking
trade secrets, Violating Trade Secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
(see also intellectual property)
trademarks, Trademark Law, Trademark violations
domain names, Trademarks and domain names
transactions, online (see commerce)
Transmission Control Protocol (see TCP)
Transport Layer Security (TLS), TLS Standards Activities
transposition ciphers, Roots of Cryptography
trimlog, trimlog
Triple-DES algorithm, Symmetric Key Algorithms
Tripwire package, Tripwire
Trojan horses, Terminology
trust
certification authorities, Certification Authorities
credentials, Credentials-Based Identification Systems
credit, Charga-Plates, Diners Club, and Credit Cards
domains, Spoofing Browser Status with JavaScript
eTrust program, Personally Identifiable Information
helper applications, Helper Applications
hijacked ActiveX controls, Signed Code Can Be Hijacked
impersonation (see spoofing)
Java applets, Spoofing Username/Password Pop-Ups with Java
operating system, Telephone billing records
PGP’s web of, PGP
plug-ins and, Evaluating Plug-In Security
vendors, Trusted Vendors

U

UDP (User Datagram Protocol), Terminology, UDP Packet Relayer
packet relayer, UDP Packet Relayer
unauthorized use (see access)
United States, Public key patents overseas
(see also international law)
Air Force, Preface
Department of Justice, Preface
exportation controls, Securing Information in Transit, Code Signing and U.S. Export Controls, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law, U.S. Exportability, Cryptographic Programs and Export Controls
federal computer crime laws, Federal Computer Crime Laws
federal jurisdiction, Federal jurisdiction
Naval Research Lab, Implementation Flaws: A Litany of Bugs
Patent and Trademark Office, Cryptography and the U.S. Patent System
patents (see patents)
payment cards in, Payment Cards in the United States
Postal Service, Are There Better Suited Alternatives to Public Key Digital Signatures?, Server Certificates
trade secret laws, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
UNIX
encryption programs for, Today’s Working Encryption Systems, PGP
programming references, Programming and System Administration
shell scripts, Rules for the UNIX Shell
unspoofable areas, Spoofing Browser Status with JavaScript
updating content securely, Secure Content Updating, Secure Content Updating
URLs (uniform resource locators)
hidden, Hidden URLs
mirror worlds, Mirror Worlds
U.S. (see United States)
Usenet, Usenet Groups
User Datagram Protocol (see UDP)
users
access based on, Identity-Based Access Controls
anonymity of (see anonymity)
asking for information/action, Social Engineering, Spoofing Username/Password Pop-Ups with Java
authenticating, Manually Setting Up Web Users and Passwords
biometric identification systems, Biometrics: something that you are
checking values from, Rules To Code By
computers of, Securing the User’s Computer
cookies for, Cookies That Protect Privacy
denial-of-service attacks on, Do Denial-of-Service Attacks Matter?
identification, Identification, Veritas: digital signatures for physical credentials
information on (see personal information)
managing, A Simple User Management System, The newuser Script
spoofing/impersonating (see spoofing)
Utah Digital Signature Act, Is licensing of certification authorities the right approach?

V

validation (see verification)
VC-I video encryption algorithm, Systems-based attacks
Venema, Wietse, Network scanning programs
Vento, Bruce F., Personally Identifiable Information
verification, The charge card check digit algorithm
(see also authentication)
Authenticode for (see Authenticode)
Authenticode signatures, Verifying Authenticode Signatures
credit card check digit, The charge card check digit algorithm
Java bytecode, Bytecode Verifier
user input, Rules To Code By
VeriSign, The X.509 v3 Certificate, Bootstrapping the PKI, The SSL Certificate Format, A Tour of the VeriSign Digital ID Center, VeriSign’s Class System
(see also RSA Data Security, Inc.)
installing certificate, Installing Your VeriSign Certificate, Installing Your VeriSign Certificate
software publishing and, The “Pledge”, Obtaining a Software Publisher’s Certificate
Veritas system, Veritas: digital signatures for physical credentials
versions, SSL, SSL Versions
viewing certificates, Viewing a Site’s Certificate
virtual machine, Java (JVM), Java the Language
Virtual PIN system, Virtual PIN, Security and privacy
viruses, Terminology, Signed Code is Not Safe Code
references on, Computer Viruses and Programmed Threats

W

Wagner, David, Implementation Flaws: A Litany of Bugs
Wallach, Dan S., Implementation Flaws: A Litany of Bugs, Java Security Problems
WANs (wide area networks), Terminology
warez sites, Warez
Web (see World Wide Web)
web of trust, PGP
WebSite Pro server, Web Software Covered by This Book
WebStar Pro server, Web Software Covered by This Book
wide area networks (see WANs)
Windows NT mailing list, NT-security
windows, attacks on, Window system attacks
World Wide Web, Web Security in a Nutshell, Terminology, Java
(see also Java; JavaScript)
blocking/censorship software for, Blocking Software , RSACi
browsers (see browsers, web)
cookies, Cookies, Cookies That Protect Privacy
downloading from, Helper Applications
mirror worlds, Mirror Worlds
page history mechanism, JavaScript and Privacy
refer links, The Refer Link
servers (see servers)
viewing site’s certificate, Viewing a Site’s Certificate
World Wide Web (WWW)
references on, WWW Pages
security mailing list, WWW-security
worms, Terminology
writing programs (see programming, guidelines for)
wuarchive FTP daemon, wuarchive ftpd