A
- access, Securing the Web Server, Physical tokens: something that you have, Controlling Access to Your Web Server, Identity-Based Access Controls
  - (see also identification)
  - authorizing (see authorization)
  - certification authorities (CAs), Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
  - devices for, Access Devices and Copyrighted Software
  - host-based, Host-Based Restrictions
  - <Limit> directive for, Implementing Access Controls with <Limit> Blocks, Manually Setting Up Web Users and Passwords
  - passwords for (see passwords)
  - physical tokens for, Physical tokens: something that you have
  - user-based, Identity-Based Access Controls
- access.conf file, <Limit> Examples
- ACH (Automated Clearing House) system, Enrollment, Credit Cards and ACH
- ActiveX controls, Programmability, ActiveX and Authenticode, Internet Exploder, Support for Authenticode in Internet Explorer
  - Software Developer’s Kit, Publishing with Authenticode
- activism, legal, Laws and Activism
- Adleman, Leonard M., Public Key Algorithms, The public key patents
- administrative logins, Secure Content Updating
- aggregation, information, Digital Certificates Allow For Easy Data Aggregation
- Air Force (U.S.), Preface
- alert( ) method, JavaScript and Resource Management
- alert protocol (SSL), Alert Protocol
- algorithmic attacks on encryption, Algorithmic attacks
- Allen, Christopher, TLS Standards Activities
- AllowOverride command, Commands Before the <Limit>. . . </Limit> Directive
- America Online (AOL), Social Engineering, Blocking Software, Censoring the network
- American Bankers Association, A Typical Transaction
- Anderson, Ross, Is Cryptography a Military or Civilian Technology?
- animation, Animation
- anonymity, Anonymizers
  - certificates and, Client Certificates
  - digital payment systems and, Internet-Based Payment Systems, Security and privacy, Security and privacy
- AOL (America Online), Social Engineering, Blocking Software, Censoring the network
- Apache-SSL server, Web Software Covered by This Book, Apache-SSL, Installing Apache-SSL
- APIs (Application Programming Interfaces), Terminology
  - extensibility of, The Danger of Extensibility, Fixing the problem
  - programming guidelines, Rules To Code By, Rules To Code By
- Apple Macintosh
  - security and, Minimizing Risk by Minimizing Services
  - WebStar Pro server, Web Software Covered by This Book
- applets (see Java)
- Application Programming Interfaces (see APIs)
- application/pics-labels encoding, PICS Applications
- application/pics-service encoding, PICS Applications, Rating Services
- application/x-x509-ca-cert encoding, Adding a New Site Certificate with Internet Explorer
- Atkins, Derek, Factoring attacks
- attacks, Securing Information in Transit
  - (see also threats)
  - bug exploitation (see bugs)
  - data-driven, Data-Driven Attacks, Web-Based Programming Languages
  - on encryption, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
  - legal options regarding, Your Legal Options After a Break-In, Hazards of Criminal Prosecution
  - man-in-the-middle, Features
  - on message digests, Attacks on Message Digest Functions
  - mirror-world, Mirror Worlds
  - packet sniffing, Lesson: Defeat packet sniffing.
  - plug-ins for, Tactical Plug-In Attacks
  - publishing, Attacks on Message Digest Functions
  - reasons for, Animation
  - recovering from, Reconstructing After an Attack, Recovering from an Attack
  - replay, Features
  - on resources (see denial-of-service attacks)
  - social engineering, Social Engineering, Spoofing Username/Password Pop-Ups with Java
  - SYN flooding, Do Denial-of-Service Attacks Matter?
- audits, Signed Code is Not Safe Code, Snapshot tools
- authentication, Locating Your Web Server with Respect to Your Firewall, Cryptography and Web Security
  - Authenticode for, Authenticode, Is Authenticode a Solution?, Recovering from an Attack, Microsoft’s Authenticode Technology, Controlling Authenticode in Internet Explorer
  - message digests, Message Digest Functions, Attacks on Message Digest Functions
  - of new users, Manually Setting Up Web Users and Passwords
  - token-based, Use a token-based authentication system.
- authorization, Securing the Web Server
  - environment variables for, Rules for Perl
  - <Limit> directive and, Commands Before the <Limit>. . . </Limit> Directive
- AUTH_TYPE variable, Rules for Perl
- automated checking systems, Change-detecting tools
B
- back-end databases, Back-End Databases
- backquote function, The problem with the script
- backups, Backups, Hazards of Criminal Prosecution, If You or One of Your Employees Is a Target of an Investigation . . ., Lesson: Make frequent backups.
- bandwidth (see performance)
- Baum, Michael, Distinguished Names Are Not People, Certificates Today
- Berkeley r commands, Minimizing Risk by Minimizing Services
- Biddle, Bradford, Ten Policy Questions
- biometric identification systems, Biometrics: something that you are
- <blink> HTML tag, <blink>
- block algorithms, Symmetric Key Algorithms
- block mode computing, The Return of Block Mode
- blocking software, Blocking Software, RSACi
  - censorship, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
- borrowing private keys, How Do You Loan a Key?
- branded debit cards, Refunds and Charge-Backs
- break-ins (see attacks)
- breaking running scripts, Can’t break a running script
- bridges, Terminology
- browsers (see Web browsers)
- browsers, web, Web Security in a Nutshell, Browser History, Programmability
  - bugs in (see bugs)
  - cookies, Cookies, Cookies That Protect Privacy
  - crashing, Bug Exploitations
  - extensibility of, Why Worry about Web Security?
  - JavaScript and (see JavaScript)
  - log files of, Log Files, Looking at the Logs
  - spoofing status of, Spoofing Browser Status with JavaScript
  - SSL and, Browser Preferences, Browser Alerts and Indicators
- brute force attacks, A Cryptographic Example, Key search (brute force) attacks
- BSD UNIX
  - programming references, Programming and System Administration
- bugs, Bug Exploitations, Implementation Flaws: A Litany of Bugs, Signed Code is Not Safe Code, Faults, Bugs, and Programming Errors, Bugs and flaws
  - Bugtraq mailing list, Bugtraq
  - Java, Java implementation errors
  - Macromedia Shockwave plug-in, When Security Fails: Macromedia Shockwave
- bytecode, Java, Java the Language, Bytecode Verifier
C
- C, programming guidelines for, Rules for C
- Card Shark program, Card Shark
- CAs (certification authorities), Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
- CCI (Common Client Interface), Programmability
- censorship, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
- Central Intelligence Agency, Preface
- CERN, CERN HTTP daemon
- CERT (Computer Emergency Response Team), Bugs and flaws, CERT-advisory
- certificates, Certificates Today, Conclusion
  - CAs, Certification Authorities, Certification practices statement (CPS), How Many CAs Does Society Need?, Certification Authority Certificates, Server Certificates
  - class system of, VeriSign’s Class System
  - client-side, Client Certificates, Support for Client-Side Digital Certificates
  - CPS (certification practices statement), Certification practices statement (CPS)
  - CRLs (certificate revocation lists), Revocation
  - installing, Installing Your VeriSign Certificate, Installing Your VeriSign Certificate
  - managing users with, Manually Setting Up Web Users and Passwords
  - Netscape Navigator wizard for, Netscape Navigator 3.0’s New Certificate Wizard, Netscape Navigator 3.0’s New Certificate Wizard
  - renewing, Certificate renewal
  - revoking, Revocation, Revoking a Digital ID
  - software publisher’s, Obtaining a Software Publisher’s Certificate
  - SSL and, Digital Certificates
  - VeriSign Digital ID Center, Bootstrapping the PKI, The SSL Certificate Format, A Tour of the VeriSign Digital ID Center, VeriSign’s Class System
  - X.509 v3, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
- CGI (Common Gateway Interface), Terminology, CGIs with Unintended Side Effects, Fixing the problem, Tips on Writing CGI Scripts That Run with Additional Privileges
  - extensibility of, The Danger of Extensibility, Fixing the problem
  - programming guidelines, Rules To Code By, Rules To Code By
- cgi-bin directory, Programs That Should Not Be CGIs
- change cipher spec protocol (SSL), ChangeCipherSpec Protocol
- change detection, Change-detecting tools
- Chapters 6 and 7, Downloading and Installing Your Web Server
- characters, filtering, Fixing the problem
- charga-plates, A Very Short History of Credit
- charge-backs, Refunds and Charge-Backs
- charge slips, The charge slip
- chargen utility, Minimizing Risk by Minimizing Services
- Chaum, David, DigiCash
- CheckFree services, Credit Cards and ACH
- checking (see verification)
- child pornography, Pornography, Indecency, and Obscenity
- chktrust program, Verifying Authenticode Signatures
- chosen plaintext attacks, Cryptanalysis
- chrootuid daemon, chrootuid
- CIAC (Computer Incident Advisory Capability), CIAC-notes
- ciphers (see encryption)
- civil laws, Legal Issues: Civil, Incorporation
- Clark, Jim, Terminology
- class loader, Java, Java the Language, Class Loader
- classes, certificate, VeriSign’s Class System
- client-pull documents, Animation
- clients, Terminology
- client-side digital certificates, Client Certificates, Support for Client-Side Digital Certificates
- client/server model, Terminology
- Clipper chip, Cryptography and the U.S. Trade Secret Law
- COAST (Computer Operations, Audit, and Security Technology), COAST
- COAST Software Archive, COAST
- code
  - downloading (see downloading)
  - signing, Code Signing and Microsoft’s Authenticode, Other Code Signing Methods (see digital signatures)
- Code Signing Wizard, The Code Signing Wizard
- commerce, Why Worry about Web Security?, Card Shark
  - (see also credit cards; electronic money)
  - credit cards for (see credit cards)
  - identification and, The Need for Identification Today
  - Internet-based payment systems, Internet-Based Payment Systems, Mondex
  - merchant fees, Charge card fees
  - programs that spend money, Programs That Can Spend Your Money, Electronic funds transfers
  - reverse charge transactions, Refunds and Charge-Backs
- Common Client Interface (see CCI)
- Common Gateway Interface (see CGI)
- computer underground digest, Computer underground digest
- computers
  - crashing, Bug Exploitations
  - identification techniques for, Computerized Identification Techniques, Location: someplace where you are
  - impersonating (see spoofing)
  - networks of (see networks)
  - security
    - references for, General Computer Security
  - security on, Securing the User’s Computer
- confidentiality (see privacy)
- confiscation of property, If You or One of Your Employees Is a Target of an Investigation . . .
- connectivity, Java Security Policy
- consistency checking, Rules To Code By
- Consumer Internet Privacy Protection Act, Personally Identifiable Information
- content types
  - application/pics-labels, PICS Applications
  - application/pics-service, PICS Applications, Rating Services
  - application/x-x509-ca-cert, Adding a New Site Certificate with Internet Explorer
- content updating, Secure Content Updating, Secure Content Updating
- Cook, William J., Legal Issues: Civil
- cookies, Cookies, Cookies That Protect Privacy
  - eTrust program, Personally Identifiable Information
- COPS (Computer Oracle and Password System), COPS (Computer Oracle and Password System)
- copyright, Copyright Law, Warez, Access Devices and Copyrighted Software, Laws and Activism
- core files, Rules To Code By
- corporations, Incorporation
- courtesy cards, A Very Short History of Credit
- CPS (certification practices statement), Certification practices statement (CPS)
- CPU attacks, CPU and stack attacks
- CPU time limits, Rules To Code By
- crashing applications, Bug Exploitations
- credentials, Credentials-Based Identification Systems
- credit cards, Why Worry about Web Security?, Credit Cards, Encryption, and the Web, New Lessons from the Credit Card Example, Charga-Plates, Diners Club, and Credit Cards, Using Credit Cards on the Internet, Credit Cards and ACH, Lesson: Make it easy for your customers to save you money.
  - (see also electronic money)
  - Card Shark program, Card Shark
  - evaluating system for, How to Evaluate a Credit Card Payment System
  - fraud, A Typical Transaction
  - SET protocol for, SET, SET, Two channels: one for the merchant, one for the bank
- criminal laws, Your Legal Options After a Break-In, Hazards of Criminal Prosecution, Play it Safe . . ., Laws and Activism
- criminal threats, Criminal Hazards That May Await You, The Responsibility To Report Crime
- CRLs (certificate revocation lists), Revocation
- cross-certification, Certification Authority Certificates
- cryptanalysis, Cryptanalysis
- cryptography, What’s a “Secure Web Server” Anyway?, Understanding Cryptography, Cryptographic Algorithms and Functions, Cryptography and Web Security, What Cryptography Can’t Do
  - (see also encryption)
  - attacks against, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
  - dual signatures, Two channels: one for the merchant, one for the bank
  - exportation controls on, Cryptographic Programs and Export Controls
  - international restrictions on, Foreign Restrictions on Cryptography, Foreign Restrictions on Cryptography
  - message digests, Message Digest Functions, Attacks on Message Digest Functions
  - patents and, Cryptography and the U.S. Patent System, Cryptography and the U.S. Patent System
  - public keys, Cryptographic Algorithms and Functions, Public Key Algorithms, Factoring attacks, Public Key Infrastructure, Public Key Infrastructure
  - symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
  - U.S. restrictions on, Securing Information in Transit, U.S. Restrictions on Cryptography, Cryptography and U.S. Export Control Law
  - working encryption systems, Today’s Working Encryption Systems, IPsec and IPv6
- custom software, Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
- CyberCash system, CyberCash/CyberCoin
- Cylink, History of the public key patents
D
- data, New Lessons from the Credit Card Example
  - (see also information)
  - aggregating, Digital Certificates Allow For Easy Data Aggregation
  - data-driven attacks, Data-Driven Attacks, Web-Based Programming Languages
  - eavesdropping, Securing Information in Transit
  - packets (see packets)
- Data Encryption Standard (see DES)
- databases, Back-End Databases
- Davies, Simon, Mondex
- deadlock conditions, Rules To Code By
- Dean, Drew, Implementation Flaws: A Litany of Bugs, Java Security Problems
- debit cards, Refunds and Charge-Backs
- decryption (see cryptography; encryption)
- defamation, Revealing Disparaging Remarks, Libel and Defamation
- denial-of-service attacks, Securing Information in Transit, Denial-of-Service Attacks, Can Denial-of-Service Attacks Be Stopped?, Rules To Code By
  - crashing computers, Bug Exploitations
  - JavaScript for, JavaScript and Resource Management
- Department of Justice (U.S.), Preface
- DES (Data Encryption Standard), Symmetric Key Algorithms
- design flaws, Java, Java design flaws
- designing programs (see programming, guidelines for)
- DESX algorithm, Symmetric Key Algorithms
- detecting changes, Change-detecting tools
- development speeds, Why Worry about Web Security?
- Dierks, Tim, TLS Standards Activities
- differential analysis, Cryptanalysis
- Diffie, Bailey Whitfield, Public Key Algorithms, The public key patents
- Diffie-Hellman key exchange, Public Key Algorithms, The public key patents
  - SSL and, 4. Server Key Exchange
- DigiCash system, DigiCash, Security and privacy
- DigiCrime web site, Window system attacks
- digital
  - certificates (see certificates)
  - coins, DigiCash
  - payment (see credit cards; electronic money)
  - postmarks, Are There Better Suited Alternatives to Public Key Digital Signatures?
  - watermarking, Securing the User’s Computer
- Digital IDs (see certificates)
- digital notary, Are There Better Suited Alternatives to Public Key Digital Signatures?
- digital signatures, Signed Code is Not Safe Code, Signed Code Can Be Hijacked, Using Digital Signatures for Identification, Veritas: digital signatures for physical credentials, Certificates Today, Cryptographic Algorithms and Functions, Public Key Algorithms
  - (see also certificates)
  - Authenticode, Authenticode
  - certification authorities, Certification Authorities, Certification practices statement (CPS)
  - DSS (Digital Signature Standard), Public Key Algorithms, Message Digest Functions
  - key system for, Using Digital Signatures for Identification
  - legislation on, Ten Policy Questions, Should governments act as CAs?
  - for program code, Code Signing and Microsoft’s Authenticode, Code Signing and U.S. Export Controls
  - X.509 v3 certificates, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
- distinguished names, Distinguished Names Are Not People
- DNS (Domain Name System), Minimizing Risk by Minimizing Services
  - DNSSEC standard, DNSSEC
  - spoofing, Java and, The Java DNS policy dispute
  - SSL certificates and, The SSL Certificate Format
- document-based identification, Using a document-based ID system
- domains
  - DNS, The Java DNS policy dispute
  - impersonating (see spoofing)
  - names of, Trademarks and domain names
- domestic-grade security, Securing Information in Transit
- Donnerhacke, Lutz, Electronic funds transfers
- The Doubleclick Network, Cookies for Tracking
- downloading, Helper Applications, When Good Browsers Go Bad, The Sexy Girls Pornography Viewer, The Risks of Downloaded Code, Reconstructing After an Attack
  - ActiveX controls (see ActiveX controls)
  - data-driven attacks, Data-Driven Attacks, Web-Based Programming Languages
  - web server, Downloading and Installing Your Web Server
- dual signatures, Two channels: one for the merchant, one for the bank
E
- eavesdropping, Securing Information in Transit, Reconstructing After an Attack
  - credit card information and, A Typical Transaction
  - password sniffing, Password Sniffing, Use a system that relies on encryption.
  - private keys, Using Digital Signatures for Identification
- echo command, Minimizing Risk by Minimizing Services
- edit detection, Change-detecting tools
- electronic mail, Minimizing Risk by Minimizing Services
  - authorizing payments by, Virtual PIN, Security and privacy
  - forwarding, copyright law and, Copyright infringement
  - message digests, Message Digest Functions, Attacks on Message Digest Functions
- electronic money, Why Worry about Web Security?
  - (see also credit cards)
  - CyberCash system, CyberCash/CyberCoin
  - debit cards, Refunds and Charge-Backs
  - DigiCash system, DigiCash, Security and privacy
  - Mondex system, Mondex
  - programs that spend, Programs That Can Spend Your Money, Electronic funds transfers
  - SET protocol for, SET, Two channels: one for the merchant, one for the bank
  - Virtual PIN system, Virtual PIN, Security and privacy
- ElGamal encryption system, Public Key Algorithms
- Ellison, Carl, A Typical Transaction, How Do You Loan a Key?, Key search (brute force) attacks
- employees, If You or One of Your Employees Is a Target of an Investigation . . ., If You or One of Your Employees Is a Target of an Investigation . . ., Play it Safe . . .
- encoding
  - application/pics-labels, PICS Applications
  - application/pics-service, PICS Applications, Rating Services
  - application/x-x509-ca-cert, Adding a New Site Certificate with Internet Explorer
  - cryptography (see cryptography)
- encryption, Securing Information in Transit, A Typical Transaction, Using Digital Signatures for Identification, Terminology, Use a system that relies on encryption., Lesson: Encrypt sensitive information and be careful with your decryption keys.
  - (see also cryptography)
  - attacks on, A Cryptographic Example, Attacks on Symmetric Encryption Algorithms, Factoring attacks, What Cryptography Can’t Do
  - of private keys, Server Key: To Encrypt or Not To Encrypt?
  - program traps, What Cryptography Can’t Do
  - programs for UNIX, Today’s Working Encryption Systems, PGP
  - public key (see public keys)
  - public keys, Cryptographic Algorithms and Functions, Public Key Algorithms, Factoring attacks, Public Key Infrastructure, Public Key Infrastructure
  - SSL for (see SSL)
  - symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
  - systems for, Today’s Working Encryption Systems, IPsec and IPv6
- enforcing digital certificates, Server Certificates
- enrollment, Internet-Based Payment Systems
- environment variables, CGI/API and, Rules for Perl
- errors in implementation (see bugs)
- errors, programming (see bugs)
- escrow proposal
  - key recovery versus, Cryptography and U.S. Export Control Law
- /etc/passwd file, Manually Setting Up Web Users and Passwords
- eTrust program, Personally Identifiable Information
- evaluating
  - credit card systems, How to Evaluate a Credit Card Payment System
  - site security, Security Tools, Network scanning programs
- ExecCGI option, Commands Before the <Limit>. . . </Limit> Directive
- execution context, separate, Separate Execution Contexts
- exportation controls, U.S., Securing Information in Transit, Code Signing and U.S. Export Controls, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law, U.S. Exportability, Cryptographic Programs and Export Controls
- extensibility, Why Worry about Web Security?, The Danger of Extensibility, Fixing the problem
  - plug-ins for (see plug-ins)
F
- factoring attacks, Factoring attacks
- fair use, Copyright infringement
- Farmer, Dan, Network scanning programs
- FastTrack server, Web Software Covered by This Book
- faults (see bugs)
- federal jurisdiction, Federal jurisdiction
- federal laws, Federal Computer Crime Laws
- fees, charge card, Charge card fees
- Felten, Edward W., Implementation Flaws: A Litany of Bugs, Java Security Problems, JavaScript-Enabled Spoofing Attacks, Mirror Worlds
- files
  - access to (see access)
  - core files, Rules To Code By
  - document-based identification, Using a document-based ID system
  - downloading (see downloading)
  - log (see logging)
  - temporary, Rules for C
- filing criminal complaints, Filing a Criminal Complaint, Federal jurisdiction
- filtering invalid characters, Fixing the problem
- finger protocol, Minimizing Risk by Minimizing Services
- Finjan Software, Java Security Future
- firewalls, Terminology, Firewalls: Part of the Solution, Locating Your Web Server with Respect to Your Firewall, A wealth of private data, Firewalls
  - mailing list for, Academic-Firewalls, Firewalls
- FIRST teams, FIRST
- First Virtual Holdings, Card Shark, Virtual PIN
- FollowSymLinks option, Commands Before the <Limit>. . . </Limit> Directive
- forgery-proof identification, Forgery-proof IDs
- format of SSL certificates, The SSL Certificate Format
- Fortezza encryption cards, Cryptography and the U.S. Trade Secret Law
- forwarding email messages, Copyright infringement
- fraud, Access Devices and Copyrighted Software
  - credit-card (see credit cards)
  - digital certificates, Server Certificates
- free software, Lesson: Eschew free software.
- Friedland, Jay, Censoring the network
- FTP (File Transfer Protocol), Password Sniffing, Minimizing Risk by Minimizing Services, Secure Content Updating
- future of Java security, Java Security Future
- FWALL-users mailing list, FWALL-user
G
- gateways, Terminology
- GIF animation, Animation
- Global Positioning System (GPS), Location: someplace where you are
- Goldberg, Ian, Implementation Flaws: A Litany of Bugs
- Gosling, James, Java
- government
  - as certificate authority, Should governments act as CAs?
  - tax collection, Security and privacy
- GPS (Global Positioning System), Location: someplace where you are
- Graff, Michael, Factoring attacks
- Grant, Michael, SSLeay Examples
- Graphical User Interface (see GUIs)
- Greene, Paul, Preface, Implementation Flaws: A Litany of Bugs
- guest logins, Secure Content Updating
- GUIs (Graphical User Interfaces), Window system attacks
H
- handshake, SSL, Handshake Protocol, Application Data
- harassment, Libel and Defamation
- Hellman, Martin E., Public Key Algorithms, The public key patents
- helper applications, Helper Applications, Helper Applications, Netscape Plug-Ins
- hidden URLs, Hidden URLs
- hijacked ActiveX controls, Signed Code Can Be Hijacked
- history
  - browser risk, Browser History, Programmability
  - of credit, A Very Short History of Credit
  - cryptography, Roots of Cryptography
  - Java, Java
  - public key patents, History of the public key patents
  - SSL protocol, History
  - unsecure hosts, Historically Unsecure Hosts, Historically Unsecure Hosts
  - web page, mechanism for, JavaScript and Privacy
- holograms, Forgery-proof IDs
- hosts, Terminology
  - restricting by, Host-Based Restrictions
  - security of, Host and Site Security, Backups
- .htaccess file, Implementing Access Controls with <Limit> Blocks
- HTML (Hypertext Markup Language), Terminology, <blink>
  - tag, Behind the scenes with Netscape Navigator
  - <OBJECT> tag, The <OBJECT> Tag
  - refer links, The Refer Link
- htpasswd program, Manually Setting Up Web Users and Passwords
- HTTP (Hypertext Transfer Protocol), Terminology
  - requesting PICS labels by, Requesting PICS Labels by HTTP
  - S-HTTP system, S-HTTP
- HTTPS_RANDOM variable, Rules for Perl
- hybrid public/private cryptosystems, Cryptographic Algorithms and Functions
- Hypertext Markup Language (see HTML)
- Hypertext Transfer Protocol (see HTTP)
I
- IDEA (International Data Encryption Algorithm), Symmetric Key Algorithms
- identification, Identification, Veritas: digital signatures for physical credentials
  - access based on, Identity-Based Access Controls
  - digital certificates for (see certificates)
  - private keys and (see private keys)
  - signatures for (see digital signatures)
  - smart cards for (see smart cards)
- IIS server, Web Software Covered by This Book
- images, animation of, Animation
- imitating (see spoofing)
- impersonation (see spoofing)
- implementation errors (see bugs)
- Includes option, Commands Before the <Limit>. . . </Limit> Directive
- IncludesNoExec option, Commands Before the <Limit>. . . </Limit> Directive
- incorporation, Incorporation
- indecency, Pornography, Indecency, and Obscenity
- Indexes option, Commands Before the <Limit>. . . </Limit> Directive
- information, Securing Information in Transit
  - aggregating, Digital Certificates Allow For Easy Data Aggregation
  - asking users for, Social Engineering, Spoofing Username/Password Pop-Ups with Java
  - censorship of, Blocking Software and Censorship Technology, PICS and Censorship, Censoring the network
  - on charge slips, The charge slip
  - indecent, definition of, Pornography, Indecency, and Obscenity
  - personal, New Lessons from the Credit Card Example, The Java DNS policy dispute, JavaScript and Privacy, Programs That Violate Privacy and Steal Confidential Information, Personally Identifiable Information, Unanticipated Disclosure, X.509 v3 Does Not Allow Selective Disclosure
    - (see also privacy)
  - proprietary, Why Worry about Web Security?
  - secure content updating, Secure Content Updating, Secure Content Updating
- infrastructure, public key, Public Key Infrastructure, Public Key Infrastructure, Public Key Infrastructure
- inline ActiveX controls, Signed Code Can Be Hijacked
- input, verifying, Rules To Code By
- installing
  - digital certificates, Installing Your Digital Certificate, Installing Your Digital Certificate
  - web servers, Downloading and Installing Your Web Server
- integrity, Java design flaws, Cryptography and Web Security
- intellectual property, Violating Trade Secrets, Intellectual Property, Trademark violations
  - trade secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
- interception of data (see eavesdropping)
- interest on credit, Charge card fees
- International Data Encryption Algorithm (IDEA), Symmetric Key Algorithms
- international law
  - cryptography restrictions, Foreign Restrictions on Cryptography, Foreign Restrictions on Cryptography
  - public key patents, Public key patents overseas
- Internet, Web Security in a Nutshell, Terminology
  - credit cards on (see credit cards)
  - law and (see law and legal issues)
  - payment systems on, Internet-Based Payment Systems, Mondex
  - service providers (see ISPs)
  - SIP group, Java Security Problems
- Internet Exploder control, Internet Exploder
- Internet Explorer, Preface, Web Software Covered by This Book
  - Authenticode support, Support for Authenticode in Internet Explorer, Controlling Authenticode in Internet Explorer
  - bugs, Implementation Flaws: A Litany of Bugs
  - certificates and, Adding a New Site Certificate with Internet Explorer, Adding a New Site Certificate with Internet Explorer
  - digital signatures and, Internet Exploder
  - Java security and, Setting Java policy from Netscape Navigator 2.3
  - private key generation, Behind the scenes with Internet Explorer
  - ratings implemented in, RSACi
  - SSL preferences, Internet Explorer preferences
- Internet Protocol (see IP)
- Internet Worm, A wealth of private data
- internetworks, Terminology
- interpreter applications, Helper Applications
- intranets, Terminology
- intrusion detection programs, Intrusion detection programs
- invalid characters, Fixing the problem
- IP (Internet Protocol), Terminology
  - address, restricting access by, Host-Based Restrictions
  - connectivity, Lesson: Set milestones and stick to them.
  - IPsec and IPv6 protocols, IPsec and IPv6
- ISPs (Internet service providers), Personally Identifiable Information, Lessons from Vineyard.NET, Conclusion
  - copyright and, Warez
- ISS (Internet Security Scanner), Network scanning programs, ISS (Internet Security Scanner)
J
- Java, Java, Java Security Future
  - class loader, Java the Language, Class Loader
  - sandbox, Sandbox
  - security policy, Java Security Policy, Setting Java policy from Internet Explorer 4.0
  - security problems with, Implementation Flaws: A Litany of Bugs, Java Security Problems, The Java DNS policy dispute, Can Denial-of-Service Attacks Be Stopped?
  - self-defending applet killer, Window system attacks
  - virtual machine (JVM), Java the Language
- JavaScript, JavaScript, JavaScript and Privacy
  - for denial-of-service attacks, JavaScript and Resource Management
  - security problems with, Implementation Flaws: A Litany of Bugs
  - spoofing with, JavaScript-Enabled Spoofing Attacks, Mirror Worlds
- jurisdiction, Local jurisdiction
- JVM (see Java virtual machine)
K
- Kerberos system, Kerberos, Public key patents overseas, Kerberos
- HTML tag, Behind the scenes with Netscape Navigator
- keys
  - digital signature system, Using Digital Signatures for Identification
  - key search attacks, A Cryptographic Example, Key search (brute force) attacks
  - private (see private keys)
  - public (see public keys)
  - recovery system, Cryptography and U.S. Export Control Law
  - signing parties, PGP
- knapsack algorithm, The public key patents
- known plaintext attacks, Cryptanalysis
- Koops, Bert-Jaap, Foreign Restrictions on Cryptography
L
- labels, PICS (see PICS)
- LaDue, Mark, Window system attacks
- languages, programming (see programming)
- LANs (local area networks), Terminology
- laws and legal issues, Legal Issues: Civil
  - activism, Laws and Activism
  - after break-in, Your Legal Options After a Break-In, Hazards of Criminal Prosecution
  - CPS (certification practices statement), Certification practices statement (CPS)
  - credit cards, A Typical Transaction
  - criminal prosecution, Hazards of Criminal Prosecution
  - cryptographic technologies and, Securing Information in Transit, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law
  - digital signatures, Ten Policy Questions, Should governments act as CAs?
  - identification, The Need for Identification Today
  - intellectual property, Intellectual Property, Trademark violations
  - law enforcement, Filing a Criminal Complaint, Hazards of Criminal Prosecution, Play it Safe . . .
  - outside United States, Public key patents overseas
  - patents, Cryptography and the U.S. Patent System, Public key patents overseas
  - privacy, Personally Identifiable Information
  - torts, Torts, Incorporation
  - trade secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
  - U.S. exportation controls, Code Signing and U.S. Export Controls, U.S. Exportability
- legacy systems, Firewalls: Part of the Solution
- Lenstra, Arjen, Factoring attacks
- Leyland, Paul, Factoring attacks
- liability, Liability for Damage
  - PICS and, Censoring the network
  - public key infrastructure and, How should liability and risk be allocated in a PKI?
- libel, Revealing Disparaging Remarks, Libel and Defamation
- Limit command, Commands Before the <Limit>. . . </Limit> Directive
- <Limit> directive, Implementing Access Controls with <Limit> Blocks, Manually Setting Up Web Users and Passwords
- limiting access (see access)
- LiveScript (see JavaScript)
- loaning private keys, How Do You Loan a Key?
- loans, credit (see credit cards)
- local area networks (see LANs)
- local jurisdiction, Local jurisdiction
- logging, Logging, Play it Safe . . ., Lesson: Log everything, and have lots of reports.
  - applet downloads and actions, Java Security Future
  - browser, Log Files, Looking at the Logs
  - programming and, Rules To Code By
  - Swatch program, Swatch
- logins
  - limiting, Secure Content Updating
- logins, limiting, Lesson: Limit logins to your servers.
M
- Macintosh
  - security and, Minimizing Risk by Minimizing Services
  - WebStar Pro server, Web Software Covered by This Book
- Macromedia Shockwave plug-in, When Security Fails: Macromedia Shockwave
- MACs (message authentication codes), Message Digest Algorithms at Work
- mailing lists, Mailing Lists, WWW-security
- man-in-the-middle attacks, Features
- Massachusetts Registry of Motor Vehicles, The Web: Promises and Threats
- McLain, Fred, Internet Exploder
- MD2, MD4, MD5 functions, Message Digest Functions
- meet-in-the-middle plaintext attacks, Symmetric Key Algorithms
- memory (see resources)
- merchant fees, Charge card fees
- Merkle, Ralph C., The public key patents
- message digests, Cryptographic Algorithms and Functions, Message Digest Functions, Attacks on Message Digest Functions
- Metcalfe, Bob, Historically Unsecure Hosts
- Microsoft
  - ActiveX controls, Programmability, ActiveX and Authenticode, Internet Exploder
  - ActiveX Software Developer’s Kit, Publishing with Authenticode
  - Authenticode, Authenticode, Is Authenticode a Solution?, Recovering from an Attack, Microsoft’s Authenticode Technology, Controlling Authenticode in Internet Explorer
  - Internet Explorer, Preface, Web Software Covered by This Book, Implementation Flaws: A Litany of Bugs, Setting Java policy from Netscape Navigator 2.3 (see Internet Explorer)
  - Internet Information Server (IIS), Web Software Covered by This Book
  - PCT security protocol, PCT
  - Software Publisher’s Pledge, The “Pledge”
- MIIS (see IIS)
- Miller, James, PICS and Censorship, Access controls become tools for censorship, The PICS Specification
- minimizing number of services, Securing the Web Server, Minimizing Risk by Minimizing Services, Minimizing Risk by Minimizing Services
- mirror worlds, Mirror Worlds
- mkstemp( ), Rules for C
- Mondex system, Mondex
- money (see credit cards; electronic money)
- monitoring software, Monitoring Software, Lesson: Monitor your system.
- Morris, Robert T., A wealth of private data
- Mosaic browser, Browser History
- Mozilla (see Netscape Navigator)
- multihoming, Terminology
- multimedia, A wealth of private data
N
- names
  - web site, certificates and, Wrong server address
- Naughton, Patrick, Java
- Naval Research Lab, U.S., Implementation Flaws: A Litany of Bugs
- NCSA Mosaic, Browser History
- NetBIOS (SMB) file sharing, Secure Content Updating
- Netscape
  - certification authorities and, Bootstrapping the PKI
  - cookies, Cookies, Cookies That Protect Privacy
  - FastTrack server, Web Software Covered by This Book
  - plug-ins (see plug-in modules)
  - SSL (see SSL)
  - viewing certificates with, Viewing a Site’s Certificate
- Netscape Navigator, Web Software Covered by This Book
  - bugs, Implementation Flaws: A Litany of Bugs
  - certificate wizard, Netscape Navigator 3.0’s New Certificate Wizard, Netscape Navigator 3.0’s New Certificate Wizard
  - Java security policy and, Setting Java policy from Netscape Navigator 2.3
  - private key generation, Behind the scenes with Netscape Navigator
  - random number generator, Implementation Flaws: A Litany of Bugs
  - SSL preferences, Navigator preferences
- netstat utility, Minimizing Risk by Minimizing Services
- Network Solutions, Inc., Trademarks and domain names
- networks, Why Worry about Web Security?, Terminology
  - blocking software and, Censoring the network
  - connectivity limitations, Java Security Policy
  - local area (see LANs)
  - NFS, Secure Content Updating
  - security references, Network Technology and Security
  - wide area (see WANs)
- newuser script (example), The newuser Script
- NFS (Network File System), Secure Content Updating
- nonrepudiation, Cryptography and Web Security
- nonreusable passwords, Use a non-reusable password system.
P
- packet sniffing, Lesson: Defeat packet sniffing.
- packets, Terminology
- pages, Web (see World Wide Web)
- Parekh, Sameer, Downloading and Installing Your Web Server
- passwords, Password-based systems: something that you know, Identity-Based Access Controls
  - nonreusable, Use a non-reusable password system.
  - password file, setting up, Manually Setting Up Web Users and Passwords
  - sniffing, Password Sniffing, Use a system that relies on encryption.
  - spoofing requests for, Spoofing Username/Password Pop-Ups with Java
- patches, Bugs and flaws
- patents, Cryptography and the U.S. Patent System, Public key patents overseas, Patent Law, Cryptography and the U.S. Patent System
- PCT security protocol, PCT
- performance, Window system attacks
  - (see also resources)
  - attacks on (see denial-of-service attacks)
  - block mode computing, The Return of Block Mode
  - C programs, Rules for C
  - monitoring resources, Lesson: Monitor your system.
  - server push and client pull, Animation
  - SSL and, Features, Performance
- Perl programming language
  - Swatch program, Swatch
- Perl, programming guidelines for, Rules for Perl
- Perry, Rick, Implementation Flaws: A Litany of Bugs
- personal computers (see computers)
- personal information, New Lessons from the Credit Card Example, Programs That Violate Privacy and Steal Confidential Information, Personally Identifiable Information, Personally Identifiable Information
  - identification and, X.509 v3 Does Not Allow Selective Disclosure
  - Java applets and, The Java DNS policy dispute
  - unanticipated disclosure of, Unanticipated Disclosure
- PGP (Pretty Good Privacy), Today’s Working Encryption Systems, PGP
  - software signature, Software Resources
- physical tokens, Physical tokens: something that you have
- PICS (Platform for Internet Content Selection), PICS, Censoring the network, The PICS Specification, Requesting a Label From a Rating Service
- piracy of software, Software piracy and the SPA, Access Devices and Copyrighted Software
- Pitney-Bowes Veritas system, Veritas: digital signatures for physical credentials
- PKI (see public keys)
- PKP (Public Key Partners), History of the public key patents
- PKZIP scam, Code Signing and U.S. Export Controls
- plaintext, Terminology, Symmetric Key Algorithms, Cryptanalysis
- Platform for Internet Content Selection (PICS), PICS, Censoring the network
- plug-in modules, Helper Applications, Netscape Plug-Ins, Tactical Plug-In Attacks
- policy, security, Policies
- pornography, Pornography, Indecency, and Obscenity
- portmap service, portmap
- Postal Service, U.S., Are There Better Suited Alternatives to Public Key Digital Signatures?, Server Certificates
- Prakash, Jay, The Web: Promises and Threats
- prevention techniques
  - access restrictions (see access)
  - against eavesdropping, Protection against sniffing
  - anonymizing web servers, Anonymizers
  - applying criminal law, Play it Safe . . ., Play it Safe . . .
  - backups (see backups)
  - cryptography (see cryptography)
  - for denial-of-service attacks, Can Denial-of-Service Attacks Be Stopped?
  - digital watermarking, Securing the User’s Computer
  - disabling cookies, Disabling Cookies
  - encryption (see encryption)
  - evaluating credit card systems, How to Evaluate a Credit Card Payment System
  - evaluating site security, Security Tools, Network scanning programs
  - firewalls, Terminology, Firewalls: Part of the Solution, Locating Your Web Server with Respect to Your Firewall, A wealth of private data
  - for downloading code, Improving the Security of Downloaded Code
  - intrusion detection programs, Intrusion detection programs
  - Java bytecode verifier, Bytecode Verifier
  - logging (see logging)
  - message digests, Uses of Message Digest Functions
  - obtaining trademarks, Obtaining a trademark
  - passwords (see passwords)
  - programming guidelines, Rules To Code By, Rules To Code By
  - risk management, Risk Management
  - server certificates, obtaining, Obtaining a Certificate for Your Server
  - trust (see trust)
- privacy, JavaScript and Privacy, Programs That Violate Privacy and Steal Confidential Information, Privacy, Revealing Disparaging Remarks, Cryptography and Web Security, Publicity and Privacy, Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
  - (see also personal information)
  - cookies to enhance, Cookies That Protect Privacy
  - cryptography for (see cryptography)
  - digital cash systems, Internet-Based Payment Systems, Security and privacy, Security and privacy
  - eTrust program, Personally Identifiable Information
  - identification and, X.509 v3 Does Not Allow Selective Disclosure
  - JavaScript and, JavaScript and Privacy
  - legal issues of, Personally Identifiable Information
- private keys, Using Digital Signatures for Identification, Generating a VeriSign Digital ID, Server Key: To Encrypt or Not To Encrypt?
  - (see also certificates)
  - loaning, How Do You Loan a Key?
- privileges, CGI scripts and, Tips on Writing CGI Scripts That Run with Additional Privileges
- programmed threats, Computer Viruses and Programmed Threats
- programming, Programmability
  - errors (see bugs)
  - guidelines for, Rules To Code By, Rules for the UNIX Shell
  - references for, Programming and System Administration
  - web-based, Web-Based Programming Languages
- programs, Obtaining a Software Publisher’s Certificate
  - (see also software)
  - code signing, Code Signing and Microsoft’s Authenticode, Code Signing and U.S. Export Controls
  - downloading code for, When Good Browsers Go Bad, The Sexy Girls Pornography Viewer
  - that spend money, Programs That Can Spend Your Money, Electronic funds transfers
  - violating privacy, Programs That Violate Privacy and Steal Confidential Information
- proprietary information, Why Worry about Web Security?
- prosecution, dangers of, Hazards of Criminal Prosecution
- proxy servers, Looking at the Logs
- Public Key Partners (PKP), History of the public key patents
- public keys, Using Digital Signatures for Identification, Public Key Infrastructure, The X.509 v3 Certificate, Cryptographic Algorithms and Functions
  - cryptographic algorithms, Public Key Algorithms, Factoring attacks
  - infrastructure of, Public Key Infrastructure, Problems Building a Public Key Infrastructure, Why Do These Questions Matter?, Public Key Infrastructure, Public Key Infrastructure
  - patents on, The public key patents, Public key patents overseas
  - PGP and, PGP
  - X.509 v3 certificates, The X.509 v3 Certificate, The X.509 v3 Certificate, Should legislation endorse the X.509 paradigm?
- publicity, Why Worry about Web Security?, Publicity and Privacy, Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
- publishing attacks, Attacks on Message Digest Functions
- purchasing over Internet, Internet-Based Payment Systems, Mondex
R
- r commands, Minimizing Risk by Minimizing Services
- race conditions, Rules To Code By
- random number generator bug, Implementation Flaws: A Litany of Bugs
- RASC (Recreational Software Advisory Council), RSACi, RSACi
- rating services, PICS Applications, The PICS Specification, Requesting a Label From a Rating Service
  - RSACi, RSACi, RSACi
- RC2, RC5 algorithms, Symmetric Key Algorithms, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
- RC4 algorithm, Symmetric Key Algorithms, Key search (brute force) attacks, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
- rcp program, Secure Content Updating
- rdist program, Secure Content Updating
- Real Mosaic, Web Software Covered by This Book
- record layer, SSL, SSL 3.0 Record Layer
- recovering from attacks, Reconstructing After an Attack, Recovering from an Attack
- Recreational Software Advisory Council (RASC), RSACi, RSACi
- refer links, The Refer Link
- refunds, Refunds and Charge-Backs
- Registry of Motor Vehicles, Massachusetts, The Web: Promises and Threats
- remote content updating, Secure Content Updating, Secure Content Updating
- REMOTE_ variables, Rules for Perl
- renewing certificates, Certificate renewal
- replay attacks, Features
- Resnick, Paul, PICS and Censorship, Access controls become tools for censorship, The PICS Specification
- resources, Denial-of-Service Attacks
  - (see also denial-of-service attacks; performance)
  - attacks on, Denial-of-Service Attacks, Can Denial-of-Service Attacks Be Stopped?, Rules To Code By
  - GUIs and, Window system attacks
  - monitoring, Lesson: Monitor your system.
  - swap space attacks, Swap space attacks
- resources for further reading
  - SSL and TLS, Performance, TLS Standards Activities
- restricting access (see access)
- reverse charge transactions, Refunds and Charge-Backs
- revoking certificates, Revocation, Revoking a Digital ID
- .rhost file, Secure Content Updating
- risk management, New Lessons from the Credit Card Example, Risk Management
  - (see also threats)
- Ritchie, Dennis, Do Denial-of-Service Attacks Matter?
- Rivest, Ronald L., Public Key Algorithms, Message Digest Functions, The public key patents, RC2, RC4, and trade secret law
- routers, Terminology
- RSA
  - Data Security Inc., History of the public key patents
  - encryption algorithms, Symmetric Key Algorithms, RC2, RC4, and trade secret law, RC2, RC4, and trade secret law
  - factoring challenges, Factoring attacks
  - RSA encryption system, Public Key Algorithms, The public key patents
  - Secure/MIME system, S/MIME
- RSA Data Security, Inc., Violating Trade Secrets, The X.509 v3 Certificate, Bootstrapping the PKI
  - (see also VeriSign)
- RSACi rating system, RSACi, RSACi
- runtime system, Java, Java Security Future
S
- S/Key system, Use a non-reusable password system.
- sandbox, Java, Sandbox
- SATAN, Network scanning programs
- SATAN package, SATAN
- scp program, Secure Content Updating
- scripts, breaking, Can’t break a running script
- search warrants, Hazards of Criminal Prosecution, If You or One of Your Employees Is a Target of an Investigation . . .
- secret keys (see private keys)
- Secure Hash Algorithms (SHA, SHA-1), Message Digest Functions
- Secure Internet Programming (SIP) group, Java Security Problems
- Secure Socket Layer (see SSL)
- Secure Telnet, Stel
- Secure/MIME system, S/MIME
- security
  - cryptographic (see cryptography)
  - definition of, Web Security in a Nutshell
  - domestic-grade vs. export-grade, Securing Information in Transit
  - holograms, Forgery-proof IDs
  - Java policy on, Java Security Policy, Setting Java policy from Internet Explorer 4.0
- security holes
  - mailing list for, Bugtraq
- security tools, Security Tools, Network scanning programs
- SecurityManager class (Java), SecurityManager class
- self-signed certificates, The X.509 v3 Certificate
- separate execution contexts, Separate Execution Contexts
- sequence conditions, Rules To Code By
- server-push documents, Animation
- servers, Web Security in a Nutshell, Terminology, Securing the Web Server
  - (see also under specific server name)
  - access to (see access)
  - anonymizing, Anonymizers
  - certificates for, Server Certificates, Adding a New Site Certificate with Internet Explorer
  - client/server model, Terminology
  - downloading/installing, Downloading and Installing Your Web Server
  - extensibility of, Why Worry about Web Security?
  - firewalls (see firewalls)
  - log files, Log Files, Looking at the Logs
  - proxy, Looking at the Logs
  - why they are targets, Why Worry about Web Security?
- services
  - denial-of-service attacks, Securing Information in Transit, JavaScript and Resource Management, Can Denial-of-Service Attacks Be Stopped?
  - minimizing number of, Securing the Web Server, Minimizing Risk by Minimizing Services, Minimizing Risk by Minimizing Services
- SESAME system, Public key patents overseas
- session hijacking, Use a system that relies on encryption.
- session keys, Cryptographic Algorithms and Functions
- SET (Secure Electronic Transaction) protocol, SET, SET, Two channels: one for the merchant, one for the bank
- settlement, Internet-Based Payment Systems
- setuid( ) and setgid( ), Tips on Writing CGI Scripts That Run with Additional Privileges
- sexygirls.com web site, The Sexy Girls Pornography Viewer
- SHA, SHA-1 (Secure Hash Algorithms), Message Digest Functions
- Shamir, Adi, Public Key Algorithms, The public key patents
- shell scripts, Rules for the UNIX Shell
- Shockwave plug-in, When Security Fails: Macromedia Shockwave
- S-HTTP system, S-HTTP
- signcode program, Signing a program
- signing code (see digital signatures)
- SIP (Secure Internet Programming) group, Java Security Problems
- Skipjack encryption algorithm, Cryptography and the U.S. Trade Secret Law
- smart cards, Physical devices for digital signatures, Public key patents overseas, Identity-Based Access Controls, Smart Cards
- SMB (NetBIOS) file sharing, Secure Content Updating
- snapshots, Snapshot tools
- sniffing (see eavesdropping)
- social engineering attacks, Social Engineering, Spoofing Username/Password Pop-Ups with Java
- SOCKS, SOCKS
- software
  - for blocking/censorship, Blocking Software, RSACi
  - custom, Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
  - free, Lesson: Eschew free software.
  - key escrow, Cryptography and U.S. Export Control Law
  - liability (see liability)
  - for monitoring, Monitoring Software, Lesson: Monitor your system.
  - patents, Patent Law, Cryptography and the U.S. Patent System
  - piracy, Software piracy and the SPA, Access Devices and Copyrighted Software
  - publishing, The “Pledge”, Obtaining a Software Publisher’s Certificate
- Software Publishers Association (SPA), Cryptographic Programs and Export Controls
- Software Publishers Association (SPA), Software piracy and the SPA
- SomarSoft, Network scanning programs
- SPA (Software Publishers Association), Software piracy and the SPA, Cryptographic Programs and Export Controls
- Spafford, Gene, What’s a “Secure Web Server” Anyway?
- speed, The Return of Block Mode
  - (see also performance)
  - development, Why Worry about Web Security?
- spoofing, Spoofing Username/Password Pop-Ups with Java, Lesson: Beware of TCP/IP spoofing.
  - forgery-proof identification, Forgery-proof IDs
  - Java and, The Java DNS policy dispute
  - JavaScript and, JavaScript-Enabled Spoofing Attacks, Mirror Worlds
- Spry’s Real Mosaic, Web Software Covered by This Book
- Spyglass Co., Censoring the network
- SSH (secure shell), SSH
- SSH program, SSH
- SSL (Secure Socket Layer), Securing Information in Transit, A Typical Transaction, A Typical Transaction, Server Certificates, Adding a New Site Certificate with Internet Explorer, SSL, What Is SSL?, Performance, The SSL 3.0 Protocol, Application Data
  - browsers and, Browser Preferences, Browser Alerts and Indicators
  - exportability of, U.S. Exportability
  - protocols for, SSL 3.0 Protocols, Handshake Protocol
  - TLS and, TLS Standards Activities
- SSLeay protocol, Public key patents overseas, SSLeay, SSLeay ca.conf file
- SSLeay system, SSLeay
- stack attacks, CPU and stack attacks
- Stahlman, Mark, The Return of Block Mode
- static audits, Snapshot tools
- Stel system, Stel
- storing private keys, Physical devices for digital signatures, Server Key: To Encrypt or Not To Encrypt?
- Strategic Focus, Inc., The Web: Promises and Threats
- stream algorithms, Symmetric Key Algorithms
- strength, cryptographic, Cryptographic Strength
- Stronghold server, Web Software Covered by This Book
- substitution ciphers, Roots of Cryptography
- SUID and SGID privileges, Tips on Writing CGI Scripts That Run with Additional Privileges
- Sun Microsystems, Java
- Superincreasing Knapsack Problem, Algorithmic attacks
- Surety Technologies, Inc., Are There Better Suited Alternatives to Public Key Digital Signatures?
- SurfWatch utility, Censoring the network
- swap space attacks, Swap space attacks
- Swatch program, Swatch
- SymLinksIfOwnerMatch option, Commands Before the <Limit>. . . </Limit> Directive
- symmetric key algorithms, Cryptographic Algorithms and Functions, Systems-based attacks
- SYN flooding, Do Denial-of-Service Attacks Matter?
- systat utility, Minimizing Risk by Minimizing Services
- system administration
  - references on, Programming and System Administration
- systems-based cryptographic attacks, Systems-based attacks
T
- tainting Perl, Rules for Perl
- tax collection, Security and privacy
- TCP/IP (Transmission Control Protocol), Terminology
  - spoofing, Lesson: Beware of TCP/IP spoofing.
  - SYN flooding, Do Denial-of-Service Attacks Matter?
- tcpwrapper system, tcpwrapper
- Telnet service, Locating Your Web Server with Respect to Your Firewall, Minimizing Risk by Minimizing Services
  - Stel system, Stel
- temporary files, Rules for C
- Thawte Consulting, Viewing a Site’s Certificate, Conclusion
- threats, Securing Information in Transit, New Lessons from the Credit Card Example, New Lessons from the Credit Card Example
  - (see also attacks)
  - ActiveX controls, Internet Exploder, Signed Code Can Be Hijacked
  - browsers and, Browser History, Programmability
  - bugs (see bugs)
  - criminal, Criminal Hazards That May Await You, The Responsibility To Report Crime
  - criminal prosecution, Hazards of Criminal Prosecution
  - cryptography shortcomings, What Cryptography Can’t Do, What Cryptography Can’t Do
  - digital certificate failure, When Things Go Wrong, Wrong server address
  - from downloading (see downloading)
  - eavesdropping, Securing Information in Transit
  - helper applications and, Helper Applications, Helper Applications
  - inability to break running scripts, Can’t break a running script
  - Java (see Java)
  - JavaScript (see JavaScript)
  - mailing list for, RISKS
  - mirror worlds, Mirror Worlds
  - plug-ins, Evaluating Plug-In Security
  - programmed, Computer Viruses and Programmed Threats
  - programs that spend money, Programs That Can Spend Your Money, Electronic funds transfers
  - public key infrastructure, Problems Building a Public Key Infrastructure, Why Do These Questions Matter?
  - race conditions, Rules To Code By
  - risk management, Risk Management
  - spoofing (see spoofing)
  - SUID and SGID privileges, Tips on Writing CGI Scripts That Run with Additional Privileges
  - trademark violation, Trademark violations
  - unanticipated disclosure, Unanticipated Disclosure
- Tiger, Tiger
- Tiger utility, Snapshot tools
- Time Warner, Java
- timeouts, Rules To Code By
- timestamping, Are There Better Suited Alternatives to Public Key Digital Signatures?
- TIS Internet Firewall Toolkit (FWTK), TIS Internet Firewall Toolkit
- TLS (Transport Layer Security), TLS Standards Activities
- token-based authentication, Use a token-based authentication system.
- tokens, Physical tokens: something that you have
- torts, Torts, Incorporation
- tracing, ActiveX controls, Support for Authenticode in Internet Explorer
- tracking with cookies, Cookies for Tracking
- trade secrets, Violating Trade Secrets, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
  - (see also intellectual property)
- trademarks, Trademark Law, Trademark violations
  - domain names, Trademarks and domain names
- transactions, online (see commerce)
- Transmission Control Protocol (see TCP)
- Transport Layer Security (TLS), TLS Standards Activities
- transposition ciphers, Roots of Cryptography
- trimlog, trimlog
- Triple-DES algorithm, Symmetric Key Algorithms
- Tripwire package, Tripwire
- Trojan horses, Terminology
- trust
  - certification authorities, Certification Authorities
  - credentials, Credentials-Based Identification Systems
  - credit, Charga-Plates, Diners Club, and Credit Cards
  - domains, Spoofing Browser Status with JavaScript
  - eTrust program, Personally Identifiable Information
  - helper applications, Helper Applications
  - hijacked ActiveX controls, Signed Code Can Be Hijacked
  - impersonation (see spoofing)
  - Java applets, Spoofing Username/Password Pop-Ups with Java
  - operating system, Telephone billing records
  - PGP’s web of, PGP
  - plug-ins and, Evaluating Plug-In Security
  - vendors, Trusted Vendors
U
- UDP (User Datagram Protocol), Terminology, UDP Packet Relayer
  - packet relayer, UDP Packet Relayer
- unauthorized use (see access)
- United States, Public key patents overseas
  - (see also international law)
  - Air Force, Preface
  - Department of Justice, Preface
  - exportation controls, Securing Information in Transit, Code Signing and U.S. Export Controls, Cryptography and U.S. Export Control Law, Cryptography and U.S. Export Control Law, U.S. Exportability, Cryptographic Programs and Export Controls
  - federal computer crime laws, Federal Computer Crime Laws
  - federal jurisdiction, Federal jurisdiction
  - Naval Research Lab, Implementation Flaws: A Litany of Bugs
  - Patent and Trademark Office, Cryptography and the U.S. Patent System
  - patents (see patents)
  - payment cards in, Payment Cards in the United States
  - Postal Service, Are There Better Suited Alternatives to Public Key Digital Signatures?, Server Certificates
  - trade secret laws, Cryptography and the U.S. Trade Secret Law, RC2, RC4, and trade secret law
- UNIX
  - encryption programs for, Today’s Working Encryption Systems, PGP
  - programming references, Programming and System Administration
  - shell scripts, Rules for the UNIX Shell
- unspoofable areas, Spoofing Browser Status with JavaScript
- updating content securely, Secure Content Updating, Secure Content Updating
- URLs (uniform resource locators)
  - hidden, Hidden URLs
  - mirror worlds, Mirror Worlds
- U.S. (see United States)
- Usenet, Usenet Groups
- User Datagram Protocol (see UDP)
- users
  - access based on, Identity-Based Access Controls
  - anonymity of (see anonymity)
  - asking for information/action, Social Engineering, Spoofing Username/Password Pop-Ups with Java
  - authenticating, Manually Setting Up Web Users and Passwords
  - biometric identification systems, Biometrics: something that you are
  - checking values from, Rules To Code By
  - computers of, Securing the User’s Computer
  - cookies for, Cookies That Protect Privacy
  - denial-of-service attacks on, Do Denial-of-Service Attacks Matter?
  - identification, Identification, Veritas: digital signatures for physical credentials
  - information on (see personal information)
  - managing, A Simple User Management System, The newuser Script
  - spoofing/impersonating (see spoofing)
- Utah Digital Signature Act, Is licensing of certification authorities the right approach?
V
- validation (see verification)
- VC-I video encryption algorithm, Systems-based attacks
- Venema, Wietse, Network scanning programs
- Vento, Bruce F., Personally Identifiable Information
- verification, The charge card check digit algorithm
  - (see also authentication)
  - Authenticode for (see Authenticode)
  - Authenticode signatures, Verifying Authenticode Signatures
  - credit card check digit, The charge card check digit algorithm
  - Java bytecode, Bytecode Verifier
  - user input, Rules To Code By
- VeriSign, The X.509 v3 Certificate, Bootstrapping the PKI, The SSL Certificate Format, A Tour of the VeriSign Digital ID Center, VeriSign’s Class System
  - (see also RSA Data Security, Inc.)
  - installing certificate, Installing Your VeriSign Certificate, Installing Your VeriSign Certificate
  - software publishing and, The “Pledge”, Obtaining a Software Publisher’s Certificate
- Veritas system, Veritas: digital signatures for physical credentials
- versions, SSL, SSL Versions
- viewing certificates, Viewing a Site’s Certificate
- virtual machine, Java (JVM), Java the Language
- Virtual PIN system, Virtual PIN, Security and privacy
- viruses, Terminology, Signed Code is Not Safe Code
  - references on, Computer Viruses and Programmed Threats
W
- Wagner, David, Implementation Flaws: A Litany of Bugs
- Wallach, Dan S., Implementation Flaws: A Litany of Bugs, Java Security Problems
- WANs (wide area networks), Terminology
- warez sites, Warez
- Web (see World Wide Web)
- web of trust, PGP
- WebSite Pro server, Web Software Covered by This Book
- WebStar Pro server, Web Software Covered by This Book
- wide area networks (see WANs)
- Windows NT mailing list, NT-security
- windows, attacks on, Window system attacks
- World Wide Web, Web Security in a Nutshell, Terminology, Java
  - (see also Java; JavaScript)
  - blocking/censorship software for, Blocking Software, RSACi
  - browsers (see browsers, web)
  - cookies, Cookies, Cookies That Protect Privacy
  - downloading from, Helper Applications
  - mirror worlds, Mirror Worlds
  - page history mechanism, JavaScript and Privacy
  - refer links, The Refer Link
  - servers (see servers)
  - viewing site’s certificate, Viewing a Site’s Certificate
- World Wide Web (WWW)
  - references on, WWW Pages
  - security mailing list, WWW-security
- worms, Terminology
- writing programs (see programming, guidelines for)
- wuarchive FTP daemon, wuarchive ftpd