Online References

This is a complete list of all URLs referenced in the book, gathered together as a convenience to readers.

1. What is Web Security?
2. Basic Cryptography
3. SSL, SET and Digital Payment Systems
4. Using SSL
5. Active Content
6. Web Privacy
7. Server Security
8. UNIX Web Servers
9. Windows NT Web Servers
10. Access Control
11. Encryption and Certificate-Based Access Control
12. Safe CGI Scripting
13. Remote Authoring and Administration
14. Web Servers and Firewalls

Chapter 1: What is Web Security?

The World Wide Web Security FAQ
The on-line version of this book.
http://www.w3c.org/Security/faq/

The WWW Consortium security pages
A good survey of security standards-making activity by the W3C and others.
http://www.w3c.org/Security/

The NCSA Web security pages - now defunct. (noted 2/10/98)
http://hoohoo.ncsa.uiuc.edu/security/

The Digicrime Web Site
Many pointers to computer security information, plus examples of hostile applets and other exploits.
http://www.digicrime.com/

Netscape's Security Pages
A good overview of technological fixes lightly slanted to one company's products.
http://home.netscape.com/info/security-doc.html

Yahoo security pages
Links to public and commercial Web sites dealing with Web security.
http://www.yahoo.com/Computers_and_Internet/Security_and_Encryption/

Chapter 2: Basic Cryptography

The Cryptography Source Pages
Links to cryptography information
http://www.cs.hut.fi/crypto/

Ray Kopsa's Shortcut to Cryptography
More links
http://www.subject.com/crypto/crypto.html

The Cryptography FAQ (list of frequently asked questions with answers)
ftp://rtfm.mit.edu/pub/usenet-by-group/sci.crypt/

RSA Data Security
http://www.rsa.com/

Netscape's Cryptography Pages
http://www.netscape.com/newsref/ref/rsa.html

Microsoft's Cryptography Pages
http://www.microsoft.com/workshop/prog/security/pkcb/crypt1.htm

A long list of cryptography-enhanced software products
http://www.semper.org/sirene/people/gerrit/secprod.html

Information on the DES "Cracking"
http://www.frii.com/~rcv/deschall.htm

Information on other brute-force key cracking attempts
http://www.cl.cam.ac.uk/brute/

Chapter 3: SSL, SET and Digital Payment Systems

SSL Protocol
http://home.netscape.com/newsref/std/SSL.html
http://home.netscape.com/newsref/ref/internet-security.html

TLS Protocol
http://www.consensus.com/ietf-tls/

IPv6 Specification
http://www.globecom.net/(nocl,sv)/ietf/rfc/rfc1883.shtml

IPv6 Security Contrasted with SSL's
http://www.seas.gwu.edu/student/reto/ipv6/index.htm

SET Specification
http://www.visa.com/cgi-bin/vee/sf/standard.html

SET and Banking Regulations
A nice discussion of the legal issues that SET is designed to solve. Now defunct (noted 2/10/98).
http://www.citynet.net/personal/till/set1.htm

Microsoft Wallet
http://www.microsoft.com/commerce/wallet/

Netscape Commerce Server
http://www.netscape.com/

Microsoft Merchant
http://www.microsoft.com/merchant/

First Virtual
http://www.fv.com/

CyberCash
http://www.cybercash.com

DigiCash
http://www.digicash.nl/

Millicent
http://www.millicent.digital.com/

Chapter 4: Using SSL

VeriSign
http://www.verisign.com/

Safe Passage
http://www.c2.net/ (U.S. and Canada)
http://www.stronghold.ukweb.com/ (overseas)

PGP
http://www.pgp.com/

RSA Data Security's listing of S/MIME e-mail software
http://www.rsa.com/rsa/S-MIME/

Simple Perl-based packet sniffer
http://www.genome.wi.mit.edu/~lstein/talks/WWW6/sniffer/

Tcpdump & libpcap (both required for sniffer)
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
ftp://ftp.ee.lbl.gov/libpcap.tar.Z

Chapter 5: Active Content

Internet Scams
The Electronic Scams Page
http://www.rcmp-grc.gc.ca/html/scams.htm

Java Applets
Sun's Documentation and White Papers
http://www.javasoft.com/

Java Security FAQ
http://java.sun.com/sfaq/

Edward Felten's Pages on Java Security
http://www.cs.princeton.edu/sip

Netscape's description of signed Java applets
http://developer.netscape.com/software/signedobj/index.html

ActiveX Controls and Authenticode
Microsoft's Authenticode page
http://www.microsoft.com/INTDEV/security/misf8.htm

The World Wide Web Consortium's Digital Signature initiative
http://www.w3.org/pub/WWW/Security/DSig/Overview.html

VeriSign's Software Publishers' Certificates Pages
http://digitalid.verisign.com/software_publishers.html

Microsoft's ActiveX Gallery
http://www.microsoft.com/gallery/default.asp

Microsoft's ActiveX Development Pages
http://www.microsoft.com/activex/

Virus Checkers
McAfee VirusScan
http://www.mcafee.com/

Symantec AntiVirus
http://www.symantec.com/

Norton AntiVirus
http://www.symantec.com/

Virex
http://www.datawatch.com/virex.shtml

IBM AntiVirus
http://www.av.ibm.com/

Dr. Solomon's Anti-Virus
http://www.drsolomon.com/

Security Holes in Microsoft Internet Explorer
Description of how LAN passwords can be intercepted in NT versions
http://www.ee.washington.edu/computing/iebug

A similar hole in Windows 95 versions
http://www.security.org.il/msnetbreak/

A similar hole that works across firewalls
http://www.efsl.com/security/ntie/

Description of the "shortcut" bug
http://www.cybersnot.com/iebug.html

The Unofficial Microsoft Internet Explorer Security FAQ
http://www.teleport.com/~hindu/iesf.html

Browser Security Pages and Alerts
Microsoft Security Advisor
http://www.microsoft.com/security/

Netscape Security
http://home.netscape.com/info/security-doc.html

Chapter 6: Web Privacy

Cookies
Netscape Cookie Specification
http://cgi.netscape.com/newsref/std/cookie_spec.html

HTTP/1.1 State Management Specification
http://www.ics.uci.edu/pub/ietf/http/rfc2109.txt

NSClean, IEClean
http://www.nsclean.com/

Anonymizing Proxies
Internet Junkbuster Proxy (Unix)
http://internet.junkbuster.com/

InterMute (Windows, Macintosh, Unix)
http://www.intermute.com/

The Anonymizer
http://www.anonymizer.com/

Anonymous Remailers
A good list of remailers and information on using them
http://www.stack.nl/~galactus/remailers/

A comprehensive, but cryptic list of remailers
http://www.cs.berkeley.edu/~raph/remailer-list.html

Information on anonymizing mail and news gateways
http://students.cs.byu.edu/~don/mail2news.html

A "full service" provider of anonymizing services
http://www.cyberpass.net/

Electronic Privacy Resources
The Electronic Frontier Foundation
http://www.eff.org/

Electronic Privacy Information Center (EPIC)
http://www.epic.org/

Center for Democracy and Technology
http://www.cdt.org/

Web Privacy Policy Initiatives
W3C Platform for Privacy Preferences (P3) Project
http://www.w3.org/Privacy/

Open Profiling Standard (OPS) Proposal
http://www.w3.org/Submission/1997/6/Overview.html

TRUSTe Project
http://www.truste.org/

PICS
PICS Home Page
http://www.w3.org/pub/WWW/PICS/

Recreational Software Advisory Committee (RSAC)
http://www.rsac.org/

SafeSurf
http://www.safesurf.com/

The Parental Control FAQ
http://www.vtw.org/

Listings of PICS filtering software
http://www.microsys.com/pics/software.htm
http://www.n2h2.com/pics/proxy_servers.html

Chapter 7: Server Security

Operating System Security Information and Alerts
CERT (Computer Emergency Response Team) Coordination Center
This is a part of the Software Engineering Institute at Carnegie Mellon University. To subscribe to its security advisory mailing list send an e-mail message to cert-advisory-request@cert.org with a subject line of "SUBSCRIBE your-email-address".
Advisories are also published in the Usenet newsgroup comp.security.announce, and archived at ftp://info.cert.org/pub/

Linux-alert
This is a moderated mailing list run by the RedHat company that carries alerts specific to the Linux operating system. Many of the alerts that appear here are applicable to other Unix dialects. Subscribe to it by e-mailing a letter to linux-alert-request@RedHat.com with a subject line of "subscribe".
Archives of the mailing list can be found at http://www.redhat.com/linux-info/security/linux-alert/.

Bugtraq
This is an unmoderated mailing list devoted to finding, exploiting, and fixing Unix security holes. Note that the information on unmoderated lists should always be treated with some caution: the poster may be misinformed. To subscribe, send e-mail to bugtraq-request@fc.net with a message body of "subscribe bugtraq".
An unofficial archive of the mailing list can be found at http://www.geek-girl.com/bugtraq/archives.html

NTBugtraq
This is similar to Bugtraq, but devoted to Windows NT security issues. To subscribe, send e-mail to listserv@listserv.ntbugtraq.com with a message body of "SUB NTBUGTRAQ your name". Use your full name, not your e-mail address.
An online archive is available at http://ntbugtraq.ntadvice.com/archives/

NT Security Mailing List
This mailing list is devoted to security issues in Windows NT. To subscribe, send mail to majordomo@iss.net with a message body of "subscribe ntsecurity your e-mail address".
An archive is available at http://www.iss.net/lists

RISKS forum
This is a moderated forum for the discussion of risks to society from computer systems. It is distributed as a weekly posting to the Usenet group comp.risks. Archived postings are available at ftp://crvax.sri.com/risks/

Forum of Incident and Response Security Teams (FIRST)
FIRST is a coalition of computer emergency response teams from over 50 software vendors, academic and government organizations. From its Web site you can find pointers to security-related information about your system, or information about whom to contact if you think you have a problem.

Hardened Web Servers
WebCompare Web Server Comparison Site
http://www.webcompare.com/

HP VirtualVault Web Server
http://hpcc995.external.hp.com/gsy/security/virvault/

John Frank's WN Web Server
http://hopf.math.nwu.edu/docs/security.html

WebSTAR WebServer
Not exactly hardened, but very hard to break into.
http://www.starnine.com/

Chapter 8: UNIX Web Servers

System Configuration Tools
COPS (system configuration checker)
ftp://ftp.cert.org/pub/tools/cops/

TAMU (another system configuration checker)
ftp://net.tamu.edu/pub/security/TAMU/

SATAN (network based security checker)
ftp://ftp.win.tue.nl/pub/security/satan.tar.Z
http://www.cs.purdue.edu/coast/satan.html

Internet Security Scanner (ISS)
ftp://coast.cs.purdue.edu/pub/tools/unix/iss/ (freeware version)
http://www.iss.net/ (commercial version)

Integrity Checkers
md5sum
ftp://prep.ai.mit.edu/pub/gnu/

Tripwire file modification checker
ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/

Log File Analyzers
Swatch Unix logfile analyzer
ftp://sierra.stanford.edu/pub/sources/swatch-2.1.tar.gz

Comprehensive List of Web Log Analyzers
http://www.uu.se/Software/Analyzers/

Analog
http://www.statslab.cam.ac.uk/~sret1/analog/

wusage
http://www.boutell.com/wusage/

wwwstat
http://www.ics.uci.edu/pub/websoft/wwwstat/

Site Tracker
http://www.tuckinfo.com/

net.Analysis
http://www.netgen.com/

Miscellaneous
John Haugh's Shadow Password Suite
ftp://ftp.sunsite.unc.edu/pub/Linux/system/Admin/shadow-960129.tar.gz

Chapter 9: Windows NT Web Servers

NT Configuration
NT Security Alerts
http://www.microsoft.com/security/

Microsoft's Secure NT Installation recommendations
http://www.microsoft.com/security/guidesecnt.htm

Microsoft NT Server Support Pages
http://www.microsoft.com/ntserversupport/

NT Service Packs and "hot fixes"
ftp://ftp.microsoft.com/bussys/winnt-public/fixes/usa/nt4/

Security Scanners
Internet Security Systems Internet Security Scanner (ISS)
http://www.iss.net/ (commercial version)

Midwestern Commerce Administrator Assistant Toolkit
http://www.ntsecurity.com/

Secure Computing NT Security Scanner
http://www.lanwan.fi/turva/nt/ntscan.html

Log Analyzers
SeNTry
http://www.ntsoftdist.com/sentry.htm

DumpEvt
http://somarsoft.com/

SeNTry ELM
http://www.serverware.com

Hit List
http://www.marketwave.com/

WebTrends
http://www.webtrends.com

IIS Assistant
http://www.go-iis.com/

Chapter 10: Access Control

Access Control
user_manage Administrative Tool for Apache
http://www.genome.wi.mit.edu/~lstein/user_manage/

Perl MD5 Module
http://www.perl.com/CPAN/modules/by-module/

DCE and the Web
http://www.osf.org/tech/dce/
http://octavia.anu.edu.au/~markus/DCE-WEB/papers/Conf_94.html

Web Robots
The Robots Page
http://info.webcrawler.com/mak/projects/robots/robots.html

Chapter 11: Encryption and Certificate-Based Access Control

SSL
WebCompare server comparison pages
http://www.webcompare.com/

SSLEay and Apache-SSL
ftp://ftp.psy.uq.oz.au/pub/Crypto/

Stronghold Web Server
http://www.c2.net/ (U.S. and Canada)
http://www.stronghold.ukweb.com/ (overseas)

Jigsaw Web Server
http://www.w3.org/

Certifying Authorities & CA Products
VeriSign CA
http://www.verisign.com/

Entrust WebCA
http://www.entrust.com/

GTE CyberTrust
http://www.cybertrust.gte.com/

XCert Sentry
http://www.xcert.com/

Thawte Consulting CA
http://www.thawte.com

EuroSign CA
http://eurosign.com

COST CA
http://www.cost.se

BiNARY SuRGEONS CA
http://www.surgeons.co.za/certificate.html

Keywitness CA
http://www.keywitness.ca

SoftForum CA
http://www.softforum.co.kr/

CompuSource CA
http://www.compusource.co.za/

Frontier Technologies eLock
http://www.frontiertech.com/Products/e-Lock/

SSLEay
ftp://ftp.psy.uq.oz.au/pub/Crypto/

Other Information
Tips on Creating a Certifying Authority with SSLEay
http://www.psy.uq.edu.au:8080/~ftp/Crypto/

Netscape certificate request protocol
http://www.netscape.com/eng/security/certs.html

Netscape <KEYGEN> Tag
http://www2.netscape.com/eng/security/ca-interface.html

Chapter 12: Safe CGI Scripting

Latro security hole scanner
http://www.perl.com/perl/news/latro-announce.html

php language
http://www.vex.net/php/

CGI.pm, CGI::Carp (Perl CGI modules)
These are also part of the standard Perl 5.004 distribution.
http://www.genome.wi.mit.edu/ftp/pub/software/WWW/

Cookie specification
http://cgi.netscape.com/newsref/std/cookie_spec.html

cgic CGI Library for C
http://www.boutell.com/cgic/

C++ CGI library
http://sweetbay.will.uiuc.edu/cgi%2b%2b/

LWP Library for Perl
http://www.perl.com/CPAN/modules/by-module/LWP/

CGIWrap
Wrap CGI scripts to make them safer
http://www.umr.edu/~cgiwrap/

sbox CGI
Box and wrap CGI scripts to make them even safer
http://www.genome.wi.mit.edu/~lstein/sbox/

Chapter 13: Remote Authoring and Administration

Remote Control for Windows NT
pcANYWHERE
http://www.symantec.com/

WinFrame
http://www.citrix.com/

WinDD
http://www.tek.com/Network_Computers/Products/WinDD.html

NTrigue
http://www.ntrigue.com/

WinCenter
http://www.ncd.com/pwin/pwin.html

Unix Network Access Control
Wietse Venema's TCP Wrapper Suite
ftp://ftp.win.tue.nl/pub/security/

Secure Shell
http://www.cs.hut.fi/ssh/ (Unix freeware version)
http://www.datafellows.com/f-secure/ (Windows & Macintosh versions)

SSL-Based Telnet
ftp://ftp.psy.uq.oz.au/pub/Crypto/

Stel
ftp://ftp.dsi.umin.it/

One-Time Password Systems
S/Key
ftp://thumper.bellcore.com/pub/nmh/skey/

SECURID
Security Dynamics, One Alewife Center, Cambridge MA 02140,
Tel: (617) 547-7820
Fax: (617) 354-8836

SecureNet
Digital Pathways, 201 Ravendale Drive, Mountain View, CA 94043
Tel: (415) 964-0707
Tel: (415) 961-7487

Network File Copying
ncftp batch FTP client
ftp://ftp.probe.net/pub/ncftp/

mirror, gmirror, pmirror, etc.
ftp://ftp.sunsite.unc.edu/pub/Linux/system/file-transfer/

rdist
ftp://usc.edu/pub/rdist/rdist.tar.gz

rsync
ftp://samba.anu.edu.au/pub/rsync/

afio
ftp://sunsite.unc.edu/pub/Linux/system/Backup/

cpio
ftp://prep.ai.mit.edu/pub/gnu/

Chapter 14: Web Servers and Firewalls

Firewall Products
Trusted Information Systems Firewall Toolkit
ftp://ftp.tis.com/pub/firewalls/toolkit/

SOCKS Proxy
ftp://ftp.nec.com/pub/socks/

AltaVista Firewall
http://www.software.digital.com/

BorderWare Firewall
http://www.sctc.com/

CyberGuard Firewall
http://www.cyberguardcorp.com/

Eagle Firewall
http://www.raptor.com/

Firewall-1
http://www.checkpoint.com/

Gauntlet Firewall
http://www.tis.com/

ON Guard Firewall
http://www.on.com/

Miscellaneous Documentation
Automatic proxy configuration for Netscape and Microsoft browsers
http://search.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

The Firewalls Mailing List
Subscribe by sending e-mail to majordomo@greatcircle.com with a message body of "subscribe firewalls".
An online archive of the list, along with a number of papers and other firewall resources, can be found at http://www.greatcircle.com/firewalls/.