WWW Security

Secure WWW Transactions: Client/Server Solutions

SHTTP - Secure HyperText Transfer Protocol :

• The Secure HyperText Transfer Protocol (Internet Draft)
• cyphernet (SSL v3.0 specification SSLeay & SSLapps FAQ SSLP Project SHTTP S/KEY SSH FAQs on sniffers, anonymous FTP & intruder-detection in UNIX FAQ on Firewalls SESAME MOSS Decense Kerberos )

SSL - Secure Sockets Layer:

• SSL OverView
• SSL-Talk FAQ contains useful SSL-related information.
• NETSCAPE SSLREF
• Index of /pub/Crypto/SSLapps
• Index of /pub/internet/security/ssl/SSL
• SSLeay and SSLapps FAQ
• Brute force SSL cracking page

Other:

• Shen: A Security Scheme for the World Wide Web
• OPIE - One-time Passwords In Everything

NCSA WebServer Security:

• Access control and user authentication
• Setting up a secure server
• Setting up a chroot server
• NCSA HTTPd 1.6 Beta -- a security-enhanced server

Security Information:

Authentication:

• SKey - S/Key generated one time passwords to gain authenticated access to computer hosts. Availability: anonymous ftp at thumper.bellcore.com or coast.cs.purdue.edu
• MD5 - MD5 is a hash function using to the authenticity of a file. Info: RFC 1544, www.rsa.com
• RFC 1704: Internet Authentication (Eunet)
• How to set up protection in the CERN Daemon.
• A Distributed Authorization Model for WWW by Jose Kahan (INET'95).

WWW General:

• Request for Comments: 2196 - This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of this handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.
• WWW Security FAQ (Lincoln Stein)
• SunWorld's Web server security + Security

CGI General :

• sbox is a CGI wrapper script that allows Web site hosting services to safely grant CGI authoring privileges to untrusted clients. In addition to changing the process privileges of client scripts to match their owners, it goes beyond other wrappers by placing configurable ceilings on script resource usage, avoiding unintentional (as well as intentional) denial of service attacks. It also optionally allows the Webmaster to place client's CGI scripts in a chroot'ed shell restricted to the author's home directories.
• NCSA's tips for Writing Secure CGI Scripts
• Writing safe CGI scripts -- an overview (Paul Phillips)
• CGI Security Tutorial (Michael Van Biesbrouck)
• CGI-Wrap - Secure User Access to CGI's with httpd - CGIwrap allows more secure user access to CGI's on NCSA, Cern, Apache, and NetSite web servers.
• CGI security FAQ -
• Using CGI at UMR - cgiwrap package to allow any user to run his/her cgi's in secure way
• World Wide Web Security - This document indexes information on security for the World Wide Web, HTTP, HTML, and related software/protocols. It is maintained by Rutgers University Network Services www-security team.
• The World Wide Web Security FAQ

Java:

• Applet Security - FAQ

Perl:

• Latro, a tool for identifying insecure Perl CGI installations, by Tom Christiansen
• Perl Security Announcements

Web Commerce Sollutions:

• CyberCash-Free Wallet
• Digicash
• First Virtual
• Electronic Commerce from Sirene's Pointers
• iWorld's Guide to Electronic Commerce
• W3C Electronic Payments

Books:

• A great list of books with cover images and links tho their publishers (by CGI consult)