Security Technologies for the World Wide Web -- Contents vii -- Preface xv -- Acknowledgments xxiii -- Chapter 1 Introduction 1 -- 1.1 Internet 1 -- 1.2 WWW 5 -- 1.3 Vulnerabilities, threats, and countermeasures 8 -- 1.4 Generic security model 10 -- References 17 -- Chapter 2 HTTP Security 21 -- 2.1 HTTP 21 -- 2.2 User authentication, authorization, and access control 26 -- 2.3 Basic authentication 29 -- 2.4 Digest access authentication 34 -- 2.5 Certificate-based authentication 41 -- 2.6 Server configuration 42 -- 2.7 Conclusions 46 -- References 48 -- Chapter 3 Proxy Servers and Firewalls 49 -- 3.1 Introduction 49 -- 3.2 Static packet filtering 54 -- 3.3 Dynamic packet filtering or stateful inspection 57 -- 3.4 Circuit-level gateways 58 -- 3.5 Application-level gateways 64 -- 3.6 Firewall configurations 68 -- 3.7 Network address translation 74 -- 3.8 Configuring the browser 76 -- 3.9 Conclusions 80 -- References 83 -- Chapter 4 Cryptographic Techniques 87 -- 4.1 Introduction 87 -- 4.2 Cryptographic hash functions 90 -- 4.3 Secret key cryptography 92 -- 4.4 Public key cryptography 96 -- 4.5 Digital envelopes 103 -- 4.6 Protection of cryptographic keys 105 -- 4.7 Generation of pseudorandom bit sequences 107 -- 4.8 Legal issues 107 -- 4.9 Notation 111 -- References 113 -- Chapter 5 Internet Security Protocols 117 -- 5.1 Introduction 117 -- 5.2 Network access layer security protocols 118 -- 5.3 Internet layer security protocols 125 -- 5.4 Transport layer security protocols 143 -- 5.5 Application layer security protocols 143 -- 5.6 Conclusions 146 -- References 148 -- Chapter 6 SSL and TLS Protocols 153 -- 6.1 SSL Protocol 153 -- 6.2 TLS Protocol 171 -- 6.3 SSL and TLS certificates 175 -- 6.4 Firewall traversal 178 -- 6.5 Conclusions 182 -- References 183 -- Chapter 7 Certificate Management and Public Key Infrastructures 185 -- 7.1 Introduction 185.

7.2 Public key certificates 187 -- 7.3 IETF PKIX WG 193 -- 7.4 Certificate revocation 196 -- 7.5 Certificates for the WWW 201 -- 7.6 Conclusions 207 -- References 210 -- Chapter 8 Authentication and Authorization Infrastructures 213 -- 8.1 Introduction 213 -- 8.2 Microsoft .NET Passport 216 -- 8.3 Kerberos-based AAIs 231 -- 8.4 PKI-based AAIs 241 -- 8.5 Conclusions 245 -- References 245 -- Chapter 9 Electronic Payment Systems 249 -- 9.1 Introduction 249 -- 9.2 Electronic cash systems 255 -- 9.3 Electronic checks 257 -- 9.4 Electronic credit-card payments 259 -- 9.5 Micropayment systems 261 -- 9.6 Conclusions 262 -- References 264 -- Chapter 10 Client-side Security 267 -- 10.1 Introduction 267 -- 10.2 Binary mail attachments 271 -- 10.3 Helper applications and plug-ins 272 -- 10.4 Scripting languages 275 -- 10.5 Java applets 278 -- 10.6 ActiveX controls 283 -- 10.7 Security zones 288 -- 10.8 Implications for firewalls 291 -- 10.9 Conclusions 293 -- References 294 -- Chapter 11 Server-side Security 297 -- 11.1 Introduction 298 -- 11.2 CGI 300 -- 11.3 Server APIs 309 -- 11.4 FastCGI 310 -- 11.5 Server-side includes 311 -- 11.6 ASP 312 -- 11.7 JSP 313 -- 11.8 Conclusions 314 -- References 314 -- Chapter 12 Privacy Protection and Anonymity Services 317 -- 12.1 Introduction 317 -- 12.2 Early work 321 -- 12.3 Cookies 324 -- 12.4 Anonymous browsing 328 -- 12.5 Anonymous publishing 336 -- 12.6 Voluntary privacy standards 341 -- 12.7 Conclusions 343 -- References 344 -- Chapter 13 Intellectual Property Protection 347 -- 13.1 Introduction 347 -- 13.2 Usage control 349 -- 13.3 Digital copyright labeling 351 -- 13.4 Digital Millinium Copyright Act 356 -- 13.5 Conclusions 357 -- References 358 -- Chapter 14 Censorship on the WWW 359 -- 14.1 Introduction 359 -- 14.2 Content blocking 360 -- 14.3 Content rating and self-determination 365 -- 14.4 Conclusions 371.

References 373 -- Chapter 15 Risk Management 375 -- 15.1 Introduction 375 -- 15.2 Formal risk analysis 378 -- 15.3 Alternative approaches and technologies 379 -- 15.4 Conclusions 382 -- References 383 -- Chapter 16 Conclusions and Outlook 385 -- Abbreviations and Acronyms 389 -- About the Author 403 -- Index 405.