Introduction

Web security is a complex topic, encompassing computer system security, network security, authentication services, message validation, personal privacy issues, and cryptography. This page contains links to various aspects of Web and Internet security.

Overview: The World Wide Web Security FAQ

The World Wide Web Security FAQ (Frequently Asked Questions with answers) provides an overview of Web security issues, security hole alerts, and practical advice for avoiding unpleasant surprises. It is recommended as a starting point for exploration.

Security Initiatives at the W3C

The W3C is involved in the development of several protocols that relate to Web security. Presently, the main areas of work is on the signed-XML proposed activity. Other related activities include the HTTP/1.1 protocol and eCommerce. The W3C also produces software reference implementations that demonstrate the use of security measures.

Digital Signatures

1. The IETF/W3C have created a joint working group to address XML Signatures.
2. The Digital Signature Initiative released a PICS Signed Labels 1.0 Recommendation on 27-May-1998. This specification permits digital signatures to be associated with PICS labels (a Web annotation system.)

HTTP/1.1

The HTTP/1.1 protocol includes a much improved scheme for authenticating the identity of users known as Digest Authentication.

Electronic Commerce Initiatives

The W3C is involved in several initiatives in the realm of electronic commerce and secure payments. More information can be found in the Electronic Commerce Interest Group pages.

Reference Implementations

The W3C has implemented Jigsaw, an HTTP/1.1-compliant Web server written entirely in Java. The source code illustrates the implementation of HTTP authentication protocols in general, and Digest Authentication in particular.

Other Security Links

Protocols and Standards

• The HTTP/1.0 Basic authentication scheme.
• HTTP/1.1 Digest Authentication.
• Secure Sockets Layer (SSL) pages.
• TLS specification (IETF protocol based on SSL)
• A Distributed Authorization Model for WWW by Jose Kahan (INET'95).
• An introduction to Shen.
• The Web Transaction Security Working Group's Requirementes for Web Transaction Security
• Generic Security Service(GSS) API for WWW transactions
• Microsoft's Private Communication Technology(PCT) protocol.

Electronic Commerce

• The Secure Electronic Transactions (SET) protocol.
• The CyberCash system.
• The DigiCash system.
• The Millicent system.

Cryptography

• Ron Rivest's large compilation of links.
• The Crypto*Log Internet cryptography page.
• Bruce Schneier's Cryptography Hotlinks

General Sources for Internet Security

• Netscape's security pages.
• Microsoft's security pages.
• Netsurfer Focus on computer and network security.
• Yahoo's security links.
• EINet's general security page.
• COAST: Computer Operations, Audit and Security Technology (at Purdue University)
• Gene Spafford's Computer Security, Law & Privacy hotlist.
• UNIX Computer Security Checklist and the Intruder Detection Checklist compiled by the Australian CERT.
• NIST Computer Security Resource Clearinghouse and Federal Information Processing Standards -- includes DSS, DES.
• Bugtraq Archives for Unix security vulnerabilites.
• Computer Security Technology Center's Computer and Network Security Resources.