Security Technologies for the World Wide Web
For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL: />
Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.
Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor
Computer Forensics and Privacy, Michael A. Caloyannides
Demystifying the IPsec Puzzle, Sheila Frankel
Developing Secure Distributed Systems with CORBA, Ulrich Lang and Rudolf Schreiner
Implementing Electronic Card Payment Systems, Cristian Radu
Implementing Security for ATM Networks, Thomas Tarman and Edward Witzke
Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas, editors
Internet and Intranet Security, Second Edition, Rolf Oppliger
Non-repudiation in Electronic Commerce, Jianying Zhou
Secure Messaging with PGP and S/MIME, Rolf Oppliger
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Second Edition, Rolf Oppliger
For a listing of recent titles in the Artech House Computing Library, turn to the back of this book.
Security Technologies for the World Wide Web
Second Edition
Rolf Oppliger
Artech House
Boston · London
Library of Congress Cataloging-in-Publication Data
Oppliger, Rolf.
Security technologies for the World Wide Web/Rolf Oppliger.—2nd ed.
p. cm. — (Artech House computer security library)
Includes bibliographical references and index.
ISBN 1-58053-348-5 (alk. paper)
1. Computer security. 2. World Wide Web (Information retrieval system)—Security measures
I. Title II. Series.
QA76.9.A.25 O67 2002
005.8—dc21 2002032665
British Library Cataloguing in Publication Data
Oppliger, Rolf
Security technologies for the World Wide Web.—2nd ed.—
(Artech House computer security library)
1. World Wide Web—Security measures
I. Title
005.8
ISBN 1-58053-348-5
Cover design by Christine Stone
© 2003 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062
Many screen shots in this book are copyright 2002 Microsoft Corporation (USA) or Opera Software ASA (Norway). All rights reserved. These pages may not be reprinted or copied without express written permission of Microsoft or Opera Software.
Microsoft Corporation and Opera Software ASA have not authorized, sponsored, endorsed, or approved this publication and are not responsible for its content. Microsoft and the Microsoft corporate logos are trademarks and trade names of Microsoft Corporation. Similarly, Opera and Opera Software logos are trademarks and trade names of Opera Software ASA. All other product names and logos are trademarks of their respective owners.
All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced
or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without permission in writing from the publisher.
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not
be regarded as affecting the validity of any trademark or service mark.
International Standard Book Number: 1-58053-348-5
Library of Congress Catalog Card Number: 2002032665
10987654321
To my daughter, Lara

Contents
Preface ... xv
References ... xx
Acknowledgments ... xxiii
1 Introduction ... 1
1.1 Internet ... 1
1.2 WWW ... 5
1.3 Vulnerabilities, threats, and countermeasures ... 8
1.4 Generic security model ... 10
1.4.1 Security policy ... 12
1.4.2 Host security ... 13
1.4.3 Network security ... 13
1.4.4 Organizational security ... 16
1.4.5 Legal security ... 17
References ... 17
2 HTTP Security ... 21
2.1 HTTP ... 21
2.2 User authentication, authorization, and access control ... 26
2.3 Basic authentication ... 29
2.4 Digest access authentication ... 34
2.5 Certificate-based authentication ... 41
2.6 Server configuration ... 42
2.6.1 Configuring HTTP basic authentication ... 42
2.6.2 Configuring HTTP digest access authentication ... 45
2.7 Conclusions ... 46
References ... 48
3 Proxy Servers and Firewalls ... 49
3.1 Introduction ... 49
3.2 Static packet filtering ... 54
3.3 Dynamic packet filtering or stateful inspection ... 57
3.4 Circuit-level gateways ... 58
3.5 Application-level gateways ... 64
3.6 Firewall configurations ... 68
3.6.1 Dual-homed firewall ... 69
3.6.2 Screened host firewall ... 71
3.6.3 Screened subnet firewall ... 72
3.7 Network address translation ... 74
3.8 Configuring the browser ... 76
3.9 Conclusions ... 80
References ... 83
4 Cryptographic Techniques ... 87
4.1 Introduction ... 87
4.2 Cryptographic hash functions ... 90
4.3 Secret key cryptography ... 92
4.3.1 DES ... 93
4.3.2 Triple-DES ... 93
4.3.3 IDEA ... 95
4.3.4 SAFER ... 95
4.3.5 Blowfish ... 95
4.3.6 CAST-128 ... 95
4.3.7 RC2, RC4, RC5, and RC6 ... 95
4.3.8 AES ... 96
4.4 Public key cryptography ... 96
4.4.1 RSA ... 100
4.4.2 Diffie-Hellman ... 101
4.4.3 ElGamal ... 102
4.4.4 DSS ... 102
4.4.5 ECC ... 102
4.5 Digital envelopes ... 103
4.6 Protection of cryptographic keys ... 105
4.7 Generation of pseudorandom bit sequences ... 107
4.8 Legal issues ... 107
4.8.1 Patent claims ... 108
4.8.2 Regulations ... 109
4.8.3 Electronic and digital signature legislation ... 110
4.9 Notation ... 111
References ... 113
5 Internet Security Protocols ... 117
5.1 Introduction ... 117
5.2 Network access layer security protocols ... 118
5.2.1 Layer 2 Forwarding Protocol ... 121
5.2.2 Point-to-Point Tunneling Protocol ... 122
5.2.3 Layer 2 Tunneling Protocol ... 124
5.2.4 Virtual private networking ... 124
5.3 Internet layer security protocols ... 125
5.3.1 IP security architecture ... 128
5.3.2 IPsec protocols ... 131
5.3.3 IKE Protocol ... 136
5.3.4 Implementations ... 141
5.4 Transport layer security protocols ... 143
5.5 Application layer security protocols ... 143
5.5.1 Security-enhanced application protocols ... 144
5.5.2 Authentication and key distribution systems ... 144
5.5.3 Layering security protocols above the application layer ... 145
5.6 Conclusions ... 146
References ... 148
6 SSL and TLS Protocols ... 153
6.1 SSL Protocol ... 153
6.1.1 History ... 153
6.1.2 Architecture ... 155
6.1.3 SSL Record Protocol ... 159
6.1.4 SSL Handshake Protocol ... 161
6.1.5 Security analysis ... 167
6.1.6 Implementations ... 169
6.2 TLS Protocol ... 171
6.3 SSL and TLS certificates ... 175
6.4 Firewall traversal ... 178
6.4.1 SSL/TLS tunneling ... 179
6.4.2 SSL/TLS proxy servers ... 181
6.5 Conclusions ... 182
References ... 183
7 Certificate Management and Public Key Infrastructures ... 185
7.1 Introduction ... 185
7.2 Public key certificates ... 187
7.2.1 PGP certificates ... 188
7.2.2 X.509 certificates ... 190
7.3 IETF PKIX WG ... 193
7.4 Certificate revocation ... 196
7.4.1 CRLs ... 198
7.4.2 OCSP ... 199
7.4.3 Alternative schemes ... 200
7.5 Certificates for the WWW ... 201
7.5.1 CA certificates ... 201
7.5.2 Server or site certificates ... 203
7.5.3 Personal certificates ... 204
7.5.4 Software publisher certificates ... 205
7.6 Conclusions ... 207
References ... 210
8 Authentication and Authorization Infrastructures ... 213
8.1 Introduction ... 213
8.2 Microsoft .NET Passport ... 216
8.2.1 Overview ... 217
8.2.2 .NET Passport user accounts ... 219
8.2.3 .NET Passport SSI service ... 222
8.2.4 Complementary services ... 228
8.2.5 Security analysis ... 230
8.3 Kerberos-based AAIs ... 231
8.3.1 Kerberos ... 231
8.3.2 SESAME ... 240
8.3.3 Windows 2000 ... 240
8.4 PKI-based AAIs ... 241
8.5 Conclusions ... 245
References ... 245
9 Electronic Payment Systems ... 249
9.1 Introduction ... 249
9.2 Electronic cash systems ... 255
9.3 Electronic checks ... 257
9.4 Electronic credit-card payments ... 259
9.5 Micropayment systems ... 261
9.6 Conclusions ... 262
References ... 264
10 Client-side Security ... 267
10.1 Introduction ... 267
10.2 Binary mail attachments ... 271
10.3 Helper applications and plug-ins ... 272
10.4 Scripting languages ... 275
10.5 Java applets ... 278
10.5.1 Security architecture ... 279
10.5.2 Security policy ... 281
10.5.3 Code signing ... 281
10.6 ActiveX controls ... 283
10.7 Security zones ... 288
10.8 Implications for firewalls ... 291
10.9 Conclusions ... 293
References ... 294
11 Server-side Security ... 297
11.1 Introduction ... 297
11.2 CGI ... 300
11.3 Server APIs ... 309
11.4 FastCGI ... 310
11.5 Server-side includes ... 311
11.6 ASP ... 312
11.7 JSP ... 313
11.8 Conclusions ... 314
References ... 314
12 Privacy Protection and Anonymity Services ... 317
12.1 Introduction ... 317
12.2 Early work ... 321
12.3 Cookies ... 324
12.4 Anonymous browsing ... 328
12.4.1 Anonymizing HTTP proxy servers ... 329
12.4.2 JAP ... 330
12.4.3 Crowds ... 330
12.4.4 Onion routing ... 333
12.4.5 Freedom network ... 336
12.5 Anonymous publishing ... 336
12.5.1 JANUS and the rewebber service ... 336
12.5.2 TAZ servers and the rewebber network ... 338
12.5.3 Publius ... 340
12.6 Voluntary privacy standards ... 341
12.6.1 Privacy seals ... 341
12.6.2 P3P ... 342
12.7 Conclusions ... 343
References ... 344
13 Intellectual Property Protection ... 347
13.1 Introduction ... 347
13.2 Usage control ... 349
13.3 Digital copyright labeling ... 351
13.3.1 Introduction ... 351
13.3.2 Categories of watermarking techniques ... 352
13.3.3 Attacks ... 355
13.4 Digital Millennium Copyright Act ... 356
13.5 Conclusions ... 357
References ... 358
14 Censorship on the WWW ... 359
14.1 Introduction ... 359
14.2 Content blocking ... 360
14.2.1 IP address blocking ... 361
14.2.2 URL blocking ... 363
14.3 Content rating and self-determination ... 365
14.4 Conclusions ... 371
References ... 373
15 Risk Management ... 375
15.1 Introduction ... 375
15.2 Formal risk analysis ... 378
15.3 Alternative approaches and technologies ... 379
15.3.1 Security Scanning ... 379
15.3.2 Intrusion Detection ... 381
15.4 Conclusions ... 382
References ... 383
16 Conclusions and Outlook ... 385
Abbreviations and Acronyms ... 389
About the Author ... 403
Index ... 405
Preface
During the past decade, I have been heavily involved in security issues related to TCP/IP-based networks.¹ The results of this work are summarized in Authentication Systems for Secure Networks [1], Secure Messaging with PGP and S/MIME [2], and—most importantly—the second edition of Internet and Intranet Security [3]. The three books overview and fully discuss the technologies that are available today and that can be used in TCP/IP-based networks to provide access control and communication security services. They are mainly written for computer scientists, electrical engineers, and network practitioners with some background in computer and communication security.
¹ TCP/IP-based networks are networks that are based on the communications protocol suite. This protocol suite, in turn, is centered around the Transport Control Protocol (TCP) and the Internet Protocol (IP).
Some time ago, I was asked whether one of the books could be used to educate World Wide Web (WWW) professionals (e.g., Webmasters and Web server administrators) in security matters. Unfortunately, I realized that while the books cover most technologies used to secure applications for the WWW, they are written in a language that is inappropriate for Web professionals. Note that these folks are generally familiar with network operating system issues and communication protocols, but they are neither security experts nor cryptographic specialists. They may not even be interested in architectural details and design considerations for cryptographic technologies and protocols that are widely deployed.
Having in mind the Web professional who must be educated in security matters within a relatively short period of time, I decided to write a book that may serve as a security primer. While writing the book, I realized that the result could also be used by Web users and application software developers. The resulting book, Security Technologies for the World Wide Web, was published in 2000. It overviewed and briefly discussed all major topics that are relevant for Web security. Unfortunately, and due to the dynamic nature of the field, it has become necessary to update the book and come up with a second edition after only a relatively short period of time. There are many new terms and buzzwords that need to be explained and put into perspective. Consequently, Security Technologies for the World Wide Web, Second Edition elaborates on some well-known security technologies that have already been covered in the first edition, as well as some more recent developments in the field.
First of all, it is important to note that the term “WWW security” means different things to different people:
• For Webmasters, it means confidence that their sites won’t be hacked and vandalized or used as a gateway to break into their local area networks (LANs);
• For Web users, it means the ability to browse securely through the Web, knowing that no one is looking into their communications;
• Finally, for proponents of electronic commerce applications, it means the ability to conduct commercial and financial transactions in a safe and secure way.
According to [4], Web security refers to “a set of procedures, practices, and technologies for protecting Web servers, Web users, and their surrounding organizations.” In this book, we mainly focus on the technologies that can be used to provide security services for the WWW. Some of these technologies are covered in detail, whereas others are only briefly introduced and left for further study. For example, most security problems and corresponding exploits that make press headlines are due to bugs and flawed configurations of specific Web servers, such as Microsoft’s Internet Information Server (IIS). Due to their transient nature, however, bugs and configuration flaws are not addressed in this book. There are many books mainly on computer security and hacking that address these issues. All of these books suffer the problem that they generally obsolesce faster than new editions can be produced. Also, an increasingly large number of CERT² advisories, incident notes, and vulnerability notes can be used to provide this type of information.
² The acronym CERT stands for Computer Emergency Response Team.
The reader of Security Technologies for the World Wide Web, Second Edition gets an overview of all major topics that are relevant for the WWW and its security properties. As such, the book is intended for anyone who is concerned about security on the Web, is in charge of security for a network, or manages an organization that uses the WWW as a platform for providing information. It can be used for lectures, courses, and tutorials. It can also be used for self-study or serve as a handy reference for Web professionals. Further information can also be found in other books on WWW security. Among these books, I particularly recommend [4–6].³ There are also some books that focus entirely on one specific cryptographic security protocol (i.e., the Secure Sockets Layer or Transport Layer Security protocol) that is widely deployed on the WWW [7, 8]. These books are recommended reading but are more narrow in scope than Security Technologies for the World Wide Web. Finally, there is also a frequently asked questions (FAQ) document available on the Web.⁴
³ Among these books only [6] has been updated in a second edition so far.
⁴ />
While it is not intended that this book be read linearly from front to back, the material has been arranged so that doing so has some merit. In particular, Security Technologies for the World Wide Web, Second Edition has been organized in 15 chapters, summarized as follows:
• In Chapter 1, we introduce the topic and elaborate on the Internet, the WWW, vulnerabilities, threats, and countermeasures, as well as a model that can be used to discuss various aspects of security.
• In Chapter 2, we elaborate on the security features of the Hypertext Transfer Protocol (HTTP). Most importantly, we address the user authentication and authorization schemes provided by HTTP and some implementations thereof.
• In Chapter 3, we explain and address the implications of proxy servers and firewalls for Web-based applications.
• In Chapter 4, we introduce cryptographic techniques that are employed by many security technologies for the WWW. These techniques will be used in subsequent chapters.
• In Chapter 5, we overview and briefly discuss the cryptographic security protocols that have been proposed and partly implemented for the Internet (and that can also be used for the WWW).
• In Chapter 6, we focus on two transport layer security protocols, namely the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. These protocols are particularly important to secure Web-based applications.
• In Chapter 7, we address the problem of how to manage certificates and discuss the issues that surround public key infrastructures (PKIs).
• In Chapter 8, we broaden the topic addressed in Chapter 7 and discuss authentication and authorization infrastructures (AAIs).
• In Chapter 9, we overview and briefly discuss some electronic payment systems that can be used in e-commerce applications for the Internet or WWW.
• In Chapter 10, we focus on client-side security and the security implications of executable (or active) content (e.g., Java applets and ActiveX controls).
• In Chapter 11, we address server-side security and the security implications of some widely deployed server programming technologies (e.g., CGI and API scripts).
• In Chapter 12, we address the increasingly important field of privacy protection and anonymity services for the WWW.
• In Chapter 13, we overview and discuss some technologies that can be used for intellectual property protection.
• In Chapter 14, we address the politically relevant issues that surround censorship on the Internet or WWW.
• In Chapter 15, we elaborate on risk management.
• In Chapter 16, we draw conclusions and predict some future developments in the field.
Unlike the first edition, Security Technologies for the World Wide Web, Second Edition does not include a glossary. This is because in May 2000, an Internet Security Glossary was published as informational RFC 2828 (or FYI 36, respectively) [9]. This document can be used as a reference for anyone working in the field.⁵ However, Security Technologies for the World Wide Web, Second Edition still includes a list of abbreviations and acronyms. References are included at the end of each chapter. This is also true for the various RFC documents that are relevant for WWW security.⁶ At the end of the book, an About the Author section is included to tell you a little bit about me. Finally, there is an Index to help you find particular terms.
⁵ There are many other glossaries available on the Internet. Examples include a glossary compiled by Networks Associates, Inc. at and another glossary compiled by Rob Slade at />
⁶ There are many RFC archives available. For example, RFC documents can be downloaded from http://www.ietf.org/rfc.
Some authors make a clear distinction between client-side security, server-side security, and document security, and structure their books accordingly (e.g., [4]). This book does not follow this approach but uses a functional organization instead. More precisely, the various chapters outlined above address zero, one, or even more than one of the above-mentioned classes of security issues.
There has been a long tradition in the computer and network security literature of providing various kinds of checklists. Again, Security Technologies for the World Wide Web, Second Edition breaks with this tradition, mainly because security is more than checking off items on checklists. The single most important thing in security is to understand the underlying concepts and technological approaches. If you understand them, it is a simple exercise to formulate and implement your own checklist(s).
While time brings new technologies and outdates current technologies, I have attempted to focus primarily on the conceptual approaches to providing security services for the WWW. The Web is changing so rapidly that any book is out of date by the time it hits the shelves in the bookstores (that’s why this book had to go into a second edition after a relatively short period of time). By the time you read this book, several of my comments will probably have moved from the future to the present, and from the present to the past, resulting in inevitable anachronisms.
Due to the nature of this book, it is necessary to mention company, product, and service names. It is, however, important to note that the presence or absence of a specific name implies neither criticism nor endorsement, nor does it imply that the corresponding company, product, or service is necessarily the best available. For a more comprehensive products overview, I particularly recommend the Computer Security Products Buyer’s Guide that’s compiled and published annually by the Computer Security Institute (CSI) based in San Francisco, California.⁷
Whenever possible, I add some uniform resource locators (URLs) as footnotes to the text. The URLs point to corresponding information pages provided on the Web. While care has been taken to ensure that the URLs are valid, due to the dynamic nature of the Web, these URLs as well as their contents may not remain valid forever. Similarly, I use screen shots to illustrate some aspects related to the graphical user interfaces (GUIs). Unlike in the first edition, I use Microsoft Internet Explorer version 5.5 and Opera version 6.0 (instead of Netscape Navigator). Keep in mind, however, that software vendors, including Microsoft and Opera Software, tend to update and modify their GUIs periodically. Therefore, chances are that the GUI you currently use looks (slightly or completely) different than the one replicated in this book.
Finally, I would like to take the opportunity to invite you as a reader of this book to let me know your opinion and thoughts. If you have something to correct or add, please let me know. If I haven’t expressed myself clearly, please also let me know. I appreciate and sincerely welcome any comment or suggestion, in order to update the book periodically. The best way to reach me is to send an e-mail to You can also visit the home page⁸ of my company eSECURITY Technologies Rolf Oppliger and drop a message there. In addition, I have also established a home page for this book. The page is located at URL />WWWsec2e.html.
References
[1] Oppliger, R., Authentication Systems for Secure Networks, Artech House, Norwood, MA, 1996.
[2] Oppliger, R., Secure Messaging with PGP and S/MIME, Artech House, Norwood, MA, 2001.
[3] Oppliger, R., Internet and Intranet Security, Second Edition, Artech House, Norwood, MA, 2002.
[4] Stein, L. D., Web Security: A Step-by-Step Reference, Addison-Wesley, Reading, MA, 1998.
[5] Rubin, A. D., D. Geer, and M. J. Ranum, Web Security Sourcebook, John Wiley & Sons, Inc., New York, NY, 1997.
[6] Garfinkel, S., with E. H. Spafford, Web Security, Privacy & Commerce, Second Edition, O’Reilly & Associates, Sebastopol, CA, 2001.
[7] Thomas, S. A., SSL & TLS Essentials: Securing the Web, John Wiley & Sons, Inc., New York, NY, 2000.
[8] Rescorla, E., SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, Reading, MA, 2000.
[9] Shirey, R., “Internet Security Glossary,” Request for Comments 2828, May 2000.

Acknowledgments
First, I want to express my thanks to all people who contributed to and were involved in the writing, publishing, and selling of the first edition of this book. Among these people, I am particularly grateful for the interest and support of Kurt Bauknecht, Dieter Hogrefe, Hansjürg Mey, and Günther Pernul. Also, I want to thank all buyers of the first edition; they have made it possible for me to update the book and to develop a second edition. Since publication of the first edition, many security professionals, colleagues, customers, and students have provided valuable comments, suggestions, pointers, and further material to me. I hope that this input was taken into proper consideration. Ruedi Rytz and my brother, Hans Oppliger, have been particularly helpful in finding mistakes and making the book more comprehensive and understandable. The same is true for John Yesberg, who has thoroughly reviewed the entire manuscript and provided many useful comments and hints. As with the first edition, the staff at Artech House was enormously helpful in producing the second edition of this book. Among these people, I’d like to thank Tim Pitts, Ruth Harris, Judi Stone, and Jen Kelland. Above all, I want to thank my family—my wife Isabelle and our beloved children Marc and Lara—for their encouragement, support, and patience during the writing of the book. Once again, they have tolerated the long writing hours into the night, the scattered papers and manuscripts, the numerous business trips, and many other inconveniences while I completed this edition of the book. Soon before the book went into production, our daughter Lara was born. Consequently, it is dedicated to her.