Organizations

• IETFÀÇ application º¸¾È °ü·Ã Ç¥ÁØ, Future System Á¤¸®
• IMC(Internet Mail Consortium)
  • S/MIME and OpenPGP
• MIT Distribution Center for PGP

Resources

• W3C Security Resources, W3C.org
• DevEdge Online - Netscape Developer site, Netscape
• Netscape Security Notes, Netscape
• IMP Web Mail Solution, Horde.org
• Application-level Security Products, Esecurityplanet

• Watermarking World - Webring
• DataHidingTM / Rights Management - related to watermarking
• Mozilla Security Projects, Mozilla.org
  • Component Security for Mozilla, Mozilla.org
  
  
  
• Java Developer Connection, Sun Microsystems
• Java Security, Sun Microsystems - Java Security API, News, Software, Documentation, User Guides, Man pages, FAQ, Whitepapers, Articles, Presentation
  • JavaTM Security Architecture (JDK1.2), Lee Gong, October 2, 1998
  • JavaTM Cryptography Architecture, Dec, 6, 1999
  • Summary of JDK 1.2 Security Tools, Oct, 19, 1998
• IBM JAVA Research section, IBM
• Java Security Resources, JavaWorld
• Java Security related Articles, Java World

• Microsoft Security, Microsoft
  • Web Site Security, Microsoft
  • Security Bulletin and Search, Microsoft
• Exchange Server/Email Security, Microsoft

• The International PGP Home Page
  • PGP documentation
  • Download
• Tom McCune's page for Pretty Good Privacy(PGP)
• The PGP4Pine homepage

• SSH: The Secure Shell, The Definitive Guite
• FreeSSH - SSH Product Client / Server Links
• OpenSSH - Free SSH Server/Client Implemenation

• GNU TLS Library
• Netscape SSL Page, Netscape
• OpenSSL - Free SSL / TLS Implementation
• SSL Resource Center, Phaos Technology Corporation
• Apache-SSL - Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.
• modSSL - The Apache Interface to OpenSSL

Papers and Articles

[Web]

• Bulletproof, Mike Bobbitt, Information Security, May 3, 2002.
  - Different Approaches, Same Goal,
  - The Attacker's Arsenal
• Content Security for the Enterprise, Authentica Inc., Whitepaper, April 2, 2002. (local copy)
• Statistical Identifcation of Encrypted Web Browsing Traffic, Venkata N. Padmanabhan, Lili Qiu, Wilf Russell, Daniel R. Simon, Qixiang Sun & Yi-Min Wang, MS Technical Report, March 2002. (local copy)
• Collaborative Filtering with Privacy, John Canny, UC Berkely, 2002. (local copy)
• Collaborative Filtering with Privacy via Factor Analysis, John Canny, UC Berkely, 2002. (local copy)
• P5: A Protocol for Scalable Anonymous Communication, Bobby Bhattacharjee, Rob Sherwood & Aravind Srinivasan, University of Meryland, 2002. (local copy)
• Security at the Next Level: Are Your Web Applications Vulnerable?, SPI Dynamics, Whitepaper, February 1, 2002. (local copy)
• J2EE and .Net security, Ger Mulcahy, SecurityFocus, February 2002. (local copy)
• Preventing Web Site Defacements, Ryan C. Barnett, SecurityFocus, 2001 (local copy)
• Microsoft .Net strategy pushes the Web application development envelope, Arthur English, NetworkWorld, November 05, 2001.
• Web services can simplify Web apps, David Weller, NetworkWorld, November 05, 2001.
• Brute-Forcing Exploitation of Web Application Session IDs, David Endler, IDefense Labs, November 01, 2001. (local copy)
• Companies At Risk Over Proliferation Of Web Bugs, InternetWeek, August 14, 2001.
• Hardening HTAccess, Part Three, Security Focus, August 6, 2001.
• Hardening HTAccess, Part Two , Security Focus, July 25, 2001.
• Hardening HTAccess, Part One , Security Focus, July 11, 2001.
• Webjacking, Lexis-Nexis, July 2001.
• The Web-Bug Boondoggle, InformationWeek, June 25, 2001.
• Examining Web Content Security Software, Curtis Franklin Jr., Planet IT, March 13, 2001
• Report: Many federal Web sites use cookies to track users, Lucas Mearian, Computer World, April 17, 2001.
• Taking the Web Server Down when the Firewall is Sound , VIGILANTe.com, 2001
• Web Spoofing : An Internet Con Game, Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach at Department of Computer Science, Princeton University
• Security for Web Database Applications, John Paul Ashenfelter, April 13, 2001
• Examining Web Content Security Software, Curtis Franklin Jr., PlanetIT, Mar, 13 2001
• Securing your IIS 4.0 server, Troy Thompson, TechRepublic, Jan 24, 2001 ( You must create your Free account )
• Risks of the Passport Single Signon Protocol, David P. Kormann and Aviel D. Rubin, IEEE Computer Networks, volume 33, pages 51-58, 2000.
• Best Practices for Secure Web Development, Razvan Peteanu, July 18, 2000 (local copy)
• Secure Internet Information Services 5 Checklist , Microsoft, June 29, 2000
• Microsoft Internet Information Server 4.0 Security Checklist, Microsoft, Mar. 15,2000
• Web server round-up, part 2, Kurt Seifried, Security Portal, December 12, 1999.
• Web server round-up, part 1, availability, Kurt Seifried, Security Portal, November 10, 1999.
  
  
• HTML Form Protocol Attack(Ver 1.0), Jochen Topf, Remote.org, August 14, 2001. (local copy)
• Microsoft Passport to Trouble, Marc Slemko, znep.com, November 05, 2001
  
  
• Secrecy in Multiagent Systems, Joseph Halpern & Kevin O'Neill, 2002. (local copy)
• Keeping Secrets in Hardware: the Microsoft XBox Case Study, Andrew "bunnie" Huang, Massachusetts institute of technology, May 26, 2002. (local copy)
• Cyclone: A Safe Dialect of C, Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney and Yanling Wang, 2002. (local copy)
• Types and Effects for Asymmetric Cryptographic Protocols, Andrew D. Gordon & Alan Jeffrey, January 28, 2002. (local copy)
  
  [CGI Security]
  
• CGI Security Tutorial, Genrep, 1996
• CGI Security : Better Safe than Sorry, Pankaj Kamthan, 1999
• CGI Security Compilation, Markus Hubner
• CGI security: Avoiding common pitfalls, Kevin Paulisse, 1999
• Server Side Includes and CGI Security, Jason Nugent, 1999
• Security Issues When Installing and Customizing Pre-Built Web Scripts, Selena Sol, 1998
• CGI-script security 101, Andrew Wild
• CGI Vulnerabilities, Aleksandar Stancin, Help Net Security, 2001.
• Header Based Exploitation: Web Statistical Software Threats, Zenomorph, CGIsecurity, January 2002.
  
  [PHP Security]
  
• On the Security of PHP, Part 2, Jordan Dimov, Earthweb, November 14, 2001.
• On the Security of PHP, Part 1, Jordan Dimov, Earthweb, November 09, 2001.
• Using PHP Securely, SecuriTeam, July 04, 2001.
• Understanding functions and classes in PHP, Shelley Doll, TechRepublic, July 2, 2001.
• Tutorial: Getting started with PHP, Shelley Doll, TechRepublic, May 7, 2001.
• PHP Manual : Security, The PHP Development Team, 2000
  
  [Java Security]
  
• Working with Java security features, Lotus.com
• Securing Java Code, Thomas Gutschmidt, Software Development
  • Part 1, April 12, 2001.
  • Part 2, May 1, 2001.
  • Part 3, May 17, 2001.
  • Part 4 : Decompilers, June 12, 2001.
• The Java Security Web Site, Gary McGraw and Edward Felten, 1999
• JavaScript Security in Mozilla, Mozilla.org, 2001
• Archives of java-security@sun.com, Sun Microsystems
• Java security evolution and concepts, Part 3: Applet security, Raghavan N. Srinivas, Java World, Dec, 2000
• Java security: How to install the security manager and customize your security policy , Bill Venners, Java World, Nov, 1997
• A Comparison between Java and ActiveX Security, David Hopwood , Oct, 1997
• Java technology trends through 2004, M. Driver, TechRepublic, August 08, 2001.
• JSP Security, Jordan Dimov, September 13, 2001.
• Stack Inspection: Theory and Variants, C¢¥edric Fournet & Andrew D. Gordon, Microsoft Research, 2002. (local copy)
  
  [Browser Security]
  
• Mozilla Cookie Exploit(Analysis Report), Marc Slemko, Znep.com, January 22, 2002.
• Protect your network by customizing IE's desktop security settings, Brien M. Posey, TechRepublic, October 1, 2001.
• Block unauthorized sites and malicious code with Internet Explorer, Brien M. Posey, TechRepublic, September 12, 2001.
• Eliminate threats to your network by securing Internet Explorer's security zones, Brien M. Posey, TechRepublic, September 5, 2001.
• HotJava(tm): The Security Story, Sun Microsystems
• Microsoft's Internet Explorer security Center, Scott Schnoll
  
  [Cookie Security]
  
• Have Web bugs invaded your systems?, John McCormick, TechRepublic, June 25, 2001.
• How Internet Cookies Work, HowStuffWorks
• Changing Your Cookie Settings, EarthLink
• Cookie Central, Cookie Central, - related with Cookie stuff
• The Unofficial Cookie FAQ v2.54, David Whalen, 2000
• INFORMATION BULLETIN I-034: Internet Cookies, CIAC, March 12, 1998
• Persistent Client State HTTP Cookies by Netscape
• HTTP Cookie Library - Cookie Resources
• ºê¶ó¿ìÀú ÄíÅ° Ãë¾àÁ¡, ÀÓ´ëÈ£
  
  [Active X Control]
  
• ActiveX Control Tutorial, Microsoft
• Designing Safe ActiveX Controls, Microsoft
• Safe Initialization and Scripting for ActiveX Controls, Microsoft
  
  [Microsoft's Authenticode]
  
• Certificates and Authenticode page, Microsoft
• Authenticode White Paper, Microsoft, 1996
• Frequently Asked Questions About Authenticode, Microsoft, May 2000
  
  [DNS Security]
  
• Running the BIND9 DNS Server Securely, Sean Boran, SecurityPortal, April 30, 2001
• DNS and BIND, 4th Edition, Chapter 11: Security, Paul Albitz & Cricket Liu.
• DNS Security Extention, ACME Byte & Wire, 1999
• DNS Security, by Diane Davidowicz, 1999
  
  [Mail Security]
  
• Fighting back against spam, Suzanne Gaspar, NetworkWorld, May 13, 2002.
• Application-Level Defense: The Email Battlefield, Jay Chaudhry, SCmagazine, May 2002.
• Untangling Security Issues to Enable Web-based Email Access, Joseph Steinberg, SCmagazine, May 2002.
• EMAIL SECURITY : Juggling the Risks, Illena Armstrong, SCmagazine, May 2002.
• MailRecall: Secure E-Mail for the Enterprise, Authentica Inc., Whitepaper, May 1, 2002. (local copy).
• Securing Exchange 2000, Part 2, Chris Weber, SecurityFocus, May 8, 2002.
• Securing Exchange 2000, Part 1, Chris Weber, SecurityFocus, April 23, 2002.
• Email security, Help-net Security, April 2002.
• Mobile Email: Still Hindered By What Users Need Most, David A. Zimmer and Art Rosenberg, Commweb, April 1, 2002.
• Email security, GFI.com, Whitepaper, 2002.
• Protecting your network against email threats: How to block email attacks & viruses, GFI.com, Whitepaper, 2002.
• Using PGP to Verify Digital Signatures, Shawn Herman & Linda Pesante, CERT Cordination Center, March 19, 2002. (local copy).
• Guide to the Secure Configuration and Administration of Microsoft Exchange(Ver. 3.0), NSA Security Recommendation Guides, January 2002. (local copy).
• Email Tampering - This Time, The Good Guys Won, Michael Weingarten & Adam Weingarten, Business Communicatio Review, January 2002. (local copy).
• Certified Email with a Light Online Trusted Third Party: Design and Implementation, Martin Abadi, Neal Glew, Bill Horne & Benny Pinkas, 2001. (local copy).
• qmail Anti-Spam HOWTO(Version 0.33), Chris Hardie, Summersault.com, November 2001.
• Building an E-mail Virus Detection System for Your Network, Dave Jones, LinuxJournal, November 16, 2001
• Products to ensure e-mail security, Brian Fonseca, InfoWorld, September 21, 2001
• How to install GnuPG, Joe Barr, LinuxWorld, September 19, 2001
• A security analysis of Pretty Good Privacy, Sieuwert van Otterloo, SecurityFocus, September 4, 2001 (local copy)
• E-mail Security in the Wake of Recent Malicious Code Incidents(Ver. 2.5), NSA Security Recommendation Guides, August 2001. (local copy).
• Securing Sendmail with TLS, Jose Nazario, Linux Journal, August 15, 2001
• GPG: the Best Free Crypto You Aren't Using, Part I of II, Mick Bauer, Linux Journal, August 15, 2001
• Email Login Security, Ric Steinberger, SecurityPortal, June 25, 2001
• Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML, Don Davis, USENIX annual technical conference 2001 (June 25-30), 2001. (local copy)
• Email Login Security, Ric Steinberger, Security Portal, June 25, 2001.
• Attack on Private Signature Keys of the OpenPGP format, PGP programs and other applications compatible with OpenPGP, Vlastimil Klima and Tomas Rosa, Help Net Security, 2001. (local copy)
• E-MAIL SECURITY, Fred Avolio and David Piscitello, Information Security, May 16, 2001.
• A Brief Comparison of Email Encryption Protocols, Raph Levien, Arraydev, 2001.
• ¸ÞÀÏÇÊÅ͸µÀ» ÅëÇÑ E-mail º¸¾È, Á¤º¸º¸È£¼¾ÅÍ, 2001
• Allowing controlled SMTP relaying in Sendmail 8.9 by Sendmail.org
• Anti-Spam Provisions in Sendmail 8.8 by Sendmail.org
• Enhancing E-Mail Security With Procmail the E-mail Sanitizer, Home
  • E-mail based Attacks: Active Content attacks, Buffer Overflow attacks, Trojan Horse attacks, Shell Script attacks,
• A Chosen Ciphertext Attack Against Several E-mail Encryption Protocols , Jonathan Katz and Bruce Schneier, June 23, 2000
• Microsoft's E-mail Security Resources, Microsoft
• Customizing the Outlook 98/2000 E-mail Security Update, Microsoft Office Resource Kit Journal, June 7, 2000
• PGP documentation, The International PGP Home Page - documentation secction
  • How PGP works at The International PGP home
• The Postfix Home Page
  • Postfix Frequently Asked Questions
• The Qmail homepage
  • Qmail Çѱ¹ ¹èÆ÷ ¿î¿µ»çÀÌÆ® - À§»çÀÌÆ®ÀÇ ¹®¼­ ÇѱÛÈ­ / âÀÛ¹®¼­
  • qmail-HOWTO v2, Adam McKenna, Feb 20 2001

  [abridged version of Professional WAP]

• Professional WAP I, Network Computing, July 3, 2000.
  • WAP and E-Mail
  • Key Elements of E-mail
• Professional WAP II, Network Computing, July 10, 2000.
  • Introduction to the Java Mail API
  • Simplifying WML Generation
• Professional WAP III, Network Computing, July 17, 2000
  • E-mail and E-commerce Sites
  • A WAP Based E-mail Application
  • Summary
  
  
  [NFS Security]
  
• NFS Security, Samuel Sheinin, May 2, 2000
• NFS and NIS Security, Kristy Westphal, Jan 22, 2001
• NFS Security -Sun Whitepaper, Sun Microsystems
• NFS HOWTO : Security and NFS, Linux Online, 2000
• Introduction to NFS Security - Technical Report, Paul Ashley, Dec, 1996
  
  [NIS/NIS+ Security]
  
• Securing NIS (formerly YP), Doug Hughes
• Network Information Services (NIS and NIS+) Guide - Chapter 7. Security, University of California
• NIS+ part 1: What's in a Name (Service)?, SunWorld, Oct, 1996
• NIS+ part 2: Not your father's name service, SunWorld, Oct, 1996
  
  [X-window Security]
  
• Securing X Windows, John Fisher, CIAC-2316, August, 1995
• X Security, Lionel Cons, It's a part of CERN Security Handbook, Dec. 1996
• X Security, Francois Staes
• X Security, University of Cambridge
• Crash Course in X Window Security, Beckman Institute System Services

  [SSL/TLS]

• The Risks of Short RSA Keys for secure communications using SSL, Nicko van Someren, nCipher, April 2002. (local copy)
• Using Client Puzzles to Protect TLS, Drew Dean, Adam Stubblefield, November, 2001. (local copy)
• An Introduction OpenSSL, Part Four: The SSL and TLS Protocols, Holt Sorenson, SecurityFocus, October 03, 2001.
• An Introduction to OpenSSL, Part Three: PKI- Public Key Infrastructure, Holt Sorenson, SecurityFocus, September 19, 2001.
• An Introduction to OpenSSL, Part Two: Cryptographic Functions Continued, Holt Sorenson, SecurityFocus, September 5, 2001.
• An Introduction to OpenSSL, Part One: Cryptographic Functions, Holt Sorenson, SecurityFocus, August 22, 2001.
• Using a Cryptographic Hardware Token with Linux: the OpenSSL Project's New Engine, Paul Friberg, Linux Journal, June, 2001.
• Architectural Impact of Secure Socket Layer on Internet Servers, Krishna Kant and Ravishankar Iyer, Intel Corporation and Prasant Mohapatra, Michigan State University 1998
• Netscape's SSL 3.0 Spec resource
• Andes ASICs bypass TCP layer to secure transactions, Loring Wirbel, EE Times, Feb. 15, 2001.
• Can IPv6 replace SSL?, Reto Haeni, RootPrompt, May 29, 2000.
• Inductive analysis of the internet protocol TLS, L.C.Paulson, ACM Trans. on Info. And Sys. Sec. Vol. 2(3), 1999, pp 332-351. (local copy)
• Introduction to SSL, Netscape tutorial, Oct. 9, 1998.
• Finite-state analysis of SSL 3.0, J.C.Mitchell, V.Shmatikov and U.Stern, 7th USENIX Security Symp. 1998, pp 201-216. (local copy)
• Analysis of the SSL 3.0 protocol, D.Wagner and B.Schneier, 2nd USENIX Electronic Commerce, 1996, revised 1997. (local copy)
  • Introducing SSL and Certificates using SSLeay, Frederick J. Hirsch, The Open Group Research Institute, 1997
  • About Stunnel, Stunnel.org
  • Stunnel FAQ, Stunnel.org
  • The Official Stunnel Home
  
  
  
• Smashing the SSL Speed Trap, Lori MacVittie, Network Computing, June 11, 2001
• Rainbow Scores a SSLam Dunk with NetSwift2012 , Lori MacVittie, Network Computing, August 20, 2001
• AEP Delivers a Quick and Inexpensive Contender for The Accelerator Market, Lori MacVittie, Network Computing, September 17, 2001

  [SSH]

• A Rough Year for SSH, Jose Nazario, Linux Journal, January 02, 2002.
• Using ssh Port Forwarding to Print at Remote Locations, Rory Krause, LinuxJournal, January 2002.
• ScanSSH - Scanning the Internet for SSH Servers, Peter Honeyman , Niels Provos, October 2, 2001. (local copy)
• Time and Tide Wait for No Protocol: The SSH Keystroke Timing Attack of Song, Wagner, and Tian, Richard Silverman, Oreillynet, November 08, 2001.
• OpenSSH key management, Part 2 - Introducing ssh-agent and keychain, IBM Developerworks, September 2001
• Timing Analysis of Keystrokes and Timing Attacks on SSH, Dawn X. Song, David Wagner and Xuqing Tian, SecurityFocus, August 2001 (local copy)
• Building and Deploying OpenSSH for the Solaris[tm] Operating Environment, Jason Reid and Keith Watson, Sun BluePrints¢â OnLine - July 2001 (local copy)
• OpenSSH key management, Part 1 - Understanding RSA/DSA authentication, IBM Developerworks, July 2001
• SSH Secure Shell - Whitpaper, SSH Communication Security
• PROTOCOLS : Sealing the Pipes, Feature article, Information Security Magazine, June 2001.
• Through the tunnel, Georges Tarbouriech, Linux Focus, May 2001.
• Encrypted Tunnels using SSH and MindTerm, Duane Dunston, Linux Security, May 14, 2001
• Choosing the Best Solution for Network Security - Secure Shell, TLS or IPSec, SSH - Whitepaper, Jan. 2001. (local copy)
• The End of SSL and SSH? Follow-up, Kurt Seifried, Security Portal, December 22, 2000.
• The End of SSL and SSH?, Kurt Seifried, Security Portal, December 18, 2000.
• SSH: From Secure Administration to Virtual Private Networking, Lisa Phifer, ISP-Planet, May 17, 2000.
• All About SSH - Part I/II, Sean Boran, Security Portal, Feb 14, 2000.
• All About SSH - Part II/II - OpenSSH, Sean Boran, Security Portal, Feb 28, 2000.
  
  Read more about Application/Web Security ...

FAQs

• Frequently Asked Questions: International PGP¿¡¼­ Á¦°øÇÏ´Â ¿©·¯°¡Áö PGP°ü·Ã FAQµéÀÇ ¸ðÀ½.
• PGP FAQ: www.faqs.org Á¦°ø.

• Frequently Asked Questions - Java Security, Sun Microsystems
• The World Wide Web Security FAQ : W3 Consortium¿¡¼­ Á¦°ø.
• FAQ: Web Bugs, Richard M. Smith.

• SSH Frequently Asked Questions, Barrett & Silverman, 2001.
• SSH (Secure Shell) FAQ - Frequently asked questions by Thomas König.

• The TLS & SSL FAQ maintained by Shannon Appel at Consensus Developement Corp (local copy).
• SSLeay and SSLapps FAQ , E A Yound and T J Hudson.
• SSL (Secure Sockets Layer) : SSLÀÇ °³³ä, ±â´É µî¿¡ °üÇÑ Áú¹®°ú ´äÀ» Æ÷ÇÔÇÏ°í ÀÖ´Ù.
• [SSL-Talk List FAQ] Secure Sockets Layer Discussion List FAQ v1.1.1 : SSL¿¡ ´ëÇÑ ÀϹÝÀûÀÎ ³»¿ë°ú À¯¿ëÇÑ link¸¦ Æ÷ÇÔÇÏ°í ÀÖ´Ù.