Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites.Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:
* Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.
* Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash, and Shockwave programs are also covered.
* Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.
* Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.
Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.
Simson Garfinkel, CISSP, is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and has written for more than 50 publications, including Computerworld, Forbes, and The New York Times. He is also the author of Database Nation; Web Security, Privacy, and Commerce; PGP: Pretty Good Privacy; and seven other books. Garfinkel earned a master's degree in journalism at Columbia University in 1988 and holds three undergraduate degrees from MIT. He is currently working on his doctorate at MIT's Laboratory for Computer Science.
Preface;
Web Security: Is Our Luck Running Out?;
About This Book;
Conventions Used in This Book;
Comments and Questions;
History and Acknowledgments;
Web Technology;
Chapter 1: The Web Security Landscape;
1.1 The Web Security Problem;
1.2 Risk Analysis and Best Practices;
Chapter 2: The Architecture of the World Wide Web;
2.1 History and Terminology;
2.2 A Packet's Tour of the Web;
2.3 Who Owns the Internet?;
Chapter 3: Cryptography Basics;
3.1 Understanding Cryptography;
3.2 Symmetric Key Algorithms;
3.3 Public Key Algorithms;
3.4 Message Digest Functions;
Chapter 4: Cryptography and the Web;
4.1 Cryptography and Web Security;
4.2 Working Cryptographic Systems and Protocols;
4.3 What Cryptography Can't Do;
4.4 Legal Restrictions on Cryptography;
Chapter 5: Understanding SSL and TLS;
5.1 What Is SSL?;
5.2 SSL: The User's Point of View;
Chapter 6: Digital Identification I: Passwords, Biometrics, and Digital Signatures;
6.1 Physical Identification;
6.2 Using Public Keys for Identification;
6.3 Real-World Public Key Examples;
Chapter 7: Digital Identification II: Digital Certificates, CAs, and PKI;
7.1 Understanding Digital Certificates with PGP;
7.2 Certification Authorities: Third-Party Registrars;
7.3 Public Key Infrastructure;
7.4 Open Policy Issues;
Privacy and Security for Users;
Chapter 8: The Web's War on Your Privacy;
8.1 Understanding Privacy;
8.2 User-Provided Information;
8.3 Log Files;
8.4 Understanding Cookies;
8.5 Web Bugs;
8.6 Conclusion;
Chapter 9: Privacy-Protecting Techniques;
9.1 Choosing a Good Service Provider;
9.2 Picking a Great Password;
9.3 Cleaning Up After Yourself;
9.4 Avoiding Spam and Junk Email;
9.5 Identity Theft;
Chapter 10: Privacy-Protecting Technologies;
10.1 Blocking Ads and Crushing Cookies;
10.2 Anonymous Browsing;
10.3 Secure Email;
Chapter 11: Backups and Antitheft;
11.1 Using Backups to Protect Your Data;
11.2 Preventing Theft;
Chapter 12: Mobile Code I: Plug-Ins, ActiveX,and Visual Basic;
12.1 When Good Browsers Go Bad;
12.2 Helper Applications and Plug-ins;
12.3 Microsoft's ActiveX;
12.4 The Risks of Downloaded Code;
12.5 Conclusion;
Chapter 13: Mobile Code II: Java, JavaScript, Flash, and Shockwave;
13.1 Java;
13.2 JavaScript;
13.3 Flash and Shockwave;
13.4 Conclusion;
Web Server Security;
Chapter 14: Physical Security for Servers;
14.1 Planning for the Forgotten Threats;
14.2 Protecting Computer Hardware;
14.3 Protecting Your Data;
14.4 Personnel;
14.5 Story: A Failed Site Inspection;
Chapter 15: Host Security for Servers;
15.1 Current Host Security Problems;
15.2 Securing the Host Computer;
15.3 Minimizing Risk by Minimizing Services;
15.4 Operating Securely;
15.5 Secure Remote Access and Content Updating;
15.6 Firewalls and the Web;
15.7 Conclusion;
Chapter 16: Securing Web Applications;
16.1 A Legacy of Extensibility and Risk;
16.2 Rules to Code By;
16.3 Securely Using Fields, Hidden Fields, and Cookies;
16.4 Rules for Programming Languages;
16.5 Using PHP Securely;
16.6 Writing Scripts That Run with Additional Privileges;
16.7 Connecting to Databases;
16.8 Conclusion;
Chapter 17: Deploying SSL Server Certificates;
17.1 Planning for Your SSL Server;
17.2 Creating SSL Servers with FreeBSD;
17.3 Installing an SSL Certificate on Microsoft IIS;
17.4 Obtaining a Certificate from a Commercial CA;
17.5 When Things Go Wrong;
Chapter 18: Securing Your Web Service;
18.1 Protecting Via Redundancy;
18.2 Protecting Your DNS;
18.3 Protecting Your Domain Registration;
Chapter 19: Computer Crime;
19.1 Your Legal Options After a Break-In;
19.2 Criminal Hazards;
19.3 Criminal Subject Matter;
Security for Content Providers;
Chapter 20: Controlling Access to Your Web Content;
20.1 Access Control Strategies;
20.2 Controlling Access with Apache;
20.3 Controlling Access with Microsoft IIS;
Chapter 21: Client-Side Digital Certificates;
21.1 Client Certificates;
21.2 A Tour of the VeriSign Digital ID Center;
Chapter 22: Code Signing and Microsoft's Authenticode;
22.1 Why Code Signing?;
22.2 Microsoft's Authenticode Technology;
22.3 Obtaining a Software Publishing Certificate;
22.4 Other Code Signing Methods;
Chapter 23: Pornography, Filtering Software, and Censorship;
23.1 Pornography Filtering;
23.2 PICS;
23.3 RSACi;
23.4 Conclusion;
Chapter 24: Privacy Policies, Legislation, and P3P;
24.1 Policies That Protect Privacy and Privacy Policies;
24.2 Children's Online Privacy Protection Act;
24.3 P3P;
24.4 Conclusion;
Chapter 25: Digital Payments;
25.1 Charga-Plates, Diners Club, and Credit Cards;
25.2 Internet-Based Payment Systems;
25.3 How to Evaluate a Credit Card Payment System;
Chapter 26: Intellectual Property and Actionable Content;
26.1 Copyright;
26.2 Patents;
26.3 Trademarks;
26.4 Actionable Content;
Appendixes;
Lessons from Vineyard.NET;
In the Beginning;
Planning and Preparation;
IP Connectivity;
Commercial Start-Up;
Ongoing Operations;
Redundancy and Wireless;
The Big Cash-Out;
Conclusion;
The SSL/TLS Protocol;
History;
TLS Record Layer;
SSL/TLS Protocols;
SSL 3.0/TLS Handshake;
P3P: The Platform for Privacy Preferences Project;
How P3P Works;
Deploying P3P;
Simple P3P-Enabled Web Site Example;
The PICS Specification;
Rating Services;
PICS Labels;
References;
Electronic References;
Paper References;
Colophon;
Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites.Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:
* Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.
* Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash, and Shockwave programs are also covered.
* Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.
* Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.
Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.
Simson Garfinkel, CISSP, is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and has written for more than 50 publications, including Computerworld, Forbes, and The New York Times. He is also the author of Database Nation; Web Security, Privacy, and Commerce; PGP: Pretty Good Privacy; and seven other books. Garfinkel earned a master's degree in journalism at Columbia University in 1988 and holds three undergraduate degrees from MIT. He is currently working on his doctorate at MIT's Laboratory for Computer Science.
Preface;
Web Security: Is Our Luck Running Out?;
About This Book;
Conventions Used in This Book;
Comments and Questions;
History and Acknowledgments;
Web Technology;
Chapter 1: The Web Security Landscape;
1.1 The Web Security Problem;
1.2 Risk Analysis and Best Practices;
Chapter 2: The Architecture of the World Wide Web;
2.1 History and Terminology;
2.2 A Packet's Tour of the Web;
2.3 Who Owns the Internet?;
Chapter 3: Cryptography Basics;
3.1 Understanding Cryptography;
3.2 Symmetric Key Algorithms;
3.3 Public Key Algorithms;
3.4 Message Digest Functions;
Chapter 4: Cryptography and the Web;
4.1 Cryptography and Web Security;
4.2 Working Cryptographic Systems and Protocols;
4.3 What Cryptography Can't Do;
4.4 Legal Restrictions on Cryptography;
Chapter 5: Understanding SSL and TLS;
5.1 What Is SSL?;
5.2 SSL: The User's Point of View;
Chapter 6: Digital Identification I: Passwords, Biometrics, and Digital Signatures;
6.1 Physical Identification;
6.2 Using Public Keys for Identification;
6.3 Real-World Public Key Examples;
Chapter 7: Digital Identification II: Digital Certificates, CAs, and PKI;
7.1 Understanding Digital Certificates with PGP;
7.2 Certification Authorities: Third-Party Registrars;
7.3 Public Key Infrastructure;
7.4 Open Policy Issues;
Privacy and Security for Users;
Chapter 8: The Web's War on Your Privacy;
8.1 Understanding Privacy;
8.2 User-Provided Information;
8.3 Log Files;
8.4 Understanding Cookies;
8.5 Web Bugs;
8.6 Conclusion;
Chapter 9: Privacy-Protecting Techniques;
9.1 Choosing a Good Service Provider;
9.2 Picking a Great Password;
9.3 Cleaning Up After Yourself;
9.4 Avoiding Spam and Junk Email;
9.5 Identity Theft;
Chapter 10: Privacy-Protecting Technologies;
10.1 Blocking Ads and Crushing Cookies;
10.2 Anonymous Browsing;
10.3 Secure Email;
Chapter 11: Backups and Antitheft;
11.1 Using Backups to Protect Your Data;
11.2 Preventing Theft;
Chapter 12: Mobile Code I: Plug-Ins, ActiveX,and Visual Basic;
12.1 When Good Browsers Go Bad;
12.2 Helper Applications and Plug-ins;
12.3 Microsoft's ActiveX;
12.4 The Risks of Downloaded Code;
12.5 Conclusion;
Chapter 13: Mobile Code II: Java, JavaScript, Flash, and Shockwave;
13.1 Java;
13.2 JavaScript;
13.3 Flash and Shockwave;
13.4 Conclusion;
Web Server Security;
Chapter 14: Physical Security for Servers;
14.1 Planning for the Forgotten Threats;
14.2 Protecting Computer Hardware;
14.3 Protecting Your Data;
14.4 Personnel;
14.5 Story: A Failed Site Inspection;
Chapter 15: Host Security for Servers;
15.1 Current Host Security Problems;
15.2 Securing the Host Computer;
15.3 Minimizing Risk by Minimizing Services;
15.4 Operating Securely;
15.5 Secure Remote Access and Content Updating;
15.6 Firewalls and the Web;
15.7 Conclusion;
Chapter 16: Securing Web Applications;
16.1 A Legacy of Extensibility and Risk;
16.2 Rules to Code By;
16.3 Securely Using Fields, Hidden Fields, and Cookies;
16.4 Rules for Programming Languages;
16.5 Using PHP Securely;
16.6 Writing Scripts That Run with Additional Privileges;
16.7 Connecting to Databases;
16.8 Conclusion;
Chapter 17: Deploying SSL Server Certificates;
17.1 Planning for Your SSL Server;
17.2 Creating SSL Servers with FreeBSD;
17.3 Installing an SSL Certificate on Microsoft IIS;
17.4 Obtaining a Certificate from a Commercial CA;
17.5 When Things Go Wrong;
Chapter 18: Securing Your Web Service;
18.1 Protecting Via Redundancy;
18.2 Protecting Your DNS;
18.3 Protecting Your Domain Registration;
Chapter 19: Computer Crime;
19.1 Your Legal Options After a Break-In;
19.2 Criminal Hazards;
19.3 Criminal Subject Matter;
Security for Content Providers;
Chapter 20: Controlling Access to Your Web Content;
20.1 Access Control Strategies;
20.2 Controlling Access with Apache;
20.3 Controlling Access with Microsoft IIS;
Chapter 21: Client-Side Digital Certificates;
21.1 Client Certificates;
21.2 A Tour of the VeriSign Digital ID Center;
Chapter 22: Code Signing and Microsoft's Authenticode;
22.1 Why Code Signing?;
22.2 Microsoft's Authenticode Technology;
22.3 Obtaining a Software Publishing Certificate;
22.4 Other Code Signing Methods;
Chapter 23: Pornography, Filtering Software, and Censorship;
23.1 Pornography Filtering;
23.2 PICS;
23.3 RSACi;
23.4 Conclusion;
Chapter 24: Privacy Policies, Legislation, and P3P;
24.1 Policies That Protect Privacy and Privacy Policies;
24.2 Children's Online Privacy Protection Act;
24.3 P3P;
24.4 Conclusion;
Chapter 25: Digital Payments;
25.1 Charga-Plates, Diners Club, and Credit Cards;
25.2 Internet-Based Payment Systems;
25.3 How to Evaluate a Credit Card Payment System;
Chapter 26: Intellectual Property and Actionable Content;
26.1 Copyright;
26.2 Patents;
26.3 Trademarks;
26.4 Actionable Content;
Appendixes;
Lessons from Vineyard.NET;
In the Beginning;
Planning and Preparation;
IP Connectivity;
Commercial Start-Up;
Ongoing Operations;
Redundancy and Wireless;
The Big Cash-Out;
Conclusion;
The SSL/TLS Protocol;
History;
TLS Record Layer;
SSL/TLS Protocols;
SSL 3.0/TLS Handshake;
P3P: The Platform for Privacy Preferences Project;
How P3P Works;
Deploying P3P;
Simple P3P-Enabled Web Site Example;
The PICS Specification;
Rating Services;
PICS Labels;
References;
Electronic References;
Paper References;
Colophon;
Preface Part I. Web Technology 1. The Web Security Landscape The Web Security Problem Risk Analysis and Best Practices 2. The Architecture of the World Wide Web History and Terminology A Packet's Tour of the Web Who Owns the Internet? 3. Cryptography Basics Understanding Cryptography Symmetric Key Algorithms Public Key Algorithms Message Digest Functions 4. Cryptography and the Web Cryptography and Web Security Working Cryptographic Systems and Protocols What Cryptography Can't Do Legal Restrictions on Cryptography 5 Understanding SSL and TLS What Is SSL? SSL: The User's Point of View 6 Digital Identification I: Passwords, Biometrics, and Digital Signatures Physical Identification Using Public Keys for Identification Real-World Public Key Examples 7. Digital Identification II: Digital tificates, CAs, and PKI Understanding Digital Certificates with PGP Certification Authorities: Third-Party Registrars Public Key Infrastructure Open Policy Issues Part II. Privacy and Security for Users 8. The Web's War on Your Privacy Understanding Privacy User-Provided Information Log Files Understanding Cookies Web Bugs Conclusion 9. Privacy-Protecting Techniques Choosing a Good Service Provider Picking a Great Password Cleaning Up After Yourself Avoiding Spam and Junk Email Identity Theft 10. Privacy-Protecting Technologies Blocking Ads and Crushing Cookies Anonymous Browsing Secure Email 1. Backups and Antitheft Using Backups to Protect Your Data Preventing Theft 12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic When Good Browsers Go Bad Helper Applications and Plug-ins Microsoft's ActiveX The Risks of Downloaded Code Conclusion 1. Mobile Code II: Java, JavaScript, Flash, and Shockwave Java JavaScript Flash and Shockwave Conclusion Part III. Web Server Security 14. Physical Security for Servers Planning for the Forgotten Threats Protecting Computer Hardware Protecting Your Data Personnel Story: A Failed Site Inspection 15. Host Security for Servers Current Host Security Problems Securing the Host Computer Minimizing Risk by Minimizing Services Operating Securely Secure Remote Access and Content Updating Firewalls and the Web Conclusion 16. Securing Web Applications A Legacy of Extensibility and Risk Rules to Code By Securely Using Fields, Hidden Fields, and Cookies Rules for Programming Languages Using PHP Securely Writing Scripts That Run with Additional Privileges Connecting to Databases Conclusion 17. Deploying SSL Server Certificates Planning for Your SSL Server Creating SSL Servers with FreeBSD Installing an SSL Certificate on Microsoft IIS Obtaining a Certificate from a Commercial CA When Things Go Wrong 18. Securing Your Web Service Protecting Via Redundancy Protecting Your DNS Protecting Your Domain Registration 19. Computer Crime Your Legal Options After a Break-In Criminal Hazards Criminal Subject Matter Part IV. Security for Content Providers 20. Controlling Access to Your Web Content Access Control Strategies Controlling Access with Apache Controlling Access with Microsoft IIS 21. Client-Side Digital Certificates Client Certificates A Tour of the VeriSign Digital ID Center 22. Code Signing and Microsoft's Authenticode Why Code Signing? Microsoft's Authenticode Technology Obtaining a Software Publishing Certificate Other Code Signing Methods 23. Pornography, Filtering Software, and Censorship Pornography Filtering PICS RSACi Conclusion 24. Privacy Policies, Legislation, and P3P Policies That Protect Privacy and Privacy Policies Children's Online Privacy Protection Act P3P Conclusion 25. Digital Payments Charga-Plates, Diners Club, and Credit Cards Internet-Based Payment Systems How to Evaluate a Credit Card Payment System 26. Intellectual Property and Actionable Content Copyright Patents Trademarks Actionable Content Part V. Appendixes A. Lessons from Vineyard.NET B. The SSL/TLS Protocol C. P3P: The Platform for Privacy Preferences Project D. The PICS Specification E. References Index
Simson Garfinkel is a journalist, entrepreneur, and international authority on computer security. He is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and a frequent contributor to Wired Magazine. His articles have appeared in more than 50 publications, including ComputerWorld, Forbes, and The New York Times. Gene Spafford is a professor at Purdue University and director of CERIAS, the world's premier multi-disciplinary academic center for information security. Spafford is a Fellow of the AAAS, ACM, and IEEE, and has additionally been recognized for his research and teaching in infosec with the National Computer Systems Security Award, the William Hugh Murray Medal of the NCISSE, election to the ISSA Hall of Fame, and the Charles Murphy Award at Purdue. He was named as a CISSP, honoris causa in 2000.
|
Ask a Question About this Product More... |
|
