Web Security and Commerce

Book Description

Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers--is this what the World Wide Web is really all about? Web Security & Commerce cuts through the hype and the front page stories. It tells you what the real risks are and explains how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Whatever browser or server you are using, you and your system will benefit from this book. Topics include:

  • User safety--browser vulnerabilities (with an emphasis on Netscape Navigator and Microsoft Internet Explorer), privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins.

  • Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing is all about.

  • Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today.

  • Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.

  • Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand.

Table of Contents

  Web Security & Commerce
    Preface
      1. The Web: Promises and Threats
      2. About This Book
        1. Chapter-by-Chapter
        2. What You Should Know
        3. Web Software Covered by This Book
        4. Why Another Book on Computer Security?
      3. Conventions Used in This Book
      4. Comments and Questions
      5. Acknowledgments
    I. Introduction
      1. The Web Security Landscape
        1. Web Security in a Nutshell
          1. Why Worry about Web Security?
          2. Terminology
          3. What’s a “Secure Web Server” Anyway?
        2. The Web Security Problem
          1. Securing the Web Server
          2. Securing Information in Transit
          3. Securing the User’s Computer
        3. Credit Cards, Encryption, and the Web
          1. A Typical Transaction
          2. New Lessons from the Credit Card Example
        4. Firewalls: Part of the Solution
          1. Locating Your Web Server with Respect to Your Firewall
        5. Risk Management
    II. User Safety
      2. The Buggy Browser: Evolution of Risk
        1. Browser History
          1. The Return of Block Mode
          2. <blink>
          3. Animation
          4. Helper Applications
          5. Programmability
        2. Data-Driven Attacks
          1. Social Engineering
          2. Bug Exploitations
          3. Web-Based Programming Languages
        3. Implementation Flaws: A Litany of Bugs
      3. Java and JavaScript
        1. Java
          1. Java the Language
          2. Java Safety
          3. Java Security
            1. Safety is not security
            2. Sandbox
            3. SecurityManager class
            4. Class Loader
            5. Bytecode Verifier
          4. Java Security Policy
            1. Setting Java policy from Netscape Navigator 2.3
            2. Setting Java policy from Internet Explorer 3.0
            3. Setting Java policy from Netscape Navigator 4.0
            4. Setting Java policy from Internet Explorer 4.0
          5. Java Security Problems
            1. Java implementation errors
            2. Java design flaws
            3. The Java DNS policy dispute
          6. Java Security Future
        2. JavaScript
          1. JavaScript Security
          2. JavaScript and Resource Management
          3. JavaScript and Privacy
        3. Denial-of-Service Attacks
          1. Do Denial-of-Service Attacks Matter?
          2. Kinds of Denial-of-Service Attacks
            1. CPU and stack attacks
            2. Can’t break a running script
            3. Swap space attacks
            4. Window system attacks
          3. Can Denial-of-Service Attacks Be Stopped?
        4. JavaScript-Enabled Spoofing Attacks
          1. Spoofing Username/Password Pop-Ups with Java
          2. Spoofing Browser Status with JavaScript
          3. Mirror Worlds
        5. Conclusion
      4. Downloading Machine Code with ActiveX and Plug-Ins
        1. When Good Browsers Go Bad
          1. Card Shark
          2. The Sexy Girls Pornography Viewer
        2. Netscape Plug-Ins
          1. Getting the Plug-In
          2. Evaluating Plug-In Security
          3. When Security Fails: Macromedia Shockwave
          4. Tactical Plug-In Attacks
        3. ActiveX and Authenticode
          1. Kinds of ActiveX Controls
          2. The <OBJECT> Tag
          3. Authenticode
          4. Internet Exploder
        4. The Risks of Downloaded Code
          1. Programs That Can Spend Your Money
            1. Telephone billing records
            2. Electronic funds transfers
          2. Programs That Violate Privacy and Steal Confidential Information
            1. A wealth of private data
        5. Is Authenticode a Solution?
          1. Signed Code is Not Safe Code
          2. Signed Code Can Be Hijacked
          3. Reconstructing After an Attack
          4. Recovering from an Attack
        6. Improving the Security of Downloaded Code
          1. Trusted Vendors
          2. Separate Execution Contexts
      5. Privacy
        1. Log Files
          1. The Refer Link
          2. Looking at the Logs
        2. Cookies
          1. Anatomy of a Cookie
          2. Cookies for Tracking
          3. Disabling Cookies
          4. Cookies That Protect Privacy
        3. Personally Identifiable Information
        4. Anonymizers
        5. Unanticipated Disclosure
          1. Violating Trade Secrets
          2. Revealing Disparaging Remarks
    III. Digital Certificates
      6. Digital Identification Techniques
        1. Identification
          1. The Need for Identification Today
          2. Credentials-Based Identification Systems
            1. Forgery-proof IDs
            2. Using a document-based ID system
          3. Computerized Identification Techniques
            1. Password-based systems: something that you know
            2. Physical tokens: something that you have
            3. Biometrics: something that you are
            4. Location: someplace where you are
          4. Using Digital Signatures for Identification
            1. Physical devices for digital signatures
            2. Veritas: digital signatures for physical credentials
        2. Public Key Infrastructure
          1. Certification Authorities
            1. Revocation
            2. Certification practices statement (CPS)
          2. The X.509 v3 Certificate
        3. Problems Building a Public Key Infrastructure
          1. Private Keys Are Not People
          2. Distinguished Names Are Not People
          3. There Are Too Many Robert Smiths
          4. Today’s Digital Certificates Don’t Tell Enough
          5. X.509 v3 Does Not Allow Selective Disclosure
          6. Digital Certificates Allow For Easy Data Aggregation
          7. How Many CAs Does Society Need?
          8. How Do You Loan a Key?
          9. Are There Better Suited Alternatives to Public Key Digital Signatures?
          10. Why Do These Questions Matter?
        4. Ten Policy Questions
          1. Is legislation necessary at all?
          2. Where should PKI legislation occur?
          3. Is licensing of certification authorities the right approach?
          4. Should legislation endorse public key cryptography, or be “technology neutral”?
          5. Should legislation endorse the X.509 paradigm?
          6. How should liability and risk be allocated in a PKI?
          7. What mechanisms should be used to allocate risk?
          8. Should digitally signed documents be considered “writings” for all legal purposes?
          9. How much evidentiary weight should a digitally signed document carry?
          10. Should governments act as CAs?
      7. Certification Authorities and Server Certificates
        1. Certificates Today
          1. Different Kinds of Certificates
        2. Certification Authority Certificates
          1. Bootstrapping the PKI
        3. Server Certificates
          1. The SSL Certificate Format
          2. Obtaining a Certificate for Your Server
            1. Certificate renewal
          3. Viewing a Site’s Certificate
          4. When Things Go Wrong
            1. Not yet valid and expired certificates
            2. Wrong server address
          5. Netscape Navigator 3.0’s New Certificate Wizard
          6. Adding a New Site Certificate with Internet Explorer
        4. Conclusion
      8. Client-Side Digital Certificates
        1. Client Certificates
          1. Support for Client-Side Digital Certificates
        2. A Tour of the VeriSign Digital ID Center
          1. Generating a VeriSign Digital ID
          2. Installing Your Digital Certificate
          3. Behind the Scenes
            1. Behind the scenes with Netscape Navigator
            2. Behind the scenes with Internet Explorer
          4. Finding a Digital ID
          5. Revoking a Digital ID
          6. VeriSign’s Class System
      9. Code Signing and Microsoft’s Authenticode
        1. Why Code Signing?
          1. Code Signing in Theory
          2. Code Signing Today
          3. Code Signing and U.S. Export Controls
        2. Microsoft’s Authenticode Technology
          1. The “Pledge”
          2. Publishing with Authenticode
            1. Signing a program
            2. The Code Signing Wizard
          3. Verifying Authenticode Signatures
          4. Support for Authenticode in Internet Explorer
            1. Controlling Authenticode in Internet Explorer
        3. Obtaining a Software Publisher’s Certificate
        4. Other Code Signing Methods
    IV. Cryptography
      10. Cryptography Basics
        1. Understanding Cryptography
          1. Roots of Cryptography
          2. Terminology
          3. A Cryptographic Example
          4. Is Cryptography a Military or Civilian Technology?
          5. Cryptographic Algorithms and Functions
        2. Symmetric Key Algorithms
          1. Cryptographic Strength
          2. Attacks on Symmetric Encryption Algorithms
            1. Key search (brute force) attacks
            2. Cryptanalysis
            3. Systems-based attacks
        3. Public Key Algorithms
          1. Attacks on Public Key Algorithms
            1. Factoring attacks
            2. Algorithmic attacks
            3. Known versus published methods
        4. Message Digest Functions
          1. Message Digest Algorithms at Work
          2. Uses of Message Digest Functions
          3. Attacks on Message Digest Functions
        5. Public Key Infrastructure
      11. Cryptography and the Web
        1. Cryptography and Web Security
          1. What Cryptography Can’t Do
        2. Today’s Working Encryption Systems
          1. PGP
          2. S/MIME
          3. SSL
          4. PCT
          5. S-HTTP
          6. SET
          7. CyberCash
          8. DNSSEC
          9. IPsec and IPv6
          10. Kerberos
          11. SSH
        3. U.S. Restrictions on Cryptography
          1. Cryptography and the U.S. Patent System
            1. The public key patents
            2. History of the public key patents
            3. The public key patents today
            4. Public key patents overseas
          2. Cryptography and the U.S. Trade Secret Law
            1. Trade secrets under U.S. Law
            2. RC2, RC4, and trade secret law
          3. Cryptography and U.S. Export Control Law
        4. Foreign Restrictions on Cryptography
      12. Understanding SSL and TLS
        1. What Is SSL?
          1. SSL Versions
          2. Features
          3. Digital Certificates
          4. U.S. Exportability
          5. SSL Implementations
            1. SSL Netscape
            2. SSLRef
            3. SSLeay
            4. SSL Java
          6. Performance
        2. TLS Standards Activities
        3. SSL: The User’s Point of View
          1. Browser Preferences
            1. Navigator preferences
            2. Internet Explorer preferences
          2. Browser Alerts and Indicators
    V. Web Server Security
      13. Host and Site Security
        1. Historically Unsecure Hosts
        2. Current Major Host Security Problems
          1. Policies
          2. Password Sniffing
            1. Protection against sniffing
              1. Use a token-based authentication system.
              2. Use a non-reusable password system.
              3. Use a system that relies on encryption.
          3. Security Tools
            1. Snapshot tools
            2. Change-detecting tools
            3. Network scanning programs
            4. Intrusion detection programs
          4. Faults, Bugs, and Programming Errors
            1. Initial purchase
            2. Bugs and flaws
          5. Logging
          6. Backups
        3. Minimizing Risk by Minimizing Services
        4. Secure Content Updating
        5. Back-End Databases
        6. Physical Security
      14. Controlling Access to Your Web Server
        1. Access Control Strategies
          1. Hidden URLs
          2. Host-Based Restrictions
            1. Firewalls
          3. Identity-Based Access Controls
        2. Implementing Access Controls with <Limit> Blocks
          1. Commands Before the <Limit>...</Limit> Directive
          2. Commands Within the <Limit>...</Limit> Block
          3. <Limit> Examples
          4. Manually Setting Up Web Users and Passwords
        3. A Simple User Management System
          1. The newuser Script
      15. Secure CGI/API Programming
        1. The Danger of Extensibility
          1. Programs That Should Not Be CGIs
          2. CGIs with Unintended Side Effects
            1. The problem with the script
            2. Fixing the problem
        2. Rules To Code By
        3. Specific Rules for Specific Programming Languages
          1. Rules for Perl
          2. Rules for C
          3. Rules for the UNIX Shell
        4. Tips on Writing CGI Scripts That Run with Additional Privileges
        5. Conclusion
    VI. Commerce and Society
      16. Digital Payments
        1. Charga-Plates, Diners Club, and Credit Cards
          1. A Very Short History of Credit
          2. Payment Cards in the United States
          3. The Interbank Payment Card Transaction
            1. The charge card check digit algorithm
            2. The charge slip
            3. Charge card fees
          4. Refunds and Charge-Backs
          5. Using Credit Cards on the Internet
        2. Internet-Based Payment Systems
          1. DigiCash
            1. Enrollment
            2. Purchasing
            3. Security and privacy
          2. Virtual PIN
            1. Enrollment
            2. Purchasing
            3. Security and privacy
          3. CyberCash/CyberCoin
            1. Enrollment
            2. Purchasing
            3. Security and privacy
          4. SET
            1. Two channels: one for the merchant, one for the bank
          5. Smart Cards
          6. Mondex
        3. How to Evaluate a Credit Card Payment System
      17. Blocking Software and Censorship Technology
        1. Blocking Software
          1. Problems with Blocking Software
        2. PICS
          1. What Is PICS?
          2. PICS Applications
          3. PICS and Censorship
            1. Access controls become tools for censorship
            2. Censoring the network
        3. RSACi
      18. Legal Issues: Civil
        1. Intellectual Property
          1. Copyright Law
            1. Copyright infringement
            2. Software piracy and the SPA
            3. Warez
          2. Patent Law
          3. Cryptography and the U.S. Patent System
          4. Trademark Law
            1. Obtaining a trademark
            2. Trademark violations
            3. Trademarks and domain names
        2. Torts
          1. Libel and Defamation
          2. Liability for Damage
          3. Incorporation
      19. Legal Issues: Criminal
        1. Your Legal Options After a Break-In
          1. Filing a Criminal Complaint
            1. Local jurisdiction
            2. Federal jurisdiction
          2. Federal Computer Crime Laws
          3. Hazards of Criminal Prosecution
        2. Criminal Hazards That May Await You
          1. If You or One of Your Employees Is a Target of an Investigation . . .
          2. The Responsibility To Report Crime
        3. Criminal Subject Matter
          1. Access Devices and Copyrighted Software
          2. Pornography, Indecency, and Obscenity
          3. Cryptographic Programs and Export Controls
        4. Play it Safe . . .
        5. Laws and Activism
    VII. Appendixes
      A. Lessons from Vineyard.NET
        1. Planning and Preparation
          1. Lesson: Whenever you are pulling wires, pull more than you need.
          2. Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.
          3. Lesson: Use centrally located punch-down blocks or 10Base-T wiring blocks for both your computer networks and your telephone networks.
          4. Lesson: Don’t go overboard.
          5. Lesson: Plan your computer room carefully: you will have to live with its location for a long time.
        2. IP Connectivity
          1. Lesson: Set milestones and stick to them.
          2. Lesson: Get your facilities in order.
        3. Commercial Start-Up
          1. Working with the Phone Company
            1. Lesson: Design your systems so that they will fail gracefully.
            2. Lesson: Know your phone company. Know its terminology, the right contact people, the phone numbers for internal organizations, and everything else you can find out.
          2. Incorporating Vineyard.NET
          3. Initial Expansion
            1. Lesson: Build sensible business partnerships.
          4. Accounting Software
            1. Lesson: Use your web server for as much as you can.
            2. Lesson: Have programs be table-driven as often as possible.
            3. Lesson: Tailor your products for your customers.
            4. Lesson: Build systems that are extensible, and always practice good software engineering.
            5. Lesson: Automate everything you possibly can.
          5. Publicity and Privacy
            1. Lesson: Always be friendly to the press.
            2. Lesson: Never give out your home phone number (and please don’t give out mine!).
            3. Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
        4. Ongoing Operations
          1. Security Concerns
            1. Lesson: Don’t run programs with a history of security problems (e.g., sendmail).
            2. Lesson: Make frequent backups.
            3. Lesson: Limit logins to your servers.
            4. Lesson: Beware of TCP/IP spoofing.
            5. Lesson: Defeat packet sniffing.
            6. Lesson: Restrict logins.
            7. Lesson: Tighten up your system beyond manufacturer recommendations.
            8. Lesson: Eschew free software.
          2. Phone Configuration and Billing Problems
          3. Credit Cards and ACH
            1. Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
            2. Lesson: Live credit card numbers are dangerous.
            3. Lesson: Encrypt sensitive information and be careful with your decryption keys.
            4. Lesson: Log everything, and have lots of reports.
            5. Lesson: Explore a variety of payment systems.
            6. Lesson: Make it easy for your customers to save you money.
          4. Monitoring Software
            1. Lesson: Monitor your system.
        5. Conclusion
      B. Creating and Installing Web Server Certificates
        1. Downloading and Installing Your Web Server
        2. Apache-SSL
          1. Obtaining Apache-SSL
          2. Installing Apache-SSL
          3. Installing Your VeriSign Certificate
          4. Server Key: To Encrypt or Not To Encrypt?
          5. Starting, Reloading, and Stopping Apache-SSL
      C. The SSL 3.0 Protocol
        1. History
        2. SSL 3.0 Record Layer
        3. SSL 3.0 Protocols
          1. Alert Protocol
          2. ChangeCipherSpec Protocol
          3. Handshake Protocol
        4. SSL 3.0 Handshake
          1. Sequence of Events
            1. ClientHello
            2. ServerHello
            3. Server Certificate
            4. Server Key Exchange
            5. Certificate Request
            6. Client Sends Certificate
            7. ClientKeyExchange
            8. CertificateVerify
            9. ChangeCipherSpec
            10. Finished
          2. Application Data
        5. SSLeay
          1. SSLeay Examples
            1. SSLeay Client
            2. SSLeay Server
            3. SSLeay CA
            4. Running the server
            5. Running the client
            6. SSLeay ca.conf file
      D. The PICS Specification
        1. Rating Services
        2. PICS Labels
          1. Labeled Documents
          2. Requesting PICS Labels by HTTP
          3. Requesting a Label From a Rating Service
      E. References
        1. Electronic References
          1. Mailing Lists
            1. Academic-Firewalls
            2. Best of security
            3. Bugtraq
            4. CERT-advisory
            5. CIAC-notes
            6. Computer underground digest
            7. Firewalls
            8. FWALL-user
            9. NT-security
            10. RISKS
            11. WWW-security
          2. Usenet Groups
          3. WWW Pages
            1. Applied Cryptography
            2. Apache change-password
            3. CIAC
            4. COAST
            5. DigiCrime
            6. FIRST
            7. NIH
            8. Princeton SIP
            9. RSA Data Security
            10. SSLeay and SSLapps FAQ
            11. Telstra
            12. WWW security
          4. Software Resources
            1. CERN HTTP daemon
            2. chrootuid
            3. COPS (Computer Oracle and Password System)
            4. ISS (Internet Security Scanner)
            5. Kerberos
            6. portmap
            7. SATAN
            8. SSH
            9. SOCKS
            10. Stel
            11. Swatch
            12. tcpwrapper
            13. Tiger
            14. TIS Internet Firewall Toolkit
            15. trimlog
            16. Tripwire
            17. UDP Packet Relayer
            18. wuarchive ftpd
        2. Paper References
          1. Computer Crime and Law
          2. Computer-Related Risks
          3. Computer Viruses and Programmed Threats
          4. Cryptography
          5. General Computer Security
          6. Network Technology and Security
          7. Security Products and Services Information
          8. Programming and System Administration
          9. Miscellaneous References
    Index
    Colophon