Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites. Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:
Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.
Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.
Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.
Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.
Table of Contents
Web Security, Privacy & Commerce, 2nd Edition
I. Web Technology
1. The Web Security Landscape
2. The Architecture of the World Wide Web
- History and Terminology
- A Packet’s Tour of the Web
- Who Owns the Internet?
3. Cryptography Basics
- Understanding Cryptography
- Symmetric Key Algorithms
- Public Key Algorithms
- Message Digest Functions
4. Cryptography and the Web
- Cryptography and Web Security
- Working Cryptographic Systems and Protocols
- What Cryptography Can’t Do
- Legal Restrictions on Cryptography
  - Cryptography and the Patent System
  - Cryptography and Trade Secret Law
  - Regulation of Cryptography by International and National Law
5. Understanding SSL and TLS
- What Is SSL?
- SSL: The User’s Point of View
6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
- The Need for Identification Today
- Paper-Based Identification Techniques
- Computer-Based Identification Techniques
- Using Public Keys for Identification
- Real-World Public Key Examples
- Physical Identification
7. Digital Identification II: Digital Certificates, CAs, and PKI
- Understanding Digital Certificates with PGP
- Certification Authorities: Third-Party Registrars
- Public Key Infrastructure
  - Certification Authorities: Some History
  - Internet Explorer Preinstalled Certificates
  - Netscape Navigator Preinstalled Certificates
  - Multiple Certificates for a Single CA
  - Shortcomings of Today’s CAs
- Open Policy Issues
  - Private Keys Are Not People
  - Distinguished Names Are Not People
  - There Are Too Many Robert Smiths
  - Today’s Digital Certificates Don’t Tell Enough
  - X.509 v3 Does Not Allow Selective Disclosure
  - Digital Certificates Allow for Easy Data Aggregation
  - How Many CAs Does Society Need?
  - How Do You Loan a Key?
  - Why Do These Questions Matter?
- Brad Biddle on Digital Signatures and E-SIGN
II. Privacy and Security for Users
8. The Web’s War on Your Privacy
- Understanding Privacy
- User-Provided Information
- Log Files
- Understanding Cookies
- Web Bugs
9. Privacy-Protecting Techniques
- Choosing a Good Service Provider
- Picking a Great Password
  - Why Use Passwords?
  - Bad Passwords: Open Doors
  - Smoking Joes
  - Good Passwords: Locked Doors
  - Writing Down Passwords
  - Strategies for Managing Multiple Usernames and Passwords
  - Sharing Passwords
  - Beware of Password Sniffers and Stealers
- Cleaning Up After Yourself
  - Browser Cache
  - Browser History
  - Passwords, Form-Filling, and AutoComplete Settings
- Avoiding Spam and Junk Email
- Identity Theft
10. Privacy-Protecting Technologies
11. Backups and Antitheft
- Using Backups to Protect Your Data
- Preventing Theft
12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
- When Good Browsers Go Bad
- Helper Applications and Plug-ins
- Microsoft’s ActiveX
- The Risks of Downloaded Code
- Flash and Shockwave
III. Web Server Security
14. Physical Security for Servers
- Planning for the Forgotten Threats
- Protecting Computer Hardware
  - The Environment
  - Preventing Accidents
  - Physical Access
  - Defending Against Acts of War and Terrorism
  - Preventing Theft
- Protecting Your Data
  - Protecting Backups
  - Sanitizing Media Before Disposal
  - Sanitizing Printed Media
  - Protecting Local Storage
  - Unattended Terminals
  - Key Switches
- Story: A Failed Site Inspection
15. Host Security for Servers
- Current Host Security Problems
- Securing the Host Computer
- Minimizing Risk by Minimizing Services
- Operating Securely
- Secure Remote Access and Content Updating
- Firewalls and the Web
16. Securing Web Applications
- A Legacy of Extensibility and Risk
- Rules to Code By
- Securely Using Fields, Hidden Fields, and Cookies
- Rules for Programming Languages
- Using PHP Securely
- Writing Scripts That Run with Additional Privileges
- Connecting to Databases
17. Deploying SSL Server Certificates
- Planning for Your SSL Server
- Creating SSL Servers with FreeBSD
  - Obtaining the Programs
  - Installing Apache and mod_ssl on FreeBSD
  - Verifying the Initial Installation
  - Signing Your Keys with Your Own Certification Authority
  - Securing Other Services
- Installing an SSL Certificate on Microsoft IIS
- Obtaining a Certificate from a Commercial CA
- When Things Go Wrong
18. Securing Your Web Service
19. Computer Crime
- Your Legal Options After a Break-In
- Criminal Hazards
- Criminal Subject Matter
IV. Security for Content Providers
20. Controlling Access to Your Web Content
- Access Control Strategies
- Controlling Access with Apache
  - Enforcing Access Control Restrictions with the .htaccess File
  - Enforcing Access Control Restrictions with the Web Server’s Configuration File
  - Commands Before the <Limit>...</Limit> Directive
  - Commands Within the <Limit>...</Limit> Block
  - <Limit> Examples
  - Manually Setting Up Web Users and Passwords
  - Advanced User Management
- Controlling Access with Microsoft IIS
21. Client-Side Digital Certificates
22. Code Signing and Microsoft’s Authenticode
- Why Code Signing?
- Microsoft’s Authenticode Technology
- Obtaining a Software Publishing Certificate
- Other Code Signing Methods
23. Pornography, Filtering Software, and Censorship
24. Privacy Policies, Legislation, and P3P
- Policies That Protect Privacy and Privacy Policies
- Children’s Online Privacy Protection Act
25. Digital Payments
- Charga-Plates, Diners Club, and Credit Cards
- Internet-Based Payment Systems
  - Virtual PIN
  - Gator Wallet
  - Microsoft Passport
  - Other Payment Systems
- How to Evaluate a Credit Card Payment System
26. Intellectual Property and Actionable Content
A. Lessons from Vineyard.NET
- In the Beginning
- Planning and Preparation
  - Lesson: Whenever you are pulling wires, pull more than you need.
  - Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.
  - Lesson: Use centrally located punch-down blocks for computer and telephone networks.
  - Lesson: Don’t go overboard.
  - Lesson: Plan your computer room carefully; you will have to live with its location for a long time.
- IP Connectivity
- Working with the Phone Company
- Incorporating Vineyard.NET
- Initial Expansion
- Accounting Software
- Publicity and Privacy
  - Lesson: Don’t run programs with a history of security problems.
  - Lesson: Make frequent backups.
  - Lesson: Limit logins to your servers.
  - Lesson: Beware of TCP/IP spoofing.
  - Lesson: Defeat packet sniffing.
  - Lesson: Restrict logins.
  - Lesson: Tighten up your system beyond manufacturer recommendations.
  - Lesson: Remember, the “free” in “free software” refers to “freedom.”
- Phone Configuration and Billing Problems
- Credit Cards and ACH
  - Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
  - Lesson: Live credit card numbers are dangerous.
  - Lesson: Encrypt sensitive information and be careful with your decryption keys.
  - Lesson: Log everything, and have lots of reports.
  - Lesson: Explore a variety of payment systems.
  - Lesson: Make it easy for your customers to save you money.
  - Lesson: Have a backup supplier.
- Monitoring Software
- Security Concerns
- Redundancy and Wireless
- The Big Cash-Out
B. The SSL/TLS Protocol
- TLS Record Layer
- SSL/TLS Protocols
- SSL 3.0/TLS Handshake
C. P3P: The Platform for Privacy Preferences Project
D. The PICS Specification
- Mailing Lists
- Usenet Groups
- Web Pages and FTP Repository
- Software Resources
- Computer Crime and Law
- Computer-Related Risks
- Computer Viruses and Programmed Threats
- General Computer Security
- System Administration, Network Technology, and Security
- Security Products and Services Information
- Miscellaneous References
- Electronic References
About the Authors