Garfinkel and Spafford, longtime Net veterans, overturn a lot of misconceptions about online security in a commonsense book that is easily accessible to even nontechnical readers. They make it clear that any commercial Web site requires careful attention to security-even if the site doesn't carry any sensitive information. Furthermore, the authors show that there's a lot more to security than merely encrypting transmissions. Their goal is to lay the foundation for securing the three parts of a system: the Web server and its data; the information that travels between server and user; and the user's own computer and the information stored there.
Because of the rapidly evolving nature of Web security, Garfinkel and Spafford are not specific in terms of security flaws and tools to fix them. Instead, they emphasize laying out the Web-security principles that will be applicable throughout several generations of hardware and software change. In the process, they give extensive coverage to user safety, digital certificates, cryptography, Web-server security, and the larger issues of commerce and society. Appendix A shows the lessons of the book in action as it details Garfinkel's experience running and securing the Vineyard.net Internet service provider. --Elizabeth Lewis
The World Wide Web is the fastest growing part of the Internet -- and the part that is the most vulnerable to attack. There are a number of reasons: Commerce: The Internet is becoming increasingly commercialized; browsers are being used to look at material available for purchase, and people are sending credit card information via the Web. This sensitive financial information is an attractive target for attackers. Proprietary information: Organizations are using the Web more and more to distribute information both internally and externally. This information is also a tempting target for economic competitors. Network access: Web servers are an ideal target since a compromised web server can be used to further attack networked computers within an organization. Extensibility: New technologies allow both servers (CGI) and browsers (Java and ActiveX) to be extended. Unfortunately, web extensibility can become a backdoor for attackers. Too many organizations are rushing headlong into using the Web without considering the potential for attack and compromise. Web Security & Commerce looks at the vulnerabilities of WWW servers, browsers, and a variety of new technologies that increase the power and scope of the Web, but which unfortunately may also put it at risk. This book examines the technologies and the risks, and it describes the best available strategies for minimizing those risks. Topics include basic web, host, and site security, CGI/API programming, cryptography, the Secure Socket Layer (SSL), digital IDs, web servers (e.g., Apache-SSL, Netscape), Java, JavaScript, ActiveX, code signing, electronic commerce, and legal issues. A detailed table of contents follows: Preface The Web: Promises and Threats This book Acknowledgements I:Web Security Basics 1:Introduction Web Security in a Nutshell The Web Security Problem Credit-Cards, Encryption and Netscape Firewalls: Who Needs Them? Web Security is not "All or nothing." 2:Controlling Access to Web-Based Information Controlling Access to Files on Your Server Website Users Host Users 3:Host And Site Security Common Problems Minimizing Web Server Risk Host Security Site Security 4:Secure CGI/API Programming The Danger of Extensibility. A Common Problem Rules To Code By Specific Rules for Specific Programming Languages Tips on Writing SUID/SGID CGI Scripts Tips on Using Passwords Environment Variables II:Enhanced Web Security 5:Cryptography Basics Understanding Cryptography Cryptographic Algorithms and Functions Key Length and Cryptographic Strength Key Escrow Legal Restrictions on Cryptography 6:Cryptography and the Web Encryption and Web Security Working Cryptosystems 7:Understanding SSL Overview The SSL v3.0 Protocol Support for SSL SSL: The User's Point of View 8:Digital IDs Identity Cards for Cyberspace Public Key Infrastructure Using Digital IDs Digital IDs and the Web 9:Apache-SSL Apache-SSL SSLeay 10:Netscape WWW Servers 11:WebSite Pro 12:WebStar: A Secure Macintosh Web Server 13:Java Browser History: An Evolution of Risk Java Security JavaScript Security Plug-ins and ActiveX Code Signing Implementation Flaws III:Browsers and Beyond 14:JavaScript 15:ActiveX: 16:Code Signing IV:Commerce and Society 17:Parental Controls 18:Getting Paid Credit Cards Digital Cash How to Evaluate a Payment System 19:Legal Issues Intellectual Property Torts Criminal Subject Matter