Simson Garfinkel is a journalist, entrepreneur, and international authority on computer security. He is chief
technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security
tools. Garfinkel is also a columnist for Technology Review Magazine and a frequent contributor to Wired Magazine.
His articles have appeared in more than 50 publications, including ComputerWorld, Forbes, and The New York Times.
Spafford, Gene : Purdue University / CERIAS
Gene Spafford is a professor at Purdue University and director of CERIAS, the world's premier multi-disciplinary
academic center for information security. Spafford is a Fellow of the AAAS, ACM, and IEEE, and has additionally
been recognized for his research and teaching in infosec with the National Computer Systems Security Award, the
William Hugh Murray Medal of the NCISSE, election to the ISSA Hall of Fame, and the Charles Murphy Award at Purdue.
He was named as a CISSP, honoris causa in 2000.
Review
From the First Edition:
"Web Security...is an oasis in a sea of Internet security misinformation. Practical, evenhanded, comprehensive
and platform-neutral, this new book is the best source for Web security wisdom....[It's] the best single-volume
guide to the dangers of life on the Web and the technologies and strategies that can help users and publishers
enjoy the benefits and advantages of the Web."
--ENT, October 1997
"Garfinkel and Spafford deal head on with key elements of Internet and enterprise security. Web Security and
Commerce addresses modern security technologies and applications in a comprehensive fashion, and is an important
work in the explosive, fast-moving, and highly visible security field."
--Eric Greenberg, Group Security Product Manager, Netscape Communications Corporation
"This is a truly useful book which can help people avoid a lot of the risks in Webware. It is intelligently
written, timely, informative, accurate, comprehensive, understandable, and a great pleasure to read. It is the
Web-ster's definitive guide to security."
--Peter G. Neumann, moderator of ACM "RISKS" Forum and author of Computer-Related Risks
"This book is packed with useful information and solid advice for Web users, Webmasters, and developers. Garfinkel
and Spafford skip the usual marketing hype and tell us how and why Web security works--or breaks down--in the real
world."
--Dr. Edward Felten, head of Princeton University's Secure Internet Programming Group and author of Java Security.
"This book is for Web users and Webmasters who want or need to know about how and why Web security works -
or doesn't. The authors cut through the hype and tell you how to minimize the risks of using the Web, with an informative
and comprehensive discussion of browser vulnerabilities, issues with Java, Javascript, ActiveX, and plug-ins, cryptography,
digital certificates, Web server security, legal issues and more."
--Geoff Choo, Director Solutions WEBzine, http://space.tin.it/internet/gchoo/html/books_web.html
"If you have a business, and you want to learn how to protect the security of your Web site, or if you're
a Web surfer and want to know more about privacy on the Web, a new book, Web Security & Commerce by Simson
Garfinkel with Gene Spafford, is the best I've seen."
--Michael Ketcher, Bull & Bear Financial Report, March 1998
"Garfinkel and Spafford provide a thorough, engrossing, and disconcerting overview of all the relevant security
issues...an excellent book all around--generous with technical detail and practical examples, yet accessible and
fascinating to read. It's recommended for anyone who's interested in the subject."
--John Frazer Dobson, Computer Shopper June 1998
"If you're looking for practical and real-world information on Web Security, then this book covers a lot."
--Bob Swart, Developer Magazine, Oct 2000
O'Reilly & Associates, Inc. Web Site, November, 2001
Summary
Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce
has become a daily part of business and personal life. As Web use has grown, so have the threats to our security
and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks
that shut down popular web sites.
Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today,
and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and
Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:
Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of
e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure),
and digital identification, including passwords, digital signatures, and biometrics.
Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity
theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites
with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash,
and Shockwave programs are also covered.
Web server security--Administrators and service providers discover how to secure their systems and web services.
Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.
Web content security--Zero in on web publishing issues for content providers, including intellectual property,
copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code
signing, pornography filtering and PICS, and other controls on web content.
Nearly double the size of the first edition, this completely updated volume is destined to be the definitive
reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization,
your system, and your network.
Table of Contents
Preface
Part I. Web Technology
1. The Web Security Landscape
The Web Security Problem
Risk Analysis and Best Practices
2. The Architecture of the World Wide Web
History and Terminology
A Packet's Tour of the Web
Who Owns the Internet?
4. Cryptography and the Web
Cryptography and Web Security
Working Cryptographic Systems and Protocols
What Cryptography Can't Do
Legal Restrictions on Cryptography
5. Understanding SSL and TLS
What Is SSL?
SSL: The User's Point of View
6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
Physical Identification
Using Public Keys for Identification
Real-World Public Key Examples
7. Digital Identification II: Digital Certificates, CAs, and PKI
Understanding Digital Certificates with PGP
Certification Authorities: Third-Party Registrars
Public Key Infrastructure
Open Policy Issues
Part II. Privacy and Security for Users
8. The Web's War on Your Privacy
Understanding Privacy
User-Provided Information
Log Files
Understanding Cookies
Web Bugs
Conclusion
9. Privacy-Protecting Techniques
Choosing a Good Service Provider
Picking a Great Password
Cleaning Up After Yourself
Avoiding Spam and Junk Email
Identity Theft
10. Privacy-Protecting Technologies
Blocking Ads and Crushing Cookies
Anonymous Browsing
Secure Email
11. Backups and Antitheft
Using Backups to Protect Your Data
Preventing Theft
12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
When Good Browsers Go Bad
Helper Applications and Plug-ins
Microsoft's ActiveX
The Risks of Downloaded Code
Conclusion
13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
Java
JavaScript
Flash and Shockwave
Conclusion
Part III. Web Server Security
14. Physical Security for Servers
Planning for the Forgotten Threats
Protecting Computer Hardware
Protecting Your Data
Personnel
Story: A Failed Site Inspection
15. Host Security for Servers
Current Host Security Problems
Securing the Host Computer
Minimizing Risk by Minimizing Services
Operating Securely
Secure Remote Access and Content Updating
Firewalls and the Web
Conclusion
16. Securing Web Applications
A Legacy of Extensibility and Risk
Rules to Code By
Securely Using Fields, Hidden Fields, and Cookies
Rules for Programming Languages
Using PHP Securely
Writing Scripts That Run with Additional Privileges
Connecting to Databases
Conclusion
17. Deploying SSL Server Certificates
Planning for Your SSL Server
Creating SSL Servers with FreeBSD
Installing an SSL Certificate on Microsoft IIS
Obtaining a Certificate from a Commercial CA
When Things Go Wrong
18. Securing Your Web Service
Protecting Via Redundancy
Protecting Your DNS
Protecting Your Domain Registration
19. Computer Crime
Your Legal Options After a Break-In
Criminal Hazards
Criminal Subject Matter
Part IV. Security for Content Providers
20. Controlling Access to Your Web Content
Access Control Strategies
Controlling Access with Apache
Controlling Access with Microsoft IIS
21. Client-Side Digital Certificates
Client Certificates
A Tour of the VeriSign Digital ID Center
22. Code Signing and Microsoft's Authenticode
Why Code Signing?
Microsoft's Authenticode Technology
Obtaining a Software Publishing Certificate
Other Code Signing Methods
