Web Security, Privacy & Commerce, 2/e (Paperback)

Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites.

Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:

• Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.
  
• Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash, and Shockwave programs are also covered.
  
• Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.
  
• Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.
  

Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.

Table of Contents

Preface 

Part I. Web Technology

1. The Web Security Landscape

      The Web Security Problem 

      Risk Analysis and Best Practices 

2. The Architecture of the World Wide Web

      History and Terminology 

      A Packet's Tour of the Web 

      Who Owns the Internet? 

3. Cryptography Basics

      Understanding Cryptography 

      Symmetric Key Algorithms 

      Public Key Algorithms 

      Message Digest Functions 

4. Cryptography and the Web

      Cryptography and Web Security 

      Working Cryptographic Systems and Protocols 

      What Cryptography Can't Do 

      Legal Restrictions on Cryptography 

5. Understanding SSL and TLS

      What Is SSL? 

      SSL: The User's Point of View 

6. Digital Identification I: Passwords, Biometrics, and Digital Signatures

      Physical Identification 

      Using Public Keys for Identification 

      Real-World Public Key Examples 

7. Digital Identification II: Digital Certificates, CAs, and PKI

      Understanding Digital Certificates with PGP 

      Certification Authorities: Third-Party Registrars 

      Public Key Infrastructure 

      Open Policy Issues 

Part II. Privacy and Security for Users

8. The Web's War on Your Privacy

      Understanding Privacy 

      User-Provided Information 

      Log Files 

      Understanding Cookies 

      Web Bugs 

      Conclusion 

9. Privacy-Protecting Techniques

      Choosing a Good Service Provider 

      Picking a Great Password 

      Cleaning Up After Yourself 

      Avoiding Spam and Junk Email 

      Identity Theft 

10. Privacy-Protecting Technologies

      Blocking Ads and Crushing Cookies 

      Anonymous Browsing 

      Secure Email 

11. Backups and Antitheft

      Using Backups to Protect Your Data 

      Preventing Theft 

12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic

      When Good Browsers Go Bad 

      Helper Applications and Plug-ins 

      Microsoft's ActiveX 

      The Risks of Downloaded Code 

      Conclusion 

13. Mobile Code II: Java, JavaScript, Flash, and Shockwave

      Java 

      JavaScript 

      Flash and Shockwave 

      Conclusion 

Part III. Web Server Security

14. Physical Security for Servers

      Planning for the Forgotten Threats 

      Protecting Computer Hardware 

      Protecting Your Data 

      Personnel 

      Story: A Failed Site Inspection 

15. Host Security for Servers

      Current Host Security Problems 

      Securing the Host Computer 

      Minimizing Risk by Minimizing Services 

      Operating Securely 

      Secure Remote Access and Content Updating 

      Firewalls and the Web 

      Conclusion 

16. Securing Web Applications

      A Legacy of Extensibility and Risk 

      Rules to Code By 

      Securely Using Fields, Hidden Fields, and Cookies 

      Rules for Programming Languages 

      Using PHP Securely 

      Writing Scripts That Run with Additional Privileges 

      Connecting to Databases 

      Conclusion 

17. Deploying SSL Server Certificates

      Planning for Your SSL Server 

      Creating SSL Servers with FreeBSD 

      Installing an SSL Certificate on Microsoft IIS 

      Obtaining a Certificate from a Commercial CA 

      When Things Go Wrong 

18. Securing Your Web Service

      Protecting Via Redundancy 

      Protecting Your DNS 

      Protecting Your Domain Registration 

19. Computer Crime

      Your Legal Options After a Break-In 

      Criminal Hazards 

      Criminal Subject Matter 

Part IV. Security for Content Providers

20. Controlling Access to Your Web Content

      Access Control Strategies 

      Controlling Access with Apache 

      Controlling Access with Microsoft IIS 

21. Client-Side Digital Certificates

      Client Certificates 

      A Tour of the VeriSign Digital ID Center 

22. Code Signing and Microsoft's Authenticode

      Why Code Signing? 

      Microsoft's Authenticode Technology 

      Obtaining a Software Publishing Certificate 

      Other Code Signing Methods 

23. Pornography, Filtering Software, and Censorship

      Pornography Filtering 

      PICS 

      RSACi 

      Conclusion 

24. Privacy Policies, Legislation, and P3P

      Policies That Protect Privacy and Privacy Policies 

      Children's Online Privacy Protection Act 

      P3P 

      Conclusion 

25. Digital Payments

      Charga-Plates, Diners Club, and Credit Cards 

      Internet-Based Payment Systems 

      How to Evaluate a Credit Card Payment System 

26. Intellectual Property and Actionable Content

      Copyright 

      Patents 

      Trademarks 

      Actionable Content 

Part V. Appendixes

A. Lessons from Vineyard.NET
B. The SSL/TLS Protocol
C. P3P: The Platform for Privacy Preferences Project
D. The PICS Specification
E. References

Index