Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers--is this what the World Wide Web is really all about? Web Security & Commerce cuts through the hype and the front page stories. It tells you what the real risks are and explains how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Whatever browser or server you are using, you and your system will benefit from this book. Topics include:
- Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing is all about.
- Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today.
- Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.
- Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) are about, and what civil and criminal issues you need to understand.
Table of Contents
Web Security & Commerce
1. The Web Security Landscape
- Web Security in a Nutshell
- The Web Security Problem
- Credit Cards, Encryption, and the Web
- Firewalls: Part of the Solution
- Risk Management
II. User Safety
2. The Buggy Browser: Evolution of Risk
- Java the Language
- Java Safety
- Java Security
- Java Security Policy
- Java Security Problems
- Java Security Future
- Denial-of-Service Attacks
4. Downloading Machine Code with ActiveX and Plug-Ins
- When Good Browsers Go Bad
- Netscape Plug-Ins
- ActiveX and Authenticode
- The Risks of Downloaded Code
- Is Authenticode a Solution?
- Improving the Security of Downloaded Code
5. Privacy
III. Digital Certificates
6. Digital Identification Techniques
- The Need for Identification Today
- Credentials-Based Identification Systems
- Computerized Identification Techniques
- Using Digital Signatures for Identification
- Public Key Infrastructure
- Problems Building a Public Key Infrastructure
  - Private Keys Are Not People
  - Distinguished Names Are Not People
  - There Are Too Many Robert Smiths
  - Today’s Digital Certificates Don’t Tell Enough
  - X.509 v3 Does Not Allow Selective Disclosure
  - Digital Certificates Allow For Easy Data Aggregation
  - How Many CAs Does Society Need?
  - How Do You Loan a Key?
  - Are There Better Suited Alternatives to Public Key Digital Signatures?
  - Why Do These Questions Matter?
- Ten Policy Questions
  - Is legislation necessary at all?
  - Where should PKI legislation occur?
  - Is licensing of certification authorities the right approach?
  - Should legislation endorse public key cryptography, or be “technology neutral”?
  - Should legislation endorse the X.509 paradigm?
  - How should liability and risk be allocated in a PKI?
  - What mechanisms should be used to allocate risk?
  - Should digitally signed documents be considered “writings” for all legal purposes?
  - How much evidentiary weight should a digitally signed document carry?
  - Should governments act as CAs?
7. Certification Authorities and Server Certificates
- Certificates Today
- Certification Authority Certificates
- Server Certificates
8. Client-Side Digital Certificates
- Client Certificates
- A Tour of the VeriSign Digital ID Center
9. Code Signing and Microsoft’s Authenticode
- Why Code Signing?
- Microsoft’s Authenticode Technology
- Obtaining a Software Publisher’s Certificate
- Other Code Signing Methods
10. Cryptography Basics
- Understanding Cryptography
- Symmetric Key Algorithms
- Public Key Algorithms
- Message Digest Functions
- Public Key Infrastructure
11. Cryptography and the Web
- Cryptography and Web Security
- Today’s Working Encryption Systems
- U.S. Restrictions on Cryptography
- Foreign Restrictions on Cryptography
12. Understanding SSL and TLS
V. Web Server Security
13. Host and Site Security
- Historically Unsecure Hosts
- Current Major Host Security Problems
  - Password Sniffing
  - Security Tools
  - Faults, Bugs, and Programming Errors
- Minimizing Risk by Minimizing Services
- Secure Content Updating
- Back-End Databases
- Physical Security
14. Controlling Access to Your Web Server
- Access Control Strategies
- Implementing Access Controls with <Limit> Blocks
- A Simple User Management System
15. Secure CGI/API Programming
- The Danger of Extensibility
- Rules To Code By
- Specific Rules for Specific Programming Languages
- Tips on Writing CGI Scripts That Run with Additional Privileges
VI. Commerce and Society
16. Digital Payments
- Charga-Plates, Diners Club, and Credit Cards
- Internet-Based Payment Systems
- How to Evaluate a Credit Card Payment System
17. Blocking Software and Censorship Technology
18. Legal Issues: Civil
19. Legal Issues: Criminal
- Your Legal Options After a Break-In
- Criminal Hazards That May Await You
- Criminal Subject Matter
- Play it Safe . . .
- Laws and Activism
A. Lessons from Vineyard.NET
- Planning and Preparation
  - Lesson: Whenever you are pulling wires, pull more than you need.
  - Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.
  - Lesson: Use centrally located punch-down blocks or 10Base-T wiring blocks for both your computer networks and your telephone networks.
  - Lesson: Don’t go overboard.
  - Lesson: Plan your computer room carefully: you will have to live with its location for a long time.
- IP Connectivity
- Working with the Phone Company
- Incorporating Vineyard.NET
- Initial Expansion
- Accounting Software
- Publicity and Privacy
- Lesson: Don’t run programs with a history of security problems (e.g., sendmail).
- Lesson: Make frequent backups.
- Lesson: Limit logins to your servers.
- Lesson: Beware of TCP/IP spoofing.
- Lesson: Defeat packet sniffing.
- Lesson: Restrict logins.
- Lesson: Tighten up your system beyond manufacturer recommendations.
- Lesson: Eschew free software.
- Phone Configuration and Billing Problems
- Credit Cards and ACH
  - Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
  - Lesson: Live credit card numbers are dangerous.
  - Lesson: Encrypt sensitive information and be careful with your decryption keys.
  - Lesson: Log everything, and have lots of reports.
  - Lesson: Explore a variety of payment systems.
  - Lesson: Make it easy for your customers to save you money.
- Monitoring Software
- Security Concerns
B. Creating and Installing WebServer Certificates
C. The SSL 3.0 Protocol
- SSL 3.0 Record Layer
- SSL 3.0 Protocols
- SSL 3.0 Handshake
D. The PICS Specification
- Mailing Lists
- Usenet Groups
- WWW Pages
- Software Resources
- Paper References
- Electronic References
- Title: Web Security and Commerce
- Release date: June 1997
- Publisher(s): O'Reilly Media, Inc.
- ISBN: 1565922697