- Web Security, Privacy & Commerce, 2nd Edition
- Message Digest Functions
- 4. Cryptography and the Web
- What Cryptography Can’t Do
- Legal Restrictions on Cryptography
- 5. Understanding SSL and TLS
- 6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
- 7. Digital Identification II: Digital Certificates, CAs, and PKI
- Understanding Digital Certificates with PGP
- Certification Authorities: Third-Party Registrars
- Public Key Infrastructure
- Open Policy Issues
- Private Keys Are Not People
- Distinguished Names Are Not People
- There Are Too Many Robert Smiths
- Today’s Digital Certificates Don’t Tell Enough
- X.509 v3 Does Not Allow Selective Disclosure
- Digital Certificates Allow for Easy Data Aggregation
- How Many CAs Does Society Need?
- How Do You Loan a Key?
- Why Do These Questions Matter?
- Brad Biddle on Digital Signatures and E-SIGN
- E-SIGN and UETA
- Electronic contracting—it’s more than just “signatures”!
- “Signed writing” requirements
- Proof
- II. Privacy and Security for Users
- 8. The Web’s War on Your Privacy
- 9. Privacy-Protecting Techniques
- Choosing a Good Service Provider
- Picking a Great Password
- Cleaning Up After Yourself
- Avoiding Spam and Junk Email
- Identity Theft
- 10. Privacy-Protecting Technologies
- 11. Backups and Antitheft
- 12. Mobile Code I: Plug-Ins, ActiveX,and Visual Basic
- 13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
- III. Web Server Security
- 14. Physical Security for Servers
- Planning for the Forgotten Threats
- Protecting Computer Hardware
- Protecting Your Data
- Personnel
- Story: A Failed Site Inspection
- 15. Host Security for Servers
- 16. Securing Web Applications
- 17. Deploying SSL Server Certificates
- Planning for Your SSL Server
- Creating SSL Servers with FreeBSD
- Installing an SSL Certificate on Microsoft IIS
- Obtaining a Certificate from a Commercial CA
- When Things Go Wrong
- 18. Securing Your Web Service
- 19. Computer Crime
- 14. Physical Security for Servers
- IV. Security for Content Providers
- 20. Controlling Access to Your Web Content
- Access Control Strategies
- Controlling Access with Apache
- Enforcing Access Control Restrictions with the .htaccess File
- Enforcing Access Control Restrictions with the Web Server’s Configuration File
- Commands Before the <Limit>. . . </Limit> Directive
- Commands Within the <Limit>. . . </Limit> Block
- <Limit> Examples
- Manually Setting Up Web Users and Passwords
- Advanced User Management
- Controlling Access with Microsoft IIS
- 21. Client-Side Digital Certificates
- 22. Code Signing and Microsoft’s Authenticode
- 23. Pornography, Filtering Software, and Censorship
- 24. Privacy Policies, Legislation, and P3P
- 25. Digital Payments
- 26. Intellectual Property and Actionable Content
- 20. Controlling Access to Your Web Content
- V. Appendixes
- A. Lessons from Vineyard.NET
- In the Beginning
- Planning and Preparation
- Lesson: Whenever you are pulling wires, pull more than you need.
- Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars.
- Lesson: Use centrally located punch-down blocks for computer and telephone networks.
- Lesson: Don’t go overboard.
- Lesson: Plan your computer room carefully; you will have to live with its location for a long time.
- IP Connectivity
- Commercial Start-Up
- Ongoing Operations
- Security Concerns
- Lesson: Don’t run programs with a history of security problems.
- Lesson: Make frequent backups.
- Lesson: Limit logins to your servers.
- Lesson: Beware of TCP/IP spoofing.
- Lesson: Defeat packet sniffing.
- Lesson: Restrict logins.
- Lesson: Tighten up your system beyond manufacturer recommendations.
- Lesson: Remember, the “free” in “free software” refers to “freedom.”
- Phone Configuration and Billing Problems
- Credit Cards and ACH
- Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
- Lesson: Live credit card numbers are dangerous.
- Lesson: Encrypt sensitive information and be careful with your decryption keys.
- Lesson: Log everything, and have lots of reports.
- Lesson: Explore a variety of payment systems.
- Lesson: Make it easy for your customers to save you money.
- Lesson: Have a backup supplier.
- Monitoring Software
- Security Concerns
- Redundancy and Wireless
- The Big Cash-Out
- Conclusion
- B. The SSL/TLS Protocol
- C. P3P: The Platform for Privacy Preferences Project
- D. The PICS Specification
- E. References
- Electronic References
- Paper References
- A. Lessons from Vineyard.NET
- Index
- About the Authors
- Colophon
This part of the book examines the underlying technology that makes up today’s World Wide Web and the Internet in general.
Chapter 1 looks at the basics of web security—the risks inherent in running a web server, in using the Web to distribute information or services, and finally, the risks of being a user on the Internet.
Chapter 2 is a detailed exploration of computers, communications links, and protocols that make up the Web. It provides a technical introduction to the systems that will be discussed throughout the rest of the book and that underlie web security concepts.
Chapter 3 introduces the science and mathematics of cryptography, with a particular emphasis on public key encryption.
Chapter 4 specifically looks at the encryption algorithms that are used on the Web today.
Chapter 5 looks more closely at the Secure Sockets Layer (SSL) and the Transport Layer Security (TLS) system that are used by “secure” web servers.
Chapter 6 introduces the topic of authentication and gives an overview of several classes of authentication systems in use on the Internet.
Chapter 7 focuses on the use of digital certificates for authentication and introduces certification authorities (CAs) and the public key infrastructure (PKI).
-
No Comment