- Web Security & Commerce
- Preface
- I. Introduction
- II. User Safety
- 2. The Buggy Browser: Evolution of Risk
- 3. Java and JavaScript
- 4. Downloading Machine Code with ActiveX and Plug-Ins
- 5. Privacy
- III. Digital Certificates
- 6. Digital Identification Techniques
- Ten Policy Questions
- Is legislation necessary at all?
- Where should PKI legislation occur?
- Is licensing of certification authorities the right approach?
- Should legislation endorse public key cryptography, or be “technology neutral”?
- Should legislation endorse the X.509 paradigm?
- How should liability and risk be allocated in a PKI?
- What mechanisms should be used to allocate risk?
- Should digitally signed documents be considered “writings” for all legal purposes?
- How much evidentiary weight should a digitally signed document carry?
- Should governments act as CAs?
- 7. Certification Authorities and Server Certificates
- 8. Client-Side Digital Certificates
- 9. Code Signing and Microsoft’s Authenticode
- IV. Cryptography
- 10. Cryptography Basics
- 11. Cryptography and the Web
- 12. Understanding SSL and TLS
- V. Web Server Security
- 13. Host and Site Security
- 14. Controlling Access to Your Web Server
- 15. Secure CGI/API Programming
- VI. Commerce and Society
- 16. Digital Payments
- 17. Blocking Software and Censorship Technology
- 18. Legal Issues: Civil
- 19. Legal Issues: Criminal
- VII. Appendixes
- A. Lessons from Vineyard.NET
- Planning and Preparation
- Lesson: Whenever you are pulling wires, pull more than you need.
- Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars.
- Lesson: Use centrally located punch-down blocks or 10Base-T wiring blocks for both your computer networks and your telephone networks.
- Lesson: Don’t go overboard.
- Lesson: Plan your computer room carefully: you will have to live with its location for a long time.
- IP Connectivity
- Commercial Start-Up
- Ongoing Operations
- Security Concerns
- Lesson: Don’t run programs with a history of security problems (e.g., sendmail).
- Lesson: Make frequent backups.
- Lesson: Limit logins to your servers.
- Lesson: Beware of TCP/IP spoofing.
- Lesson: Defeat packet sniffing.
- Lesson: Restrict logins.
- Lesson: Tighten up your system beyond manufacturer recommendations.
- Lesson: Eschew free software.
- Phone Configuration and Billing Problems
- Credit Cards and ACH
- Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
- Lesson: Live credit card numbers are dangerous.
- Lesson: Encrypt sensitive information and be careful with your decryption keys.
- Lesson: Log everything, and have lots of reports.
- Lesson: Explore a variety of payment systems.
- Lesson: Make it easy for your customers to save you money.
- Monitoring Software
- Security Concerns
- Conclusion
- Planning and Preparation
- B. Creating and Installing WebServer Certificates
- C. The SSL 3.0 Protocol
- D. The PICS Specification
- E. References
- A. Lessons from Vineyard.NET
- Index
- Colophon
Physical security is almost everything that happens before you (or an attacker) start typing commands on the keyboard. It’s the alarm system that calls the police department when a late -night thief tries to break into your building. It’s the key lock on the computer’s power supply that makes it harder for unauthorized people to turn the machine off. And it’s the surge protector that keeps a computer from being damaged by power surges.
Assuring the physical security of a web site is similar to assuring the physical security of any other computer at your location. As with other security measures, you must defend your computer against accidents and intentional attacks. You must defend your computer against both insiders and outsiders.
It is beyond the scope of this chapter to show you how to develop a comprehensive physical security plan. Nevertheless, you may find the following recommendations helpful:
Create a physical security plan, detailing what you are protecting and what you are protecting it against. Make a complete inventory.
Make sure that there is adequate protection against fire, smoke, explosions, humidity, and dust.
Protect against earthquake, storms, and other natural disasters.
Protect against electrical noise and lightning.
Protect against vibration.
Provide adequate ventilation.
Keep food and drink away from mission-critical computers.
Restrict physical access to your computers.
Physically secure your computers so that they cannot be stolen or vandalized. Mark them with indelible inventory control markings.
Protect your network cables against destruction and eavesdropping.
Create a list of standard operating procedures for your site. These procedures should include telephone numbers and account numbers for all of your vendors; service contract information; and contact information for your most critical employees. This information should be printed out and made available in two separate locations. Do not have your online copy as your only copy.
For a much more comprehensive list, replete with explanations, we suggest that you consult one of the comprehensive guides to computer security listened in Appendix E.
-
No Comment