Web Security & Commerce 1ST Edition
by Simson Garfinkel


Synopses & Reviews

Publisher Comments:

Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers--is this what the World Wide Web is really all about?

Web Security & Commerce cuts through the hype and the front page stories. It tells you what the real risks are and explains how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Whatever browser or server you are using, you and your system will benefit from this book.

Topics include:

  • User safety--browser vulnerabilities (with an emphasis on Netscape Navigator and Microsoft Internet Explorer), privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins.
  • Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing is all about.
  • Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today.
  • Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.
  • Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand.

Book News Annotation:

In non-technical language, explains some of the security concerns associated with doing business on the World Wide Web, whether dealing with financial transactions, transmitting confidential information, or just browsing. Identifies the potential dangers of visiting sites that use Java, JavaScript, ActiveX, and Plug-Ins; and vulnerabilities of Netscape Navigator and Microsoft Internet Explorer. Also considers digital certificates, cryptography, server security, and digital payments. Includes a critically annotated bibliography.
Annotation c. Book News, Inc., Portland, OR (booknews.com)

Synopsis:

Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers--is this what the World Wide Web is really all about? Web Security & Commerce explains the real risks of the Web and how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web.

Topics include:

  • User safety--browser vulnerabilities, privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins.
  • Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing is all about.
  • Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today.
  • Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.
  • Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand.

Description:

Includes bibliographical references (p. 450-470) and index.

Table of Contents

Preface

I. Introduction

1. The Web Security Landscape
     Web Security in a Nutshell
     The Web Security Problem
     Credit Cards, Encryption, and the Web
     Firewalls: Part of the Solution
     Risk Management

II. User Safety

2. The Buggy Browser: Evolution of Risk
     Browser History
     Data-Driven Attacks
     Implementation Flaws: A Litany of Bugs

3. Java and JavaScript
     Java
     JavaScript
     Denial-of-Service Attacks
     JavaScript-Enabled Spoofing Attacks
     Conclusion

4. Downloading Machine Code with ActiveX and Plug-Ins
     When Good Browsers Go Bad
     Netscape Plug-Ins
     ActiveX and Authenticode
     The Risks of Downloaded Code
     Is Authenticode a Solution?
     Improving the Security of Downloaded Code

5. Privacy
     Log Files
     Cookies
     Personally Identifiable Information
     Anonymizers
     Unanticipated Disclosure

III. Digital Certificates

6. Digital Identification Techniques
     Identification
     Public Key Infrastructure
     Problems Building a Public Key Infrastructure
     Ten Policy Questions

7. Certification Authorities and Server Certificates
     Certificates Today
     Certification Authority Certificates
     Server Certificates
     Conclusion

8. Client-Side Digital Certificates
     Client Certificates
     A Tour of the VeriSign Digital ID Center

9. Code Signing and Microsoft's Authenticode
     Why Code Signing?
     Microsoft's Authenticode Technology
     Obtaining a Software Publisher's Certificate

IV. Cryptography

10. Cryptography Basics
     Understanding Cryptography
     Symmetric Key Algorithms
     Public Key Algorithms
     Message Digest Functions
     Public Key Infrastructure

11. Cryptography and the Web
     Cryptography and Web Security
     Today's Working Encryption Systems
     U.S. Restrictions on Cryptography
     Foreign Restrictions on Cryptography

12. Understanding SSL and TLS
     What Is SSL?
     TLS Standards Activities
     SSL: The User's Point of View

V. Web Server Security

13. Host and Site Security
     Historically Unsecure Hosts
     Current Major Host Security Problems
     Minimizing Risk by Minimizing Services
     Secure Content Updating
     Back-End Databases
     Physical Security

14. Controlling Access to Your Web Server
     Access Control Strategies
     Implementing Access Controls with <Limit> Blocks
     A Simple User Management System

15. Secure CGI/API Programming
     The Danger of Extensibility
     Rules To Code By
     Specific Rules for Specific Programming Languages
     Tips on Writing CGI Scripts That Run with Additional Privileges
     Conclusion

VI. Commerce and Society

16. Digital Payments
     Charga-Plates, Diners Club, and Credit Cards
     Internet-Based Payment Systems
     How to Evaluate a Credit Card Payment System

17. Blocking Software and Censorship Technology
     Blocking Software
     PICS
     RSACi

18. Legal Issues: Civil
     Intellectual Property
     Torts

19. Legal Issues: Criminal
     Your Legal Options After a Break-In
     Criminal Hazards That May Await You
     Criminal Subject Matter
     Play it Safe . . .
     Laws and Activism

VII. Appendixes

A. Lessons from Vineyard.NET

B. Creating and Installing Web Server Certificates

C. The SSL 3.0 Protocol

D. The PICS Specification

E. References

Product Details

ISBN: 9781565922693
Author: Garfinkel, Simson
Author: Spafford, Gene
Publisher: O'Reilly & Associates Inc.
Location: Sebastopol :
Subject: General
Subject: Internet - General
Subject: Internet (computer network)
Subject: Technology
Subject: Computers and computer technology
Subject: Computer networks
Subject: Operating systems (computers)
Subject: Computers
Subject: Web sites
Subject: Electronic Commerce
Subject: Data Transmission Systems - General
Subject: Computer security
Subject: Internet - Security
Subject: Security
Subject: Security measures
Subject: World Wide Web
Subject: Electronic commerce -- Security measures.
Subject: World Wide Web -- Security measures.
Subject: Computer Bks - Operating Systems
Subject: Computer Bks - Communications; Networking
Subject: Computer Bks - General Information
Subject: Computer Data Security
Subject: Books; Computers & Internet; Web Development; Security & Encryption; Security
Subject: Books; Computers & Internet; Web Development; Security & Encryption; Network Security
Subject: Books; Computers & Internet; Web Development; Security & Encryption; Encryption
Subject: Books; Computers & Internet; Programming; Algorithms; Cryptography
Subject: World Wide Web (Information re
Edition Number: 1st ed.
Series: A nutshell handbook
Series Volume: 124
Publication Date: c1997
Binding: Trade Paper
Language: English
Illustrations: Yes
Pages: xx, 483 p.
Dimensions: 9.20x7.03x1.15 in. 1.75 lbs.