Excerpt
This is the "how not to shoot yourself in the foot" book about Web security. Enough theory to be interesting, but not so much that it gets dry and academic. Enough war stories to be fun, but not so many that they overwhelm the rest. No political agenda. No favoritism. You'll find here nothing but practical, commonsense advice for sidestepping the hoard of little gotchas that currently plague the Web, plus you'll find a framework for deciding for yourself how to handle all the gotchas that are yet to be.
Who is this book for? The first third of the book deals with problems that are relevant to anyone who uses the Web: privacy threats, the potential of the Web to spread viruses and other malicious software, the practice and pitfalls of electronic commerce. The remainder gives advice directed to Webmasters, system administrators, system security officers, and others who worry that their organizations' Web sites might be broken into or that their local area network can be compromised by nasty stuff brought in by their employees' Web surfing. If you already run a Web site, you'll want to read this book through. If you're a casual Web surfer, read the first part now and save the rest for later. If current trends continue, everyone will have a Web site and will have to worry about keeping it safe.
Web Security: A Step-by-Step Reference Guide began life about two years ago as the World Wide Web Security FAQ. I was concerned that new Web sites were going up at an amazing rate, with little appreciation for the security implications. I was dismayed that much of the advice being dispensed was incomplete or simply misinformed. So I put together 30 or so frequently asked questions (with answers) to advise Webmasters on how to keep their sites safe from attack by unwanted intruders, and I posted it on my Web site. Over a period of months, the FAQ grew considerably as readers mailed in requests for more information, suggestions, and in some cases contributed their own questions and answers. To the original sections on server-side security, I added sections dealing with client-side (browser) security, privacy issues, sections on cryptography and digital money, and an ever-growing list of security holes in specific pieces of software. In 1996, the first of an epidemic of Web site break-ins shook the Web; in its aftermath, the number of "hits" on the FAQ grew tremendously. The FAQ is now mirrored on five continents and has been translated into Russian, Italian, and Chinese.
When my editor initially suggested I turn the FAQ into a book, I was skeptical. First of all, the information was already on line. Second, the Web is changing so rapidly that any book on security issues is out of date by the time it hits the shelves. Finally, the whole FAQ was less than 50 typeset pages and I was dubious that it could be bulked up into a full-length book. To the first two objections, my editor responded that printed books and the Web are complementary. Printed books provide depth and comprehensiveness. The Web provides vast breadth and information that is always (we hope) up to date. As for my last objection, the weighty answer to that is in your hands.
Acknowledgments
I am grateful to everyone who helped during the conception, research, writing, and production of this book. Bob Bagwill, Jim Carroll, Tom Christiansen, Ian Redfern, Laura Pearlman, Bob Denny, and countless others contributed substantially to the WWW Security FAQ. Their insight and understanding has enriched the FAQ and this book, as well. Many thanks to Lewis Geer at Microsoft Corporation, who helped me sort out the ins and outs of Internet Explorer and active content, and to Brian Kendig at Netscape Corporation, who performed a similar role with Java and JavaScript. My warmest thanks also to my technical reviewers Mike Stok, Tom Markham, and Fred Douglis, each of whom came through with many helpful corrections and suggestions, in record time.
At the MIT Genome Center, many thanks to Lois Bennett and Susan Alderman, two tirelessly cheerful system administrators who never seemed to mind my turning the Web site and LAN into a laboratory bench for every new scheme I wanted to try out. I gravely promise to them that I will never again rip out all the server software and replace it with "new and improved" code at the start of a four-day weekend.
At Addison Wesley Longman, I am indebted to Carol Long, my first editor and the one who convinced me to launch this project, to Karen Gettman, who took over the project when Carol's career took her elsewhere, and to Mary Harrington, who kept everything from unraveling during the transition. Thanks also to Marilyn Rash, who coordinated the production effort.
Last, many thanks to Jean Siao, who blinked not an eye as her Macintosh was slowly swallowed by tangled mats of network cabling and spare parts. Yes, you can play SimCity now without fear of electrocution.
Nanjing August 1997
0201634899P04062001