Web Security, Privacy & Commerce

Summary Table of Contents


PART I --- Web Technology

Chapter 1 - The Web Security Landscape (3)

The Web Security Problem
Risk Analysis and Best Practices

Chapter 2 - The Architecture of the World Wide Web (13)

History and Terminology
A Packet's Tour of the Web
Who Owns the Internet?

Chapter 3 - Cryptography Basics (46)

Understanding Cryptography
Symmetric Key Algorithms
Public Key Algorithms
Message Digest Functions

Chapter 4 - Cryptography and the Web (78)

Cryptography and Web Security
Working Cryptographic Systems and Protocols
What Cryptography Can't Do
Legal Restrictions on Cryptography

Chapter 5 - Understanding SSL and TLS (107)

What Is SSL?
SSL: The User's Point of View

Chapter 6 - Digital Identification I: Passwords, Biometrics, and Digital Signatures (119)

Physical Identification
Using Public Keys for Identification
Real-World Public Key Examples

Chapter 7 - Digital Identification II: Digital Certificates, CAs, and PKI (153)

Understanding Digital Certificates with PGP
Certification Authorities: Third-Party Registrars
Public Key Infrastructure
Open Policy Issues

PART II --- Privacy and Security for Users

Chapter 8 - The Web's War on Your Privacy (203)

Understanding Privacy
User-Provided Information
Log Files
Understanding Cookies
Web Bugs
Conclusion

Chapter 9 - Privacy-Protecting Techniques (230)

Choosing a Good Service Provider
Picking a Great Password
Cleaning Up After Yourself
Avoiding Spam and Junk Email
Identity Theft

Chapter 10 - Privacy-Protecting Technologies (262)

Blocking Ads and Crushing Cookies
Anonymous Browsing
Secure Email

Chapter 11 - Backups and Antitheft (284)

Using Backups to Protect Your Data
Preventing Theft

Chapter 12 - Mobile Code I: Plug-Ins, ActiveX, and Visual Basic (298)

When Good Browsers Go Bad
Helper Applications and Plug-ins
Microsoft's ActiveX
The Risks of Downloaded Code
Conclusion

Chapter 13 - Mobile Code II: Java, JavaScript, Flash, and Shockwave (327)

Java
JavaScript
Flash and Shockwave
Conclusion

PART III --- Web Server Security

Chapter 14 - Physical Security for Servers (363)

Planning for the Forgotten Threats
Protecting Computer Hardware
Protecting Your Data
Personnel
Story: A Failed Site Inspection

Chapter 15 - Host Security for Servers (396)

Current Host Security Problems
Securing the Host Computer
Minimizing Risk by Minimizing Services
Operating Securely
Secure Remote Access and Content Updating
Firewalls and the Web
Conclusion

Chapter 16 - Securing Web Applications (435)

A Legacy of Extensibility and Risk
Rules to Code By
Securely Using Fields, Hidden Fields, and Cookies
Rules for Programming Languages
Using PHP Securely
Writing Scripts That Run with Additional Privileges
Connecting to Databases
Conclusion

Chapter 17 - Deploying SSL Server Certificates (472)

Planning for Your SSL Server
Creating SSL Servers with FreeBSD
Installing an SSL Certificate on Microsoft IIS
Obtaining a Certificate from a Commercial CA
When Things Go Wrong

Chapter 18 - Securing Your Web Service (510)

Protecting Via Redundancy
Protecting Your DNS
Protecting Your Domain Registration

Chapter 19 - Computer Crime (517)

Your Legal Options After a Break-In
Criminal Hazards
Criminal Subject Matter

PART IV --- Security for Content Providers

Chapter 20 - Controlling Access to Your Web Content (533)

Access Control Strategies
Controlling Access with Apache
Controlling Access with Microsoft IIS

Chapter 21 - Client-Side Digital Certificates (550)

Client Certificates
A Tour of the VeriSign Digital ID Center

Chapter 22 - Code Signing and Microsoft's Authenticode (560)

Why Code Signing?
Microsoft's Authenticode Technology
Obtaining a Software Publishing Certificate
Other Code Signing Methods

Chapter 23 - Pornography, Filtering Software, and Censorship (579)

Pornography Filtering
PICS
RSACi
Conclusion

Chapter 24 - Privacy Policies, Legislation, and P3P (592)

Policies That Protect Privacy and Privacy Policies
Children's Online Privacy Protection Act
P3P
Conclusion

Chapter 25 - Digital Payments (610)

Charga-Plates, Diners Club, and Credit Cards
Internet-Based Payment Systems
How to Evaluate a Credit Card Payment System

Chapter 26 - Intellectual Property and Actionable Content (642)

Copyright
Patents
Trademarks
Actionable Content

Appendices (655)

A. Lessons from Vineyard.NET
B. The SSL/TLS Protocol
C. P3P: The Platform for Privacy Preferences Project
D. The PICS Specification
E. References


Index (735)