Web Security, Privacy & Commerce, 2nd Edition

Book description

Since the first edition of this classic reference was published, World Wide Web use has exploded and e-commerce has become a daily part of business and personal life. As Web use has grown, so have the threats to our security and privacy--from credit card fraud to routine invasions of privacy by marketers to web site defacements to attacks that shut down popular web sites. Web Security, Privacy & Commerce goes behind the headlines, examines the major security risks facing us today, and explains how we can minimize them. It describes risks for Windows and Unix, Microsoft Internet Explorer and Netscape Navigator, and a wide range of current programs and products. In vast detail, the book covers:

  • Web technology--The technological underpinnings of the modern Internet and the cryptographic foundations of e-commerce are discussed, along with SSL (the Secure Sockets Layer), the significance of the PKI (Public Key Infrastructure), and digital identification, including passwords, digital signatures, and biometrics.

  • Web privacy and security for users--Learn the real risks to user privacy, including cookies, log files, identity theft, spam, web logs, and web bugs, and the most common risk, users' own willingness to provide e-commerce sites with personal information. Hostile mobile code in plug-ins, ActiveX controls, Java applets, and JavaScript, Flash, and Shockwave programs are also covered.

  • Web server security--Administrators and service providers discover how to secure their systems and web services. Topics include CGI, PHP, SSL certificates, law enforcement issues, and more.

  • Web content security--Zero in on web publishing issues for content providers, including intellectual property, copyright and trademark issues, P3P and privacy policies, digital payments, client-side digital signatures, code signing, pornography filtering and PICS, and other controls on web content.

Nearly double the size of the first edition, this completely updated volume is destined to be the definitive reference on Web security risks and the techniques and technologies you can use to protect your privacy, your organization, your system, and your network.

Table of contents

    1. Web Security, Privacy & Commerce, 2nd Edition
      1. Preface
        1. Web Security: Is Our Luck Running Out?
          1. Beyond the Point of No Return
          2. Building in Security
        2. About This Book
          1. Organization of This Book
          2. What You Should Know
          3. Web Software Covered by This Book
        3. Conventions Used in This Book
        4. Comments and Questions
        5. History and Acknowledgments
          1. Second Edition
          2. First Edition
      2. I. Web Technology
        1. 1. The Web Security Landscape
          1. The Web Security Problem
            1. Securing the Web Server
              1. Simplification of services
              2. Policing copyright
            2. Securing Information in Transit
            3. Securing the User’s Computer
          2. Risk Analysis and Best Practices
        2. 2. The Architecture of the World Wide Web
          1. History and Terminology
            1. Building the Internet
              1. Packets and postcards
              2. Protocols
              3. Hosts, gateways, and firewalls
              4. The client/server model
            2. Weaving the Web
          2. A Packet’s Tour of the Web
            1. Booting Up Your PC
            2. PC to LAN to Internet
              1. Dialing up the Internet
              2. Connected by LAN
              3. The Walden Network
            3. The Domain Name Service
              1. How DNS works
            4. Engaging the Web
          3. Who Owns the Internet?
            1. Your Local Internet Service Provider
            2. Network Access Points and Metropolitan Area Exchanges
              1. Peering
              2. Transit
            3. The Root and Top-Level Nameservers
              1. Who runs the root?
              2. An example
            4. The Domain Registrars
            5. Internet Number Registries
            6. The Internet Corporation for Assigned Names and Numbers
        3. 3. Cryptography Basics
          1. Understanding Cryptography
            1. Roots of Cryptography
            2. Cryptography as a Dual-Use Technology
            3. A Cryptographic Example
            4. Cryptographic Algorithms and Functions
          2. Symmetric Key Algorithms
            1. Cryptographic Strength of Symmetric Algorithms
            2. Key Length with Symmetric Key Algorithms
            3. Common Symmetric Key Algorithms
            4. Attacks on Symmetric Encryption Algorithms
              1. Key search (brute force) attacks
              2. Cryptanalysis
              3. Systems-based attacks
          3. Public Key Algorithms
            1. Uses of Public Key Encryption
              1. Encrypted messaging
              2. Digital signatures
            2. Attacks on Public Key Algorithms
              1. Key search attacks
              2. Analytic attacks
              3. Known versus published methods
          4. Message Digest Functions
            1. Message Digest Algorithms at Work
            2. Uses of Message Digest Functions
            3. HMAC
            4. Attacks on Message Digest Functions
        4. 4. Cryptography and the Web
          1. Cryptography and Web Security
            1. Roles for Cryptography
          2. Working Cryptographic Systems and Protocols
            1. Offline Encryption Systems
              1. PGP/OpenPGP
              2. S/MIME
            2. Online Cryptographic Protocols and Systems
              1. SSL
              2. PCT
              3. SET
              4. DNSSEC
              5. IPsec and IPv6
              6. Kerberos
              7. SSH
          3. What Cryptography Can’t Do
          4. Legal Restrictions on Cryptography
            1. Cryptography and the Patent System
              1. The public key patents
              2. Other patented algorithms
              3. The outlook for patents
            2. Cryptography and Trade Secret Law
            3. Regulation of Cryptography by International and National Law
              1. U.S. regulatory efforts and history
              2. The Digital Millennium Copyright Act
              3. International agreements on cryptography
              4. National regulations of cryptography throughout the world
        5. 5. Understanding SSL and TLS
          1. What Is SSL?
            1. SSL Versions
            2. SSL/TLS Features
            3. What Does SSL Really Protect?
            4. Digital Certificates
            5. SSL Implementations
              1. SSL Netscape
              2. SSLRef and Mozilla Network Security Services
              3. SSLeay and OpenSSL
              4. SSL Java
            6. SSL Performance
          2. SSL: The User’s Point of View
            1. Browser Preferences
              1. Navigator preferences
              2. Internet Explorer preferences
            2. Browser Alerts
        6. 6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
          1. Physical Identification
            1. The Need for Identification Today
            2. Paper-Based Identification Techniques
              1. Verifying identity with physical documents
              2. Reputation of the issuing organization
              3. Tamper-proofing the document
            3. Computer-Based Identification Techniques
              1. Password-based systems: something that you know
              2. Physical tokens: something that you have
              3. Biometrics: something that you are
              4. Location: someplace where you are
          2. Using Public Keys for Identification
            1. Replay Attacks
            2. Stopping Replay Attacks with Public Key Cryptography
              1. PGP public keys
            3. Creating and Storing the Private Key
              1. Creating a public key/private key pair with PGP
              2. Smart cards
          3. Real-World Public Key Examples
            1. Document Author Identification Using PGP
              1. CERT/CC’s PGP signatures
              2. Obtaining CERT/CC’s PGP key
              3. Verifying the PGP-signed file
              4. PGP certification
            2. Public Key Authentication Using SSH
        7. 7. Digital Identification II: Digital Certificates, CAs, and PKI
          1. Understanding Digital Certificates with PGP
            1. Certifying Your Own Key
            2. Certifying Other People’s Keys: PGP’s “Web of Trust”
              1. Trust and validity
              2. The Web of Trust and the key servers
              3. Key signing parties
          2. Certification Authorities: Third-Party Registrars
            1. Certification Practices Statement (CPS)
            2. The X.509 v3 Certificate
              1. Exploring the X.509 v3 certificate
            3. Types of Certificates
              1. Minimal disclosure certificates
            4. Revocation
              1. Certificate revocation lists
              2. Real-time certificate validation
              3. Short-lived certificates
          3. Public Key Infrastructure
            1. Certification Authorities: Some History
            2. Internet Explorer Preinstalled Certificates
            3. Netscape Navigator Preinstalled Certificates
            4. Multiple Certificates for a Single CA
            5. Shortcomings of Today’s CAs
              1. Lack of permanence for Certificate Policies field
              2. Inconsistencies for “Subject” and “Issuer” fields
              3. Unrealistic expiration dates
          4. Open Policy Issues
            1. Private Keys Are Not People
            2. Distinguished Names Are Not People
            3. There Are Too Many Robert Smiths
            4. Today’s Digital Certificates Don’t Tell Enough
            5. X.509 v3 Does Not Allow Selective Disclosure
            6. Digital Certificates Allow for Easy Data Aggregation
            7. How Many CAs Does Society Need?
            8. How Do You Loan a Key?
            9. Why Do These Questions Matter?
            10. Brad Biddle on Digital Signatures and E-SIGN
              1. E-SIGN and UETA
              2. Electronic contracting—it’s more than just “signatures”!
              3. “Signed writing” requirements
              4. Proof
      3. II. Privacy and Security for Users
        1. 8. The Web’s War on Your Privacy
          1. Understanding Privacy
            1. The Tort of Privacy
            2. Personal, Private, and Personally Identifiable Information
          2. User-Provided Information
          3. Log Files
            1. Retention and Rotation
            2. Web Logs
              1. What’s in a web log?
              2. The refer link field
              3. Obscuring web logs
            3. RADIUS Logs
            4. Mail Logs
            5. DNS Logs
          4. Understanding Cookies
            1. The Cookie Protocol
              1. An example
            2. Cookie Uses
            3. Cookie Jars
            4. Cookie Security
            5. Disabling Cookies
          5. Web Bugs
            1. Web Bugs on Web Pages
            2. Web Bugs in Email Messages and Word Files
            3. Uses of Web Bugs
          6. Conclusion
        2. 9. Privacy-Protecting Techniques
          1. Choosing a Good Service Provider
          2. Picking a Great Password
            1. Why Use Passwords?
            2. Bad Passwords: Open Doors
            3. Smoking Joes
            4. Good Passwords: Locked Doors
            5. Writing Down Passwords
            6. Strategies for Managing Multiple Usernames and Passwords
              1. Password classes
              2. Password bases
              3. Password rotation
              4. Password keepers
            7. Sharing Passwords
              1. Be careful when you share your password with others!
              2. Change your password when the person no longer needs it
              3. Resist social engineering attacks
            8. Beware of Password Sniffers and Stealers
              1. Password sniffers
              2. Keystroke recorders and keyboard sniffers
              3. Beware of public terminals
          3. Cleaning Up After Yourself
            1. Browser Cache
              1. Managing your cache with Internet Explorer
              2. Managing your cache with Netscape Navigator
            2. Cookies
              1. Crushing Internet Explorer’s cookies
              2. Crushing Netscape’s cookies
            3. Browser History
              1. Clearing Internet Explorer’s browser history
              2. Clearing Netscape Navigator’s browser history
            4. Passwords, Form-Filling, and AutoComplete Settings
              1. Clearing AutoComplete with Internet Explorer
              2. Clearing sensitive information with Netscape Navigator
          4. Avoiding Spam and Junk Email
            1. Protect Your Email Address
            2. Use Address Munging
            3. Use an Antispam Service or Software
          5. Identity Theft
            1. Protecting Yourself From Identity Theft
        3. 10. Privacy-Protecting Technologies
          1. Blocking Ads and Crushing Cookies
            1. Local HTTP Proxies
            2. Using Ad Blockers
          2. Anonymous Browsing
            1. Simple Approaches to Protecting Your IP Address
            2. Anonymous Web Browsing Services
          3. Secure Email
            1. Hotmail, Yahoo Mail, and Other Web-Based Email Services
            2. Hushmail
            3. Omniva’s Self-Destructing Email
        4. 11. Backups and Antitheft
          1. Using Backups to Protect Your Data
            1. Make Backups!
            2. Why Make Backups?
            3. What Should You Back Up?
            4. Types of Backups
            5. Guarding Against Media Failure
            6. How Long Should You Keep a Backup?
            7. Security for Backups
              1. Physical security for backups
              2. Write-protect your backups
              3. Data security for backups
            8. Legal Issues
            9. Deciding upon a Backup Strategy
          2. Preventing Theft
            1. Understanding Computer Theft
            2. Locks
            3. Tagging
            4. Laptop Recovery Software and Services
            5. Awareness
        5. 12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
          1. When Good Browsers Go Bad
            1. Card Shark
            2. David.exe
            3. The Chaos Quicken Checkout
            4. ILOVEYOU
          2. Helper Applications and Plug-ins
            1. The History of Helpers
            2. Getting the Plug-In
            3. Evaluating Plug-In Security
          3. Microsoft’s ActiveX
            1. The <OBJECT> Tag
            2. Authenticode
            3. Does Authenticode Work?
            4. Internet Exploder
            5. Risky Controls
          4. The Risks of Downloaded Code
            1. Programs That Spend Your Money
              1. Telephone billing records
              2. Electronic funds transfers
            2. Programs That Violate Privacy and Steal Confidential Information
              1. A wealth of private data
            3. Signed Code Is Not Safe Code
            4. Signed Code Can Be Hijacked
            5. Reconstructing an Attack
            6. Recovering from an Attack
          5. Conclusion
        6. 13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
          1. Java
            1. A Little Java Demonstration
            2. Java’s History
            3. Java, the Language
            4. Java Safety
            5. Java Security
              1. Safety is not security
            6. Java Security Policy
              1. Internet Explorer’s “security zones”
              2. Setting Java policy in Microsoft Internet Explorer
              3. Setting Java policy in Netscape Navigator
            7. Java Security Problems
          2. JavaScript
            1. A Touch of JavaScript
            2. JavaScript Security Overview
            3. JavaScript Security Flaws
            4. JavaScript Denial-of-Service Attacks
              1. Can’t break a running script
              2. Window system attacks
              3. CPU and stack attacks
            5. JavaScript Spoofing Attacks
              1. Spoofing username/password pop-ups with Java
              2. Spoofing browser status with JavaScript
              3. Mirror worlds
          3. Flash and Shockwave
          4. Conclusion
      4. III. Web Server Security
        1. 14. Physical Security for Servers
          1. Planning for the Forgotten Threats
            1. The Physical Security Plan
            2. The Disaster Recovery Plan
            3. Other Contingencies
          2. Protecting Computer Hardware
            1. The Environment
              1. Fire
              2. Smoke
              3. Dust
              4. Earthquake
              5. Explosion
              6. Temperature extremes
              7. Bugs (biological)
              8. Electrical noise
              9. Lightning
              10. Vibration
              11. Humidity
              12. Water
              13. Environmental monitoring
            2. Preventing Accidents
              1. Food and drink
            3. Physical Access
              1. Raised floors and dropped ceilings
              2. Entrance through air ducts
              3. Glass walls
            4. Vandalism
              1. Ventilation holes
              2. Network cables
              3. Network connectors
            5. Defending Against Acts of War and Terrorism
            6. Preventing Theft
              1. Physically secure your computer
              2. RAM theft
              3. Encryption
              4. Laptops and portable computers
          3. Protecting Your Data
            1. Eavesdropping
              1. Wiretapping
              2. Eavesdropping over local area networks (Ethernet and twisted pair)
              3. Eavesdropping on 802.11 wireless LANs
              4. Eavesdropping by radio and using TEMPEST
              5. Fiber optic cable
              6. Keyboard monitors
            2. Protecting Backups
              1. Verify your backups
              2. Protect your backups
            3. Sanitizing Media Before Disposal
            4. Sanitizing Printed Media
            5. Protecting Local Storage
              1. Printer buffers
              2. Printer output
              3. X terminals
              4. Function keys
            6. Unattended Terminals
              1. Built-in shell autologout
              2. Screensavers
            7. Key Switches
          4. Personnel
          5. Story: A Failed Site Inspection
            1. What We Found
              1. Fire hazards
              2. Potential for eavesdropping and data theft
              3. Easy pickings
              4. Physical access to critical computers
              5. Possibilities for sabotage
            2. Nothing to Lose?
        2. 15. Host Security for Servers
          1. Current Host Security Problems
            1. A Taxonomy of Attacks
            2. Frequency of Attack
            3. Understanding Your Adversaries
              1. Script kiddies
              2. Industrial spies
              3. Ideologues and national agents
              4. Organized crime
              5. Rogue employees and insurance fraud
            4. What the Attacker Wants
            5. Tools of the Attacker’s Trade
          2. Securing the Host Computer
            1. Security Through Policy
            2. Keeping Abreast of Bugs and Flaws
            3. Choosing Your Vendor
            4. Installation I: Inventory Your System
            5. Installation II: Installing the Software and Patches
          3. Minimizing Risk by Minimizing Services
          4. Operating Securely
            1. Keep Abreast of New Vulnerabilities
            2. Logging
              1. Setting up a log server
              2. Logging on Unix
              3. Logging on Windows 2000
            3. Backups
            4. Using Security Tools
              1. Snapshot tools
              2. Change-detecting tools
              3. Network scanning programs
              4. Intrusion detection systems
              5. Virus scanners
              6. Network recording and logging tools
          5. Secure Remote Access and Content Updating
            1. The Risk of Password Sniffing
            2. Using Encryption to Protect Against Sniffing
            3. Secure Content Updating
            4. Dialup Modems
          6. Firewalls and the Web
            1. Types of Firewalls
            2. Protecting LANs with Firewalls
            3. Protecting Web Servers with Firewalls
          7. Conclusion
        3. 16. Securing Web Applications
          1. A Legacy of Extensibility and Risk
            1. Programs That Should Not Be CGIs
            2. Unintended Side Effects
              1. The problem with the script
              2. Fixing the problem
          2. Rules to Code By
            1. General Principles for Writing Secure Scripts
          3. Securely Using Fields, Hidden Fields, and Cookies
            1. Using Fields Securely
            2. Hidden Fields and Compound URLs
            3. Using Cookies
            4. Using Cryptography to Strengthen Hidden Fields, Compound URLs, and Cookies
          4. Rules for Programming Languages
            1. Rules for Perl
            2. Rules for C
            3. Rules for the Unix Shell
          5. Using PHP Securely
            1. Introduction to PHP
            2. Controlling PHP
            3. Understanding PHP Security Issues
            4. PHP Installation Issues
            5. PHP Variables
              1. Attacks with global variables
              2. register_globals = off
            6. Database Authentication Credentials
            7. URL fopen( )
            8. Hide Your Scripts
            9. PHP Safe Mode
              1. Controlling safe mode
              2. Safe mode restrictions
          6. Writing Scripts That Run with Additional Privileges
          7. Connecting to Databases
            1. Protect Account Information
            2. Use Filtering and Quoting to Screen Out Raw SQL
            3. Protect the Database Itself
          8. Conclusion
        4. 17. Deploying SSL Server Certificates
          1. Planning for Your SSL Server
            1. Choosing a Server
            2. Deciding on the Private Key Store
            3. Server Certificates
              1. The SSL certificate format
          2. Creating SSL Servers with FreeBSD
            1. History
            2. Obtaining the Programs
            3. Installing Apache and mod_ssl on FreeBSD
            4. Verifying the Initial Installation
            5. Signing Your Keys with Your Own Certification Authority
              1. The Apache mod_ssl configuration file
              2. Installing the key and certificate on the web server
              3. Installing the Nitroba CA certificate into Internet Explorer
              4. Installing the Nitroba CA certificate into Netscape Navigator
            6. Securing Other Services
          3. Installing an SSL Certificate on Microsoft IIS
          4. Obtaining a Certificate from a Commercial CA
          5. When Things Go Wrong
            1. Not Yet Valid and Expired Certificates
            2. Certificate Renewal
            3. Wrong Server Address
        5. 18. Securing Your Web Service
          1. Protecting Via Redundancy
            1. Price and Performance Versus Redundancy
            2. Providing for Redundancy
          2. Protecting Your DNS
          3. Protecting Your Domain Registration
        6. 19. Computer Crime
          1. Your Legal Options After a Break-In
            1. Filing a Criminal Complaint
              1. Choosing jurisdiction
              2. Local jurisdiction
              3. Federal jurisdiction
            2. Federal Computer Crime Laws
            3. Hazards of Criminal Prosecution
            4. The Responsibility to Report Crime
          2. Criminal Hazards
          3. Criminal Subject Matter
            1. Access Devices and Copyrighted Software
            2. Pornography, Indecency, and Obscenity
              1. Amateur Action
              2. Communications Decency Act
              3. Mandatory blocking
              4. Child pornography
            3. Devices that Circumvent Technical Measures that Control Access to Copyrighted Works
            4. Cryptographic Programs and Export Controls
      5. IV. Security for Content Providers
        1. 20. Controlling Access to Your Web Content
          1. Access Control Strategies
            1. Hidden URLs
            2. Host-Based Restrictions
              1. Using firewalls to implement host-based access control
              2. Caveats with host-based access control
            3. Identity-Based Access Controls
          2. Controlling Access with Apache
            1. Enforcing Access Control Restrictions with the .htaccess File
            2. Enforcing Access Control Restrictions with the Web Server’s Configuration File
            3. Commands Before the <Limit> ... </Limit> Directive
            4. Commands Within the <Limit> ... </Limit> Block
            5. <Limit> Examples
            6. Manually Setting Up Web Users and Passwords
            7. Advanced User Management
              1. Use a database
              2. Use RADIUS or LDAP
              3. Use PKI and digital certificates
          3. Controlling Access with Microsoft IIS
            1. Installing IIS
            2. Downloading and Installing the IIS Patches
            3. Controlling Access to IIS Web Pages
            4. Restricting Access to IIS Directories
        2. 21. Client-Side Digital Certificates
          1. Client Certificates
            1. Why Client Certificates?
            2. Support for Client-Side Digital Certificates
          2. A Tour of the VeriSign Digital ID Center
            1. Generating a VeriSign Digital ID
            2. Finding a Digital ID
            3. Revoking a Digital ID
        3. 22. Code Signing and Microsoft’s Authenticode
          1. Why Code Signing?
            1. Code Signing in Theory
            2. Code Signing Today
            3. Code Signing and Legal Restrictions on Cryptography
          2. Microsoft’s Authenticode Technology
            1. The “Pledge”
            2. Publishing with Authenticode
              1. The Authenticode SDK
              2. Making the certificate
              3. Adding the certificate to the store
              4. Signing a program
              5. Code signing from the command line
          3. Obtaining a Software Publishing Certificate
          4. Other Code Signing Methods
        4. 23. Pornography, Filtering Software, and Censorship
          1. Pornography Filtering
            1. Architectures for Filtering
            2. Problems with Filtering Software
          2. PICS
            1. What Is PICS?
            2. PICS Applications
            3. PICS and Censorship
              1. Access controls become tools for censorship
              2. Censoring the network
          3. RSACi
          4. Conclusion
        5. 24. Privacy Policies, Legislation, and P3P
          1. Policies That Protect Privacy and Privacy Policies
            1. The Code of Fair Information Practices
            2. OECD Guidelines
            3. Other National and International Regulations
            4. “Voluntary Regulation” Privacy Policies
              1. Seal programs
              2. FTC enforcement
              3. “Notice, Choice, Access, and Security”
          2. Children’s Online Privacy Protection Act
            1. Prelude to Regulation
            2. COPPA Requirements
              1. Who must follow the COPPA Rule?
              2. Basic provisions of COPPA
              3. Verifiable parental consent
              4. COPPA exceptions
              5. Enforcement
          3. P3P
            1. P3P and PICS
            2. Support for P3P in Internet Explorer 6.0
          4. Conclusion
        6. 25. Digital Payments
          1. Charga-Plates, Diners Club, and Credit Cards
            1. A Very Short History of Credit
            2. Payment Cards in the United States
            3. The Interbank Payment Card Transaction
              1. The charge card check digit algorithm
              2. The charge slip
              3. Charge card fees
            4. Refunds and Charge-Backs
            5. Additional Authentication Mechanisms
            6. Using Credit Cards on the Internet
          2. Internet-Based Payment Systems
            1. Virtual PIN
              1. Enrollment
              2. Purchasing
              3. Security and privacy
              4. Redux
            2. DigiCash
              1. Enrollment
              2. Purchasing
              3. Security and privacy
              4. Redux
            3. CyberCash/CyberCoin
              1. Enrollment
              2. Purchasing
              3. Security and privacy
              4. Redux
            4. SET
              1. Two channels: one for the merchant, one for the bank
              2. Why SET failed
              3. Redux
            5. PayPal
              1. Sending money
              2. Security and financial integration
            6. Gator Wallet
            7. Microsoft Passport
            8. Other Payment Systems
              1. Smart cards
              2. Mondex
          3. How to Evaluate a Credit Card Payment System
        7. 26. Intellectual Property and Actionable Content
          1. Copyright
            1. Copyright Infringement
            2. Software Piracy and the SPA
            3. Warez
          2. Patents
          3. Trademarks
            1. Obtaining a Trademark
            2. Trademark Violations
            3. Domain Names and Trademarks
          4. Actionable Content
            1. Libel and Defamation
            2. Liability for Damage
            3. Protection Through Incorporation
      6. V. Appendixes
        1. A. Lessons from Vineyard.NET
          1. In the Beginning
          2. Planning and Preparation
            1. Lesson: Whenever you are pulling wires, pull more than you need.
            2. Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.
            3. Lesson: Use centrally located punch-down blocks for computer and telephone networks.
            4. Lesson: Don’t go overboard.
            5. Lesson: Plan your computer room carefully; you will have to live with its location for a long time.
          3. IP Connectivity
            1. Lesson: Set milestones and stick to them.
            2. Lesson: Get your facilities in order.
            3. Lesson: Test your facilities before going live.
            4. Lesson: Provide for backup facilities before, during, and after your transition.
          4. Commercial Start-Up
            1. Working with the Phone Company
              1. Lesson: Design your systems to fail gracefully.
              2. Lesson: Know your phone company. Know its terminology, the right contact people, the phone numbers for internal organizations, and everything else you can find out.
            2. Incorporating Vineyard.NET
            3. Initial Expansion
              1. Lesson: Build sensible business partnerships.
            4. Accounting Software
              1. Lesson: Make sure your programs are table-driven as often as possible.
              2. Lesson: Tailor your products for your customers.
              3. Lesson: Build systems that are extensible.
              4. Lesson: Automate everything you can.
              5. Lesson: Don’t reinvent the wheel unless you can build a better wheel.
            5. Publicity and Privacy
              1. Lesson: Always be friendly to the press.
              2. Lesson: Never give out your home phone number.
              3. Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
          5. Ongoing Operations
            1. Security Concerns
              1. Lesson: Don’t run programs with a history of security problems.
              2. Lesson: Make frequent backups.
              3. Lesson: Limit logins to your servers.
              4. Lesson: Beware of TCP/IP spoofing.
              5. Lesson: Defeat packet sniffing.
              6. Lesson: Restrict logins.
              7. Lesson: Tighten up your system beyond manufacturer recommendations.
              8. Lesson: Remember, the “free” in “free software” refers to “freedom.”
            2. Phone Configuration and Billing Problems
            3. Credit Cards and ACH
              1. Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
              2. Lesson: Live credit card numbers are dangerous.
              3. Lesson: Encrypt sensitive information and be careful with your decryption keys.
              4. Lesson: Log everything, and have lots of reports.
              5. Lesson: Explore a variety of payment systems.
              6. Lesson: Make it easy for your customers to save you money.
              7. Lesson: Have a backup supplier.
            4. Monitoring Software
              1. Lesson: Monitor your system.
          6. Redundancy and Wireless
            1. Linking Primary to Backup
            2. Building the Backup Site
            3. Failover—and Back!
          7. The Big Cash-Out
          8. Conclusion
        2. B. The SSL/TLS Protocol
          1. History
          2. TLS Record Layer
          3. SSL/TLS Protocols
            1. Handshake Protocol
            2. Alert Protocol
            3. ChangeCipherSpec Protocol
          4. SSL 3.0/TLS Handshake
            1. Sequence of Events
              1. ClientHello
              2. ServerHello
              3. Server certificate
              4. Server key exchange
              5. Certificate Request
              6. The server sends a ServerHelloDone (TLS only)
              7. Client sends certificate
              8. ClientKeyExchange
              9. CertificateVerify
              10. ChangeCipherSpec
              11. Finished
              12. Application Data
        3. C. P3P: The Platform for Privacy Preferences Project
          1. How P3P Works
          2. Deploying P3P
            1. Creating a Privacy Policy
            2. Generating a P3P Policy and Policy Reference File
            3. Helping User Agents Find Your Policy Reference File
            4. Compact Policies
          3. Simple P3P-Enabled Web Site Example
        4. D. The PICS Specification
          1. Rating Services
          2. PICS Labels
            1. Labeled Documents
            2. Requesting PICS Labels by HTTP
            3. Requesting a Label from a Rating Service
        5. E. References
          1. Electronic References
            1. Mailing Lists
              1. Bugtraq
              2. CERT-advisory
              3. CIAC-notes and C-Notes
              4. Firewalls
              5. NTBugTraq
              6. NT-security
              7. RISKS
            2. Usenet Groups
            3. Web Pages and FTP Repository
              1. Attrition.org
              2. CERIAS
              3. CIAC
              4. DigiCrime
              5. FIRST
              6. IETF
              7. Mozilla
              8. NIH
              9. NIST CSRC
              10. Princeton SIP
              11. Radius.Net Cryptography Archives
              12. RSA Data Security
              13. OpenSSL
              14. SecurityFocus
              15. System Administration, Networking, and Security (SANS) Institute
              16. World Wide Web Consortium (W3C)
              17. WWW Security
            4. Software Resources
              1. chrootuid
              2. COPS (Computer Oracle and Password System)
              3. Kerberos
              4. MRTG
              5. portmap
              6. rsync
              7. SATAN
              8. SOCKS
              9. SSH
              10. Swatch
              11. tcpwrapper
              12. Tiger
              13. TIS Internet Firewall Toolkit
              14. Tripwire
              15. UDP Packet Relayer
          2. Paper References
            1. Computer Crime and Law
            2. Computer-Related Risks
            3. Computer Viruses and Programmed Threats
            4. Cryptography
            5. General Computer Security
            6. System Administration, Network Technology, and Security
              1. Network Technology
              2. Secure Programming
              3. Security and Networking
              4. Unix System Administration
              5. Windows System Administration
            7. Security Products and Services Information
            8. Miscellaneous References
      7. Index
      8. About the Authors
      9. Colophon

    Product information

    • Title: Web Security, Privacy & Commerce, 2nd Edition
    • Release date: November 2001
    • Publisher(s): O'Reilly Media, Inc.
    • ISBN: 9780596000455