Preface

Web Technology
  The Web Security Landscape
    The Web Security Problem
    Risk Analysis and Best Practices
  The Architecture of the World Wide Web
    History and Terminology
    A Packet's Tour of the Web
    Who Owns the Internet?
  Cryptography Basics
    Understanding Cryptography
    Symmetric Key Algorithms
    Public Key Algorithms
    Message Digest Functions
  Cryptography and the Web
    Cryptography and Web Security
    Working Cryptographic Systems and Protocols
    What Cryptography Can't Do
    Legal Restrictions on Cryptography
  Understanding SSL and TLS
    What Is SSL?
    SSL: The User's Point of View
  Digital Identification I: Passwords, Biometrics, and Digital Signatures
    Physical Identification
    Using Public Keys for Identification
    Real-World Public Key Examples
  Digital Identification II: Digital Certificates, CAs, and PKI
    Understanding Digital Certificates with PGP
    Certification Authorities: Third-Party Registrars
    Public Key Infrastructure
    Open Policy Issues

Privacy and Security for Users
  The Web's War on Your Privacy
    Understanding Privacy
    User-Provided Information
    Log Files
    Understanding Cookies
    Web Bugs
    Conclusion
  Privacy-Protecting Techniques
    Choosing a Good Service Provider
    Picking a Great Password
    Cleaning Up After Yourself
    Avoiding Spam and Junk Email
    Identity Theft
  Privacy-Protecting Technologies
    Blocking Ads and Crushing Cookies
    Anonymous Browsing
    Secure Email
  Backups and Antitheft
    Using Backups to Protect Your Data
    Preventing Theft
  Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
    When Good Browsers Go Bad
    Helper Applications and Plug-ins
    Microsoft's ActiveX
    The Risks of Downloaded Code
    Conclusion
  Mobile Code II: Java, JavaScript, Flash, and Shockwave
    Java
    JavaScript
    Flash and Shockwave
    Conclusion

Web Server Security
  Physical Security for Servers
    Planning for the Forgotten Threats
    Protecting Computer Hardware
    Protecting Your Data
    Personnel
    Story: A Failed Site Inspection
  Host Security for Servers
    Current Host Security Problems
    Securing the Host Computer
    Minimizing Risk by Minimizing Services
    Operating Securely
    Secure Remote Access and Content Updating
    Firewalls and the Web
    Conclusion
  Securing Web Applications
    A Legacy of Extensibility and Risk
    Rules to Code By
    Securely Using Fields, Hidden Fields, and Cookies
    Rules for Programming Languages
    Using PHP Securely
    Writing Scripts That Run with Additional Privileges
    Connecting to Databases
    Conclusion
  Deploying SSL Server Certificates
    Planning for Your SSL Server
    Creating SSL Servers with FreeBSD
    Installing an SSL Certificate on Microsoft IIS
    Obtaining a Certificate from a Commercial CA
    When Things Go Wrong
  Securing Your Web Service
    Protecting Via Redundancy
    Protecting Your DNS
    Protecting Your Domain Registration
  Computer Crime
    Your Legal Options After a Break-In
    Criminal Hazards
    Criminal Subject Matter

Security for Content Providers
  Controlling Access to Your Web Content
    Access Control Strategies
    Controlling Access with Apache
    Controlling Access with Microsoft IIS
  Client-Side Digital Certificates
    Client Certificates
    A Tour of the VeriSign Digital ID Center
  Code Signing and Microsoft's Authenticode
    Why Code Signing?
    Microsoft's Authenticode Technology
    Obtaining a Software Publishing Certificate
    Other Code Signing Methods
  Pornography, Filtering Software, and Censorship
    Pornography Filtering
    PICS
    RSACi
    Conclusion
  Privacy Policies, Legislation, and P3P
    Policies That Protect Privacy and Privacy Policies
    Children's Online Privacy Protection Act
    P3P
    Conclusion
  Digital Payments
    Charga-Plates, Diners Club, and Credit Cards
    Internet-Based Payment Systems
    How to Evaluate a Credit Card Payment System
  Intellectual Property and Actionable Content
    Copyright
    Patents
    Trademarks
    Actionable Content

Appendixes
  Lessons from Vineyard.NET
  The SSL/TLS Protocol
  P3P: The Platform for Privacy Preferences Project
  The PICS Specification

References

Index