| |
| |
| Preface | |
| |
| |
| |
| Web Technology | |
| |
| |
| |
| The Web Security Landscape | |
| |
| |
| The Web Security Problem | |
| |
| |
| Risk Analysis and Best Practices | |
| |
| |
| |
| The Architecture of the World Wide Web | |
| |
| |
| History and Terminology | |
| |
| |
| A Packet's Tour of the Web | |
| |
| |
| Who Owns the Internet? | |
| |
| |
| |
| Cryptography Basics | |
| |
| |
| Understanding Cryptography | |
| |
| |
| Symmetric Key Algorithms | |
| |
| |
| Public Key Algorithms | |
| |
| |
| Message Digest Functions | |
| |
| |
| |
| Cryptography and the Web | |
| |
| |
| Cryptography and Web Security | |
| |
| |
| Working Cryptographic Systems and Protocols | |
| |
| |
| What Cryptography Can't Do | |
| |
| |
| Legal Restrictions on Cryptography | |
| |
| |
| |
| Understanding SSL and TLS | |
| |
| |
| What Is SSL? | |
| |
| |
| SSL: The User's Point of View | |
| |
| |
| |
| Digital Identification I: Passwords, Biometrics, and Digital Signatures | |
| |
| |
| Physical Identification | |
| |
| |
| Using Public Keys for Identification | |
| |
| |
| Real-World Public Key Examples | |
| |
| |
| |
| Digital Identification II: Digital Certificates, CAs, and PKI | |
| |
| |
| Understanding Digital Certificates with PGP | |
| |
| |
| Certification Authorities: Third-Party Registrars | |
| |
| |
| Public Key Infrastructure | |
| |
| |
| Open Policy Issues | |
| |
| |
| |
| Privacy and Security for Users | |
| |
| |
| |
| The Web's War on Your Privacy | |
| |
| |
| Understanding Privacy | |
| |
| |
| User-Provided Information | |
| |
| |
| Log Files | |
| |
| |
| Understanding Cookies | |
| |
| |
| Web Bugs | |
| |
| |
| Conclusion | |
| |
| |
| |
| Privacy-Protecting Techniques | |
| |
| |
| Choosing a Good Service Provider | |
| |
| |
| Picking a Great Password | |
| |
| |
| Cleaning Up After Yourself | |
| |
| |
| Avoiding Spam and Junk Email | |
| |
| |
| Identity Theft | |
| |
| |
| |
| Privacy-Protecting Technologies | |
| |
| |
| Blocking Ads and Crushing Cookies | |
| |
| |
| Anonymous Browsing | |
| |
| |
| Secure Email | |
| |
| |
| |
| Backups and Antitheft | |
| |
| |
| Using Backups to Protect Your Data | |
| |
| |
| Preventing Theft | |
| |
| |
| |
| Mobile Code I: Plug-Ins, ActiveX, and Visual Basic | |
| |
| |
| When Good Browsers Go Bad | |
| |
| |
| Helper Applications and Plug-ins | |
| |
| |
| Microsoft's ActiveX | |
| |
| |
| The Risks of Downloaded Code | |
| |
| |
| Conclusion | |
| |
| |
| |
| Mobile Code II: Java, JavaScript, Flash, and Shockwave | |
| |
| |
| Java | |
| |
| |
| JavaScript | |
| |
| |
| Flash and Shockwave | |
| |
| |
| Conclusion | |
| |
| |
| |
| Web Server Security | |
| |
| |
| |
| Physical Security for Servers | |
| |
| |
| Planning for the Forgotten Threats | |
| |
| |
| Protecting Computer Hardware | |
| |
| |
| Protecting Your Data | |
| |
| |
| Personnel | |
| |
| |
| Story: A Failed Site Inspection | |
| |
| |
| |
| Host Security for Servers | |
| |
| |
| Current Host Security Problems | |
| |
| |
| Securing the Host Computer | |
| |
| |
| Minimizing Risk by Minimizing Services | |
| |
| |
| Operating Securely | |
| |
| |
| Secure Remote Access and Content Updating | |
| |
| |
| Firewalls and the Web | |
| |
| |
| Conclusion | |
| |
| |
| |
| Securing Web Applications | |
| |
| |
| A Legacy of Extensibility and Risk | |
| |
| |
| Rules to Code By | |
| |
| |
| Securely Using Fields, Hidden Fields, and Cookies | |
| |
| |
| Rules for Programming Languages | |
| |
| |
| Using PHP Securely | |
| |
| |
| Writing Scripts That Run with Additional Privileges | |
| |
| |
| Connecting to Databases | |
| |
| |
| Conclusion | |
| |
| |
| |
| Deploying SSL Server Certificates | |
| |
| |
| Planning for Your SSL Server | |
| |
| |
| Creating SSL Servers with FreeBSD | |
| |
| |
| Installing an SSL Certificate on Microsoft IIS | |
| |
| |
| Obtaining a Certificate from a Commercial CA | |
| |
| |
| When Things Go Wrong | |
| |
| |
| |
| Securing Your Web Service | |
| |
| |
| Protecting Via Redundancy | |
| |
| |
| Protecting Your DNS | |
| |
| |
| Protecting Your Domain Registration | |
| |
| |
| |
| Computer Crime | |
| |
| |
| Your Legal Options After a Break-In | |
| |
| |
| Criminal Hazards | |
| |
| |
| Criminal Subject Matter | |
| |
| |
| |
| Security for Content Providers | |
| |
| |
| |
| Controlling Access to Your Web Content | |
| |
| |
| Access Control Strategies | |
| |
| |
| Controlling Access with Apache | |
| |
| |
| Controlling Access with Microsoft IIS | |
| |
| |
| |
| Client-Side Digital Certificates | |
| |
| |
| Client Certificates | |
| |
| |
| A Tour of the VeriSign Digital ID Center | |
| |
| |
| |
| Code Signing and Microsoft's Authenticode | |
| |
| |
| Why Code Signing? | |
| |
| |
| Microsoft's Authenticode Technology | |
| |
| |
| Obtaining a Software Publishing Certificate | |
| |
| |
| Other Code Signing Methods | |
| |
| |
| |
| Pornography, Filtering Software, and Censorship | |
| |
| |
| Pornography Filtering | |
| |
| |
| PICS | |
| |
| |
| RSACi | |
| |
| |
| Conclusion | |
| |
| |
| |
| Privacy Policies, Legislation, and P3P | |
| |
| |
| Policies That Protect Privacy and Privacy Policies | |
| |
| |
| Children's Online Privacy Protection Act | |
| |
| |
| P3P | |
| |
| |
| Conclusion | |
| |
| |
| |
| Digital Payments | |
| |
| |
| Charga-Plates, Diners Club, and Credit Cards | |
| |
| |
| Internet-Based Payment Systems | |
| |
| |
| How to Evaluate a Credit Card Payment System | |
| |
| |
| |
| Intellectual Property and Actionable Content | |
| |
| |
| Copyright | |
| |
| |
| Patents | |
| |
| |
| Trademarks | |
| |
| |
| Actionable Content | |
| |
| |
| |
| Appendixes | |
| |
| |
| |
| Lessons from Vineyard.NET | |
| |
| |
| |
| The SSL/TLS Protocol | |
| |
| |
| |
| P3P: The Platform for Privacy Preferences Project | |
| |
| |
| |
| The PICS Specification | |
| |
| |
| |
| References | |
| |
| |
| Index | |