[ISN] Book Review: Web Security and Commerce

From: mea culpa (jerichoat_private)
Date: Thu Jun 25 1998 - 14:06:26 PDT


    Forwarded From: "Jay D. Dyson" <jdysonat_private>
    Courtesy of RISKS-DIGEST.
    Posted by Rob Slade <rsladeat_private>
    BKWBSCCM.RVW   980411
    "Web Security and Commerce", Simson Garfinkel/Gene Spafford, 1997,
         1-56592-269-7, U$32.95/C$46.95
    %A   Simson Garfinkel simsongat_private
    %A   Gene Spafford spafat_private
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   1997
    %G   1-56592-269-7
    %I   O'Reilly & Associates, Inc.
    %O   U$32.95/C$46.95 800-998-9938 707-829-0515 nutsat_private
    %P   483 p.
    %T   "Web Security and Commerce"
    Anyone who does not know the names Spafford and Garfinkel simply does not
    know the field of data security.  The authors, therefore, are well aware
    that data security becomes more complex with each passing week.  They
    note, in the Preface, that the book cannot hope to cover all aspects of
    Web security, and therefore they concentrate on those topics that are
    absolutely central to the concept, and/or not widely available elsewhere.
    Works on related issues are suggested both at the beginning and end of the

    Chapter one, which is also part one, introduces the topic, and the various
    factors involved in Web security.  The topic is examined from the
    perspective of the user and vendor, and also looks at vulnerabilities at
    the server site, client computer, and the network in between.

    Part two concerns the user.  Chapter two looks at the various possible
    problems with browsers, not all of which are related to Web page
    programming.  Java security is only marginally understood by many
    "experts," and not at all by users, so the coverage in chapter three is
    careful to point out the difference between safety, security, and the kind
    of security risks that can occur even if the sandbox *is* secure.  ActiveX
    and the limitations of authentication certificates are thoroughly explored
    in chapter four.  Chapter five looks briefly but analytically at the
    possible invasions of privacy that can occur on the Web.

    Part three deals more completely with the question of digital
    certificates.  Chapter six explains the various techniques for
    identification confirmation.  The use of certification authorities is
    reviewed in chapter seven, including the activity this can generate on Web
    browsers.  Chapter eight covers the steps needed to obtain a client-side
    digital certificate from Verisign.  Microsoft's Authenticode code signing
    system is detailed in chapter nine.

    Cryptography must be invoked at some point for any kind of data security,
    and particularly for security over insecure networks, so part four invests
    some depth in the topic.  Chapter ten starts with cryptographic basics,
    simply in terms of the various functions cryptography can provide.
    Functional limitations of cryptography, various existing systems, and US
    and international regulation with respect to the technology are discussed
    in chapter eleven.  SSL (Secure Sockets Layer) and TLS (Transport Layer
    Security) are described in chapter twelve.

    Part five details technical aspects of securing Web servers.  Traditional
    host security weaknesses are reviewed in chapter thirteen.  Chapter
    fourteen looks at specific strengthening measures for Web servers.  Rules
    for secure CGI (Common Gateway Interface) and API (Application Programmer
    Interface) programming are promulgated in chapter fifteen, along with
    tips for various languages.

    Commercial and societal concerns are major areas in Web security, so part
    six reviews a number of topics related to commerce, as well as other
    social factors.  Chapter sixteen looks at current non-cash payment
    systems, and the various existing, and proposed, digital payment systems
    for online commerce.  Censorship and site blocking are carefully examined
    in chapter seventeen.  A variety of legal issues are discussed, civil in
    chapter eighteen, and criminal in nineteen.

    In reviewing books I very often find that appendices are often filler.
    The most useful tend to be bibliographies or lists of vendor contacts.
    Too many seem to be mere self-indulgent filler used by the author to pad
    out the book.  Although it has almost nothing to do with Web security as
    such, I very much enjoyed Appendix A, Garfinkel's recounting of the
    lessons learned in setting up a small ISP (Internet Service Provider).  (I
    suppose that this could be considered valid coverage of Web commerce.)
    The other appendices are more directly related to the topic, including
    information on the installation of Web server certificates, the SSL
    protocol, the PICS (Platform for Internet Content Selection)
    specification, and references.

    In comparison to Stein's "Web Security" (cf. BKWEBSEC.RVW) I find it very
    difficult to choose between the two.  Each is readable, and each is aimed
    pretty much at the same target audience.  There is little to choose
    between them for technical depth: each has useful information that the
    other does not.  Both are excellent: what the heck, buy two, they're

    copyright Robert M. Slade, 1998   BKWBSCCM.RVW   980411