[ISN] REVIEW: "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford

From: InfoSec News (isnat_private)
Date: Wed Jan 15 2003 - 23:10:18 PST

  • Next message: InfoSec News: "[ISN] MS plays the security card in Gov shared source retread"

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    BKWBSPCM.RVW   20021106
    
    "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford,
    2002, 0-596-00045-6, U$44.95/C$67.95
    %A   Simson Garfinkel simsongat_private
    %A   Gene Spafford spafat_private
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   2002
    %G   0-596-00045-6
    %I   O'Reilly & Associates, Inc.
    %O   U$44.95/C$67.95 800-998-9938 707-829-0515 nutsat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0596000456/robsladesinterne
    %P   756 p.
    %T   "Web Security, Privacy and Commerce"
    
    Anyone who does not know the names Spafford and Garfinkel simply does
    not know the field of data security.  The authors, therefore, are well
    aware that data security becomes more complex with each passing week. 
    This is, after all, the second edition of what was originally
    published under the title "Web Security and Commerce," and, while it
    is still recognizable as such, the work is essentially completely re-
    written.  The authors note, in the Preface, that the book cannot hope
    to cover all aspects of Web security, and therefore they concentrate
    on those topics that are absolutely central to the concept, and/or not
    widely available elsewhere.  Works on related issues are suggested
    both at the beginning and end of the book.
    
    A greatly expanded part one introduces the topic, and the various
    factors involved in Web security.  Chapter one is a very brief
    overview of Web security considerations and requirements, with some
    material on general security concepts and risk analysis.  The
    underlying architecture of the Web is examined in chapter two,
    although this is basically limited to Internet structures.  (While the
    material is quite informative, perhaps some examples of HTTP
    [HyperText Transfer Protocol] would add value.)  Cryptography is
    explained reasonably well in chapter three: there is no in-depth
    discussion of cryptographic algorithms, but these details can be
    readily found in other works.  Chapter four deals with cryptographic
    uses, and also with legal restrictions.  The concepts and limitations
    of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are
    given in chapter five, although the operational details are not
    covered.  Chapter six starts out with a general discussion of
    identification and authentication,but then gets bogged down in the
    details of using PGP (Pretty Good Privacy).  The coverage of digital
    certificates, in chapter seven, is likewise constricted by a
    dependence upon system technicalities.
    
    Part two concerns the user.  
    
    Chapter two looks at the various possible problems with browsers, not
    all of which are related to Web page programming.  Chapter eight looks
    analytically at the possible invasions of privacy that can occur on
    the Web.  Some non-technical techniques of protecting your privacy,
    such as good password choice, are described in chapter nine, with
    various technical means listed in chapter ten.  Chapter eleven reviews
    backups and some physical protection systems.  ActiveX and the
    limitations of authentication certificates, as well as plugins and
    Visual Basic, are thoroughly explored in chapter twelve.  Java
    security is only marginally understood by many "experts," and not at
    all by users, so the coverage in chapter thirteen is careful to point
    out the difference between safety, security, and the kind of security
    risks that can occur even if the sandbox *is* secure.
    
    Part three details technical aspects of securing Web servers.  Chapter
    fourteen looks at physical security and disaster recovery measures. 
    Traditional host security weaknesses are reviewed in chapter fifteen. 
    Rules for secure CGI (Common Gateway Interface) and API (Application
    Programmer Interface) programming are promulgated in chapter sixteen,
    along with tips for various languages.  More details on the server-
    side use of SSL is given in chapter seventeen.  Chapter eighteen looks
    at specific strengthening measures for Web servers.  You legal options
    for prosecuting a computer crime is reviewed in chapter nineteen.
    
    Commercial and societal concerns in regard to content are major areas
    in Web security, so part six reviews a number of topics related to
    commerce, as well as other social factors.  Chapter twenty discusses a
    number of technical access control technologies, by system.  Obtaining
    a client-side certificate is described in chapter twenty one. 
    Microsoft's Authenticode system is reviewed yet again in chapter
    twenty two.  Censorship and site blocking are carefully examined in
    chapter twenty three.  Privacy policies, systems, and legislation are
    reviewed in chapter twenty four.  Chapter twenty five looks at current
    non-cash payment systems, and the various existing, and proposed,
    digital payment systems for online commerce.  Having already studied
    criminal problems earlier, the book now turns to civil and
    intellectual property issues, such as copyright, in chapter twenty
    six.
    
    Although it has almost nothing to do with Web security as such, I very
    much enjoyed Appendix A, Garfinkel's recounting of the lessons learned
    in setting up a small ISP (Internet Service Provider).  (I suppose
    that this could be considered valid coverage of Web commerce.)  The
    other appendices are more directly related to the topic, including the
    SSL protocol, the PICS (Platform for Internet Content Selection)
    specification, and references.
    
    Although the material has been valuably expanded and updated, some of
    the new content is less worthwhile.  The extensive space given to
    specific products will probably date quickly, although the surrounding
    conceptual text will continue to provide helpful guidance.  Certainly
    for anyone dealing with Web servers or running ISPs, this is a
    reference to consider seriously.
    
    copyright Robert M. Slade, 1998, 2002   BKWBSPCM.RVW   20021106
    
    -- 
    ======================
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
        February 10, 2003   February 14, 2003   St. Louis, MO
        March 31, 2003      April 4, 2003       Indianapolis, IN
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jan 16 2003 - 01:12:33 PST