
web security privacy and commerce 2nd ed 99 ppt


Web Security, Privacy & Commerce, 2nd Edition
By Simson Garfinkel
Publisher: O'Reilly
Pub Date: November 2001
ISBN: 0-596-00045-6
Pages: 786

Copyright
Preface
  Web Security: Is Our Luck Running Out?
  About This Book
  Conventions Used in This Book
  Comments and Questions
  History and Acknowledgments
Part I: Web Technology
  Chapter 1. The Web Security Landscape
    Section 1.1. The Web Security Problem
    Section 1.2. Risk Analysis and Best Practices
  Chapter 2. The Architecture of the World Wide Web
    Section 2.1. History and Terminology
    Section 2.2. A Packet's Tour of the Web
    Section 2.3. Who Owns the Internet?
  Chapter 3. Cryptography Basics
    Section 3.1. Understanding Cryptography
    Section 3.2. Symmetric Key Algorithms
    Section 3.3. Public Key Algorithms
    Section 3.4. Message Digest Functions
  Chapter 4. Cryptography and the Web
    Section 4.1. Cryptography and Web Security
    Section 4.2. Working Cryptographic Systems and Protocols
    Section 4.3. What Cryptography Can't Do
    Section 4.4. Legal Restrictions on Cryptography
  Chapter 5. Understanding SSL and TLS
    Section 5.1. What Is SSL?
    Section 5.2. SSL: The User's Point of View
  Chapter 6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
    Section 6.1. Physical Identification
    Section 6.2. Using Public Keys for Identification
    Section 6.3. Real-World Public Key Examples
  Chapter 7. Digital Identification II: Digital Certificates, CAs, and PKI
    Section 7.1. Understanding Digital Certificates with PGP
    Section 7.2. Certification Authorities: Third-Party Registrars
    Section 7.3. Public Key Infrastructure
    Section 7.4. Open Policy Issues
Part II: Privacy and Security for Users
  Chapter 8. The Web's War on Your Privacy
    Section 8.1. Understanding Privacy
    Section 8.2. User-Provided Information
    Section 8.3. Log Files
    Section 8.4. Understanding Cookies
    Section 8.5. Web Bugs
    Section 8.6. Conclusion
  Chapter 9. Privacy-Protecting Techniques
    Section 9.1. Choosing a Good Service Provider
    Section 9.2. Picking a Great Password
    Section 9.3. Cleaning Up After Yourself
    Section 9.4. Avoiding Spam and Junk Email
    Section 9.5. Identity Theft
  Chapter 10. Privacy-Protecting Technologies
    Section 10.1. Blocking Ads and Crushing Cookies
    Section 10.2. Anonymous Browsing
    Section 10.3. Secure Email
  Chapter 11. Backups and Antitheft
    Section 11.1. Using Backups to Protect Your Data
    Section 11.2. Preventing Theft
  Chapter 12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
    Section 12.1. When Good Browsers Go Bad
    Section 12.2. Helper Applications and Plug-ins
    Section 12.3. Microsoft's ActiveX
    Section 12.4. The Risks of Downloaded Code
    Section 12.5. Conclusion
  Chapter 13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
    Section 13.1. Java
    Section 13.2. JavaScript
    Section 13.3. Flash and Shockwave
    Section 13.4. Conclusion
Part III: Web Server Security
  Chapter 14. Physical Security for Servers
    Section 14.1. Planning for the Forgotten Threats
    Section 14.2. Protecting Computer Hardware
    Section 14.3. Protecting Your Data
    Section 14.4. Personnel
    Section 14.5. Story: A Failed Site Inspection
  Chapter 15. Host Security for Servers
    Section 15.1. Current Host Security Problems
    Section 15.2. Securing the Host Computer
    Section 15.3. Minimizing Risk by Minimizing Services
    Section 15.4. Operating Securely
    Section 15.5. Secure Remote Access and Content Updating
    Section 15.6. Firewalls and the Web
    Section 15.7. Conclusion
  Chapter 16. Securing Web Applications
    Section 16.1. A Legacy of Extensibility and Risk
    Section 16.2. Rules to Code By
    Section 16.3. Securely Using Fields, Hidden Fields, and Cookies
    Section 16.4. Rules for Programming Languages
    Section 16.5. Using PHP Securely
    Section 16.6. Writing Scripts That Run with Additional Privileges
    Section 16.7. Connecting to Databases
    Section 16.8. Conclusion
  Chapter 17. Deploying SSL Server Certificates
    Section 17.1. Planning for Your SSL Server
    Section 17.2. Creating SSL Servers with FreeBSD
    Section 17.3. Installing an SSL Certificate on Microsoft IIS
    Section 17.4. Obtaining a Certificate from a Commercial CA
    Section 17.5. When Things Go Wrong
  Chapter 18. Securing Your Web Service
    Section 18.1. Protecting Via Redundancy
    Section 18.2. Protecting Your DNS
    Section 18.3. Protecting Your Domain Registration
  Chapter 19. Computer Crime
    Section 19.1. Your Legal Options After a Break-In
    Section 19.2. Criminal Hazards
    Section 19.3. Criminal Subject Matter
Part IV: Security for Content Providers
  Chapter 20. Controlling Access to Your Web Content
    Section 20.1. Access Control Strategies
    Section 20.2. Controlling Access with Apache
    Section 20.3. Controlling Access with Microsoft IIS
  Chapter 21. Client-Side Digital Certificates
    Section 21.1. Client Certificates
    Section 21.2. A Tour of the VeriSign Digital ID Center
  Chapter 22. Code Signing and Microsoft's Authenticode
    Section 22.1. Why Code Signing?
    Section 22.2. Microsoft's Authenticode Technology
    Section 22.3. Obtaining a Software Publishing Certificate
    Section 22.4. Other Code Signing Methods
  Chapter 23. Pornography, Filtering Software, and Censorship
    Section 23.1. Pornography Filtering
    Section 23.2. PICS
    Section 23.3. RSACi
    Section 23.4. Conclusion
  Chapter 24. Privacy Policies, Legislation, and P3P
    Section 24.1. Policies That Protect Privacy and Privacy Policies
    Section 24.2. Children's Online Privacy Protection Act
    Section 24.3. P3P
    Section 24.4. Conclusion
  Chapter 25. Digital Payments
    Section 25.1. Charga-Plates, Diners Club, and Credit Cards
    Section 25.2. Internet-Based Payment Systems
    Section 25.3. How to Evaluate a Credit Card Payment System
  Chapter 26. Intellectual Property and Actionable Content
    Section 26.1. Copyright
    Section 26.2. Patents
    Section 26.3. Trademarks
    Section 26.4. Actionable Content
Part V: Appendixes
  Appendix A. Lessons from Vineyard.NET
    Section A.1. In the Beginning
    Section A.2. Planning and Preparation
    Section A.3. IP Connectivity
    Section A.4. Commercial Start-Up
    Section A.5. Ongoing Operations
    Section A.6. Redundancy and Wireless
    Section A.7. The Big Cash-Out
    Section A.8. Conclusion
  Appendix B. The SSL/TLS Protocol
    Section B.1. History
    Section B.2. TLS Record Layer
    Section B.3. SSL/TLS Protocols
    Section B.4. SSL 3.0/TLS Handshake
  Appendix C. P3P: The Platform for Privacy Preferences Project
    Section C.1. How P3P Works
    Section C.2. Deploying P3P
    Section C.3. Simple P3P-Enabled Web Site Example
  Appendix D. The PICS Specification
    Section D.1. Rating Services
    Section D.2. PICS Labels
  Appendix E. References
    Section E.1. Electronic References
    Section E.2. Paper References
Colophon
Index

Book: Web Security, Privacy & Commerce, 2nd Edition

Copyright © 2001 O'Reilly & Associates, Inc. All rights reserved. Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc.

Appendix C was contributed by Lorrie Cranor of AT&T Labs-Research. It is copyright AT&T and reprinted with permission.

The section entitled "Brad Biddle on Digital Signatures and E-SIGN" (Section 7.4.10) was contributed by Brad Biddle. It is copyright Brad Biddle and reprinted with permission.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
The association between the image of a whale shark and the topic of web security, privacy, and commerce is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Book: Web Security, Privacy & Commerce, 2nd Edition

Preface

The World Wide Web has changed our world. More than half the people in the United States now use the Web on a regular basis. We use it to read today's news, to check tomorrow's weather, and to search for events that have happened in the distant past. And increasingly, the Web is the focus of the 21st century economy. Whether it's the purchase of a $50 radio or the consummation of a $5 million business-to-business transaction, the Web is where the action is.

But the Web is not without its risks. Hand-in-hand with stories of the Internet's gold rush are constant reminders that the 21st century Internet has all the safety and security of the U.S. Wild West of the 1860s. Consider:

● In February 2000, web sites belonging to Yahoo, Buy.com, Amazon.com, CNN, E*Trade, and others were shut down for hours, the result of a massive coordinated attack launched simultaneously from thousands of different computers. Although most of the sites were back up within hours, the attacks were quite costly. Yahoo, for instance, claimed to have lost more than a million dollars per minute in advertising revenue during the attack.

● In December 1999, an attacker identifying himself as a 19-year-old Russian named "Maxim" broke into the CDUniverse web store operated by eUniverse Inc. and copied more than 300,000 credit card numbers. Maxim then sent a fax to eUniverse threatening to post the stolen credit cards on the Internet if the store didn't pay him $100,000. On December 25, when the company refused to bow to the blackmail attack, Maxim posted more than 25,000 of the numbers on the hacker web site "Maxus Credit Card Pipeline." This led to instances of credit card fraud and abuse. Many of those credit card numbers were then canceled by the issuing banks, causing inconvenience to the legitimate holders of those cards. Similar break-ins and credit card thefts that year affected RealNames, CreditCards.com, EggHead.Com, and many other corporations.
  http://www.wired.com/news/technology/0,1282,33539,00.html
  http://www.cnn.com/2000/TECH/computing/01/10/credit.card.crack.2/
  Including one of the authors of this book.
  http://www.thestandard.com/article/display/0,1151,9743,00.html

● In October 2000, a student at Harvard University discovered that he could view the names, addresses, and phone numbers of thousands of Buy.com's customers by simply modifying a URL that the company sent to customers seeking to return merchandise. "This blatant disregard for security seems pretty inexcusable," the student, Ben Edelman, told Wired News.
  http://www.wired.com/news/technology/0,1282,39438,00.html

● Attacks on the Internet aren't only limited to e-commerce sites. A significant number of high-profile web sites have had their pages rewritten during attacks. Those attacked include the U.S. Department of Justice, the U.S. Central Intelligence Agency (see Figure P-1), the U.S. Air Force, UNICEF, and the New York Times. An archive of more than 325 hacked home pages is online at http://www.antionline.com/. On September 18, 1996, a group of Swedish hackers broke into the Central Intelligence Agency's web site (http://www.odci.gov/) and altered the home page, proclaiming that the Agency was the Central Stupidity Agency.

Attacks on web servers are not the only risks we face on the electronic frontier:

● On August 25, 2000, a fraudulent press release was uploaded to the computer of Internet Wire, an Internet news agency. The press release claimed to be from Emulex Corporation, a maker of computer hardware, and claimed that the company's chief executive officer had resigned and that the company would have to adjust its most recent quarterly earnings to reflect a loss, instead of a profit. The next morning, Emulex's share price plunged by more than 60%: within a few hours, the multi-billion-dollar company had lost roughly half its value. A few days later, authorities announced the Emulex caper had been pulled off by a single person, an ex-employee of the online news service, who had made a profit of nearly $250,000 by selling Emulex stock short before the release was issued.

● Within hours of its release on May 4, 2000, a fast-moving computer worm called the "Love Bug" touched tens of millions of computers throughout the Internet and caused untold damage. Written in Microsoft Visual Basic Scripting Language (VBS), the worm was spread by people running the Microsoft Outlook email program. When executed, the worm would mail copies of itself to every email address in the victim's address book, then destroy every MP3 and JPEG file that it could locate on the victim's machine.

● A growing number of computer "worms" scan the victim's hard disk for Microsoft Word and Excel files. These files are infected and then sent by email to recipients in the victim's address book. Not only are infections potentially started more often, but confidential documents may be sent to inappropriate recipients.

The Web doesn't merely represent a threat for corporations. There are cyberstalkers, who use the Web to learn personal information and harass their victims. There are pedophiles, who start relationships with children and lure them away from home. Even users of apparently anonymous chat services aren't safe: In February 1999, the defense contracting giant Raytheon filed suit against 21 unnamed individuals who made disparaging comments about the company on one of Yahoo's online chat boards.
Raytheon insisted that the 21 were current employees who had leaked confidential information; the company demanded that the Yahoo company reveal the identities behind the email addresses. Yahoo complied in May 1999. A few days later, Raytheon announced that four of the identified employees had "resigned," and the lawsuit was dropped.
  http://www.netlitigation.com/netlitigation/cases/raytheon.html

Even using apparently "anonymous" services on the Web may jeopardize your privacy and personal information. A study of the 21 most visited health-related web sites on the Internet (prepared for the California HealthCare Foundation) discovered that personal information provided at many of the sites was being inadvertently leaked to third-parties, including advertisers. In many cases, these data transfers were in violation of the web sites' own stated privacy policies. A similar information leak, which sent the results of home mortgage calculations to the Internet advertising firm DoubleClick, was discovered on Intuit's [...]

... the Web to get information or participate in online communities. And we'll look at the hype surrounding web security, analyze what companies (probably) mean when they use the phrase "secure web server," and discuss overall strategies for reducing the risks associated with the World Wide Web.

Book: Web Security, Privacy & Commerce, 2nd Edition
Section: Chapter 1. The Web Security Landscape

1.1 The Web Security ...

... include technology that needs to be created and deployed, procedures that need to be followed, and policies that need to be developed. Security is not an additional feature that can be purchased after-the-fact and simply bolted on to an existing system. Neither is security a set of policies that can be implemented within an organization by a single person who has the mandate to be Chief Security Officer. Building ...

... future editions. You can access this page at: http://www.oreilly.com/catalog/websec2/ For more information about this book and others, see the O'Reilly web site: http://www.oreilly.com

Book: Web Security, Privacy & Commerce, 2nd Edition
Section: Preface

History and Acknowledgments

In June 1991, O'Reilly & Associates published our first book, Practical Unix Security. The book was 450 pages and contained state-of-the-art ...

... authorities (CAs) and the public key infrastructure (PKI).

Book: Web Security, Privacy & Commerce, 2nd Edition
Section: Part I: Web Technology

Chapter 1. The Web Security Landscape

This chapter looks at the basics of web security. We'll discuss the risks of running a web server on the Internet and give you a framework for understanding how to mitigate those risks. We'll look at the risks that the Web poses for ...

... books. We looked them over and started on this project. Originally we thought that we would simply remove the material from Web Security and Commerce that was no longer relevant, alternatives that had been rejected by the marketplace. And certainly, some screen shots and configuration information needed to be revised. But as we looked more deeply at the project, we realized that a total rewrite and a significant ...

... the production editor for this book; Edie Freedman and Ellie Volckhausen, who designed the front cover; Emma Colby, who designed the back cover; David Futato, who designed the interior format; Audrey Doyle, the copyeditor; Mary Brady, Phil Dangler, Maureen Dempsey, Derek Di Matteo, Catherine Morris, and Edie Shapiro, who entered edits; and John Bickelhaupt, who indexed the book.

First Edition

We want ...

... enhance security, privacy, and commerce on the World Wide Web. Information in this book is aimed at three distinct but related audiences: the ordinary users of the Web, the individuals who operate the Web's infrastructure (web servers, hosts, routers, and long-distance data communications links), and finally, the people who publish information on the Web. For users, this book explains:
● How the Web ...

... with each passing year we are witnessing larger and larger crimes. It used to be that hackers simply defaced web sites; then they started stealing credit card numbers and demanding ransom; in December 2000, a report by MSNBC detailed how thousands of consumers had been bilked of between $5 and $25 on their credit cards by a group of Russian telecommunications and Internet companies; the charges were ...

... reliable, predictable operation of web servers, web browsers, other programs that communicate with web servers, and the surrounding Internet infrastructure. Unfortunately, the sheer scale and complexity of the Web makes the problem of web security dramatically more complex than the problem of Internet security in general. Today's web security problem has three primary facets: Securing the web server and the ...

... policy information, and to Bert-Jaap Koops, who let us use his table on export restrictions.

Book: Web Security, Privacy & Commerce, 2nd Edition

Part I: Web Technology

This part of the book examines the underlying technology that makes up today's World Wide Web and the Internet in general. Chapter 1 looks at the basics of web security - the risks inherent in running a web server, in using the Web to distribute ...

Posted: 14/08/2014, 19:20
