Web Security: A Step-by-Step Reference Guide - Softcover

From the Author

Web Security: What's to Worry About?

Unfortunately, there's a lot to worry about. If you are an end user, you might think that Web surfing is safe and entirely anonymous. It's not. Active content, such as ActiveX controls and Java applets, introduces the possibility that Web browsing will introduce viruses and other types of malicious software into your system. Even without active content, the very act of browsing leaves an electronic record of your surfing history from which unscrupulous individuals can reconstruct a very accurate profile of the your tastes and habits.

If you are a Webmaster, an attack on your site can threaten your job security. Whether motivated by thrills or financial gain, Internet vandals break into Web sites with unnerving regularity. The results can range from the merely embarassing (when you discover one morning that your site's home page has been replaced by an obscene parody), to the acutely damaging (when you suffer the theft of your entire database of customer information.)

If you are the network administrator, a Web server represents yet another way that your local network's security can be compromised. A poorly configured Web server can punch a hole in the most carefully designed firewall system. Conversely, a poorly configured firewall can make a Web site impossible to use. Things are particularly complicated in intranet environments, where the Web server must be configured to recognize and authenticate various groups of users, each with distinct access privileges. Active content also has implications for network administrators, as Web browsers provide a pathway by which malicious software can bypass the firewall system and enter the local area network.

Finally, both end users and Webmasters need to worry about the confidentiality of the data transmitted across the Web. The TCP/IP protocol was not designed with security in mind; hence it is vulnerable to network eavesdropping. When confidential documents are transmitted from the Web server to the browser, or when the end-user sends private information back to the server inside a fill-out form, someone may be listening in.

This book started out life some years ago as the World Wide Web Security FAQ (Frequently Asked Questions -- with answers), a practical on-line list of do's and don'ts for Webmasters. It was an instant hit, and soon grew to cover the topics of end user privacy, safe CGI scripting, cryptography, site access control, operating system security, certificate server management, remote authoring, firewall configuration and an ever-expanding list of security holes in popular Web servers and authoring tools. When the FAQ got too large to easily maintain in on-line form, I transformed it into this book, which still retains the down to earth flavor of the original.

Table of Contents:

Preface
1. What Is Web Security?
2. Basic Cryptography
3. SSL, SET, and Digital Payment Systems
4. Using SSL
5. Active Content
6. Web Privacy
7. Server Security
8. UNIX Web Servers
9. Windows NT Web Servers
10. Access Control
11. Encryption and Certificate-Based Access Control
12. Safe CGI Scripting
13. Remote Authoring and Administration
14. Web Servers and Firewalls
Index

From the Back Cover

Written for Web site administrators, developers, and end users, this book is a readable, real-world guide to securing your Web site with the latest in security technology, techniques, and tools. Lincoln D. Stein, keeper of the official Web Security FAQ, addresses your most pressing concerns and tells you exactly what you need to know to make your site more secure. He offers concise explanations of essential theory; helps you analyze and evaluate the risks that threaten your site and the privacy of your clients; and provides concrete, step-by-step solutions, checklists of do's and don'ts, on-line and off-line resources, and hardware and software tools that guard your site against security breaches.

Web Security approaches the topic from three different points of view--protecting the end user's confidentiality and the integrity of his or her machine, protecting the Web site from intrusion and sabotage, and protecting both from third-party eavesdropping and tampering.

You will learn about

• securing credit card transactions with the SET protocol
• document encryption with the SSL protocol
• how to guard end users against the dangers of active content and cookies
• monitoring and log tools
• controlling access with passwords, client certificates, and advanced login protocols
• remote authoring
• firewalls

In addition, the book offers practical advice on configuring the operating system securely and eliminating unnecessary features that increase vulnerability. CGI scripts introduce many of the security problems that plague the Web, and this book shows how to avoid these breaches with safe CGI-scripting techniques. You will also learn how to avoid denial-of-service attacks and prevent LAN break-ins through the Web server.

After reading this book, you will have the practical knowledge you need to ensure that your Web site, and your clients' interests, are safe from attack.