Loading ...
Sorry, an error occurred while loading the content.
 

REVIEW: "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKWBSPCM.RVW 20021106 Web Security, Privacy and Commerce , Simson Garfinkel/Gene Spafford, 2002, 0-596-00045-6, U$44.95/C$67.95 %A Simson Garfinkel
    Message 1 of 1 , Jan 15, 2003
      BKWBSPCM.RVW 20021106

      "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford,
      2002, 0-596-00045-6, U$44.95/C$67.95
      %A Simson Garfinkel simsong@...
      %A Gene Spafford spaf@...
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2002
      %G 0-596-00045-6
      %I O'Reilly & Associates, Inc.
      %O U$44.95/C$67.95 800-998-9938 707-829-0515 nuts@...
      %O http://www.amazon.com/exec/obidos/ASIN/0596000456/robsladesinterne
      %P 756 p.
      %T "Web Security, Privacy and Commerce"

      Anyone who does not know the names Spafford and Garfinkel simply does
      not know the field of data security. The authors, therefore, are well
      aware that data security becomes more complex with each passing week.
      This is, after all, the second edition of what was originally
      published under the title "Web Security and Commerce," and, while it
      is still recognizable as such, the work is essentially completely re-
      written. The authors note, in the Preface, that the book cannot hope
      to cover all aspects of Web security, and therefore they concentrate
      on those topics that are absolutely central to the concept, and/or not
      widely available elsewhere. Works on related issues are suggested
      both at the beginning and end of the book.

      A greatly expanded part one introduces the topic, and the various
      factors involved in Web security. Chapter one is a very brief
      overview of Web security considerations and requirements, with some
      material on general security concepts and risk analysis. The
      underlying architecture of the Web is examined in chapter two,
      although this is basically limited to Internet structures. (While the
      material is quite informative, perhaps some examples of HTTP
      [HyperText Transfer Protocol] would add value.) Cryptography is
      explained reasonably well in chapter three: there is no in-depth
      discussion of cryptographic algorithms, but these details can be
      readily found in other works. Chapter four deals with cryptographic
      uses, and also with legal restrictions. The concepts and limitations
      of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are
      given in chapter five, although the operational details are not
      covered. Chapter six starts out with a general discussion of
      identification and authentication,but then gets bogged down in the
      details of using PGP (Pretty Good Privacy). The coverage of digital
      certificates, in chapter seven, is likewise constricted by a
      dependence upon system technicalities.

      Part two concerns the user.

      Chapter two looks at the various possible problems with browsers, not
      all of which are related to Web page programming. Chapter eight looks
      analytically at the possible invasions of privacy that can occur on
      the Web. Some non-technical techniques of protecting your privacy,
      such as good password choice, are described in chapter nine, with
      various technical means listed in chapter ten. Chapter eleven reviews
      backups and some physical protection systems. ActiveX and the
      limitations of authentication certificates, as well as plugins and
      Visual Basic, are thoroughly explored in chapter twelve. Java
      security is only marginally understood by many "experts," and not at
      all by users, so the coverage in chapter thirteen is careful to point
      out the difference between safety, security, and the kind of security
      risks that can occur even if the sandbox *is* secure.

      Part three details technical aspects of securing Web servers. Chapter
      fourteen looks at physical security and disaster recovery measures.
      Traditional host security weaknesses are reviewed in chapter fifteen.
      Rules for secure CGI (Common Gateway Interface) and API (Application
      Programmer Interface) programming are promulgated in chapter sixteen,
      along with tips for various languages. More details on the server-
      side use of SSL is given in chapter seventeen. Chapter eighteen looks
      at specific strengthening measures for Web servers. You legal options
      for prosecuting a computer crime is reviewed in chapter nineteen.

      Commercial and societal concerns in regard to content are major areas
      in Web security, so part six reviews a number of topics related to
      commerce, as well as other social factors. Chapter twenty discusses a
      number of technical access control technologies, by system. Obtaining
      a client-side certificate is described in chapter twenty one.
      Microsoft's Authenticode system is reviewed yet again in chapter
      twenty two. Censorship and site blocking are carefully examined in
      chapter twenty three. Privacy policies, systems, and legislation are
      reviewed in chapter twenty four. Chapter twenty five looks at current
      non-cash payment systems, and the various existing, and proposed,
      digital payment systems for online commerce. Having already studied
      criminal problems earlier, the book now turns to civil and
      intellectual property issues, such as copyright, in chapter twenty
      six.

      Although it has almost nothing to do with Web security as such, I very
      much enjoyed Appendix A, Garfinkel's recounting of the lessons learned
      in setting up a small ISP (Internet Service Provider). (I suppose
      that this could be considered valid coverage of Web commerce.) The
      other appendices are more directly related to the topic, including the
      SSL protocol, the PICS (Platform for Internet Content Selection)
      specification, and references.

      Although the material has been valuably expanded and updated, some of
      the new content is less worthwhile. The extensive space given to
      specific products will probably date quickly, although the surrounding
      conceptual text will continue to provide helpful guidance. Certainly
      for anyone dealing with Web servers or running ISPs, this is a
      reference to consider seriously.

      copyright Robert M. Slade, 1998, 2002 BKWBSPCM.RVW 20021106

      --
      ======================
      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      February 10, 2003 February 14, 2003 St. Louis, MO
      March 31, 2003 April 4, 2003 Indianapolis, IN
    Your message has been successfully submitted and would be delivered to recipients shortly.