Web Security and Commerce



Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers—is this what the World Wide Web is really all about?

Web Security & Commerce cuts through the hype and the front page stories. It tells you what the real risks are and explains how you can minimize them. Whether you're a casual but concerned Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Whatever browser or server you are using, you and your system will benefit from this book.

Topics include:

  • User safety—browser vulnerabilities with an emphasis on Netscape Navigator and Microsoft Internet Explorer, privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins.
  • Digital certificates—what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing is all about.
  • Cryptography—an overview of how encryption works on the Internet and how different algorithms and programs are being used today.
  • Web server security—detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.
  • Commerce and society—how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand.

Ignorance is not bliss when it comes to Web security. Hackers are attacking government sites, breaking into Internet service providers, and may be attacking your site too. Not to mention electronic credit card fraud, another thing that you need to worry about. Web Security and Commerce, written by the best-selling authors of Practical UNIX & Internet Security, discusses real risks on the Web and explains how you can minimize them. It is written for Net surfers accessing information as well as for the organizations that are running Web servers, making data and services available on the World Wide Web. Learn about the new Internet protocols and products, and find out the risks, threats, and benefits of the online world. Discover the specific risks that can result from Java and JavaScript! In an entertaining approach, the book gives you an insight into digital certificates, digital identification techniques, cryptography, SSL and TLS, legal issues, and more. The appendixes include the SSL 3.0 Protocol, the PICS Specification, and references for more information. Although the book covers the basics of Web security, this text is not meant to be a primer on computer security.


Product Details

  • ISBN-13: 9781565922693
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 6/8/1997
  • Series: Nutshell Handbooks Series
  • Edition description: Older Edition
  • Edition number: 1
  • Pages: 506
  • Product dimensions: 7.03 (w) x 9.20 (h) x 1.15 (d)

Meet the Author

Simson Garfinkel, CISSP, is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and has written for more than 50 publications, including Computerworld, Forbes, and The New York Times. He is also the author of Database Nation; Web Security, Privacy, and Commerce; PGP: Pretty Good Privacy; and seven other books. Garfinkel earned a master's degree in journalism at Columbia University in 1988 and holds three undergraduate degrees from MIT. He is currently working on his doctorate at MIT's Laboratory for Computer Science.

Gene Spafford, Ph.D., CISSP, is an internationally renowned scientist and educator who has been working in information security, policy, cybercrime, and software engineering for nearly two decades. He is a professor at Purdue University and is the director of CERIAS, the world's premier multidisciplinary academic center for information security and assurance. Professor Spafford and his students have pioneered a number of technologies and concepts well-known in security today, including the COPS and Tripwire tools, two-stage firewalls, and vulnerability databases. Spaf, as he is widely known, has achieved numerous professional honors recognizing his teaching, his research, and his professional service. These include being named a fellow of the AAAS, the ACM, and the IEEE; receiving the National Computer Systems Security Award; receiving the William Hugh Murray Medal of the NCISSE; election to the ISSA Hall of Fame; and receiving the Charles Murphy Award at Purdue. He was named a CISSP, honoris causa in 2000. In addition to over 100 technical reports and articles on his research, Spaf is also the coauthor of Web Security, Privacy, and Commerce, and was the consulting editor for Computer Crime: A Crimefighters Handbook (both from O'Reilly).


Read an Excerpt

Chapter 11: Cryptography and the Web

Encryption is the fundamental technology that protects information as it travels over the Internet. Although strong host security can prevent people from breaking into your computer (or at least prevent them from doing much damage once they have broken in), there is no way to safely transport the information that resides on your computer to another computer over a public network without using encryption.

But as the last chapter explained, there is not merely one cryptographic technology: there are many of them, each addressing a different need. In some cases, the differences between encryption systems represent technical differences; after all, no one solution can answer every problem. Other times, the differences are the result of restrictions resulting from patents or trade secrets. And finally, restrictions on cryptography sometimes result from political decisions.

Cryptography and Web Security

Security professionals have identified four keywords that are used to describe all of the different functions that encryption plays in modern information systems. The different functions are these:

Confidentiality: Encryption is used to scramble information sent over the Internet and stored on servers so that eavesdroppers cannot access the data's content. Some people call this quality "privacy," but most professionals reserve that word to refer to the protection of personal information (whether confidential or not) from aggregation and improper use.

Authentication: Digital signatures are used to identify the author of a message; people who receive the message can verify the identity of the person who signed them. They can be used in conjunction with passwords or as an alternative to them.

Integrity: Methods are used to verify that a message has not been modified while in transit. Often, this is done with digitally signed message digest codes.

Nonrepudiation: Cryptographic receipts are created so that an author of a message cannot falsely deny sending a message.

Strictly speaking, there is some overlap among these areas. For example, when the DES encryption algorithm is used to provide confidentiality, it frequently provides integrity as a byproduct. That's because if an encrypted message is altered, it will not decrypt properly. In practice, however, it is better engineering to use different algorithms that are specifically designed to assure integrity, rather than relying on the byproduct of other algorithms. That way, if the user decides not to include one aspect (such as encryption) because of efficiency or legal reasons, the user will still have a standard algorithm to use for the other system requirements.
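To show why the chapter recommends a dedicated integrity mechanism instead of relying on "it won't decrypt properly," here is an added example that is not from the book: a constructed toy stream cipher (keystream from SHA-256, not DES and not for deployment) and an HMAC standing in for the signed message digest. A modified ciphertext decrypts without any error to a different message, while the separate keyed digest rejects it.

```python
import hashlib
import hmac

# Constructed toy stream cipher: keystream = SHA-256(key || counter), XORed
# with the data. It exists only to show that successful decryption is not an
# integrity check; it is not DES and must not be used for real traffic.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption "succeeds" for any input at all.
    return toy_encrypt(key, ciphertext)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    # Simulates a message altered in transit: one byte changed, nothing else.
    b = bytearray(data)
    b[index] ^= mask
    return bytes(b)


TAG_LEN = 32  # HMAC-SHA256 digest length


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Confidentiality from the cipher, integrity from a separate keyed digest
    # computed over the ciphertext (stand-in for the book's signed digest).
    ct = toy_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # integrity failure: refuse to decrypt at all
    return toy_decrypt(enc_key, ct)


def demo() -> dict:
    # Constructed sample keys and message.
    enc_key = b"constructed-encryption-key"
    mac_key = b"constructed-integrity-key"
    msg = b"PAY 0100 DOLLARS TO ALICE"

    # Encryption alone: the byte for the leading '0' of the amount is altered.
    ct = toy_encrypt(enc_key, msg)
    altered_ct = flip_byte(ct, 4, ord("0") ^ ord("9"))
    altered_pt = toy_decrypt(enc_key, altered_ct)  # decrypts cleanly, wrong amount

    # Encryption plus a dedicated integrity check: the same alteration is caught.
    blob = seal(enc_key, mac_key, msg)
    altered_blob = flip_byte(blob, 4, ord("0") ^ ord("9"))
    return {
        "altered_plaintext": altered_pt,
        "sealed_ok": open_sealed(enc_key, mac_key, blob),
        "sealed_altered": open_sealed(enc_key, mac_key, altered_blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```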

What Cryptography Can't Do

Cryptography plays such an important role in web security that many people use the phrase "secure web server" when they really mean "cryptographically enabled web server." Indeed, it is difficult to imagine securing data and transactions sent over the Internet without the use of cryptography.

Nevertheless, encryption isn't all-powerful. You can use the best cryptography that's theoretically possible, but if you're not careful, you'll still be vulnerable to having your confidential documents and messages published on the front page of the San Jose Mercury News if an authorized recipient of the message faxes a copy to one of the reporters. Likewise, cryptography isn't an appropriate solution for many problems, including the following:

Cryptography can't protect your unencrypted documents. Even if you set up your web server so that it only sends files to people using 1024-bit SSL, remember that the unencrypted originals still reside on your web server. Unless you separately encrypt them, those files are vulnerable. Somebody breaking into the computer on which your server is located will have access to the data.

Cryptography can't protect against stolen encryption keys. The whole point of using encryption is to make it possible for people who have your encryption keys to decrypt your files or messages. Thus, any attacker who can steal or purchase your keys can decrypt your files and messages. That's important to remember when using SSL, because SSL keeps copies of the server's secret key on the computer's hard disk. (Normally it's encrypted, but it doesn't have to be.)

Cryptography can't protect against denial-of-service attacks. Cryptographic protocols such as SSL are great for protecting information from eavesdropping. Unfortunately, attackers can have goals other than eavesdropping. In banking and related fields, an attacker can cause great amounts of damage and lost funds by simply disrupting your communications or deleting your encrypted files.

Cryptography can't protect you against the record of a message or the fact that a message was sent. Suppose that you send an encrypted message to Blake Johnson, and Blake murders your lover's spouse, and then Blake sends you an encrypted message back. A reasonable person might suspect that you have some involvement in the murder, even if that person can't read the contents of your messages. Or suppose there is a record of your sending large, encrypted messages from work to your competitor. If there is a mysterious deposit to your bank account two days after each transmission, an investigator is likely to draw some conclusions from this behavior.

Cryptography can't protect against a booby-trapped encryption program. Someone can modify your encryption program to make it worse than worthless. For example, an attacker could modify your copy of Netscape Navigator so that it always uses the same encryption key. (This is one of the attacks that was developed at the University of California at Berkeley.)

Fundamentally, unless you write all of the programs that run on your computer, there is no way to completely eliminate these possibilities. They exist whether you are using encryption or not. However, you can minimize the risks by getting your cryptographic programs through trusted channels and minimizing the opportunity for your program to be modified. You can also use digital signatures and techniques like code signing to detect changes to your encryption programs.

Cryptography can't protect you against a traitor or a mistake. Humans are the weakest link in your system. Your cryptography system can't protect you if your correspondent is taking your messages and sending them to the newspapers after legitimately decrypting them. Your system also may not protect against one of your system administrators being tricked into revealing a password by a phone call purporting to be from the FBI.

Thus, while cryptography is an important element of web security, it is not the only part. Cryptography can't guarantee the security of your computer if people can break into it through other means. But cryptography will shield your data, which should help to minimize the impact of a penetration if it does occur.

Today's Working Encryption Systems

Although encryption is a technology that will be widespread in the future, it is already hard at work on the World Wide Web today. In recent years, more than a dozen cryptographic systems have been developed and fielded on the Internet.

Working cryptographic systems can be divided into two categories. The first group are programs and protocols that are used for encryption of email messages. These programs take a plaintext message, encrypt it, and either store the ciphertext or transmit it to another user on the Internet. Such programs can also be used to encrypt files that are stored on computers to give these files added protection. Some popular systems that fall into this category include the following:

  • PGP
  • S/MIME

The second category of cryptographic systems are network protocols used for providing confidentiality, authentication, integrity, and nonrepudiation in a networked environment. Such systems require real-time interplay between a client and a server to work properly. Some popular systems that fall into this category include the following:

  • SSL
  • PCT
  • S-HTTP
  • SET and CyberCash
  • IPsec and IPv6
  • Kerberos
  • SSH

All of these systems are summarized in Table 11-1 and are described in the sections that follow. For detailed instructions on using these systems, please refer to the references listed in the Appendixes.


One of the first widespread public key encryption programs was Pretty Good Privacy (PGP), written by Phil Zimmermann and released on the Internet in June 1991. PGP is a complete working system for the cryptographic protection of electronic mail and files. PGP is also a set of standards that describe the formats for encrypted messages, keys, and digital signatures.

PGP is a hybrid encryption system, using RSA public key encryption for key management and the IDEA symmetric cipher for the bulk encryption of data.

Referring to the encryption checklist at the beginning of this chapter, PGP offers confidentiality, through the use of the IDEA encryption algorithm; integrity, through the use of the MD5 cryptographic hash function; authentication, through the use of public key certificates; and nonrepudiation, through the use of cryptographically signed messages.

PGP is available in two ways, as a standalone application and as an integrated email program available from PGP, Inc. The standalone program runs on many more platforms than the integrated system but is more difficult to use. PGP, Inc., is also developing plug-ins for popular email systems to allow them to send and receive PGP-encrypted messages.

A problem with PGP is the management and certification of public keys. PGP keys never expire: instead, when the keys are compromised, it is up to the keyholder to distribute a special PGP key revocation certificate to everyone with whom he or she communicates. Correspondents who do not learn of a compromised key and use it weeks, months, or years later to send an encrypted message do so at their own risk. As a side effect, if you create and distribute a PGP public key, you must hold onto the secret key for all time because the key never expires.

PGP public keys are validated by a web of trust. Each PGP user can certify any key that he or she wishes, meaning that the user believes the key actually belongs to the person named in the key certificate. But PGP also allows users to say that they trust particular individuals to vouch for the authenticity of still more keys. PGP users sign each other's keys, vouching for the authenticity of the key's apparent holder.

The web of trust works for small communities of users, but not large ones. For example, one way that PGP users sign each other's keys is by holding ritualistic key signing parties. Users gather, exchange floppy disks containing public keys, show each other their driver's licenses, whip out their private keys, and then have an orgy of public key encryptions as their private keys are pressed against each other. It's a lot of fun, especially in mixed company. Key signings are a great way to meet people, as they are usually followed by trips to establishments involving the consumption of large amounts of alcohol, pizza, and/or chocolate. Unfortunately, this is not a practical way to create a national infrastructure of public keys.

Another way that PGP public keys are distributed is by the PGP public key servers located on the Internet. Any user on the Internet can submit a public key to the server, and the server will dutifully hold the key, send a copy of the key to all of the other servers, and give out the key to anybody who wishes it. Although there are many legitimate keys in the key server, there are also many keys that are clearly fictitious. Although the key servers work as advertised, in practice they are ignored by most PGP users. Instead of putting their keys on the key servers, most PGP users distribute their public keys on their own personal web pages. PGP's ability to certify identity reliably is severely hampered by the lack of a public key infrastructure....
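The web of trust and the never-expiring keys described in the two passages above, as an added illustration that is not PGP's code: a small keyring model in which a key is valid when the user signed it directly, when one fully trusted valid introducer signed it, or when two marginally trusted valid introducers did (the classic PGP thresholds, assumed here), and in which receiving a revocation certificate invalidates a key and everything it alone vouched for. Names and the keyring layout are constructed.

```python
from dataclasses import dataclass, field

FULL = "full"          # "I trust this person to vouch for other keys"
MARGINAL = "marginal"  # "I trust this person somewhat"


@dataclass
class KeyRing:
    """Constructed model of one user's PGP keyring (not PGP's own data format)."""
    owner: str                                       # the user's own key id
    signatures: dict = field(default_factory=dict)   # subject -> set of signer ids
    trust: dict = field(default_factory=dict)        # key id -> FULL / MARGINAL
    revoked: set = field(default_factory=set)        # keys with a revocation certificate

    def sign(self, signer: str, subject: str) -> None:
        # signer vouches that 'subject' really belongs to the named person
        self.signatures.setdefault(subject, set()).add(signer)

    def set_trust(self, key: str, level: str) -> None:
        self.trust[key] = level

    def revoke(self, key: str) -> None:
        # Models receiving the holder's revocation certificate; since PGP keys
        # never expire, this is the only way a compromised key goes away.
        self.revoked.add(key)

    def is_valid(self, key: str, _seen: frozenset = frozenset()) -> bool:
        if key in self.revoked:
            return False
        if key == self.owner:
            return True
        if key in _seen:           # break cycles in the signature graph
            return False
        seen = _seen | {key}
        full, marginal = 0, 0
        for signer in self.signatures.get(key, ()):
            if signer == key or signer in self.revoked:
                continue           # self-signatures and revoked introducers count for nothing
            if not self.is_valid(signer, seen):
                continue           # an introducer must itself be a valid key
            level = FULL if signer == self.owner else self.trust.get(signer)
            if level == FULL:
                full += 1
            elif level == MARGINAL:
                marginal += 1
        # Assumed classic PGP rule: one full introducer or two marginal ones.
        return full >= 1 or marginal >= 2


def build_example() -> KeyRing:
    ring = KeyRing(owner="me")
    # Keys checked in person at a key-signing party, then signed by the owner.
    for friend in ("alice", "bob", "carol"):
        ring.sign("me", friend)
    ring.set_trust("alice", FULL)
    ring.set_trust("bob", MARGINAL)
    ring.set_trust("carol", MARGINAL)
    # Second-hand keys: alice vouches for dave; bob and carol both vouch for
    # erin; only bob vouches for frank. mallory's key arrived from a key
    # server with no signatures at all.
    ring.sign("alice", "dave")
    ring.sign("bob", "erin")
    ring.sign("carol", "erin")
    ring.sign("bob", "frank")
    return ring


if __name__ == "__main__":
    ring = build_example()
    for k in ("alice", "dave", "erin", "frank", "mallory"):
        print(k, ring.is_valid(k))
    ring.revoke("alice")
    print("after revoking alice: dave", ring.is_valid("dave"))
```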


Table of Contents

  • Preface
  • Introduction
    • Chapter 1: The Web Security Landscape

  • User Safety
    • Chapter 2: The Buggy Browser: Evolution of Risk
    • Chapter 3: Java and JavaScript
    • Chapter 4: Downloading Machine Code with ActiveX and Plug-Ins
    • Chapter 5: Privacy

  • Digital Certificates
    • Chapter 6: Digital Identification Techniques
    • Chapter 7: Certification Authorities and Server Certificates
    • Chapter 8: Client-Side Digital Certificates
    • Chapter 9: Code Signing and Microsoft’s Authenticode

  • Cryptography
    • Chapter 10: Cryptography Basics
    • Chapter 11: Cryptography and the Web
    • Chapter 12: Understanding SSL and TLS

  • Web Server Security
    • Chapter 13: Host and Site Security
    • Chapter 14: Controlling Access to Your Web Server
    • Chapter 15: Secure CGI/API Programming

  • Commerce and Society
    • Chapter 16: Digital Payments
    • Chapter 17: Blocking Software and Censorship Technology
    • Chapter 18: Legal Issues: Civil
    • Chapter 19: Legal Issues: Criminal

  • Appendixes
    • Lessons from Vineyard.NET
    • Creating and Installing WebServer Certificates
    • The SSL 3.0 Protocol
    • The PICS Specification
    • References

  • Colophon



In the early morning hours of Saturday, August 17, 1996, a computer system at the U.S. Department of Justice was attacked. The target of the attack was the Department of Justice's web server, www.usdoj.gov. The attackers compromised the server's security and modified its home page--adding swastikas, obscene pictures, and a diatribe against the Communications Decency Act (which, ironically, had recently been declared unconstitutional by a federal court in Philadelphia).

The defaced web site was on the Internet for hours, until FBI technicians discovered the attack and pulled the plug. For the rest of the weekend, people trying to access the Department's home page saw nothing, because Justice didn't have a spare server.

The defaced web server publicly embarrassed the Department of Justice on national radio, TV, and in the nation's newspapers. The Department later admitted that it had not paid much attention to the security of its web server because the server didn't contain any sensitive information. After all, the web server was simply filled with publicly available information about the Department itself; it didn't have sensitive information about ongoing investigations.

By getting on the Web, the Department of Justice had taken advantage of a revolutionary new means of distributing information to the public--a system that lowers costs while simultaneously making information more useful and more accessible. But after the attack, it became painfully clear that the information on the web server didn't have to be secret to be sensitive. The web server was the Department's public face to the online world. Allowing it to be altered damaged the Department's credibility.

It was not an isolated incident. On September 18, 1996, a group of Swedish hackers broke into the Central Intelligence Agency's web site (http://www.odci.gov/cia). The Agency's response was the same as the FBI's: pull the plug first and ask questions later. A few months later, when a similar incident resulted in modification of the U.S. Air Force's home page, the Department of Defense shut down all of its externally available web servers for several days while seeking to secure its servers and repair the damage.

Then on Monday, March 3, 1997, a different kind of web threat reared its head. Paul Greene, a student at Worcester Polytechnic Institute, discovered that a specially written web page could trick Microsoft's Internet Explorer into executing practically any program with any input on a target computer. An attacker could use this bug to trash a victim's computer, infect it with a virus, or capture supposedly private information from the computer's hard drive. The bug effectively gave webmasters total control over any computer that visited a web site with Internet Explorer.

Microsoft posted a fix to Greene's bug within 48 hours on its web site, demonstrating both the company's ability to respond and the web's effectiveness at distributing bug fixes. But before the end of the week, another flaw with the same potentially devastating effects had been discovered in Internet Explorer. And the problems weren't confined only to Microsoft: within a week, other researchers reported discovering a new bug in Sun Microsystem's Java environment used in Netscape Navigator.

The Web: Promises and Threats

The Department of Justice, the Air Force, and the CIA were lucky. Despite the public humiliation resulting from the break-ins, none of these organizations had sensitive information on their web servers. A few days later, the systems were up and running again--this time, we hope, with the security problems fixed. But things could have been very different. Microsoft and the millions of users of Internet Explorer were lucky too. Despite the fact that the Internet Explorer bug was widely publicized, there were no attacks resulting in widespread data loss.

Instead of the heavy-handed intrusion, the anti-government hackers could have let their intrusion remain hidden and used the compromised computer as a base for attacking other government machines. Or they could have simply altered the pages a tiny bit--for example, changing phone numbers, fabricating embarrassing quotations, or even placing information on the web site that was potentially libelous or pointed to other altered pages. The attackers could have installed software for sniffing the organization's networks, helping them to break into other, even more sensitive machines.

A few days before the break-in at www.usdoj.gov, the Massachusetts state government announced that drivers could now pay their speeding tickets and traffic violations over the World Wide Web. Simply jump to the Registry of Motor Vehicles' web site, click on a few links, and pay your speeding ticket with a credit card number. "We believe the public would rather be online than in line," said one state official.

To accept credit cards safely over the Internet, the RMV web site uses a "secure" web server. Here, the word secure refers to the link between the web server and the web browser. It means that the web server implements certain cryptographic protocols so that when a person's credit card number is sent over the Internet, it is scrambled so the number cannot be intercepted along the way.

But the web server operated by the Massachusetts Registry isn't necessarily more secure than the web server operated by the Department of Justice. Merely using cryptography to send credit card numbers over the Internet doesn't mean the computer can't be broken into. And if the computer were compromised, the results could be far more damaging than a public relations embarrassment. Instead of altering web pages, the crooks could install software into the server that would surreptitiously capture credit card numbers after they had been decrypted. The credit card numbers could be silently passed back to the outside and used for committing credit fraud. It could take months for credit card companies to discover the source of the credit card number theft. By then, the thieves could have moved on to other victims.*

Alternatively, the next time a web server is compromised, the attackers could simply plant violent HTML code that exploits the now well-known bugs in Netscape Navigator or Microsoft Internet Explorer.

These stories illustrate both the promise and the danger of the World Wide Web. The promise is that the Web can dramatically lower costs to organizations for distributing information, products, and services. The danger is that the computers that make up the Web are vulnerable. They can and have been compromised. Even worse: the more things the Web is used for, the more value organizations put online, and the more people are using it, the more inviting targets all of these computers become.

Security is the primary worry of companies that want to do business on the World Wide Web, according to a 1997 study of 400 information systems managers in the U.S. by Strategic Focus, Inc., a Milpitas, California, consulting firm. "For any kind of electronic commerce, security is a major concern and will continue to be for some time," said Jay Prakash, the firm's president, who found security to be an issue for 55 percent of the surveyed companies.

About This Book

This is a book about World Wide Web security and commerce. In its pages, we will show you the threats facing people in the online world and ways of minimizing them.

This book is written both for individuals who are using web browsers to access information on the Internet and organizations that are running web servers to make data and services available. It contains a general overview of Internet-based computer security issues, as well as many chapters on the new protocols and products that have been created to assist in the rapid commercialization of the World Wide Web.

Topics in this book that will receive specific attention include:

  • The risks, threats, and benefits of the online world
  • How to control access to information on your web server
  • How to lessen the chances that your server will be broken into
  • Procedures that you should institute so that you can recover quickly if your server is compromised
  • What encryption is, and how you can use it to protect both your users and your systems
  • Security issues arising from the use of Java, JavaScript, ActiveX, and Netscape plug-ins
  • Selected legal issues

This book covers the fundamentals of web security, but it is not designed to be a primer on computer security, operating systems, or the World Wide Web. For that, we recommend many of the other fine books published by O'Reilly & Associates, including Æleen Frisch's Essential System Administration, Chuck Musciano and Bill Kennedy's HTML: The Definitive Guide, Shishir Gundavaram's CGI Programming on the World Wide Web, Deborah Russell and G.T. Gangemi's Computer Security Basics, and finally our book, Practical UNIX & Internet Security. An in-depth discussion of cryptography can be found in Bruce Schneier's Applied Cryptography (John Wiley & Sons).


This book is divided into seven parts; it includes 19 chapters and five appendixes:

Part I, Introduction, describes the basics of computer security for computers connected to the Internet.

Chapter 1, The Web Security Landscape, gives a brief history of the Web, introduces the terminology of web security, and provides some examples of the risks you will face doing business on the Web.

Part II, User Safety, looks at the particular security risks that users of particular web browsers face. It provides information on the two current browsers used most frequently: Microsoft's Internet Explorer and Netscape Navigator. This part of the book is aimed at users.

Chapter 2, The Buggy Browser: Evolution of Risk, explains the history of browsers and looks at the biggest security threat of all: careless and hasty implementation leading to faults.

Chapter 3, Java and JavaScript, looks at the specific security risks that can result from Java and JavaScript.

Chapter 4, Downloading Machine Code with ActiveX and Plug-Ins, looks at the serious dangers of running arbitrary code on your computer.

Chapter 5, Privacy, looks at the questions of online privacy, cookies, and the disclosure of secrets.

Part III, Digital Certificates, explains what digital certificates are and how they are used to establish identity and trust on the Web.

Chapter 6, Digital Identification Techniques, explains how cryptography is used to assure identity in a networked environment.

Chapter 7, Certification Authorities and Server Certificates, gives a hands-on view of the particular kinds of digital certificates that are used to establish the identity of web servers.

Chapter 8, Client-Side Digital Certificates, discusses the pros and cons of digital certificates that are used to establish the identity of users on the World Wide Web.

Chapter 9, Code Signing and Microsoft's Authenticode, explains how digital certificates can be used to sign executable programs and how those signatures are verified.

Part IV, Cryptography, gives an overview of cryptography and discusses how it pertains to the Web today. This part is especially useful to individuals and organizations interested in publishing and doing business on the World Wide Web.

Chapter 10, Cryptography Basics, discusses the role of encryption and message digests.

Chapter 11, Cryptography and the Web, discusses the role of encryption on the Internet.

Chapter 12, Understanding SSL and TLS, is a general overview of the Secure Socket Layer and Transport Layer Security protocols.

Part V, Web Server Security, explores techniques for securing web servers.

Chapter 13, Host and Site Security, contains information about basic UNIX and Windows NT security* as well as physical security.

Chapter 14, Controlling Access to Your Web Server, discusses how you can restrict information on a web server to particular users by using the access control systems built into web servers.

Chapter 15, Secure CGI/API Programming, discusses security issues that arise when writing CGI scripts and taking advantage of web server APIs.

Part VI, Commerce and Society, takes a look at the critical issues involving money and society on the World Wide Web. This part of the book is of general interest.

Chapter 16, Digital Payments, looks at credit cards, digital cash, and other ways of paying for things online.

Chapter 17, Blocking Software and Censorship Technology, examines technologies that are used for controlling access to the Internet by children and by people living in totalitarian countries.

Chapter 18, Legal Issues: Civil, looks at a number of civil concerns involved with publishing information on the World Wide Web.

Chapter 19, Legal Issues: Criminal, continues our survey of legal issues by looking at criminal problems that can arise from web content.

Part VII, Appendixes, contains summary and technical information.

Appendix A, Lessons from Vineyard.NET, is a personal account of creating and running an Internet service provider and trying to ensure its security.

Appendix B, Creating and Installing Web Server Certificates, shows the installation of the Apache-SSL web server and the certificate procurement and installation process. Although the specific technical information contained in this chapter may be obsolete by the time this book is printed, the procedure illustrates the process that must be followed for most web servers in use.

Appendix C, The SSL 3.0 Protocol, is a technical walkthrough of the details of the SSL 3.0 protocol. It includes sample code for creating an SSL (Secure Socket Layer) client and server and information on SSLeay.

Appendix D, The PICS Specification, is a technical walkthrough of the details of the PICS standard.

Appendix E, References, tells you where you can go for more information. It covers both electronic and paper sources. We have tried to keep it short so that it will be approachable.

What You Should Know

Web security is a complex topic that touches on many aspects of traditional computer security, computer architectures, system design, software engineering, Internet technology, mathematics, and the law. To keep the size of this book under control, we have focused on conveying information and techniques that will not readily be found elsewhere.

To get the most out of this book, you should already be familiar with the operation and management of a networked computer. You should know how to connect your computer to the Internet; how to obtain, install, and maintain computer software; and how to perform routine system management tasks, such as backups. You should have a working knowledge of the World Wide Web, and you should know how to install and maintain your organization's web server.

That is not to say that this is a book written solely for "propeller-heads" and security geeks. Great effort has been taken to make this book useful for people who have a working familiarity with computers and the web, but are not familiar with the nitty-gritty details of computer security. That's why we have the introductory chapters on cryptography and SSL.

Web Software Covered by This Book

A major difficulty in writing a book on web security is that the field is moving incredibly quickly. While we were working on this book, Netscape released three generations of web servers and browsers; Microsoft released its Internet Explorer 3.0 web browser and previewed its 4.0 browser; and WebTV Networks released a set-top box that allows people to surf the web without a PC and was eventually bought by Microsoft. At least three "secure" web servers were announced and released during that time period as well.

It is extremely difficult to track the field of web security, and it is impossible to do so in a printed publication such as this. So instead of providing detailed technical information regarding the installation and configuration of particular software that is sure to become obsolete shortly after the publication of this volume, we have instead written about concepts and techniques that should be generally applicable for many years to come.

In writing this book, we used a wide variety of software. Examples in this book are drawn from these web servers:

Apache-SSL

Apache-SSL is a cryptographically enabled web server that runs on a variety of UNIX operating systems. It is freely available worldwide (although its use may be restricted by local laws), and it supports military-grade 128-bit encryption. Because Apache-SSL uses a variety of patented technologies, Apache-SSL must be licensed for commercial use within the United States. Community ConneXion sells a properly licensed version of this server called Stronghold.

Microsoft Internet Information Server

IIS is Microsoft's cryptographically enabled web server that is bundled with the Windows NT Server operating system.

Netscape FastTrack Server

The Netscape FastTrack server is a low-cost cryptographically enabled web server manufactured by Netscape Communications, Inc. Two versions of the FastTrack server are available: a U.S. version that includes 128-bit encryption and an export version that supports encryption with 40 bits of secret key.

WebStar Pro

WebStar Pro is a web server that runs on the Apple MacOS operating system. Originally based on the popular MacHTTP web server, WebStar Pro includes a cryptographic module. It is sold today by Star Nine Technologies, a division of Quarterdeck.

WebSite Pro

WebSite Pro is a cryptographically enabled web server that runs on the Windows 95 and Windows NT operating systems. WebSite Pro is sold by O'Reilly & Associates.

The following web browsers were used in the creation of this book:

Netscape Navigator

Netscape Navigator is the web browser that ignited the commercialization of the Internet. Versions 1, 2, 3, and 4 were used in the preparation of this book.

Microsoft Internet Explorer

The Microsoft Internet Explorer is a cryptographically enabled web browser that is deeply interconnected with the Microsoft Windows 95 operating system. Versions 3 and 4 were used in the preparation of this book.

Spry Real Mosaic

Spry's Real Mosaic web browser is a descendant of the original Mosaic browser. The browser engine is widely licensed by other companies, including Microsoft and WebTV Networks.

Why Another Book on Computer Security?

In June 1991, O'Reilly & Associates published our first book, Practical UNIX Security. The book was 450 pages and contained state-of-the-art information for securing UNIX computers on the Internet. Five years later, we published the revised edition of our book, now entitled Practical UNIX & Internet Security. During the intervening years, the field of computer security had grown substantially. Not surprisingly, so had our page count. The new volume was 1000 pages long.

Some people joked that the second edition was so big and took so long to read that its most likely use in the field of computer security was that of a weapon--if anybody tried to break into your computer, simply hit them on the head with the corner of the three-pound opus. It would stop them cold.

Perhaps. For the serious computer security administrator, 1000 detailed pages on running secure UNIX and Internet servers is a godsend. Unfortunately, much of the information in the book is simply not relevant for the administrator who is seeking to manage a small web site securely. At the same time, the book misses key elements that are useful and important to the web administrator--technology developed in the year following the book's publication. Moreover, our 1996 book focuses on UNIX servers; not every site uses UNIX, and not every person is a system administrator.

Clearly, there is a need for a book that would give time-pressed computer users and system managers the "skinny" on what they need to know about using the Web securely. Likewise, there is a need for a new book that covers the newest developments in web security: SSL encryption, client-side digital signature certificates, special issues pertaining to electronic commerce. This is that book.

Conventions Used in This Book

The following conventions are used in this book:

Italic is used for file and directory names and for URLs. It is also used to emphasize new terms and concepts when they are introduced.

Constant Width is used for code examples and any system output.


Customer Reviews

  • Anonymous

    Posted March 27, 2001

    Security is serious business; this book is all fluff

    The content contained within the book was very obvious. Too obvious, even if the book were a Dummies title. Also, this book, while 400+ pages long, contained about 50 pages of useful information. Each topic contained dozens of analogies to describe it. One or two analogies would have been sufficient for most people. I am convinced the list of these analogies was solely there to increase the size of this book. One topic in particular, Digital Certificates, included 8 pages of analogies, including the explanation to readers that most computers don't have cameras that can identify a user's face visually and that driver's licenses and passports are used to identify people in the real world. I was very disappointed; I expect a lot more from O'Reilly.
