Web Security, Privacy & Commerce, 2nd Edition
Preface
Web Security: Is Our Luck Running Out?
Beyond the Point of No Return
Building in Security
About This Book
Organization of This Book
What You Should Know
Web Software Covered by This Book
Conventions Used in This Book
Comments and Questions
History and Acknowledgments
Second Edition
First Edition
I. Web Technology
1. The Web Security Landscape
The Web Security Problem
Securing the Web Server
Simplification of services
Policing copyright
Securing Information in Transit
Securing the User’s Computer
Risk Analysis and Best Practices
2. The Architecture of the World Wide Web
History and Terminology
Building the Internet
Packets and postcards
Protocols
Hosts, gateways, and firewalls
The client/server model
Weaving the Web
A Packet’s Tour of the Web
Booting Up Your PC
PC to LAN to Internet
Dialing up the Internet
Connected by LAN
The Walden Network
The Domain Name Service
How DNS works
Engaging the Web
Who Owns the Internet?
Your Local Internet Service Provider
Network Access Points and Metropolitan Area Exchanges
Peering
Transit
The Root and Top-Level Nameservers
Who runs the root?
An example
The Domain Registrars
Internet Number Registries
The Internet Corporation for Assigned Names and Numbers
3. Cryptography Basics
Understanding Cryptography
Roots of Cryptography
Cryptography as a Dual-Use Technology
A Cryptographic Example
Cryptographic Algorithms and Functions
Symmetric Key Algorithms
Cryptographic Strength of Symmetric Algorithms
Key Length with Symmetric Key Algorithms
Common Symmetric Key Algorithms
Attacks on Symmetric Encryption Algorithms
Key search (brute force) attacks
Cryptanalysis
Systems-based attacks
Public Key Algorithms
Uses of Public Key Encryption
Encrypted messaging
Digital signatures
Attacks on Public Key Algorithms
Key search attacks
Analytic attacks
Known versus published methods
Message Digest Functions
Message Digest Algorithms at Work
Uses of Message Digest Functions
HMAC
Attacks on Message Digest Functions
4. Cryptography and the Web
Cryptography and Web Security
Roles for Cryptography
Working Cryptographic Systems and Protocols
Offline Encryption Systems
PGP/OpenPGP
S/MIME
Online Cryptographic Protocols and Systems
SSL
PCT
SET
DNSSEC
IPsec and IPv6
Kerberos
SSH
What Cryptography Can’t Do
Legal Restrictions on Cryptography
Cryptography and the Patent System
The public key patents
Other patented algorithms
The outlook for patents
Cryptography and Trade Secret Law
Regulation of Cryptography by International and National Law
U.S. regulatory efforts and history
The Digital Millennium Copyright Act
International agreements on cryptography
National regulations of cryptography throughout the world
5. Understanding SSL and TLS
What Is SSL?
SSL Versions
SSL/TLS Features
What Does SSL Really Protect?
Digital Certificates
SSL Implementations
SSL Netscape
SSLRef and Mozilla Network Security Services
SSLeay and OpenSSL
SSL Java
SSL Performance
SSL: The User’s Point of View
Browser Preferences
Navigator preferences
Internet Explorer preferences
Browser Alerts
6. Digital Identification I: Passwords, Biometrics, and Digital Signatures
Physical Identification
The Need for Identification Today
Paper-Based Identification Techniques
Verifying identity with physical documents
Reputation of the issuing organization
Tamper-proofing the document
Computer-Based Identification Techniques
Password-based systems: something that you know
Physical tokens: something that you have
Biometrics: something that you are
Location: someplace where you are
Using Public Keys for Identification
Replay Attacks
Stopping Replay Attacks with Public Key Cryptography
PGP public keys
Creating and Storing the Private Key
Creating a public key/private key pair with PGP
Smart cards
Real-World Public Key Examples
Document Author Identification Using PGP
CERT/CC’s PGP signatures
Obtaining CERT/CC’s PGP key
Verifying the PGP-signed file
PGP certification
Public Key Authentication Using SSH
7. Digital Identification II: Digital Certificates, CAs, and PKI
Understanding Digital Certificates with PGP
Certifying Your Own Key
Certifying Other People’s Keys: PGP’s “Web of Trust”
Trust and validity
The Web of Trust and the key servers
Key signing parties
Certification Authorities: Third-Party Registrars
Certification Practices Statement (CPS)
The X.509 v3 Certificate
Exploring the X.509 v3 certificate
Types of Certificates
Minimal disclosure certificates
Revocation
Certificate revocation lists
Real-time certificate validation
Short-lived certificates
Public Key Infrastructure
Certification Authorities: Some History
Internet Explorer Preinstalled Certificates
Netscape Navigator Preinstalled Certificates
Multiple Certificates for a Single CA
Shortcomings of Today’s CAs
Lack of permanence for Certificate Policies field
Inconsistencies for “Subject” and “Issuer” fields
Unrealistic expiration dates
Open Policy Issues
Private Keys Are Not People
Distinguished Names Are Not People
There Are Too Many Robert Smiths
Today’s Digital Certificates Don’t Tell Enough
X.509 v3 Does Not Allow Selective Disclosure
Digital Certificates Allow for Easy Data Aggregation
How Many CAs Does Society Need?
How Do You Loan a Key?
Why Do These Questions Matter?
Brad Biddle on Digital Signatures and E-SIGN
E-SIGN and UETA
Electronic contracting—it’s more than just “signatures”!
“Signed writing” requirements
Proof
II. Privacy and Security for Users
8. The Web’s War on Your Privacy
Understanding Privacy
The Tort of Privacy
Personal, Private, and Personally Identifiable Information
User-Provided Information
Log Files
Retention and Rotation
Web Logs
What’s in a web log?
The refer link field
Obscuring web logs
RADIUS Logs
Mail Logs
DNS Logs
Understanding Cookies
The Cookie Protocol
An example
Cookie Uses
Cookie Jars
Cookie Security
Disabling Cookies
Web Bugs
Web Bugs on Web Pages
Web Bugs in Email Messages and Word Files
Uses of Web Bugs
Conclusion
9. Privacy-Protecting Techniques
Choosing a Good Service Provider
Picking a Great Password
Why Use Passwords?
Bad Passwords: Open Doors
Smoking Joes
Good Passwords: Locked Doors
Writing Down Passwords
Strategies for Managing Multiple Usernames and Passwords
Password classes
Password bases
Password rotation
Password keepers
Sharing Passwords
Be careful when you share your password with others!
Change your password when the person no longer needs it
Resist social engineering attacks
Beware of Password Sniffers and Stealers
Password sniffers
Keystroke recorders and keyboard sniffers
Beware of public terminals
Cleaning Up After Yourself
Browser Cache
Managing your cache with Internet Explorer
Managing your cache with Netscape Navigator
Cookies
Crushing Internet Explorer’s cookies
Crushing Netscape’s cookies
Browser History
Clearing Internet Explorer’s browser history
Clearing Netscape Navigator’s browser history
Passwords, Form-Filling, and AutoComplete Settings
Clearing AutoComplete with Internet Explorer
Clearing sensitive information with Netscape Navigator
Avoiding Spam and Junk Email
Protect Your Email Address
Use Address Munging
Use an Antispam Service or Software
Identity Theft
Protecting Yourself From Identity Theft
10. Privacy-Protecting Technologies
Blocking Ads and Crushing Cookies
Local HTTP Proxies
Using Ad Blockers
Anonymous Browsing
Simple Approaches to Protecting Your IP Address
Anonymous Web Browsing Services
Secure Email
Hotmail, Yahoo Mail, and Other Web-Based Email Services
Hushmail
Omniva’s Self-Destructing Email
11. Backups and Antitheft
Using Backups to Protect Your Data
Make Backups!
Why Make Backups?
What Should You Back Up?
Types of Backups
Guarding Against Media Failure
How Long Should You Keep a Backup?
Security for Backups
Physical security for backups
Write-protect your backups
Data security for backups
Legal Issues
Deciding upon a Backup Strategy
Preventing Theft
Understanding Computer Theft
Locks
Tagging
Laptop Recovery Software and Services
Awareness
12. Mobile Code I: Plug-Ins, ActiveX, and Visual Basic
When Good Browsers Go Bad
Card Shark
David.exe
The Chaos Quicken Checkout
ILOVEYOU
Helper Applications and Plug-ins
The History of Helpers
Getting the Plug-In
Evaluating Plug-In Security
Microsoft’s ActiveX
The <OBJECT> Tag
Authenticode
Does Authenticode Work?
Internet Exploder
Risky Controls
The Risks of Downloaded Code
Programs That Spend Your Money
Telephone billing records
Electronic funds transfers
Programs That Violate Privacy and Steal Confidential Information
A wealth of private data
Signed Code Is Not Safe Code
Signed Code Can Be Hijacked
Reconstructing an Attack
Recovering from an Attack
Conclusion
13. Mobile Code II: Java, JavaScript, Flash, and Shockwave
Java
A Little Java Demonstration
Java’s History
Java, the Language
Java Safety
Java Security
Safety is not security
Java Security Policy
Internet Explorer’s “security zones”
Setting Java policy in Microsoft Internet Explorer
Setting Java policy in Netscape Navigator
Java Security Problems
JavaScript
A Touch of JavaScript
JavaScript Security Overview
JavaScript Security Flaws
JavaScript Denial-of-Service Attacks
Can’t break a running script
Window system attacks
CPU and stack attacks
JavaScript Spoofing Attacks
Spoofing username/password pop-ups with Java
Spoofing browser status with JavaScript
Mirror worlds
Flash and Shockwave
Conclusion
III. Web Server Security
14. Physical Security for Servers
Planning for the Forgotten Threats
The Physical Security Plan
The Disaster Recovery Plan
Other Contingencies
Protecting Computer Hardware
The Environment
Fire
Smoke
Dust
Earthquake
Explosion
Temperature extremes
Bugs (biological)
Electrical noise
Lightning
Vibration
Humidity
Water
Environmental monitoring
Preventing Accidents
Food and drink
Physical Access
Raised floors and dropped ceilings
Entrance through air ducts
Glass walls
Vandalism
Ventilation holes
Network cables
Network connectors
Defending Against Acts of War and Terrorism
Preventing Theft
Physically secure your computer
RAM theft
Encryption
Laptops and portable computers
Protecting Your Data
Eavesdropping
Wiretapping
Eavesdropping over local area networks (Ethernet and twisted pair)
Eavesdropping on 802.11 wireless LANs
Eavesdropping by radio and using TEMPEST
Fiber optic cable
Keyboard monitors
Protecting Backups
Verify your backups
Protect your backups
Sanitizing Media Before Disposal
Sanitizing Printed Media
Protecting Local Storage
Printer buffers
Printer output
X terminals
Function keys
Unattended Terminals
Built-in shell autologout
Screensavers
Key Switches
Personnel
Story: A Failed Site Inspection
What We Found
Fire hazards
Potential for eavesdropping and data theft
Easy pickings
Physical access to critical computers
Possibilities for sabotage
Nothing to Lose?
15. Host Security for Servers
Current Host Security Problems
A Taxonomy of Attacks
Frequency of Attack
Understanding Your Adversaries
Script kiddies
Industrial spies
Ideologues and national agents
Organized crime
Rogue employees and insurance fraud
What the Attacker Wants
Tools of the Attacker’s Trade
Securing the Host Computer
Security Through Policy
Keeping Abreast of Bugs and Flaws
Choosing Your Vendor
Installation I: Inventory Your System
Installation II: Installing the Software and Patches
Minimizing Risk by Minimizing Services
Operating Securely
Keep Abreast of New Vulnerabilities
Logging
Setting up a log server
Logging on Unix
Logging on Windows 2000
Backups
Using Security Tools
Snapshot tools
Change-detecting tools
Network scanning programs
Intrusion detection systems
Virus scanners
Network recording and logging tools
Secure Remote Access and Content Updating
The Risk of Password Sniffing
Using Encryption to Protect Against Sniffing
Secure Content Updating
Dialup Modems
Firewalls and the Web
Types of Firewalls
Protecting LANs with Firewalls
Protecting Web Servers with Firewalls
Conclusion
16. Securing Web Applications
A Legacy of Extensibility and Risk
Programs That Should Not Be CGIs
Unintended Side Effects
The problem with the script
Fixing the problem
Rules to Code By
General Principles for Writing Secure Scripts
Securely Using Fields, Hidden Fields, and Cookies
Using Fields Securely
Hidden Fields and Compound URLs
Using Cookies
Using Cryptography to Strengthen Hidden Fields, Compound URLs, and Cookies
Rules for Programming Languages
Rules for Perl
Rules for C
Rules for the Unix Shell
Using PHP Securely
Introduction to PHP
Controlling PHP
Understanding PHP Security Issues
PHP Installation Issues
PHP Variables
Attacks with global variables
register_globals = off
Database Authentication Credentials
URL fopen( )
Hide Your Scripts
PHP Safe Mode
Controlling safe mode
Safe mode restrictions
Writing Scripts That Run with Additional Privileges
Connecting to Databases
Protect Account Information
Use Filtering and Quoting to Screen Out Raw SQL
Protect the Database Itself
Conclusion
17. Deploying SSL Server Certificates
Planning for Your SSL Server
Choosing a Server
Deciding on the Private Key Store
Server Certificates
The SSL certificate format
Creating SSL Servers with FreeBSD
History
Obtaining the Programs
Installing Apache and mod_ssl on FreeBSD
Verifying the Initial Installation
Signing Your Keys with Your Own Certification Authority
The Apache mod_ssl configuration file
Installing the key and certificate on the web server
Installing the Nitroba CA certificate into Internet Explorer
Installing the Nitroba CA certificate into Netscape Navigator
Securing Other Services
Installing an SSL Certificate on Microsoft IIS
Obtaining a Certificate from a Commercial CA
When Things Go Wrong
Not Yet Valid and Expired Certificates
Certificate Renewal
Wrong Server Address
18. Securing Your Web Service
Protecting Via Redundancy
Price and Performance Versus Redundancy
Providing for Redundancy
Protecting Your DNS
Protecting Your Domain Registration
19. Computer Crime
Your Legal Options After a Break-In
Filing a Criminal Complaint
Choosing jurisdiction
Local jurisdiction
Federal jurisdiction
Federal Computer Crime Laws
Hazards of Criminal Prosecution
The Responsibility to Report Crime
Criminal Hazards
Criminal Subject Matter
Access Devices and Copyrighted Software
Pornography, Indecency, and Obscenity
Amateur Action
Communications Decency Act
Mandatory blocking
Child pornography
Devices that Circumvent Technical Measures that Control Access to Copyrighted Works
Cryptographic Programs and Export Controls
IV. Security for Content Providers
20. Controlling Access to Your Web Content
Access Control Strategies
Hidden URLs
Host-Based Restrictions
Using firewalls to implement host-based access control
Caveats with host-based access control
Identity-Based Access Controls
Controlling Access with Apache
Enforcing Access Control Restrictions with the .htaccess File
Enforcing Access Control Restrictions with the Web Server’s Configuration File
Commands Before the <Limit>. . . </Limit> Directive
Commands Within the <Limit>. . . </Limit> Block
<Limit> Examples
Manually Setting Up Web Users and Passwords
Advanced User Management
Use a database
Use RADIUS or LDAP
Use PKI and digital certificates
Controlling Access with Microsoft IIS
Installing IIS
Downloading and Installing the IIS Patches
Controlling Access to IIS Web Pages
Restricting Access to IIS Directories
21. Client-Side Digital Certificates
Client Certificates
Why Client Certificates?
Support for Client-Side Digital Certificates
A Tour of the VeriSign Digital ID Center
Generating a VeriSign Digital ID
Finding a Digital ID
Revoking a Digital ID
22. Code Signing and Microsoft’s Authenticode
Why Code Signing?
Code Signing in Theory
Code Signing Today
Code Signing and Legal Restrictions on Cryptography
Microsoft’s Authenticode Technology
The “Pledge”
Publishing with Authenticode
The Authenticode SDK
Making the certificate
Adding the certificate to the store
Signing a program
Code signing from the command line
Obtaining a Software Publishing Certificate
Other Code Signing Methods
23. Pornography, Filtering Software, and Censorship
Pornography Filtering
Architectures for Filtering
Problems with Filtering Software
PICS
What Is PICS?
PICS Applications
PICS and Censorship
Access controls become tools for censorship
Censoring the network
RSACi
Conclusion
24. Privacy Policies, Legislation, and P3P
Policies That Protect Privacy and Privacy Policies
The Code of Fair Information Practices
OECD Guidelines
Other National and International Regulations
“Voluntary Regulation” Privacy Policies
Seal programs
FTC enforcement
“Notice, Choice, Access, and Security”
Children’s Online Privacy Protection Act
Prelude to Regulation
COPPA Requirements
Who must follow the COPPA Rule?
Basic provisions of COPPA
Verifiable parental consent
COPPA exceptions
Enforcement
P3P
P3P and PICS
Support for P3P in Internet Explorer 6.0
Conclusion
25. Digital Payments
Charga-Plates, Diners Club, and Credit Cards
A Very Short History of Credit
Payment Cards in the United States
The Interbank Payment Card Transaction
The charge card check digit algorithm
The charge slip
Charge card fees
Refunds and Charge-Backs
Additional Authentication Mechanisms
Using Credit Cards on the Internet
Internet-Based Payment Systems
Virtual PIN
Enrollment
Purchasing
Security and privacy
Redux
DigiCash
Enrollment
Purchasing
Security and privacy
Redux
CyberCash/CyberCoin
Enrollment
Purchasing
Security and privacy
Redux
SET
Two channels: one for the merchant, one for the bank
Why SET failed
Redux
PayPal
Sending money
Security and financial integration
Gator Wallet
Microsoft Passport
Other Payment Systems
Smart cards
Mondex
How to Evaluate a Credit Card Payment System
26. Intellectual Property and Actionable Content
Copyright
Copyright Infringement
Software Piracy and the SPA
Warez
Patents
Trademarks
Obtaining a Trademark
Trademark Violations
Domain Names and Trademarks
Actionable Content
Libel and Defamation
Liability for Damage
Protection Through Incorporation
V. Appendixes
A. Lessons from Vineyard.NET
In the Beginning
Planning and Preparation
Lesson: Whenever you are pulling wires, pull more than you need.
Lesson: Pull all your wires in a star configuration, from a central point out to each room, rather than daisy-chained from room to room. Wire both your computers and your telephone networks as stars. It makes it much easier to expand or rewire in the future.
Lesson: Use centrally located punch-down blocks for computer and telephone networks.
Lesson: Don’t go overboard.
Lesson: Plan your computer room carefully; you will have to live with its location for a long time.
IP Connectivity
Lesson: Set milestones and stick to them.
Lesson: Get your facilities in order.
Lesson: Test your facilities before going live.
Lesson: Provide for backup facilities before, during, and after your transition.
Commercial Start-Up
Working with the Phone Company
Lesson: Design your systems to fail gracefully.
Lesson: Know your phone company. Know its terminology, the right contact people, the phone numbers for internal organizations, and everything else you can find out.
Incorporating Vineyard.NET
Initial Expansion
Lesson: Build sensible business partnerships.
Accounting Software
Lesson: Make sure your programs are table-driven as often as possible.
Lesson: Tailor your products for your customers.
Lesson: Build systems that are extensible.
Lesson: Automate everything you can.
Lesson: Don’t reinvent the wheel unless you can build a better wheel.
Publicity and Privacy
Lesson: Always be friendly to the press.
Lesson: Never give out your home phone number.
Lesson: It is very difficult to change a phone number. So pick your company’s phone number early and use it consistently.
Ongoing Operations
Security Concerns
Lesson: Don’t run programs with a history of security problems.
Lesson: Make frequent backups.
Lesson: Limit logins to your servers.
Lesson: Beware of TCP/IP spoofing.
Lesson: Defeat packet sniffing.
Lesson: Restrict logins.
Lesson: Tighten up your system beyond manufacturer recommendations.
Lesson: Remember, the “free” in “free software” refers to “freedom.”
Phone Configuration and Billing Problems
Credit Cards and ACH
Lesson: If you have the time to write it, custom software always works better than what you can get off the shelf.
Lesson: Live credit card numbers are dangerous.
Lesson: Encrypt sensitive information and be careful with your decryption keys.
Lesson: Log everything, and have lots of reports.
Lesson: Explore a variety of payment systems.
Lesson: Make it easy for your customers to save you money.
Lesson: Have a backup supplier.
Monitoring Software
Lesson: Monitor your system.
Redundancy and Wireless
Linking Primary to Backup
Building the Backup Site
Failover—and Back!
The Big Cash-Out
Conclusion
B. The SSL/TLS Protocol
History
TLS Record Layer
SSL/TLS Protocols
Handshake Protocol
Alert Protocol
ChangeCipherSpec Protocol
SSL 3.0/TLS Handshake
Sequence of Events
1. ClientHello
2. ServerHello
3. Server certificate
4. Server key exchange
5. Certificate Request
6. The server sends a ServerHelloDone (TLS only)
7. Client sends certificate
8. ClientKeyExchange
9. CertificateVerify
10. ChangeCipherSpec
11. Finished
12. Application Data
C. P3P: The Platform for Privacy Preferences Project
How P3P Works
Deploying P3P
Creating a Privacy Policy
Generating a P3P Policy and Policy Reference File
Helping User Agents Find Your Policy Reference File
Compact Policies
Simple P3P-Enabled Web Site Example
D. The PICS Specification
Rating Services
PICS Labels
Labeled Documents
Requesting PICS Labels by HTTP
Requesting a Label from a Rating Service
E. References
Electronic References
Mailing Lists
Bugtraq
CERT-advisory
CIAC-notes and C-Notes
Firewalls
NTBugTraq
NT-security
RISKS
Usenet Groups
Web Pages and FTP Repository
Attrition.org
CERIAS
CIAC
DigiCrime
FIRST
IETF
Mozilla
NIH
NIST CSRC
Princeton SIP
Radius.Net Cryptography Archives
RSA Data Security
OpenSSL
SecurityFocus
System Administration, Networking, and Security (SANS) Institute
World Wide Web Consortium (W3C)
WWW Security
Software Resources
chrootuid
COPS (Computer Oracle and Password System)
Kerberos
MRTG
portmap
rsync
SATAN
SOCKS
SSH
Swatch
tcpwrapper
Tiger
TIS Internet Firewall Toolkit
Tripwire
UDP Packet Relayer
Paper References
Computer Crime and Law
Computer-Related Risks
Computer Viruses and Programmed Threats
Cryptography
General Computer Security
System Administration, Network Technology, and Security
Network Technology
Secure Programming
Security and Networking
Unix System Administration
Windows System Administration
Security Products and Services Information
Miscellaneous References
Index
About the Authors
Colophon