| Section | Page |
|---|---|
| Preface | p. xi |
| Web Technology | |
| The Web Security Landscape | p. 3 |
| The Web Security Problem | p. 3 |
| Risk Analysis and Best Practices | p. 10 |
| The Architecture of the World Wide Web | p. 13 |
| History and Terminology | p. 13 |
| A Packet's Tour of the Web | p. 20 |
| Who Owns the Internet? | p. 33 |
| Cryptography Basics | p. 46 |
| Understanding Cryptography | p. 46 |
| Symmetric Key Algorithms | p. 53 |
| Public Key Algorithms | p. 65 |
| Message Digest Functions | p. 71 |
| Cryptography and the Web | p. 78 |
| Cryptography and Web Security | p. 78 |
| Working Cryptographic Systems and Protocols | p. 81 |
| What Cryptography Can't Do | p. 88 |
| Legal Restrictions on Cryptography | p. 90 |
| Understanding SSL and TLS | p. 107 |
| What Is SSL? | p. 107 |
| SSL: The User's Point of View | p. 115 |
| Digital Identification I: Passwords, Biometrics, and Digital Signatures | p. 119 |
| Physical Identification | p. 119 |
| Using Public Keys for Identification | p. 130 |
| Real-World Public Key Examples | p. 140 |
| Digital Identification II: Digital Certificates, CAs, and PKI | p. 153 |
| Understanding Digital Certificates with PGP | p. 153 |
| Certification Authorities: Third-Party Registrars | p. 160 |
| Public Key Infrastructure | p. 174 |
| Open Policy Issues | p. 187 |
| Privacy and Security for Users | |
| The Web's War on Your Privacy | p. 203 |
| Understanding Privacy | p. 204 |
| User-Provided Information | p. 207 |
| Log Files | p. 210 |
| Understanding Cookies | p. 216 |
| Web Bugs | p. 225 |
| Conclusion | p. 229 |
| Privacy-Protecting Techniques | p. 230 |
| Choosing a Good Service Provider | p. 230 |
| Picking a Great Password | p. 231 |
| Cleaning Up After Yourself | p. 242 |
| Avoiding Spam and Junk Email | p. 252 |
| Identity Theft | p. 256 |
| Privacy-Protecting Technologies | p. 262 |
| Blocking Ads and Crushing Cookies | p. 262 |
| Anonymous Browsing | p. 268 |
| Secure Email | p. 275 |
| Backups and Antitheft | p. 284 |
| Using Backups to Protect Your Data | p. 284 |
| Preventing Theft | p. 295 |
| Mobile Code I: Plug-Ins, ActiveX, and Visual Basic | p. 298 |
| When Good Browsers Go Bad | p. 299 |
| Helper Applications and Plug-ins | p. 304 |
| Microsoft's ActiveX | p. 308 |
| The Risks of Downloaded Code | p. 318 |
| Conclusion | p. 326 |
| Mobile Code II: Java, JavaScript, Flash, and Shockwave | p. 327 |
| Java | p. 327 |
| JavaScript | p. 346 |
| Flash and Shockwave | p. 358 |
| Conclusion | p. 359 |
| Web Server Security | |
| Physical Security for Servers | p. 363 |
| Planning for the Forgotten Threats | p. 363 |
| Protecting Computer Hardware | p. 366 |
| Protecting Your Data | p. 381 |
| Personnel | p. 392 |
| Story: A Failed Site Inspection | p. 392 |
| Host Security for Servers | p. 396 |
| Current Host Security Problems | p. 397 |
| Securing the Host Computer | p. 405 |
| Minimizing Risk by Minimizing Services | p. 411 |
| Operating Securely | p. 413 |
| Secure Remote Access and Content Updating | p. 423 |
| Firewalls and the Web | p. 431 |
| Conclusion | p. 433 |
| Securing Web Applications | p. 435 |
| A Legacy of Extensibility and Risk | p. 435 |
| Rules to Code By | p. 443 |
| Securely Using Fields, Hidden Fields, and Cookies | p. 448 |
| Rules for Programming Languages | p. 454 |
| Using PHP Securely | p. 457 |
| Writing Scripts That Run with Additional Privileges | p. 467 |
| Connecting to Databases | p. 468 |
| Conclusion | p. 471 |
| Deploying SSL Server Certificates | p. 472 |
| Planning for Your SSL Server | p. 472 |
| Creating SSL Servers with FreeBSD | p. 477 |
| Installing an SSL Certificate on Microsoft IIS | p. 501 |
| Obtaining a Certificate from a Commercial CA | p. 503 |
| When Things Go Wrong | p. 506 |
| Securing Your Web Service | p. 510 |
| Protecting Via Redundancy | p. 510 |
| Protecting Your DNS | p. 514 |
| Protecting Your Domain Registration | p. 515 |
| Computer Crime | p. 517 |
| Your Legal Options After a Break-In | p. 517 |
| Criminal Hazards | p. 523 |
| Criminal Subject Matter | p. 526 |
| Security for Content Providers | |
| Controlling Access to Your Web Content | p. 533 |
| Access Control Strategies | p. 533 |
| Controlling Access with Apache | p. 538 |
| Controlling Access with Microsoft IIS | p. 545 |
| Client-Side Digital Certificates | p. 550 |
| Client Certificates | p. 550 |
| A Tour of the VeriSign Digital ID Center | p. 553 |
| Code Signing and Microsoft's Authenticode | p. 560 |
| Why Code Signing? | p. 560 |
| Microsoft's Authenticode Technology | p. 564 |
| Obtaining a Software Publishing Certificate | p. 577 |
| Other Code Signing Methods | p. 577 |
| Pornography, Filtering Software, and Censorship | p. 579 |
| Pornography Filtering | p. 579 |
| PICS | p. 582 |
| RSACi | p. 589 |
| Conclusion | p. 591 |
| Privacy Policies, Legislation, and P3P | p. 592 |
| Policies That Protect Privacy and Privacy Policies | p. 592 |
| Children's Online Privacy Protection Act | p. 601 |
| P3P | p. 606 |
| Conclusion | p. 609 |
| Digital Payments | p. 610 |
| Charga-Plates, Diners Club, and Credit Cards | p. 610 |
| Internet-Based Payment Systems | p. 620 |
| How to Evaluate a Credit Card Payment System | p. 640 |
| Intellectual Property and Actionable Content | p. 642 |
| Copyright | p. 642 |
| Patents | p. 645 |
| Trademarks | p. 646 |
| Actionable Content | p. 650 |
| Appendixes | |
| Lessons from Vineyard.NET | p. 655 |
| The SSL/TLS Protocol | p. 688 |
| P3P: The Platform for Privacy Preferences Project | p. 699 |
| The PICS Specification | p. 708 |
| References | p. 716 |
| Index | p. 735 |