Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Security, Privacy and Commerce

Posted by timothy on from the prying-eyes-need-removal-and-squashing dept.

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it. Web Security, Privacy and Commerce author Simson Garfinkel, Gene Spafford (Contributor), Debby Russell pages 800 publisher O'Reillly & Associates rating 10 reviewer rw2 ISBN 0596000456 summary A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!

This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!

You can purchase Web Security, Privacy and Commerce at Fatbrain.

3 of 68 comments (clear)

  1. Web security? by brand+bendy · · Score: 0, Offtopic

    I can't believe they didn't use the obviously superior title: WEBCURITY!

    --
    I use phrases like "darn good" and "rootin' tootin'", but only when there's a darn good, rootin tootin' reason!
  2. Web-security by tomcio.s · · Score: 0, Offtopic

    Magic 8-ball says:
    "Outlook not so good"

  3. Spafford & Garfinkel !! by ReidMaynard · · Score: 0, Offtopic

    Man I love their music, esp "The Sound of Science".

    --
    -- www.globaltics.net

    Political discussion for a new world