Web Security & Commerce (O'Reilly Nutshell) (Paperback)

~ Simson Garfinkel (Author), Gene Spafford (Author)

Editorial Reviews

Amazon.com Review

Garfinkel and Spafford, longtime Net veterans, overturn a lot of misconceptions about online security in a commonsense book that is easily accessible to even nontechnical readers. They make it clear that any commercial Web site requires careful attention to security­-even if the site doesn't carry any sensitive information. Furthermore, the authors show that there's a lot more to security than merely encrypting transmissions. Their goal is to lay the foundation for securing the three parts of a system: the Web server and its data; the information that travels between server and user; and the user's own computer and the information stored there.

Because of the rapidly evolving nature of Web security, Garfinkel and Spafford are not specific in terms of security flaws and tools to fix them. Instead, they emphasize laying out the Web-security principles that will be applicable throughout several generations of hardware and software change. In the process, they give extensive coverage to user safety, digital certificates, cryptography, Web-server security, and the larger issues of commerce and society. Appendix A shows the lessons of the book in action as it details Garfinkel's experience running and securing the Vineyard.net Internet service provider. --Elizabeth Lewis

Product Description

Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers -- is this what the World Wide Web is really all about? Web Security & Commerce explains the real risks of the Web and how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Topics include:

• User safety--browser vulnerabilities, privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins
• Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing all about
• Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today
• Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming
• Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand

See all Editorial Reviews

Product Details

• Paperback: 500 pages
• Publisher: O'Reilly Media; 1st edition (June 1, 1997)
• Language: English
• ISBN-10: 1565922697
• ISBN-13: 978-1565922693
• Product Dimensions: 9.1 x 7 x 1.1 inches
• Shipping Weight: 1.8 pounds
• Average Customer Review: 4.4 out of 5 stars  See all reviews (10 customer reviews)
• Amazon.com Sales Rank: #1,698,100 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

25 of 25 people found the following review helpful:

4.0 out of 5 stars Definitive Guide for Internet Security, February 7, 2000

By	Travis M. Owens (Rochester, NY USA) - See all my reviews (REAL NAME)

This books not only explains system security, it goes into technical detail, something that 95% of books always lack. I shouldn't have to say this book is good, its from O'Reilly. It covers PGP and how it works (not jsut what it is), SSL, TLS, login security, CGI security (they give actual code examples not ideals), hardware based security such with things like smart cards. There is also a chapter that explains what to do after you have been broken into and explains your legal routes of actions also. I also liked the fact that there is a chapter that explains the author's route of actions while working at an ISP . This book is a good buy if you need to learn about security and e-commerence and all the options you have relating to security. I've read alot of books, and its rare to find a book that explains things and also gives technical details. I know I'm not the only person who is sick of seeing every book being written for people who have never used a computer before and do not give code examples and real world implimentation. The only bad thing I have to say about this book is that there isn't a chapter that explains creating your own encryption method for Perl/C/PHP/ASP or the math behind it, but the material they do have does a good job of getting you very near this subject.

7 of 7 people found the following review helpful:

4.0 out of 5 stars A good overview, but aging, January 15, 2001

By A Customer

I spent quite a bit of time going through this book. It's not a bad book. Very comprehensive and thorough, and generally a pretty well balanced point of view. It acknowledges security is a trade off, and looks at many different options.

I have 2 main problems with it. Firstly, it's simply getting a little old. While 85% of it is still relevant, I'd like to see a second edition. They spend too much time talking about Netscape 3 problems for my liking.

Second is the reason it lost a star. The guys who wrote this obviously know their stuff, but in some ways know it a little too well. The result of this is when they go to explain a subject (public key infrastructure for example) they have a tendency to jump straight into the details, implementation issues, problems, etc, without ever giving you a big picture of it first - or only very briefly if they do. If you understand the basic principles of all security concepts, then this is great, but if like me, you bought this book to learn about fundamentals, I found myself on several occassions doing research on the web to understand the big picture before going back to the book.

But for a good overview for people who are at least semi-technical, it's not bad.

8 of 10 people found the following review helpful:

5.0 out of 5 stars Right on the mark!, April 14, 2000

By	Geoffrey Brown (Taconic, CT United States) - See all my reviews

Having spent a dozen years in what used to be called EDP security, but not having concentrated in the area recently, I found that the book was perfect. It avoids belaboring what is now obvious to everyone, and succeeds in covering the whole spectrum of web security issues in a single volume. It is hard to write about the history of monetized plastic (credit, debit, and smart cards) without either going into great detail or sounding like there is a great new world dawning, but Garfinkel and Spafford tread that narrow line. Similarly, the nuances of PKI very quickly can dominate anything written about it, and the authors succeed in avoiding this trap. It was interesting to see that the authors basically dealt with Denial of Service attacks a couple of years before the "famous" DOS attacks on Yahoo and E-Trade. In short, reading the book won't make you a web security maven, but it most likely will prompt you to ask the right questions about the subject, and can certainly make you sound like one! Super book!