Web Security and Commerce (Nutshell Handbooks): Simson Garfinkel, Gene Spafford: 0636920922698: Amazon.com: Books

Web Security and Commerce (Nutshell Handbooks) 1st Edition

by Simson Garfinkel (Author), Gene Spafford (Author)

4 ratings

ISBN-13: 978-1565922693

ISBN-10: 1565922697

Why is ISBN important?

Share

Paperback

$6.82 - $45.98

Other Sellers

See all 2 versions

Used: Good | Details

Sold by WonderBook

Access codes and supplements are not guaranteed with used items.

$8.98 delivery October 18 - 25. Details

Deliver to Canada

Only 1 left in stock - order soon.

Sold by ExpressWizard and Fulfilled by Amazon.

Available at a lower price from other sellers that may not offer free Prime shipping.

Delivery Wednesday, October 26. Order within 15 hrs 51 mins

Or fastest delivery Tuesday, October 18

Deliver to Canada

Available at a lower price from other sellers that may not offer free Prime shipping.

There is a newer edition of this item:

Web Security, Privacy and Commerce, 2nd Edition

Web Security, Privacy and Commerce, 2nd Edition
$36.00
(13)
Only 1 left in stock - order soon.

Attacks on government Web sites, break-ins at Internet service providers, electronic credit card fraud, invasion of personal privacy by merchants as well as hackers--is this what the World Wide Web is really all about?Web Security & Commerce cuts through the hype and the front page stories. It tells you what the real risks are and explains how you can minimize them. Whether you're a casual (but concerned) Web surfer or a system administrator responsible for the security of a critical Web server, this book will tell you what you need to know. Entertaining as well as illuminating, it looks behind the headlines at the technologies, risks, and benefits of the Web. Whatever browser or server you are using, you and your system will benefit from this book.Topics include:

User safety--browser vulnerabilities (with an emphasis on Netscape Navigator and Microsoft Internet Explorer), privacy concerns, issues with Java, JavaScript, ActiveX, and plug-ins.
Digital certificates--what they are, how they assure identity in a networked environment, how certification authorities and server certificates work, and what code signing all about.
Cryptography--an overview of how encryption works on the Internet and how different algorithms and programs are being used today.
Web server security--detailed technical information about SSL (Secure Socket Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API programming.
Commerce and society--how digital payments work, what blocking software and censorship technology (e.g., PICS and RSACi) is about, and what civil and criminal issues you need to understand.

Editorial Reviews

Amazon.com Review

Garfinkel and Spafford, longtime Net veterans, overturn a lot of misconceptions about online security in a commonsense book that is easily accessible to even nontechnical readers. They make it clear that any commercial Web site requires careful attention to security-even if the site doesn't carry any sensitive information. Furthermore, the authors show that there's a lot more to security than merely encrypting transmissions. Their goal is to lay the foundation for securing the three parts of a system: the Web server and its data; the information that travels between server and user; and the user's own computer and the information stored there.

Because of the rapidly evolving nature of Web security, Garfinkel and Spafford are not specific in terms of security flaws and tools to fix them. Instead, they emphasize laying out the Web-security principles that will be applicable throughout several generations of hardware and software change. In the process, they give extensive coverage to user safety, digital certificates, cryptography, Web-server security, and the larger issues of commerce and society. Appendix A shows the lessons of the book in action as it details Garfinkel's experience running and securing the Vineyard.net Internet service provider. --Elizabeth Lewis

From the Publisher

The World Wide Web is the fastest growing part of the Internet -- and the part that is the most vulnerable to attack. There are a number of reasons: Commerce: The Internet is becoming increasingly commercialized; browsers are being used to look at material available for purchase, and people are sending credit card information via the Web. This sensitive financial information is an attractive target for attackers. Proprietary information: Organizations are using the Web more and more to distribute information both internally and externally. This information is also a tempting target for economic competitors. Network access: Web servers are an ideal target since a compromised web server can be used to further attack networked computers within an organization. Extensibility: New technologies allow both servers (CGI) and browsers (Java and ActiveX) to be extended. Unfortunately, web extensibility can become a backdoor for attackers. Too many organizations are rushing headlong into using the Web without considering the potential for attack and compromise. Web Security & Commerce looks at the vulnerabilities of WWW servers, browsers, and a variety of new technologies that increase the power and scope of the Web, but which unfortunately may also put it at risk. This book examines the technologies and the risks, and it describes the best available strategies for minimizing those risks. Topics include basic web, host, and site security, CGI/API programming, cryptography, the Secure Socket Layer (SSL), digital IDs, web servers (e.g., Apache-SSL, Netscape), Java, JavaScript, ActiveX, code signing, electronic commerce, and legal issues. A detailed table of contents follows: Preface The Web: Promises and Threats This book Acknowledgements I:Web Security Basics 1:Introduction Web Security in a Nutshell The Web Security Problem Credit-Cards, Encryption and Netscape Firewalls: Who Needs Them? Web Security is not "All or nothing." 2:Controlling Access to Web-Based Information Controlling Access to Files on Your Server Website Users Host Users 3:Host And Site Security Common Problems Minimizing Web Server Risk Host Security Site Security 4:Secure CGI/API Programming The Danger of Extensibility. A Common Problem Rules To Code By Specific Rules for Specific Programming Languages Tips on Writing SUID/SGID CGI Scripts Tips on Using Passwords Environment Variables II:Enhanced Web Security 5:Cryptography Basics Understanding Cryptography Cryptographic Algorithms and Functions Key Length and Cryptographic Strength Key Escrow Legal Restrictions on Cryptography 6:Cryptography and the Web Encryption and Web Security Working Cryptosystems 7:Understanding SSL Overview The SSL v3.0 Protocol Support for SSL SSL: The User's Point of View 8:Digital IDs Identity Cards for Cyberspace Public Key Infrastructure Using Digital IDs Digital IDs and the Web 9:Apache-SSL Apache-SSL SSLeay 10:Netscape WWW Servers 11:WebSite Pro 12:WebStar: A Secure Macintosh Web Server 13:Java Browser History: An Evolution of Risk Java Security JavaScript Security Plug-ins and ActiveX Code Signing Implementation Flaws III:Browsers and Beyond 14:JavaScript 15:ActiveX: 16:Code Signing IV:Commerce and Society 17:Parental Controls 18:Getting Paid Credit Cards Digital Cash How to Evaluate a Payment System 19:Legal Issues Intellectual Property Torts Criminal Subject Matter

About the Author

Simson Garfinkel, CISSP, is a journalist, entrepreneur, and international authority on computer security. Garfinkel is chief technology officer at Sandstorm Enterprises, a Boston-based firm that develops state-of-the-art computer security tools. Garfinkel is also a columnist for Technology Review Magazine and has written for more than 50 publications, including Computerworld, Forbes, and The New York Times. He is also the author of Database Nation; Web Security, Privacy, and Commerce; PGP: Pretty Good Privacy; and seven other books. Garfinkel earned a master's degree in journalism at Columbia University in 1988 and holds three undergraduate degrees from MIT. He is currently working on his doctorate at MIT's Laboratory for Computer Science.

Gene Spafford, Ph.D., CISSP, is an internationally renowned scientist and educator who has been working in information security, policy, cybercrime, and software engineering for nearly two decades. He is a professor at Purdue University and is the director of CERIAS, the world's premier multidisciplinary academic center for information security and assurance. Professor Spafford and his students have pioneered a number of technologies and concepts well-known in security today, including the COPS and Tripwire tools, two-stage firewalls, and vulnerability databases. Spaf, as he is widely known, has achieved numerous professional honors recognizing his teaching, his research, and his professional service. These include being named a fellow of the AAAS, the ACM, and the IEEE; receiving the National Computer Systems Security Award; receiving the William Hugh Murray Medal of the NCISSE; election to the ISSA Hall of Fame; and receiving the Charles Murphy Award at Purdue. He was named a CISSP, honoris causa in 2000. In addition to over 100 technical reports and articles on his research, Spaf is also the coauthor of Web Security, Privacy, and Commerce, and was the consulting editor for Computer Crime: A Crimefighters Handbook (both from O'Reilly).

Product details

Publisher ‏ : ‎ O'Reilly Media; 1st edition (June 11, 1997)
Language ‏ : ‎ English
Paperback ‏ : ‎ 506 pages
ISBN-10 ‏ : ‎ 1565922697
ISBN-13 ‏ : ‎ 978-1565922693
Item Weight ‏ : ‎ 1.76 pounds
Dimensions ‏ : ‎ 7 x 1.15 x 9.19 inches

Customer Reviews:
4 ratings

About the author

Follow authors to get new release updates, plus improved recommendations.

Simson L. Garfinkel

Brief content visible, double tap to read full content.

Full content visible, double tap to read brief content.

Simson Garfinkel received undergraduate degrees in Chemistry, Political Science, and the Science, Technology and Society program from the Massachusetts Institute of Technology in 1987; a MS in Journalism from Columbia University in 1988; and a PhD in Computer Science from MIT in 2005. He has over 30 years of research and development experience with over 50 publications in peer-reviewed journals and conferences. His research interests include digital forensics, usable security, and technology transfer. In 2017 Garfinkel was appointed the the Senior Computer Scientist for Confidentiality and Data Access at the US Census Bureau, where he chairs the Bureau's Disclosure Review Board; he was previously a Senior Advisor at the US National Institute of Standards and Technology, and an Associate Professor in the Computer Science Department at the Naval Postgraduate School. He is a fellow of the Association for Computing Machinery, holds a PhD in Computer Science from MIT, and teaches as an adjunct faculty member at the George Mason University in Vienna, Virginia.

Garfinkel shared the 2017 NIST Information Technology Laboratory Outstanding Standards Document Award for NIST SP 800-188, Trustworthy Email, and the 2011 Department of Defense Value Engineering Achievement Award for his leadership in the Bulk Extractor Program. He has received three Best Paper awards at the DFRWS digital forensics research symposium, as well as multiple national awards for his work in technology journalism.

Garfinkel is the author or co-author of fourteen books on computing. His book Database Nation: The Death of Privacy in the 21st Century (O'Reilly, 2000) discussed the impact of technology on privacy in the 20th and 21st centuries. His book Practical UNIX and Internet Security (co-authored with Gene Spafford and Alan Schwartz), has sold more than 250,000 copies and been translated into more than a dozen languages since the first edition was published in 1991.

Customer reviews

5 star		50%
4 star		50%
3 star 0% (0%)		0%
2 star 0% (0%)		0%
1 star 0% (0%)		0%

How customer reviews and ratings work

Top reviews from the United States

There was a problem filtering reviews right now. Please try again later.

Web Security, Privacy & Commerce

Reviewed in the United States on March 6, 2003

The Internet is an unsecured communication system; it was not designed to be inherently secure. A simple act of browsing a Web page on a remote computer can involve sending packets of information to and receiving them from more than a dozen different computers operated by just as many different organizations.
The division of responsibility among multiple organizations make it possible for each of these organizations and more to eavesdrop on your communication or even to disrupt them. There is no privacy once you visit a Website because the Internet explorer stores cookies in a folder in the history directory, these cookies can be very powerful, anyone who can gain access to your cookies can learn information about you.
In today�s World Wide Web environment, you must stay abreast of newly discovered vulnerabilities if you wish to maintain a secure computer that is connected to the Internet. The day has long passed when security vulnerabilities were kept quiet. These days vulnerabilities are usually publicized with a breath taking speed once they are discovered. What�s more once vulnerability is known exploits are quickly developed and distributed across the Internet. In many cases system administrators only have a few hours between the time that a vulnerability is first publicized and the time when they will start to be attacked with it. Also some flaws exploit protocols you need to allow through your firewall. Despite all the new vulnerabilities been created and discovered, the underlying concept of web security have changed very little and as such this book concentrated on teaching concept and principles rather than specific commands and key strokes its done a good job out of it.
FIREWALLS are thought to improve computer security because they can exercise precise control over what information is passed between two networks. Firewalls do nothing to protect against insider misuse, virus or other internal problems. It only provides the illusion of better security.
A good computing infrastructure will continue to function in the face of adversity, being man made or natural disaster. Building a secure computing environment is requires careful planning and continued vigilance. There is no substitute for vigilance.
A secure server is not a server that implements cryptographic protocols so that data transfer cannot be eavesdropped upon or a Web server that will safeguard any personal information received or collected, not subverting browsers to download viruses or other rogue programs onto user computers.
Simson Garffinkel and Gene Spafford, concludes that a Secure Web Server is one that is resistant to a determined attack over the Internet or from corporate insider.
Generally accepted principles in the computer Security consist of recommendations, procedures and policies that are known as Best Practices.
But even the Best Practices has its own problems, the biggest problem is that there is no really one set of best practices that is applicable to all websites and Web users, the authors of this book recommends a combination of Risk Analysis and Best Practices.
Unfortunately Simson Garfinkel knows that the application of risk analysis to the field of computer networks has been less successful.
It is impossible to calculate the risk that an attacker will be able to obtain System Administrator privileges on your Web Server?
I have never seen a book packed with so much information on Web security as this book I will recommend it to anyone who wants to have a good foundation in Web security, the understanding that I have gained reading this book is unbeliveable.
This book is about Web Security, privacy and commerce the World Wide Web.
Organized into five parts it examines the security policies in use on the Web today and the strategies available to minimize the risk in using the World Wide Web.
Part 1. WEB TECHNOLOGY: -Examines the underlying Technology that makes up today�s World Wide Web and how the Internet works in general.
The Architecture of the World Wide Web, Cryptography basics, What Cryptography can�t do, Legal Restrictions on Cryptography, Understanding Secure Sockets Layer (SSL) and Transport Layer Security(TSL), What does SSL/TSL Really Protect:- actually it does little to protect against the real attacks that consumer and the merchants have experienced on the Internet. Digital Identification:-{Passwords, Biometrics, Digital Signatures, Digital Certificates, CAs, and Public Key Infrastructure (PKI). Part 2. Privacy and Security for Users,
Understanding Cookies, Privacy Protecting Techniques, Choosing a Good Service Provider, Avoiding Spam and Junk Email, Identity Theft, Privacy-Protecting Techniques, Blocking Ads and Crushing Cookies, Backups and Antitheft, Mobile Code Plug-Ins, ActiveX, and Visual Basic, The Risk of Downloaded Code, Java, JavaScript, Flash, and Shockwave. Part 3. Web Server Security:
Physical Security for Servers, Protecting Computer Hardware, Protecting Your Data, Host Security for Servers, Secure Remote Access and Content Updating, Firewalls and the Web, Securing Web Applications, Deploying SSL Server Certificates, When things go Wrong, Securing Your Web Service, Protecting Your DNS, Computer Crime, Your Legal Options After Break-In. Part 3. Security For Content Providers:
Controlling Access To Your Web Content, Access Control Strategies, Client-Side Digital Certificates, Code signing and Microsoft�s Authenticode, Why Code Signing, Pornography, Filtering Software and Censorship, Privacy Policies, Legislation, and P3P, Children Online Privacy Protection Act, Digital Payments, Internet-Base Payment Systems, How to Evaluate Credit Card Payment System,
Intellectual Property and Actionable Content, Copyright, Patent, Trademarks,
Part 5. Appendixes: Lessons From Vineyard.NET, the Platform for Privacy Preferences Projects.

Valuable to Technical & Non-Technical Readers

Reviewed in the United States on March 14, 2001

This book is an ideal introduction to the broad landscape of security methods and technologies for non-technical users. It is also an excellent resource for IT professionals who need to quickly get up-to-speed on web security.
My background is mostly "big iron", consisting of 24 years of mainframe and mid-range experience and a little more than a year in distributed computing (UNIX/Linux, network, etc.). In the good old days security consisted of RACF, ACLs, and some common sense rules about physical and logical access controls. Not so today, and until I read this book I had a nagging feeling that there was a large gap in my professional knowledge. Moreover, as a home user who spent a lot of time on the web I would get frustrated by messages issued by my browser about certificates. This book came to my rescue on all counts.
The first two sections, The Web Security Landscape and User Safety, were illuminating. If a non-technical user only read these parts of the book he or she would come away with a good understanding of the risks faced on the web, and how to mitigate or eliminate them. The one complaint I have about these two sections is the material is woefully out of date. I subtracted a star from my rating for this reason.
The next three sections of the book is a wide survey of security technologies that cover digital certificates, cryptography, web server security. These provided me with a basic understanding of technologies that I need to know as an IT professional working in distributed environments. When comparing what I needed to know about security in the mainframe world to what I need to know as an IT consultant I could not help thinking, "We're not in Kansas anymore!" The material was clear and easy to understand and built my personal self-confidence. This part of the book will not make you an expert by any means, but you will come away with a good grasp of the elements of web security and a very basic understanding of how everything works and fits together.
Commerce and Society is the title of the book's last section and contains thought-provoking information on topics such as digital payments, censorship technology and the such. I especially liked the two chapters that addressed civil and criminal legal issues. Despite the fact that this book is out of date with respect to specific products it is a great introduction to web security. Unlike other O'Reilly books that are deeply technical, this one can be easily understood by home and business users as well as IT professionals. I personally gained a lot from the book and highly recommend it.

5 people found this helpful

Right on the mark!

Reviewed in the United States on April 14, 2000

Having spent a dozen years in what used to be called EDP security, but not having concentrated in the area recently, I found that the book was perfect. It avoids belaboring what is now obvious to everyone, and succeeds in covering the whole spectrum of web security issues in a single volume. It is hard to write about the history of monetized plastic (credit, debit, and smart cards) without either going into great detail or sounding like there is a great new world dawning, but Garfinkel and Spafford tread that narrow line. Similarly, the nuances of PKI very quickly can dominate anything written about it, and the authors succeed in avoiding this trap. It was interesting to see that the authors basically dealt with Denial of Service attacks a couple of years before the "famous" DOS attacks on Yahoo and E-Trade. In short, reading the book won't make you a web security maven, but it most likely will prompt you to ask the right questions about the subject, and can certainly make you sound like one! Super book!

8 people found this helpful

Get to Know Us

Make Money with Us

Amazon Payment Products

Let Us Help You

English $USD - U.S. Dollar United States

© 1996-2022, Amazon.com, Inc. or its affiliates