<!--startcut ==========================================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<title>Book Review: Web Security Sourcebook LG #27</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<!--endcut ============================================================-->

<H4>
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P>
<!--===================================================================-->

<center>
<H2>Book Review: Web Security Sourcebook</H2>
<H4>By <a href="mailto:kirk@muppetlabs.com">Kirk Petersen</a></H4>
</center>
<P> <HR> <P>
<img align="right" src="./gx/petersen/cover.gif">
<ul>
<li>Authors: Aviel D. Rubin, Daniel Geer and Marcus J. Ranum
<li>Publisher: John Wiley and Sons
<li>E-mail: <a href="mailto:info@qm.jwiley.com">info@qm.jwiley.com</a>
<li>URL: <a href="http://www.wiley.com/">http://www.wiley.com/</a>
<li>Price: $23.99 US
<li>ISBN: 047118148X
</ul><P>
<I>Web Security Sourcebook</I> claims to be "a serious security
source book for Web Professionals and users." Each chapter
covers one aspect of security, ranging from basic browser security to
firewall design.

<P>

The material covered in <I>Web Security Sourcebook</I> is fairly
simple--I would expect that any Linux user could easily understand
everything presented in the book. The target audience for
<I>Web Security Sourcebook</I> is anyone with some computer
experience but with little knowledge of computer security. It is
mostly a summary of beginning, and some intermediate, topics.

<P>
<H4>Chapter Summary</H4>

<P>

The first chapter, "Caught in Our Own Web", is the introduction to
the book. The authors present a quick history of the Web split
into four stages: the beginning, HTTP, server-side scripts and
client-side scripts. Security features (authentication,
confidentiality, etc.) are quickly outlined.

<P>

Chapter two, "Basic Browser Security", outlines
the features of Netscape Navigator and Microsoft Internet Explorer. The
authors cover all of the preferences that deal with security and
comment on how they should be configured.
A section on Internet Explorer's Content
Advisor (basically a Web "ratings" system) is included.

<P>
The next chapter is mostly about user privacy. There is a
section on certificates (concentrating mostly on their flaws),
a very brief section on passwords and a good description of cookies.
Then the authors turn to privacy and anonymity, describing simple
proxies, Chaum mixes and anonymous remailers.

<P>
Chapters four and five address the security concerns of client-
and server-side scripts. Security issues of Java, JavaScript and
ActiveX are outlined. The section on server-side security covers system
security as well as web-server security. It is mostly aimed at
Unix users.

<P>
The next chapter, "Advanced Server-Side Security", deals mainly
with CGI scripts and server-side includes. Information about
code signing and auditing tools is also provided.

<P>
"Creating Secure CGI Scripts" is the name of chapter seven.
It informs the reader of a few common security holes in
CGI scripts. It also outlines Perl, Tcl and Python as three capable
CGI scripting languages.

<P>

Chapter eight is an introduction to firewalls. The authors
describe what firewalls can do and how they interact with various
protocols. The placement of the firewall is explained in the second
part of the chapter.

<P>
Chapters nine and ten outline transactions on the Web. IPSEC is
discussed in detail. Secure HTTP, SSL and PCT are explained. The
authors then explain several "digital money" standards, including a
good comparison of six of the competing standards.

<P>
The final chapter outlines the future of security on the Web. It
explains the problem of building in security "after-the-fact". The authors
point out some issues that often affect security, although they aren't
always thought of in that sense (such as "deliberate
incompatibility"). The chapter ends with a section titled "What we
need in the future".

<P>

The book includes two appendices. The first one is a brief
description of encryption, hash functions, digital signatures and so on.
The second one is a list of all the books and URLs that the authors
mentioned in the book.

<P>
<H4>Conclusion</H4>

<P>

<I>Web Security Sourcebook</I>
is fairly light reading and can be finished quickly. The writing is
adequate, although there are places where I found the descriptions lacking
or imprecise.

<P>

One thing that I often find annoying about security-related writings
is the use of scare tactics.
<I>Web Security Sourcebook</I> does have its share of scare tactics, but
for the most part uses realistic stories that honestly try to
inform the reader.

<P>

The information that <I>Web Security Sourcebook</I> presents is useful although
a bit shallow. The book tries to cover a lot of ground and is only
350 pages. If the book had been devoted solely to practical security fixes,
it might have impressed me. However, it included only a few specifics and
then went on to describe firewalls and transaction standards (which would
also have been interesting in more detail).

<P>

If you want an introduction to Web security and you have very little
experience with any sort of computer security, you might be interested in
<I>Web Security Sourcebook</I>. If you know much about encryption, or have
studied firewalls, or know about quite a few Web client and/or server
security holes, you will probably be disappointed by this book.

<P>

If you want to learn everything that was covered
in this book and you have the money, I would suggest getting a specific
book on each of the three or four concepts that <I>Web Security
Sourcebook</I> covers.

<!--===================================================================-->
<P> <hr> <P>
<center><H5>Copyright © 1998, Kirk Petersen<BR>
Published in Issue 27 of <i>Linux Gazette</i>, April 1998</H5></center>
<!--startcut ==========================================================-->
</BODY>
</HTML>
<!--endcut ============================================================-->