BKSCTCWW.RVW   20000113

"Security Technologies for the World Wide Web", Rolf Oppliger, 2000,
1-58053-045-1
%A   Rolf Oppliger rolf.oppliger@acm.org oppliger@computer.org
%C   685 Canton St., Norwood, MA 02062
%D   2000
%G   1-58053-045-1
%I   Artech House/Horizon
%O   800-225-9977 fax: 617-769-6334 artech@artech-house.com
%P   419 p.
%T   "Security Technologies for the World Wide Web"

In the preface, the author states that the book is intended first for
Webmasters, who need practical configuration information, then for users
who have security concerns, and finally for Web and electronic commerce
developers. He also says that the book can be used as an introduction,
for self-study, as a course text, and as a reference. A pretty tall
order, but, by and large, Oppliger does a reasonable job of fulfilling
the entire mandate.

Chapter one, as an introduction, is possibly more than most people want
to know. However, the extra information (such as the explanation of HTTP
[HyperText Transfer Protocol] requests and responses) does help provide
an understanding of the underlying actions and concepts which are needed
for a thorough view of security operations and requirements. There is a
detailed presentation of HTTP access control methods in chapter two. The
introduction to firewalls, in chapter three, is complete and helpful,
with a wealth of user level information that is all too often omitted.
Chapter four is a solid introduction to the basics of cryptography.
Channel security at the data link, transport, and application layers is
the theme of chapter five, touching on tunneling, VPNs (Virtual Private
Networks), IPsec, and various application protocols. Chapter six expands
on two of these with details on the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS). Chapter seven gives an overview of
electronic payment systems, with brief descriptions of the most common
electronic cash, debit, and credit schemes.

The management of certificates, in chapter eight, mostly covers ongoing
work in public key infrastructure, with a good discussion of the
important and difficult question of certificate revocation. A fair and
realistic review of active content is provided in chapter nine. For
slightly less active content, chapter ten discusses and shows examples
of more secure practices for CGI (Common Gateway Interface) and API
(Application Programming Interface) work. Mobile code and agents are
still really future technology, and so are the proposed security
functions in chapter eleven. The copyright discussion in chapter twelve
is a little disappointing, since it seems primarily concerned with
watermarking. Chapter thirteen looks at privacy, being dealt with by
amateurs as usual, and, as usual, providing glimpses of fascinating work
that is not widely known. There is a brief overview of censorship
systems and problems in chapter fourteen. Chapter fifteen concludes with
a somewhat pessimistic review of the situation.

The bibliographies at the end of every chapter contain solid works, and
can be useful to those wanting further information. They do, however,
have a very definite academic flavour, in that most of the entries are
articles or conference presentations, with books and online references
making up a smaller portion of the whole.

Oppliger's writing is rather dry and academic in tone, but the material
presented is realistic, useful, and conceptually complete. Despite the
disparate audience range, the author has managed to provide something of
value for all. For the Web workers who are the primary audience, this
book provides, if not a cookbook for security, a complete picture of the
various aspects that must be addressed.

copyright Robert M. Slade, 2000