BKWEBSEC.RVW   980201

"Web Security: A Step-by-Step Reference Guide", Lincoln D. Stein, 1998,
0-201-62489-9, U$29.95
%A   Lincoln D. Stein stein@genome.wi.mit.edu
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario   M3C 2T8
%D   1998
%G   0-201-62489-9
%I   Addison-Wesley Publishing Co.
%O   U$29.95 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%P   448 p.
%T   "Web Security: A Step-by-Step Reference Guide"

As it happened, this book came off the stack on a night when I wanted
nothing more than to wander off to bed. Despite my sleep deprivation I
managed not only to finish the book, but even to enjoy it. Any technical
book with security in the title that can hold interest like that has to
have something going for it.

The book covers all aspects of Web security, as laid out in chapter one:
the client or browser concern for privacy and safety of active content,
the Web server concern for availability of service and prevention of
intrusion, and the concern that both share for confidentiality and
fraud. Chapter two provides a brief but accurate overview of
cryptography as the backbone of secure systems operating over unsecured
channels. (There is only one oddity that I noted, when 512-bit RSA
public key encryption was compared in strength with 40-bit RC2 and RC4
systems.) More of the basics like Secure Sockets Layer (SSL) and Secure
Electronic Transactions (SET) are described in chapter three, along with
various forms of digital cash.

Part two looks at client-side security, with further discussions of the
use of SSL in chapter four. Chapter five details active content, with
particular attention to ActiveX and Java. "Web Privacy," in chapter six,
is an excellent and practical guide to the realities and myths about
information that can be gleaned from your browsing activities. Included
are practical tips about keeping your system from finking on you.
(Windows users should note that the files referred to are not always in
the paths specified, due to the variety of ways that Windows programs
can be installed.)

The bulk of the book, as might be expected, deals with server-side
security, this being the slightly more complex side of the issue.
Chapter seven provides an overview of the various vulnerabilities and
loopholes to watch and plug. UNIX and Windows NT servers are dealt with
in chapters eight and nine respectively. These chapters don't assume
much familiarity with the system security functions of the systems, but
do stick primarily to the server-specific topics. Access control is a
major part of any security setup, and is covered in chapter ten.
Encryption and certificates are revisited in chapter eleven,
concentrating on their use in access control. CGI (Common Gateway
Interface) scripting has been a major source of Web security risks, and
chapter twelve points out safe, and unsafe, practices in programming
scripts. Chapter thirteen discusses remote authoring and administration.
Firewalls are often seen as the be-all and end-all of Internet security,
and Stein covers the reality in chapter fourteen.

Each chapter contains references to both online and printed sources of
information, and these resources are all of high quality and useful.

As noted, the book is not only readable, but even enjoyable. The writing
is clear and accurate, giving the reader both concepts and practical
tasks in minimum time with maximum comprehension. Although the bulk of
the book is for Webmasters, the casual user can not only read it but get
a great deal of value from it. Any ISP that does not have it on their
customer support bookshelf should be held criminally negligent.

copyright Robert M. Slade, 1998