Book review (USENIX ;login:)


Aviel Rubin, Dan Geer, and Marcus Ranum
Web Security Sourcebook
John Wiley & Sons, 1997. ISBN 0-471-18148-X. Pp. 350. $30.

Simson Garfinkel and Gene Spafford
Web Security and Commerce
O'Reilly and Associates, 1997. ISBN 1-56592-269-7. Pp. 483. $33.

Reviewed by Rik Farrow
<rik@spirit.com>

I was just finishing up a report for a client who wanted to expose a Web server to the Internet and provide controlled access to some confidential data, but I delayed my final report until I could check these new books. I was concerned that I might have overlooked something or missed some new ideas that would make their Web server safer.

The first book I received was the Web Security Sourcebook. As I know two of the three authors, I really looked forward to reading it. Also, I had specific requirements relating to Web server security, so I started near the back, looking particularly for information about where they would put the Web server in relation to the firewall, how SSL works, and other Web server configuration tips.

Generally, this book is well written. I especially enjoyed reading the sections that compared and contrasted methods for making secure payments, which were clear and show a good understanding of the major players and protocols. Keep in mind that whoever controls electronic exchange stands to make money any time digital cash changes hands. This is big business.

I was less satisfied with specific information about SSL and Web server configuration. As for location of an exposed server with regard to the firewall, the book gently tends to suggest using a third network, a DMZ, connected to the firewall itself. For configuration of the Web server, things get confused. In one paragraph (page 138), you are advised to create a special user account and make its home directory the document root. In the very next paragraph, the same account is supposed to use the server root for its home directory. The instructions do suggest making root the owner of the server root instead of the special user account (an excellent idea).

Other small inconsistencies marred this book for me. In the section about adding a password to Netscape Navigator, the authors say, "the password does not appear to be stored on disk." This annoyed me: where else would a persistent password be stored? A little experimentation found that changing the Navigator password caused the file key.db to be modified. The nobody user account (-2 in the book) is described as an "otherwise illegal UID." The length of time given to crack a 40-bit RC4 key was 18 hours, but this was done in 3.5 hours in January of 1997 (<http://www.rsa.com/rsalabs/97challenge>).

Web Security and Commerce covers pretty much the same territory but in more detail. Both books talk about browser security (just Internet Explorer and Navigator), active content, digital certificates, cryptography, Web server security, CGI scripts, and on-line payments. The difference is in the level of detail. I had wanted to know more about SSL. Web Security and Commerce includes a chapter on SSL, with an appendix detailing the actual protocol. Web Security and Commerce explains that SSL uses port 433 and that to use SSL in a form, you must specify https as the protocol type in the URL.

The Garfinkel and Spafford book also takes more time to deal with active content. Coverage of Java is fairly similar in both books, with many of the same papers being cited and explained in each book. Web Security and Commerce spends an entire chapter on ActiveX, while the Rubin et al. book has half a page. Authenticode gets another half page there.

Both books talk in detail about digital certificates. Server certificates are used with SSL (for encrypting the content of forms, and the results of a query when SSL v3 is used), and the reasons for having a certificate signed by a Certificate Authority are clearly explained. Both books explain how to view site certificates when they have been cached by your browser (your browser will have at least the certificates for some certification authorities or CAs).

Web Security and Commerce recommends putting the Web server on the firewall's DMZ. I agree. Recommendations for administering this exposed Web server would have been nice to find in either book. The Web Security Sourcebook does provide some details about creating a bastion host and suggests using encrypted links for remote administration. I had hoped to find suggestions on how to set up and run mirrored Web servers. In this approach, your Web administrators manage an internal Web server, and software automatically and securely mirrors it to the external Web server. Bill Cheswick had written stage to do this work <http://cm.bell-labs.com/who/ches/>. You can find an encrypting file transfer tool on Marcus Ranum's Web site <www.clark.net/pub/mjr>. I have recently learned of rsync <ftp://samba.anu.edu.au/pub/rsync>, which can use SSH as an encrypted link. Neither book mentions any of these mirroring techniques.
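The mirroring approach described above, as an added example that is not code from the review or from either book: a one-way push that makes the exposed server's document root match an internal staging tree, refusing symlinks (which could publish files from outside the tree) and removing pages that are no longer staged. The names `mirror_tree` and `demo` are my own; the example runs on constructed sample trees on one machine and does not model the encrypted transport (rsync over SSH) the review suggests.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def mirror_tree(staging: Path, docroot: Path) -> dict:
    """Make docroot match staging (one-way push); returns action counts.
    Symlinks are refused: one in staging could publish a file outside the tree."""
    counts = {"copied": 0, "unchanged": 0, "deleted": 0}
    wanted = set()
    for src in staging.rglob("*"):
        rel = src.relative_to(staging)
        dst = docroot / rel
        if src.is_symlink():
            raise ValueError(f"symlink refused in staging tree: {rel}")
        if src.is_dir():
            dst.mkdir(parents=True, exist_ok=True)
            continue
        wanted.add(rel)
        if dst.is_file() and _digest(src) == _digest(dst):
            counts["unchanged"] += 1  # identical page already published
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o644)  # server can read it; only the pushing account writes
        counts["copied"] += 1
    for old in sorted(docroot.rglob("*"), reverse=True):  # deepest paths first
        rel = old.relative_to(docroot)
        if old.is_file() and rel not in wanted:
            old.unlink()
            counts["deleted"] += 1
        elif old.is_dir() and not (staging / rel).is_dir() and not any(old.iterdir()):
            old.rmdir()
    return counts


def demo() -> tuple:
    # Constructed sample: one changed page, one new image, one stale file.
    tmp = Path(tempfile.mkdtemp())
    staging, docroot = tmp / "staging", tmp / "docroot"
    (staging / "img").mkdir(parents=True)
    docroot.mkdir()
    (staging / "index.html").write_text("<h1>new</h1>")
    (staging / "img" / "logo.gif").write_bytes(b"GIF89a")
    (docroot / "index.html").write_text("<h1>old</h1>")
    (docroot / "stale.html").write_text("no longer in staging")
    return mirror_tree(staging, docroot), mirror_tree(staging, docroot)
```

Run as the push account on the external host after the tree has been copied over an encrypted link; the second pass in `demo()` shows that an unchanged site produces no writes.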

Having said all that, you might be surprised to hear that I liked both books. The Rubin, Geer, and Ranum book simply has less detail than the Garfinkel and Spafford book. There are times when Garfinkel's writing can be a bit annoying, like when he describes a PGP key signing party: ". . . whip out their private keys, and then have an orgy of public key encryptions as their private keys are pressed against each other." I suggest that you get both books; they do make good reading and provide good resources, regardless of my nitpicking. But if your budget supports buying only one book, Web Security and Commerce would be the better choice.

First posted: 21st November 1997 efc
Last changed: 21st November 1997 efc