Web Security, Privacy and Commerce (2nd edition) Simson Garfinkel with Gene Spafford
Published by O'Reilly and Associates
786 pages
£31.95
Published: 26th November 2001
reviewed by Andrew Cormack in the September 2002 issue

This second edition of Simson Garfinkel's book on web security and commerce has added Privacy to the title, which indicates a significant change to the content. Privacy, or the lack of it, now seems to be the major press concern about the Internet and as a result seems to be the main reason why people are starting to take network and server security more seriously. The book identifies three groups of people who may have security concerns about the Web - users, service providers and content providers - and has a section for each of them.

The first section, presumably intended for all readers, is an introduction to web and security technology. The first two chapters, on the landscape and architecture of the web, provide a good introduction; however, there are then five chapters on cryptography and identification. The information is well presented, but I suspect it will be off-putting, and not particularly relevant, to many of the book's intended readers. In fact, some of the information, for example that on PGP and S/MIME, is barely relevant to the web at all. If this were moved to a reference section later in the book then there would be a better chance of readers making it through to the sections of direct interest to them.

It would be a shame if web users did not get as far as their section, as it contains a good and wide-ranging selection of information about protecting their privacy on-line. There is a short description of how much information can be collected by a server during a browsing session; this is followed by behavioural and technical ways in which the user can control this. The book recognises that even though the legal status of personal data is very different in the USA and Europe, individuals have the same concerns wherever in the world they live. Also, as most of us do not restrict our browsing to web sites in our own country, it makes sense to learn to take precautions at the user end rather than relying on the server to do the right thing with our data.

The server section covers all the levels at which a web service can be attacked. Most books on security concentrate on the operating system and server programs, but this one also deals with physical security, the problems of applications and the need to provide reliable network and DNS services for the site. Many of these areas could fill a book on their own, so although there are step-by-step instructions for installing digital certificates on Apache and IIS servers, elsewhere the text highlights things to think about rather than providing full details. There is a chapter on what to do if you become a victim of computer crime, but this deals only with the US legal system.

Finally there is a collection of topics likely to be of interest to web content providers, including access control by IP address, password or client certificates, digital payments and, returning to the privacy theme, policies for handling personal data. This notes the existence of a very different data protection regime in Europe, but only describes in detail the voluntary codes and limited statutory protection provided by US law. There are two chapters on filtering software but, since these conclude that attempts to rate content at the server end have largely failed, it would be more useful to cover this from the user perspective.

Web Security, Privacy and Commerce is now a large book, and contains a great deal of useful information. However, readers with specific needs may need to expend time, mental and physical effort, as the volume of information has outgrown the original simple structure of the book. This is not helped by a tendency to wander off the topic of the book: the thirty-page biography of would be of great interest to someone setting up a local ISP, but is out of place in this title. The publishers could help by expanding the existing "Organisation of this Book" section to map out paths through the material for particular types of reader, or perhaps by splitting the book into volumes for users and operators.
