Lesson 8 B Configure Browser Security Flashcards
Microsoft’s Internet Explorer (IE)
used to be dominant in the browser market, but alternatives such as Google’s Chrome, Mozilla Firefox, and Opera have replaced it. IE itself is no longer supported. Edge, Microsoft’s replacement browser, now uses the same underlying Chromium codebase as Google Chrome. Apple’s Safari browser is tightly integrated with macOS and iOS.
In some scenarios, it might be appropriate to choose a browser that is different from these mainstream versions. Alternative browsers may claim to feature strong privacy controls, for instance.
Trusted Sources
As the browser is a security-critical type of software, it is particularly important to use a trusted source , such as an app store. If installed as a desktop application, care should be taken to use a reputable vendor. The integrity of the installer should also be verified, either by checking the vendor’s code-signing certificate or by manually comparing the hash file published by the developer with one computed for the download file.
Untrusted Sources
Using a browser from an untrusted source where the installer cannot be verified through a digital signature or hash is a security risk and likely to expose the user to unwanted adverts, search engines, and even spyware and redirection attacks. Some PC vendors bundle browsers that promote various types of adware. Though it is less common these days, such bloatware should be uninstalled as part of deploying a new PC. Adware browsers are also often bundled with other software, either covertly or as a checkable option. This type of potentially unwanted application (PUA) should also be removed from the computer.
A browser add-on
is some type of code that adds to the basic functionality of the software.
Extensions
A browser add-on. add or change a browser feature via its application programming interface (API). For example, an extension might install a toolbar or change menu options. The extension must be granted specific permissions to make configuration changes. With sufficient permissions, they can run scripts to interact with the pages you are looking at. These scripts could compromise security or privacy, making it essential that only trusted extensions be installed.
Plug-ins
A browser add-on. play or show some sort of content embedded in a web page, such as Flash, Silverlight, or another video/multimedia format. The plug-in can only interact with the multimedia object placed on the page, so it is more limited than an extension, in theory. However, plug-ins have been associated with numerous vulnerabilities over the years and are now rarely used or supported. Dynamic and interactive content is now served using the improved functionality of HTML version 5.
Apps
A browser add-on. support document editing in the context of the browser. They are essentially a means of opening a document within a cloud app version of a word processor or spreadsheet.
Default search
A browser add-on. provider sets the site used to perform web searches directly from the address bar. The principal risk is that a malicious provider will redirect results to spoofed sites.
Themes
A browser add-on. change the appearance of the browser using custom images and color schemes. The main risk from a malicious theme is that it could expose the browser to coding vulnerabilities via specially crafted image files.
Any extension or plug-in could potentially pose
a security and/or privacy risk. As with the browser software itself, you must distinguish between trusted and untrusted sources when deciding whether to install an add-on. Each browser vendor maintains a store of extensions, apps, and themes. This code should be subjected to a review process and use signing/hashing to ensure its integrity. There are instances of malicious extensions being included in stores, however.
BROWSER SETTINGS
Each browser maintains its own settings that are accessed via its Meatball (…) or Hamburger (☰) menu button. Alternatively, you can open the internal URL, such as chrome://settings, edge://settings , or about:preferences (Firefox). The settings configure options such as startup and home pages, tab behavior, and choice of search engine and search behavior.
Browsers also have advanced settings that are accessed via a URL such as chrome://flags or about:config.
Sign-in and Browser Data Synchronization
A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices. As well as the browser settings, items that can be synced include bookmarks, history, saved autofill entries, and passwords.
Password Manager
A typical user might be faced with having to remember dozens of sign-ins for different services and resort to using the same password for each. This is unsecure because just one site breach could result in the compromise of all the user’s digital identities. Each major browser now supports password manager functionality. This can suggest a strong password at each new account sign-up or credential reset and autofill this value when the user needs to authenticate to the site. If the user signs-in to the browser, the passwords will be available on each device.
One drawback of password managers is that not all sites present the sign-in form in a way that the password manager will recognize and trust as secure. Most of them allow you to copy and paste the string as a fallback mechanism.
SECURE CONNECTIONS AND VALID CERTIFICATES
The web uses Transport Layer Security (TLS) and digital certificates to implement a secure connection. A secure connection validates the identity of the host running a site and encrypts communications to protect against snooping. The identity of a web server computer for a given domain is validated by a certificate authority (CA), which issues the subject a digital certificate. The digital certificate contains a public key associated with the subject embedded in it. The certificate has also been signed by the CA, guaranteeing its validity. Therefore, if a client trusts the signing CA by installing its root certificate in a trusted store, the client can also trust the server presenting the certificate.
When you browse a site using an HTTPS URL, the browser displays the information about the certificate in the address bar.
If the certificate is valid and trusted, a padlock icon is shown. Select the icon to view information about the certificate and the CA guaranteeing it.
CA root certificates must be trusted implicitly, so it would obviously be highly advantageous if a malicious user could install a bogus root certificate and become a trusted root CA. Installing a trusted root certificate requires administrative privileges. On a Windows PC, most root certificate updates are performed as part of Windows Update or installed by domain controllers or administrators as part of running Active Directory. There have been instances of stolen certificates and root certificates from CAs being exploited because of weaknesses in the key used in the certificate.
While Edge uses the Windows certificate store, third-party browsers maintain a separate store of trusted and personal certificates. When using enterprise certificates for internal sites and a third-party browser, you must ensure that the internal CA root certificate is added to the browser.
BROWSER PRIVACY SETTINGS
The marketing value of online advertising has created an entire industry focused on creating profiles of individual search and browsing habits. The main function of privacy controls is to govern sites’ use of these tracking tools, such as cookies. A cookie is a text file used to store session data. For example, if you log on to a site, the site might use a cookie to remember who you are. A modern website is likely to use components from many different domains. These components might try to set third-party cookies that could create tracking information that is available to a different host than the site owner.
The browser’s privacy settings can be set to enable or disable all cookies or just third-party cookies and to configure exceptions to these rules for chosen sites. Most browsers also have a tracking protection feature that can be set to strict or standard/balanced modes.
As well as cookies, sites can use the header information submitted in requests plus scripted queries to perform browser fingerprinting and identify source IP. Several other analytics techniques are available to track individuals as they visit different websites and use search engines. Tracking protection can mitigate some of these techniques but not all of them.
