Lesson 8 B Configure Browser Security Flashcards

1
Q

Microsoft’s Internet Explorer (IE)

A

used to be dominant in the browser market, but alternatives such as Google’s Chrome, Mozilla Firefox, and Opera have replaced it. IE itself is no longer supported. Edge, Microsoft’s replacement browser, now uses the same underlying Chromium codebase as Google Chrome. Apple’s Safari browser is tightly integrated with macOS and iOS.

In some scenarios, it might be appropriate to choose a browser that is different from these mainstream versions. Alternative browsers may claim to feature strong privacy controls, for instance.

2
Q

Trusted Sources

A

As the browser is a security-critical type of software, it is particularly important to use a trusted source, such as an app store. If installed as a desktop application, care should be taken to use a reputable vendor. The integrity of the installer should also be verified, either by checking the vendor’s code-signing certificate or by manually comparing the hash file published by the developer with one computed for the download file.

3
Q

Untrusted Sources

A

Using a browser from an untrusted source where the installer cannot be verified through a digital signature or hash is a security risk and likely to expose the user to unwanted adverts, search engines, and even spyware and redirection attacks. Some PC vendors bundle browsers that promote various types of adware. Though it is less common these days, such bloatware should be uninstalled as part of deploying a new PC. Adware browsers are also often bundled with other software, either covertly or as a checkable option. This type of potentially unwanted application (PUA) should also be removed from the computer.

4
Q

A browser add-on

A

is some type of code that adds to the basic functionality of the software.

5
Q

Extensions

A

A browser add-on. Extensions add or change a browser feature via its application programming interface (API). For example, an extension might install a toolbar or change menu options. The extension must be granted specific permissions to make configuration changes. With sufficient permissions, extensions can run scripts to interact with the pages you are looking at. These scripts could compromise security or privacy, making it essential that only trusted extensions be installed.

6
Q

Plug-ins

A

A browser add-on. Plug-ins play or show some sort of content embedded in a web page, such as Flash, Silverlight, or another video/multimedia format. A plug-in can only interact with the multimedia object placed on the page, so in theory it is more limited than an extension. However, plug-ins have been associated with numerous vulnerabilities over the years and are now rarely used or supported. Dynamic and interactive content is now served using the improved functionality of HTML version 5.

7
Q

Apps

A

A browser add-on. Apps support document editing in the context of the browser. They are essentially a means of opening a document within a cloud app version of a word processor or spreadsheet.

8
Q

Default search

A

A browser add-on. The default search provider sets the site used to perform web searches directly from the address bar. The principal risk is that a malicious provider will redirect results to spoofed sites.

9
Q

Themes

A

A browser add-on. Themes change the appearance of the browser using custom images and color schemes. The main risk from a malicious theme is that it could expose the browser to coding vulnerabilities via specially crafted image files.

10
Q

Any extension or plug-in could potentially pose

A

a security and/or privacy risk. As with the browser software itself, you must distinguish between trusted and untrusted sources when deciding whether to install an add-on. Each browser vendor maintains a store of extensions, apps, and themes. This code should be subjected to a review process and use signing/hashing to ensure its integrity. There are instances of malicious extensions being included in stores, however.

11
Q

BROWSER SETTINGS

A

Each browser maintains its own settings that are accessed via its Meatball (…) or Hamburger (☰) menu button. Alternatively, you can open the internal URL, such as chrome://settings, edge://settings, or about:preferences (Firefox). The settings configure options such as startup and home pages, tab behavior, and choice of search engine and search behavior.
Browsers also have advanced settings that are accessed via a URL such as chrome://flags or about:config.

12
Q

Sign-in and Browser Data Synchronization

A

A browser sign-in allows the user to synchronize settings between instances of the browser software on different devices. As well as the browser settings, items that can be synced include bookmarks, history, saved autofill entries, and passwords.

13
Q

Password Manager

A

A typical user might be faced with having to remember dozens of sign-ins for different services and resort to using the same password for each. This is insecure because just one site breach could result in the compromise of all the user’s digital identities. Each major browser now supports password manager functionality. This can suggest a strong password at each new account sign-up or credential reset and autofill this value when the user needs to authenticate to the site. If the user signs in to the browser, the passwords will be available on each device.

One drawback of password managers is that not all sites present the sign-in form in a way that the password manager will recognize and trust as secure. Most of them allow you to copy and paste the string as a fallback mechanism.

14
Q

SECURE CONNECTIONS AND VALID CERTIFICATES

A

The web uses Transport Layer Security (TLS) and digital certificates to implement a secure connection. A secure connection validates the identity of the host running a site and encrypts communications to protect against snooping. The identity of a web server computer for a given domain is validated by a certificate authority (CA), which issues the subject a digital certificate. The digital certificate contains a public key associated with the subject embedded in it. The certificate has also been signed by the CA, guaranteeing its validity. Therefore, if a client trusts the signing CA by installing its root certificate in a trusted store, the client can also trust the server presenting the certificate.

When you browse a site using an HTTPS URL, the browser displays the information about the certificate in the address bar.
If the certificate is valid and trusted, a padlock icon is shown. Select the icon to view information about the certificate and the CA guaranteeing it.

CA root certificates must be trusted implicitly, so it would obviously be highly advantageous if a malicious user could install a bogus root certificate and become a trusted root CA. Installing a trusted root certificate requires administrative privileges. On a Windows PC, most root certificate updates are performed as part of Windows Update or installed by domain controllers or administrators as part of running Active Directory. There have been instances of stolen certificates and root certificates from CAs being exploited because of weaknesses in the key used in the certificate.

While Edge uses the Windows certificate store, third-party browsers maintain a separate store of trusted and personal certificates. When using enterprise certificates for internal sites and a third-party browser, you must ensure that the internal CA root certificate is added to the browser.

15
Q

BROWSER PRIVACY SETTINGS

A

The marketing value of online advertising has created an entire industry focused on creating profiles of individual search and browsing habits. The main function of privacy controls is to govern sites’ use of these tracking tools, such as cookies. A cookie is a text file used to store session data. For example, if you log on to a site, the site might use a cookie to remember who you are. A modern website is likely to use components from many different domains. These components might try to set third-party cookies that could create tracking information that is available to a different host than the site owner.
The browser’s privacy settings can be set to enable or disable all cookies or just third-party cookies and to configure exceptions to these rules for chosen sites. Most browsers also have a tracking protection feature that can be set to strict or standard/balanced modes.

As well as cookies, sites can use the header information submitted in requests plus scripted queries to perform browser fingerprinting and identify the source IP address. Several other analytics techniques are available to track individuals as they visit different websites and use search engines. Tracking protection can mitigate some of these techniques but not all of them.

16
Q

To supplement the cookie policy and tracking protection, the following features can be used to block unwanted content:

A

Pop-up blockers prevent a website from creating dialogs or additional windows. The pop-up technique was often used to show fake A-V and security warnings or other malicious and nuisance advertising.
Ad blockers use more sophisticated techniques to prevent the display of anything that doesn’t seem to be part of the site’s main content or functionality. No sites really use pop-up windows anymore as it is possible to achieve a similar effect using the standard web-page formatting tools. Ad blockers are better able to filter these page elements selectively. They often use databases of domains and IP addresses known to primarily serve ad content. An ad blocker must normally be installed as an extension. Exceptions can be configured on a site-by-site basis. Many sites detect ad blockers and do not display any content while the filtering is enabled.

17
Q

Aside from the issue of being tracked by websites, there are privacy concerns about the data a browser might store on the device as you use it. This browsing history can be managed by two methods:

A

Clearing cache and browsing data options are used to delete browsing history. By default, the browser will maintain a history of pages visited, cache files to speed up browsing, and save text typed into form fields. On a public computer, it is best practice to clear the browsing history at the end of a session. You can configure the browser to do this automatically or do it manually.
Private/incognito browsing mode disables the caching features of the browser so that no cookies, browsing history, form fields, passwords, or temp files will be stored when the session is closed. This mode will also typically block third-party cookies and enable strict tracking protection, if available. Note that this mode does not guarantee that you are anonymous with respect to the sites you are browsing as the site will still be able to harvest data such as an IP address and use browser fingerprinting techniques.
