Browser Security – CompTIA A+ 220-1102 – 2.10

We rely on our browsers to protect us from many Internet-related security concerns. In this video, you’ll learn about hash verification, secure browser extensions, password managers, pop-up blockers, and more.


The first tip in our browser security video is a best practice that can be used for anything on your system, and that’s to always use trusted sources when you’re downloading and installing new software. If an attacker wants to infect your system, they’ll add the malware to a browser extension, and then you’ll download the extension and enable it in your browser. If you do need to install an extension for your browser, don’t install it from links that are in an email or from a third party website.

You should go directly to the browser developer’s website and make sure you download the extension directly from that site. It’s also a good idea to validate the hashes for any files that you downloaded to make sure that the hash on your machine matches the hash that’s posted on the website. If you’ve never checked the hash of a file, it’s a relatively easy process and there are applications available for the command line and the graphical front end that can help you with this process.

I used a program that was available in the Microsoft Store and installed that into my Windows desktop. So I wanted to download the latest distribution of Ubuntu Linux. I went out to the Ubuntu website where I could find the ISOs available to download. And with those ISOs, I also found SHA-256 sums. These are the hashes for these ISO files. I then downloaded the live server AMD64 ISO and it has this long hash value that starts with echo 8 and ends in 2 delta 4.

I then started the hash checker program that I installed from the Microsoft Store and I had it check the hash for the ISO that I downloaded. And you can see the SHA-256 is listed here at the bottom. It starts with echo 8, it ends in 2 delta 4, and everything else in the middle matches the hash that was posted on the Ubuntu website. This means the file that is stored on my local machine is exactly the same as the file that is stored on the Ubuntu website. And I’ve now verified that I have exactly the same file as the Ubuntu site.
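The same check can be scripted instead of compared by eye. The following is an added example, not part of the original video: it goes a step further than the walkthrough by parsing a whole published checksum list in the `sha256sum` format and looking up the entry for the downloaded file. The file name and contents are constructed stand-ins, not real Ubuntu values.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum-style text into {filename: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError if the digest is not hex
        sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """True only if the file's digest equals the published digest for its name."""
    published = parse_sha256sums(sums_text)[os.path.basename(path)]  # KeyError if unlisted
    return hmac.compare_digest(sha256_file(path), published)


def demo():
    """Constructed sample: a small stand-in file and a checksum list built for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-live-server-amd64.iso")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n")
        sums = f"{sha256_file(path)} *example-live-server-amd64.iso\n"
        intact = verify_download(path, sums)
        with open(path, "ab") as f:
            f.write(b"\x00")  # one extra byte, as a corrupted download would have
        return intact, verify_download(path, sums)
```

A matching hash only proves the local file equals the one the checksum describes, so the checksum list itself has to come from the trusted site.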

When you’re installing a new program or an extension to your browser onto your computer, you have to make sure that you’re installing it from a trusted website. This might be the Chrome Web Store, or the Microsoft Store, or any other third party site where you really do trust the information that’s on that site. What you don’t want to do is install software that comes from a third party website or from links that appeared in your email.

Any software you install could potentially have malware inside of it. So installing from known good websites is always the best choice when installing new software. The attackers know that it’s very common for us to customize our browsers with extensions. So they’re going to make sure their malware is ready to go whenever you download that from an untrusted website.

This is a very practical concern because in March 2021, a study found that more than 24 Google Chrome extensions had malicious software inside of them. This included 40 malicious domains, and none of this was identified by the antivirus, anti-malware, or other security software. When these extensions were installed, the researchers immediately found credential theft, screenshots, key logging, and data exfiltration.

Once this software is on a system, it effectively has the same control that any browser might have and was able to collect quite a bit of data from a susceptible machine. As a good rule of thumb, you should always have a healthy distrust of any software that you’re installing. And you should always keep very good backups so that if you do happen to accidentally install some malware, you can easily revert back to a clean configuration.

Every website you visit tends to have some type of username, password, or other type of authentication. And being human, we tend to reuse a lot of these usernames and passwords when we go from site to site. Unfortunately, that means if there’s a breach with one website, attackers now have credentials that you’ve used on many other websites as well. One way to prevent this is to use a different password for every site you visit.

And one way to manage this process is through the use of a password manager or password vault. This vault will keep track of all of the sites you visit. It will provide different passwords for every site. And it will make sure that all of that information is encrypted and stored on your machine. Some of these password vaults will also synchronize this information to the cloud so that you can have the same password vault across all of your systems.

Using this password manager, we can now have different passwords for every single site, and the passwords themselves can be very strong and very difficult to guess if someone were trying to perform a brute force attack. There are many different types of password vaults available, some that are perfect to use at home and others that are designed for use at work.

Our browsers are actually quite good at identifying suspicious websites. And if a browser does run across a problem with the communication, it will give you a message telling you things like “this connection is not private.”

The browser is looking at the certificate on the web server and validating everything that’s contained within that cert. You can also look at these cert details, usually by clicking the lock that’s inside of your browser, and you can look to see whether the domain name is expired or whether the certificate may be using the incorrect domain name. Maybe the certificate is not properly signed or it’s signed by an untrusted certificate authority. Or maybe the time and date on your device are incorrect and that’s causing a conflict with the certificate that’s on the web server.

The example I’m using here is a certificate that is deliberately misconfigured to provide examples of how your browser might react. And if you would like to try this on your browser, you can visit badssl.com. When we look at the certificate details, this clearly shows us in the browser that this is an untrusted root certificate authority, which is why we’re seeing the message that this site may not be trusted.

Most browsers include a pop-up blocker that prevents a website from adding additional windows to your screen. This is something that’s usually enabled by default inside of your browser, but you do have control over whether you’d like to turn that on or turn that off. Generally, this is an option that should stay enabled. But if you’re troubleshooting a problem with a website, you may need to temporarily disable it during the troubleshooting process.

There are many legitimate websites that use pop-up windows extensively, so you may need to configure your browser to block pop-ups but enable them for certain websites. And you can specify what those exceptions might be within the browser settings themselves.

Our browsers collect a lot of data. You can look through the history of where you’ve been browsing. You can look at any saved passwords. And you can list all of the files that you may have downloaded inside of that browser.

But there may be times when you’d like to remove some of that data from the browser, and fortunately you have the option within the browser to clear browsing data. This might be your browsing history, your download history, any cookies, and other site data, and any images or files that may be cached inside of the browser. This is usually one of the troubleshooting steps when you have an issue with a third party website, they’ll ask you to delete all of your private data and then try to access the site again.

If you would like to limit how much information is being gathered from your browser, you might want to start in a private browsing mode. This is a mode that does not collect as much data as the normal browsing mode, which is not only good for privacy but very good for troubleshooting these website issues. When you close this private browsing mode, a lot of the data that would normally be stored is deleted from your system.

There’s no history information that’s stored. You don’t have any data on what files may have been downloaded. And anything that would have been in a cache is deleted. So the next time you open a private browsing mode, you’re effectively starting with a clean slate, which is perfect for troubleshooting.

Some of the information we store in a browser is important, especially if we’re using browsers across multiple systems. We may want to store bookmarks or store passwords that we can then use across any browser session.

Fortunately, many of these browsers can synchronize this information in the cloud. So you can open up a browser in many different devices but still have access to all of your browsing history, your favorites, your bookmarks, and anything else that you’ve stored in that browser session.

Our browsers are getting quite good at blocking advertisements and other targeting information. For example, your browser may be able to hide the IP address you’re using or prevent any tracking of where you go between websites.

This may or may not be how you’d like your browser to work. Some people like to visit a website and then have that website recognize them the next time they visit. Other folks would prefer to be private every time they visit a website on the internet. Fortunately, you have a way that you can customize exactly the way the browser should operate, especially in relation to ads.

In Microsoft Edge, you have the option to set tracking prevention to a basic, a balanced, or a strict mode, and then you can customize exactly the way the browser will react in each of those modes.