# SEC-11: Browser Security

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.11 Browser security

## What You Need To Know

Browsers are a major security target because users access email, banking, cloud apps, password resets, downloads, and work systems through them.

The exam wants you to know how to secure:

- Browser installation sources
- Updates and patches
- Extensions and plug-ins
- Password storage
- Certificates and secure connections
- Pop-ups, ads, cache, cookies, and private browsing
- Browser sync and proxy settings

## Memory Trick

Use **D-U-E-C-P**:

- **D**ownload from trusted sources
- **U**pdate the browser
- **E**xtensions only from trusted stores
- **C**ertificates must be valid
- **P**rivacy data can be cleared

Shortcut:

- **Browser trust starts before install and continues with updates.**

## Trusted Browser Downloads

Safe browser installation:

- Go directly to the vendor website or official app store.
- Avoid links in email.
- Avoid random third-party download sites.
- Verify downloads with hashes or signatures when provided.

Hash verification:

- A hash is a fingerprint of a file.
- If the downloaded file hash matches the posted hash, the file likely did not change.
- If it does not match, do not install it.

Exam clue:

- If a user needs to install a browser safely, choose trusted source and hash/signature verification.

## Browser Updates

Browsers need frequent updates because browser vulnerabilities are heavily targeted.

Updates may come from:

- The browser itself
- The operating system update process
- An enterprise software management tool

Best practice:

- Keep automatic updates enabled when possible.
- Restart the browser after updates if required.

Exam clue:

- If the browser has security vulnerabilities or degraded behavior from an old version, update it.

## Extensions and Plug-ins

Extensions add browser features, but they can also steal data.

Trusted sources:

- Official browser extension stores
- Microsoft Store
- Chrome Web Store
- Known vendor websites

Untrusted sources:

- Random websites
- Email links
- Pop-up prompts
- Extensions installed by malware

Possible malicious extension behavior:

- Credential theft
- Screenshot capture
- Keylogging
- Redirecting searches
- Data exfiltration

Best practice:

- Install only necessary extensions.
- Remove unused extensions.
- Review permissions before installing.

## Password Managers

Password managers store credentials in an encrypted vault.

Benefits:

- Unique passwords for each site
- Strong generated passwords
- Easier password hygiene
- Sync across devices when configured

Risk:

- The vault must be protected with a strong master password.
- Browser-saved passwords may be less controlled than enterprise password managers.

Exam clue:

- If the issue is password reuse across many websites, use a password manager.

## Secure Connections and Certificates

HTTPS uses certificates to prove the site identity and protect traffic.

Browser certificate warnings may mean:

- Certificate is expired
- Certificate is for the wrong domain
- Certificate is signed by an untrusted authority
- System date/time is wrong
- A captive portal or inspection device is interfering

Best practice:

- Do not ignore certificate warnings on sensitive sites.
- Check certificate details.
- Check the system date and time.

Exam clue:

- If a browser shows invalid certificate warnings, investigate before entering credentials.

## Pop-Up Blockers and Notifications

Pop-up blockers stop unwanted browser windows or prompts.

Best practice:

- Keep pop-up blocking enabled.
- Allow pop-ups only for trusted sites that require them.
- Disable only temporarily for troubleshooting.

Browser notifications:

- Websites may request permission to send notifications.
- Malicious or low-quality sites can abuse notification prompts.
- Disable unwanted site notifications.

## Clearing Private Data

Browser data can include:

- History
- Cookies
- Cache
- Download list
- Saved form data
- Saved passwords

Cache:

- Stores parts of websites locally.
- Can speed up browsing.
- Can cause stale-page or troubleshooting issues.

Cookies:

- Store session and site data.
- Can keep users signed in.
- Can also be used for tracking.

Best practice:

- Clear cache/cookies when troubleshooting site problems.
- Be careful before clearing saved passwords.

## Private Browsing Mode

Private browsing does not save normal local session history after the window closes.

It can remove:

- Browsing history for that session
- Download history list
- Temporary cache/cookies for that private session

It does not make you invisible to:

- Websites
- Employer/school networks
- Internet provider
- Network logging tools

Exam clue:

- Private browsing is local privacy, not full anonymity.

## Browser Data Synchronization

Browser sync can share data across devices.

Synced items may include:

- Bookmarks
- History
- Extensions
- Passwords
- Settings

Risk:

- A compromised browser account can expose synced data.
- Unwanted extensions may appear on multiple devices.

Best practice:

- Protect sync accounts with MFA.
- Disable sync for sensitive categories if policy requires it.

## Ad Blockers and Proxies

Ad blockers:

- Can reduce ads and some malicious ad risks.
- May break some websites.
- Should come from trusted extension stores.

Proxy:

- Sits between the browser and the destination site.
- Can cache content.
- Can enforce access control.
- Can filter traffic.
- Can be configured manually or by policy.

Exam clue:

- If browsing must be filtered or logged centrally, think proxy or content filtering.

## Commands To Enter

Windows PowerShell:

```powershell
Get-FileHash "$env:USERPROFILE\Downloads\example.exe"
```

What it does:

- Calculates a hash for a downloaded file.
- Replace `example.exe` with a real file name only when you intentionally want to check it.

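The comparison step that follows `Get-FileHash`, as an added example that is not part of the original notes. `Test-DownloadHash` and the temporary sample file are hypothetical names constructed for the demonstration; in practice the expected value is copied from the vendor's download page.

```powershell
# Added example: compare a download's SHA-256 with the vendor's published value.
# Test-DownloadHash is a hypothetical helper, not a built-in cmdlet.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Published hashes vary in case and may carry stray whitespace; normalize first.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-character SHA-256 hex string."
    }
    # Get-FileHash returns the digest as uppercase hex in the Hash property.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Constructed sample: a small file standing in for a downloaded installer.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'example-download.bin'
[System.IO.File]::WriteAllText($sample, 'constructed sample content')

# Stand-in for the vendor's posted hash (lowercase, as many sites publish it).
# It is computed from the untouched sample so the demo runs offline.
$published = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash.ToLowerInvariant()

# Unmodified file: the hashes agree, so the file matches what was published.
Test-DownloadHash -Path $sample -ExpectedSha256 $published | Format-List

# Simulate a file that changed after the hash was published.
[System.IO.File]::AppendAllText($sample, 'x')
$result = Test-DownloadHash -Path $sample -ExpectedSha256 $published
if (-not $result.Match) {
    Write-Warning "Hash mismatch for $($result.Path): do not install."
}

Remove-Item -LiteralPath $sample
```
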
```powershell
start ms-settings:dateandtime
```

What it does:

- Opens Windows date and time settings.
- Wrong date/time can cause certificate warnings.

```powershell
start chrome://settings/privacy
```

What it does:

- Opens Chrome privacy settings if Chrome is installed.

Linux:

```bash
sha256sum ~/Downloads/example-file
```

What it does:

- Calculates a SHA-256 hash for a downloaded file.
- Replace `example-file` with a real file name only when checking a download.

```bash
date
```

What it does:

- Shows the system date and time.
- Incorrect date/time can cause certificate warnings.

```bash
xdg-open chrome://settings/privacy
```

What it does:

- Attempts to open Chrome privacy settings.
- Works only if a compatible browser handles the URL.

macOS:

```bash
shasum -a 256 ~/Downloads/example-file
```

What it does:

- Calculates a SHA-256 hash for a downloaded file.

```bash
date
```

What it does:

- Shows the system date and time.

```bash
open -b com.apple.Safari
```

What it does:

- Opens Safari.
- Use Safari Settings to inspect privacy, extensions, passwords, and website permissions.

Do not clear saved passwords, remove profiles, or reset browser settings during this section unless you intentionally want those changes.

## Quick Checks

You should be able to answer:

- Why download browsers from trusted sources?
- What does a file hash prove?
- Why do browser updates matter?
- Why are extensions risky?
- What does a certificate warning mean?
- What does private browsing protect, and what does it not protect?
- Why protect browser sync with MFA?