
SEC-11: Browser Security

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.11 Browser security

What You Need To Know

Browsers are a major security target because users access email, banking, cloud apps, password resets, downloads, and work systems through them.

The exam wants you to know how to secure:

  • Browser installation sources
  • Updates and patches
  • Extensions and plug-ins
  • Password storage
  • Certificates and secure connections
  • Pop-ups, ads, cache, cookies, and private browsing
  • Browser sync and proxy settings

Memory Trick

Use D-U-E-C-P:

  • Download from trusted sources
  • Update the browser
  • Extensions only from trusted stores
  • Certificates must be valid
  • Privacy data can be cleared

Shortcut:

  • Browser trust starts before install and continues with updates.

Trusted Browser Downloads

Safe browser installation:

  • Go directly to the vendor website or official app store.
  • Avoid links in email.
  • Avoid random third-party download sites.
  • Verify downloads with hashes or signatures when provided.

Hash verification:

  • A hash is a fingerprint of a file.
  • If the downloaded file hash matches the posted hash, the file likely did not change.
  • If it does not match, do not install it.
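The comparison step described above, as an added example (not part of the original notes). The function names `file_sha256` and `verify_download` are hypothetical, and the sample file and its posted hash are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: check a download against the vendor-posted SHA-256.

# Print the lowercase SHA-256 of a file with whichever tool is installed
# (sha256sum on Linux, shasum on macOS). Reading via stdin avoids any
# filename quoting in the tool's output.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print tolower($1)}'
    else
        echo "no SHA-256 tool found" >&2
        return 3
    fi
}

# verify_download FILE POSTED_HASH
# Returns 0 on match, 1 on mismatch (do not install), 2 on unusable input.
verify_download() {
    local file=$1 posted actual
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Posted values are often pasted as "HASH  filename" or in uppercase
    # (Get-FileHash prints uppercase): keep the first field, lowercased.
    posted=$(printf '%s\n' "$2" | awk '{print tolower($1)}')
    # SHA-256 is exactly 64 hex characters; reject truncated or wrong-type pastes.
    case $posted in
        *[!0-9a-f]*) echo "posted hash is not hex" >&2; return 2 ;;
    esac
    [ "${#posted}" -eq 64 ] || { echo "posted hash is not 64 hex chars" >&2; return 2; }
    actual=$(file_sha256 "$file") || return 2
    if [ "$actual" = "$posted" ]; then
        echo "MATCH: $file"
        return 0
    fi
    echo "MISMATCH: $file (do not install)" >&2
    return 1
}

# Constructed sample: a stand-in "download" whose content is "hello\n".
sample=$(mktemp)
printf 'hello\n' > "$sample"
# Constructed "posted" value: SHA-256 of that content, uppercase on purpose.
posted='5891B5B522D5DF086D0FF0B110FBD9D21BB4FC7163AF34D08286A2E846F6BE03'
verify_download "$sample" "$posted"
rm -f "$sample"
```

The exit code separates "hash differs" (1) from "could not check" (2), so a truncated paste is never mistaken for a verified file.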

Exam clue:

  • If a user needs to install a browser safely, choose trusted source and hash/signature verification.

Browser Updates

Browsers need frequent updates because browser vulnerabilities are heavily targeted.

Updates may come from:

  • The browser itself
  • The operating system update process
  • An enterprise software management tool

Best practice:

  • Keep automatic updates enabled when possible.
  • Restart the browser after updates if required.

Exam clue:

  • If the browser has security vulnerabilities or degraded behavior from an old version, update it.

Extensions and Plug-ins

Extensions add browser features, but they can also steal data.

Trusted sources:

  • Official browser extension stores
  • Microsoft Store
  • Chrome Web Store
  • Known vendor websites

Untrusted sources:

  • Random websites
  • Email links
  • Pop-up prompts
  • Extensions installed by malware

Possible malicious extension behavior:

  • Credential theft
  • Screenshot capture
  • Keylogging
  • Redirecting searches
  • Data exfiltration

Best practice:

  • Install only necessary extensions.
  • Remove unused extensions.
  • Review permissions before installing.

Password Managers

Password managers store credentials in an encrypted vault.

Benefits:

  • Unique passwords for each site
  • Strong generated passwords
  • Easier password hygiene
  • Sync across devices when configured

Risk:

  • The vault must be protected with a strong master password.
  • Browser-saved passwords may be less controlled than enterprise password managers.

Exam clue:

  • If the issue is password reuse across many websites, use a password manager.

Secure Connections and Certificates

HTTPS uses certificates to prove the site's identity and protect traffic.

Browser certificate warnings may mean:

  • Certificate is expired
  • Certificate is for the wrong domain
  • Certificate is signed by an untrusted authority
  • System date/time is wrong
  • A captive portal or inspection device is interfering

Best practice:

  • Do not ignore certificate warnings on sensitive sites.
  • Check certificate details.
  • Check the system date and time.

Exam clue:

  • If a browser shows invalid certificate warnings, investigate before entering credentials.

Pop-Up Blockers and Notifications

Pop-up blockers stop unwanted browser windows or prompts.

Best practice:

  • Keep pop-up blocking enabled.
  • Allow pop-ups only for trusted sites that require them.
  • Disable only temporarily for troubleshooting.

Browser notifications:

  • Websites may request permission to send notifications.
  • Malicious or low-quality sites can abuse notification prompts.
  • Disable unwanted site notifications.

Clearing Private Data

Browser data can include:

  • History
  • Cookies
  • Cache
  • Download list
  • Saved form data
  • Saved passwords

Cache:

  • Stores parts of websites locally.
  • Can speed up browsing.
  • Can cause stale-page or troubleshooting issues.

Cookies:

  • Store session and site data.
  • Can keep users signed in.
  • Can also be used for tracking.

Best practice:

  • Clear cache/cookies when troubleshooting site problems.
  • Be careful before clearing saved passwords.

Private Browsing Mode

Private browsing does not keep the normal local session history once the window closes.

It can remove:

  • Browsing history for that session
  • Download history list
  • Temporary cache/cookies for that private session

It does not make you invisible to:

  • Websites
  • Employer/school networks
  • Internet provider
  • Network logging tools

Exam clue:

  • Private browsing is local privacy, not full anonymity.

Browser Data Synchronization

Browser sync can share data across devices.

Synced items may include:

  • Bookmarks
  • History
  • Extensions
  • Passwords
  • Settings

Risk:

  • A compromised browser account can expose synced data.
  • Unwanted extensions may appear on multiple devices.

Best practice:

  • Protect sync accounts with MFA.
  • Disable sync for sensitive categories if policy requires it.

Ad Blockers and Proxies

Ad blockers:

  • Can reduce ads and some malicious ad risks.
  • May break some websites.
  • Should come from trusted extension stores.

Proxy:

  • Sits between the browser and the destination site.
  • Can cache content.
  • Can enforce access control.
  • Can filter traffic.
  • Can be configured manually or by policy.

Exam clue:

  • If browsing must be filtered or logged centrally, think proxy or content filtering.

Commands To Enter

Windows PowerShell:

Get-FileHash "$env:USERPROFILE\Downloads\example.exe"

What it does:

  • Calculates a hash for a downloaded file (SHA-256 by default).
  • Replace example.exe with a real file name only when you intentionally want to check it.

start ms-settings:dateandtime

What it does:

  • Opens Windows date and time settings.
  • Wrong date/time can cause certificate warnings.

start chrome://settings/privacy

What it does:

  • Opens Chrome privacy settings if Chrome is installed.

Linux:

sha256sum ~/Downloads/example-file

What it does:

  • Calculates a SHA-256 hash for a downloaded file.
  • Replace example-file with a real file name only when checking a download.

date

What it does:

  • Shows the system date and time.
  • Incorrect date/time can cause certificate warnings.

xdg-open chrome://settings/privacy

What it does:

  • Attempts to open Chrome privacy settings.
  • Works only if a compatible browser handles the URL.

macOS:

shasum -a 256 ~/Downloads/example-file

What it does:

  • Calculates a SHA-256 hash for a downloaded file.

date

What it does:

  • Shows the system date and time.

open -b com.apple.Safari

What it does:

  • Opens Safari.
  • Use Safari Settings to inspect privacy, extensions, passwords, and website permissions.

Do not clear saved passwords, remove profiles, or reset browser settings during this section unless you intentionally want those changes.

Quick Checks

You should be able to answer:

  • Why download browsers from trusted sources?
  • What does a file hash prove?
  • Why do browser updates matter?
  • Why are extensions risky?
  • What does a certificate warning mean?
  • What does private browsing protect, and what does it not protect?
  • Why protect browser sync with MFA?