To start our discussion on security in a browser, let's start with the browser itself. We want to be sure that the browser that we're using is one from a legitimate source. You don't want to download any browser from any website, because attackers have been known to release their own browser versions to gain access to your system. This is effectively the same best practice we use for installing any software. We want to be sure that we're not clicking links that might be inside of an email. And we shouldn't follow links that go from one third-party site to another third-party site. Instead, you can go directly to your browser, type in the name of the browser that you're looking for, and visit that developer site directly. And in some cases, you may be able to verify the hash of that downloaded file to ensure that the file that you have on your system is identical to the installer that is on the developer website.

To be able to perform this comparison of hashes, we need an application or utility that can create these hashes based on a specific input. If you're running macOS or Linux, you may already have these utilities available at the command line. And in Windows, there are many utilities available in the Microsoft Store. You will usually see these hashes provided on the download page. For example, I was downloading a Linux distribution and it showed me a couple of Linux ISOs, and next to each ISO was a SHA-256 sum. This is referring to the hash that's just before the file name. This was created using the SHA-256 hashing algorithm. And you can use that same algorithm to confirm that you've downloaded this file correctly. Once you've downloaded the file to your local system, you can run your own SHA-256 hash on that downloaded file. That's exactly what I did here using this free utility from the Microsoft Store called hash checker. I specified SHA-256. I dropped the ISO file right into the window and it created this hash that you see on the screen.
If we compare this hash versus the one that is on the original website, you can see that those two hash values are exactly the same. That means the file that I have downloaded matches the file that was on the developer's website that was originally used to create the hash. If these two hashes did not match each other, then we have downloaded a file that's either different than what the developer posted and put on their website, or there was some type of problem with the file when we downloaded it. You'll want to do some additional research if you want to know why the file that you have downloaded is different than the one that was originally used to create that hash.

Once we've downloaded and installed our browser, we need to be sure that that browser is up to date. And that applies to any browser that you might be using on your system. You always need to make sure that you're using the latest version of that browser to maintain the security of that system. Most browsers have their own update manager, and they will go out and check to see if a new version is available at least once a day. If it notifies you that a new version is available, it may be able to download and upgrade the entire package all by itself.

Most browsers are fully featured applications, but occasionally there might be an add-in, or what a browser may refer to as an extension, to be able to extend the capabilities of that browser application. Most of these extensions can be found on an official app store, such as the Chrome Web Store or the Microsoft Store, but some extensions can also be downloaded and installed from third-party websites. These extensions have the same amount of control over your system as your browser does. So, it's a good idea to make sure that if you are installing an extension, you know you're downloading and installing it from a known-good website.
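The hash comparison described above, written out as a small script rather than a GUI tool. This is an added example, not code from the lesson or from the hash checker utility; it does what `sha256sum -c` does on Linux and macOS: hash the file in chunks, read the published `SHA256SUMS`-style list, and report OK, FAILED or MISSING. The checksum list and the "ISO" contents in `demo()` are constructed sample data (the published digest there is the SHA-256 of the three bytes `abc`).

```python
"""Verify a downloaded file against a published SHA-256 checksum.

Added example (not part of the original lesson). Mirrors `sha256sum -c`:
hash the file, look up the published value by file name, compare.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so a multi-gigabyte ISO
    never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse lines in the coreutils format '<hex digest>  <filename>'.
    A leading '*' on the name means binary mode; '#' lines are comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.strip().lstrip("*")
        if len(digest) == 64 and name:
            expected[name] = digest.lower()
    return expected


def verify(path: str, expected_hex: str) -> bool:
    """Compare the computed digest with the published one. compare_digest
    is constant-time; not strictly needed for a public hash, but a good habit."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def verify_download(path: str, sums_text: str) -> str:
    """Return 'OK', 'FAILED' or 'MISSING' for one file, like sha256sum -c.
    FAILED means the bytes differ from what the publisher hashed: either a
    corrupted download or a file that was swapped out somewhere on the way."""
    expected = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "MISSING"
    return "OK" if verify(path, expected[name]) else "FAILED"


def demo() -> dict:
    """Constructed end-to-end run: a good download, a tampered copy, and a
    file the publisher never listed. Returns the result for each."""
    sums_text = (
        "# constructed SHA256SUMS file, as shown on a download page\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.iso\n"
    )
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sample.iso")
        with open(good, "wb") as f:
            f.write(b"abc")  # the bytes the publisher actually hashed
        results["good"] = verify_download(good, sums_text)

        os.mkdir(os.path.join(d, "t"))
        tampered = os.path.join(d, "t", "sample.iso")
        with open(tampered, "wb") as f:
            f.write(b"abd")  # same name, one byte changed
        results["tampered"] = verify_download(tampered, sums_text)

        other = os.path.join(d, "other.iso")
        open(other, "wb").close()
        results["unlisted"] = verify_download(other, sums_text)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that a matching hash only proves the bytes are the ones the publisher hashed; if the checksum list itself was served from the same compromised page, both would match. That is why distributions also sign the checksum file, and why the lesson's advice to fetch from the developer's own site matters.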
If you're downloading an extension from a third-party website or from a website that you've never been on before, then it's probably a good idea to perform some additional checks before trusting that software on your system. This is a very popular attack vector, and you want to be sure that anything you're putting inside of your browser is trusted and legitimate. Occasionally, you'll find a set of security researchers will go through the latest library of extensions. They did this in March of 2021 and found more than 24 Google Chrome extensions that were identified as being malicious. Because this software was previously unknown as being malicious and is being installed as an extension and not an application, many antivirus and anti-malware utilities had no idea that this software could harm your computer. The researchers also installed these malicious extensions to see what they would do. And they found that many of these extensions would steal your credentials. So when you logged in with your username and password to a website, those credentials were also sent to the attacker. Some of them made screenshots and logged the keys that you were typing on your computer, and others would grab information and data that you're saving and send that information to the attackers as well.

Trust is one of the most significant foundations in IT security. And if we can't trust our software, then you probably should not be installing it onto your system.

On all of my devices, I use a fully-featured third-party password vault. This password vault is designed to save every login credential that I use on every website that I visit. This ensures that I am not only remembering what that password might be, but it allows me to create a very strong and very different password on every site that I visit. If you do plan to use some type of password vault, you need to make sure that everything you're saving in that vault is protected.
The password vault that I use, and most of the password vaults that you'll run into, use a method to encrypt all of the data that you're storing in that vault, and access to that database is often protected using a number of different security features. You can also synchronize this data across all of those different password vaults. So, if I'm using and storing information on one computer and I move to my tablet device, that same password vault will be synchronized across all of those. When attackers are able to gain access to an authentication database from a third-party website, they begin to use those usernames and passwords across multiple sites. That's because they know that people will often reuse the username and the password on every site that they visit. But if you're using a password vault, you now have a different username and password on every single site. So if an attacker does gain access to your username and password information stored on one website, they will have no way to access any of your other accounts on any other website. There are not only password vaults available for personal use, but there are also password vaults specifically created for use in a business environment. If you're not using a password vault at your place of work, you may want to look to see what options might be available to you.

Many of us have visited a website that popped a message up that said this connection is not private, or this certificate is not valid, or some other type of certificate-related error. Each browser has a different way of presenting these errors and a different syntax that they use to describe the error that you've received. It's often useful to dig into the certificate and see what specifically is causing this browser to provide this error message. You may find that the certificate is expired, or is using an incorrect domain name, or maybe the certificate itself has not been properly signed by a trusted certificate authority.
And since these certificates are also sensitive to dates and times, you need to make sure that your computer is also set to the correct date and time. In this case, I'm visiting a website at badssl.com. This is a well-known website that you can use to test your browser and see how it reacts with different certificate problems. I visited untrusted-root.badssl.com. And if we show the details of that certificate, you can see that this is an untrusted root certificate authority. This certificate has been signed, but it has been signed by a certificate authority that our browser does not trust. Therefore, it puts a message on the screen that says, "This site is untrusted." If you'd like to see how your browser reacts to these types of problems, you can visit badssl.com and go through a number of different scenarios and see what messages you get on your browser.

In the early days of the internet, attackers found many ways to get their malicious information in front of you on the screen. One of those methods was to have a pop-up window appear when you visit a particular website. And one of the things that you may have noticed in the most recent browsers is that pop-up blockers are built into the browser itself. With the pop-up blocker enabled, you can visit those websites and none of those pop-up messages will appear inside of your browser. In some cases, however, you may find that a website does want to provide a pop-up window that is legitimate and does not have any type of malicious use. In that case, you may choose to disable the entire pop-up blocker or simply disable it for this trusted domain. Setting individual exemptions for the website pop-up blocker is probably the best way to approach this. That way, you're able to still have those pop-up messages occur on sites that are trusted, but still block those pop-ups on any third-party sites.
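The three certificate failures named above (expired, wrong domain name, untrusted issuer) plus the clock problem, reduced to the checks a browser performs. This is an added example, not code from the lesson or from badssl.com; the certificates, the trusted root name and the clock values are constructed, and the trust check is simplified to a single issuer lookup rather than a full chain walk through intermediates. The host-name matching follows the usual rule that a wildcard only stands for one label and only in the leftmost position, which is why `*.badssl.com` covers `untrusted-root.badssl.com` but not `badssl.com` itself.

```python
"""What is behind a browser's certificate warning: validity window,
host-name match, and issuer trust. Added example, not the lesson's code.
Certificates and root store below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed root store: the CAs "our browser" trusts.
TRUSTED_ROOTS = {"Example Trusted Root CA (constructed)"}


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san: list = field(default_factory=list)  # subject alternative names


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a leftmost '*' covering exactly one
    label. '*.badssl.com' matches 'a.badssl.com', not 'badssl.com' or
    'a.b.badssl.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".badssl.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def check_certificate(cert: Cert, host: str, now: datetime) -> list:
    """Return the list of reasons the browser would warn (empty = accept).
    `now` is the client's clock, which is why a wrong system date
    produces NOT_YET_VALID or EXPIRED on a perfectly good certificate."""
    errors = []
    if now < cert.not_before:
        errors.append("NOT_YET_VALID")
    if now > cert.not_after:
        errors.append("EXPIRED")
    if not any(hostname_matches(n, host) for n in cert.san):
        errors.append("HOSTNAME_MISMATCH")
    # Simplification: real browsers walk the chain to a root; here the
    # certificate's issuer is compared directly with the root store.
    if cert.issuer not in TRUSTED_ROOTS:
        errors.append("UNTRUSTED_ROOT")
    return errors


def demo() -> dict:
    """Constructed scenarios modelled on the badssl.com test hosts."""
    utc = timezone.utc
    good_window = dict(not_before=datetime(2025, 1, 1, tzinfo=utc),
                       not_after=datetime(2026, 1, 1, tzinfo=utc))
    trusted = "Example Trusted Root CA (constructed)"
    now = datetime(2025, 6, 1, tzinfo=utc)
    host = "untrusted-root.badssl.com"

    valid = Cert("*.badssl.com", trusted, san=["*.badssl.com", "badssl.com"], **good_window)
    expired = Cert("*.badssl.com", trusted, san=["*.badssl.com"],
                   not_before=datetime(2023, 1, 1, tzinfo=utc),
                   not_after=datetime(2024, 1, 1, tzinfo=utc))
    wrong_host = Cert("other.example", trusted, san=["other.example"], **good_window)
    untrusted = Cert("*.badssl.com", "Untrusted Root CA (constructed)",
                     san=["*.badssl.com"], **good_window)
    return {
        "valid": check_certificate(valid, host, now),
        "expired": check_certificate(expired, host, now),
        "wrong-host": check_certificate(wrong_host, host, now),
        "untrusted-root": check_certificate(untrusted, host, now),
        # Same valid certificate, but the client's clock is set to 2015.
        "valid-but-clock-wrong": check_certificate(
            valid, host, datetime(2015, 6, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    for scenario, errors in demo().items():
        print(f"{scenario}: {errors or 'accepted'}")
```

The last scenario is the one worth remembering when troubleshooting: a certificate warning on every site at once usually points at the client's clock, not at the sites.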
If you're looking inside the settings of your browser, you'll certainly come across one that talks about clearing browsing data inside of that browsing application. This often includes the history of the sites that you've already visited, any passwords that you have saved in that browser, and any files that you may have downloaded. This gives you control over the privacy of your system and allows you to decide how much information is saved and what information you'd like to delete.

When you're troubleshooting an application problem inside of your browser, you'll often hear tech support tell you to delete everything in your cache and try the application again. That's because our browsers store a great deal of information in a local cache so that you're not constantly downloading the same information from a third-party website. But unfortunately, that cache can sometimes become corrupted, or the information in the cache may be older than what's really on the website. In order to work around these problems, you can clear the information that's inside of your cache, including things like your cookies, any website data that may be stored, cached images, and cached files. There's usually an option that allows you to specify exactly what type of data you'd like to delete, and you can simply clear that by clicking a button inside of your browser settings.

Instead of visiting a website and then deleting it from a list of websites you visited, it might be a good idea to simply not log that information from the very beginning. You can do that if you use a private browsing mode. In the private browsing mode, you can visit websites, but none of that information will be stored in a cache or anywhere locally. This is also a great troubleshooting step, since this also is not using any pre-existing caches. You can visit a website when you're troubleshooting to see if the problem you're having in your browser also occurs if you're browsing in a private browsing mode.
On most browsers, when you close this browsing mode, it removes all of your history and all of your downloaded files, and everything that may have been cached during that session is also deleted. This might also be a good mode to use if you're using someone else's computer or you're on a public computer and you don't want to save any of that information on that local machine.

We store a lot of information in our browsers. We have a list of favorites, we have a bookmark list, and we have extensions that we've installed to customize our use of the internet. The problem is, when you move to another computer, those settings are not going to follow you. However, many browsers have a feature that allows you to synchronize data between your systems. You do this by logging into the browser that you're using, and then it stores all of those configuration options in the cloud. If you use those same credentials to log in to another browser on a different computer, it will download all of those configuration options and have them available. This way, you can move from computer to computer and have exactly the same environment on all of your different browsers. This stores information such as your browsing history, all of your favorites, any extensions that you've installed, and any of the settings you have for the user interface inside of your browser session. This is obviously a trade-off, because you are storing a great deal of information in the cloud, but you've also made it very easy for you to move from one computer to another and maintain the same working environment across all of those different systems.

On the internet, there's certainly a balancing act between websites that want to provide information and being able to fund those websites using advertising. Many browsers now include ad blockers in the browser itself.
This is a good way to prevent extreme forms of advertising, but these types of ad blockers don't necessarily block all types of advertising, and you may find that your browser may not even include any way to block ads within the browser itself. Sometimes you'd also like to control how much information is being stored by a third-party website. When you visit that website, often they will collect information about your computer, and if you visit again, they will recognize that you are a returning customer. You may want to allow or not allow that level of tracking. And many browsers will give you options that can set different levels of privacy depending on your requirements. And of course, there is a constant battle between advertisers that would like you to see their ads and blockers that would like to block those ads. These types of blockers are not always 100% reliable, but your browser may give you options that let you control how much privacy you'd like to have when you're surfing the internet.

When you're at home, you're the one who's in control over the sites that you visit. But on a business network, you might want to have additional control over exactly what sites people are visiting. One of the ways that businesses are able to provide this control is through the use of a proxy. A proxy is a device that sits in the middle of the communications flow between all of the devices on your work network and all of the websites that are on the internet. This proxy receives all of the requests that are being made from the devices on your local network, and it makes those requests on your behalf to the devices on the internet. This proxy can obviously stop that query from going out to the internet if there are controls that prevent you from visiting that type of website. And the proxy is receiving all of the responses from the web servers on the internet. So it can look through those responses to see if there might be anything malicious.
And if there is malicious software in that response, it will prevent any of that from getting on your local computers. These proxies often have additional functions inside of them, such as authentication and access control. They are obviously providing URL filtering, and they may be caching information locally so that you don't have to go out to the internet to get information from that web server. It can all be provided locally if someone has previously visited that website.

If your organization is using an explicit proxy, then you have to configure these proxy settings inside of your browser. Some organizations are using a proxy known as a transparent proxy that performs all of these proxy functions, but you don't have to configure anything extra on your local system. You'll often find these proxy configuration options in your browser underneath the normal settings. In Windows, for example, there's a Network & Internet option and a Proxy option underneath that. This proxy can be set up to automatically detect that a proxy exists, or you can manually configure the proxy configuration with exactly what's required for your network. If this is an explicit proxy, then you'll need to configure it either using the automatic detection, or you'll need to manually put in the IP address and authentication details that will allow you access to the proxy on your network. And as we mentioned earlier, if your organization is using a transparent proxy, you don't have to configure anything inside of your operating system or browser; it will use that proxy configuration by default. So, if you're on your corporate network and you're not able to connect to a third-party website, it may be that you haven't properly configured the proxy, or the proxy itself may be blocking your communication.

Here's a standard proxy configuration on my computer. You first enable or disable the web proxy. You specify the name of the proxy server that's on your network.
On my network, it's proxy.professormesser.com. It uses port 8080 to communicate to that proxy server. It also requires authentication. So, if I need to use that proxy, I have to specify the correct username and password before I can communicate to the internet.

If you were to look at a packet capture of the domain name service communication on your network right now, you would probably see a lot of requests being made in the clear. You'd be able to read all of those requests from your packet capture. To prevent somebody from capturing those packets and seeing that information, many organizations are implementing secure DNS. Secure DNS will send this DNS information using DNS over HTTPS. You'll sometimes see this referred to as DoH. This is the same HTTPS we use to encrypt our communication to web servers. So, it's a perfect protocol to use to encrypt our communication to a DNS server. Obviously, the DNS server that you're using has to support DNS over HTTPS. Many of our large DNS providers are already providing this capability, and you might even be using it and have no idea that it's even turned on inside of your browser. On my Chrome browser, for example, under the advanced options is the link for "Use secure DNS," and I can enable and disable that option inside of the browser itself.

We mentioned earlier that you can install additional extensions into your browser from your app stores. And most browsers will provide you with a management front end that allows you to see all of the extensions that you've installed and allows you to individually enable or disable those extensions. If you're in Chrome, for example, there are links inside the Chrome browser that say "Discover more extensions and themes on the Chrome Web Store," and you can click that link to visit the Chrome Web Store and download additional extensions. But you could also install extensions from third-party websites.
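To make the "same HTTPS" point concrete, here is what a DNS over HTTPS client actually puts on the wire. This is an added example, not code from the lesson or from any browser; it builds the standard DNS wire-format query for an A record, encodes it the way RFC 8484 specifies for a GET request (`application/dns-message`, base64url without padding in the `dns=` parameter), and parses a constructed response. The `/dns-query` path and `doh.example` server name are placeholders, and the response bytes are constructed here rather than captured from a real resolver. Nothing in the block opens a network connection; the point is to see that the plaintext DNS message a packet capture would show is simply carried inside an HTTPS request body, so an observer on the network sees only TLS.

```python
"""DNS over HTTPS (RFC 8484) message encoding, without any network I/O.
Added example, not the lesson's code. Server name and response are constructed."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """12-byte header + one question. ID is 0 as RFC 8484 recommends for
    cache friendliness; flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_path(name: str) -> str:
    """Query carried in the URL, base64url with padding stripped."""
    msg = build_query(name)
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def decode_dns_param(param: str) -> bytes:
    """Inverse of the dns= encoding (re-add the padding base64 wants)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_request_lines(server: str, name: str) -> list:
    """The HTTP request a DoH client sends (shown in HTTP/1.1 form; real
    clients normally use HTTP/2). All of this rides inside TLS."""
    return [f"GET {doh_get_path(name)} HTTP/1.1",
            f"Host: {server}",
            "Accept: application/dns-message",
            ""]


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes):
    """Return (flags, [(name, type, value, ttl), ...]) for the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, "A" if rtype == 1 else rtype, value, ttl))
    return flags, answers


def sample_response() -> bytes:
    """Constructed resolver reply: example.com A 192.0.2.1 (TEST-NET-1), TTL 300.
    The answer name is a compression pointer (0xC00C) back to the question."""
    return (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([192, 0, 2, 1]))


if __name__ == "__main__":
    print("\n".join(doh_request_lines("doh.example", "example.com")))
    print(parse_answers(sample_response()))
```

Two details matter for the privacy claim: the resolver still sees every name you look up (DoH protects the path, not the resolver), and the TLS handshake to the DoH server itself may leak the server's name, so choosing the provider is as much a part of "secure DNS" as flipping the browser switch.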
There's nothing inside of your browser that would prevent you from installing those extensions. So, you need to be sure that everything you're installing is trusted. You'll be able to see all of the extensions that you've installed on your computer inside of your browser's extension manager. And on this screen, you can confirm that all of the extensions that are running inside of your browser are extensions that you trust.
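The extension manager shows you which extensions are installed; what it does not make obvious is what each one is allowed to do. The example below, added here and not part of the lesson or of any browser, reads extension `manifest.json` files (the permission model the March 2021 findings above exploited: an extension with broad host access plus `webRequest` or `cookies` is in a position to see credentials on every site) and flags the permissions a reviewer would want to look at before trusting one. The permission names are Chrome's own; the path under `%LOCALAPPDATA%` in the comment is where Chrome on Windows keeps installed extensions; the two manifests in `demo()` are constructed sample data, and the risk descriptions are this example's wording, not Chrome's.

```python
"""Audit browser extension manifests for permissions that deserve review.
Added example, not the lesson's code. Sample manifests are constructed."""
import json
import os

# Chrome permission names and why a reviewer cares about each (wording is ours).
RISKY_PERMISSIONS = {
    "webRequest": "can observe every HTTP request the browser makes",
    "cookies": "can read session cookies for the sites it has access to",
    "tabs": "can see the URL and title of every open tab",
    "history": "can read the browsing history",
    "clipboardRead": "can read whatever is on the clipboard",
    "nativeMessaging": "can talk to native programs installed on the host",
    "debugger": "can drive pages through the DevTools protocol",
}
# Host patterns that mean "every site you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return name, version and the findings for one manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # manifest v3
    # Manifest v2 mixed host patterns into "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    findings = [f"{p}: {RISKY_PERMISSIONS[p]}"
                for p in sorted(perms & set(RISKY_PERMISSIONS))]
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: code runs on every site you visit")
    return {
        # Store-installed manifests often use "__MSG_<key>__" here; the real
        # name then lives under _locales/, which this example does not resolve.
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "findings": findings,
        "review": "REVIEW" if findings else "ok",
    }


def scan_extensions_dir(root: str) -> list:
    """Walk an extensions directory and audit every manifest.json found.
    On Windows, Chrome's default profile keeps them under
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions\\<id>\\<version>\\."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
                try:
                    results.append(audit_manifest(json.load(f)))
                except (json.JSONDecodeError, UnicodeDecodeError):
                    results.append({"name": dirpath, "findings": ["unreadable manifest"],
                                    "review": "REVIEW"})
    return results


def demo() -> list:
    """Two constructed manifests: a narrowly scoped one and one shaped like
    the credential-stealing extensions the researchers described."""
    narrow = json.loads("""{
        "manifest_version": 3, "name": "Example Notes (constructed)", "version": "1.2",
        "permissions": ["storage", "activeTab"],
        "host_permissions": ["https://notes.example/*"]
    }""")
    broad = json.loads("""{
        "manifest_version": 2, "name": "Free Coupon Finder (constructed)", "version": "0.9",
        "permissions": ["webRequest", "cookies", "tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
    }""")
    return [audit_manifest(narrow), audit_manifest(broad)]


if __name__ == "__main__":
    for report in demo():
        print(f"[{report['review']}] {report['name']} {report['version']}")
        for finding in report["findings"]:
            print("   -", finding)
```

A finding is not proof of malice; a legitimate ad blocker needs `webRequest` and broad host access too. The value is that the list is short and specific, so the decision of whether to trust the extension is made on what it can do rather than on its store rating.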