Browser Security Settings
Major browsers (Chrome, Firefox, Edge, Safari) share common security controls.
Trusted and restricted sites: Internet Options → Security zones (IE/Edge legacy) — add trusted sites to reduce security prompts, restrict untrusted sites.
Privacy settings: block third-party cookies, clear browsing data on exit, enable Do Not Track (advisory only — sites can ignore it).
JavaScript controls: can be disabled per site (rarely recommended — breaks most websites).
Pop-up blocker: enabled by default in all modern browsers — allow-list specific sites when legitimate pop-ups are needed.
SmartScreen Filter (Edge, IE): Microsoft's anti-phishing and malware URL protection — warns before visiting known malicious sites.
Google Safe Browsing (Chrome, Firefox): similar cloud-based protection against known malicious URLs.
Private/Incognito mode: does NOT provide anonymity — prevents local browser history storage. ISP, employer, and websites can still see traffic. Useful for: preventing local tracking (shared computers), testing without cached data.
SSL/TLS Certificates and HTTPS
HTTPS (padlock icon) means the connection is encrypted — it does not mean the site is safe or legitimate.
Types of SSL certificates:
Domain Validation (DV): cheapest — only verifies domain ownership. Used by phishing sites (they can get DV certs easily).
Organization Validation (OV): verifies domain + organization identity.
Extended Validation (EV): strongest verification — company name shown in address bar (green bar in older browsers; now shows organization name in some browsers).
Certificate errors:
'This site's security certificate is not trusted': self-signed or expired cert, or CA not trusted by browser.
Connection is NOT private: browser blocking a site due to expired, revoked, or mismatched certificate.
Certificate mismatch: cert was issued for a different domain — possible MitM attack or misconfigured server.
What to do with cert errors: do NOT proceed if the error is for a financial or login site. For internal corporate sites, a custom CA may need to be installed.
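The checks behind the expired, mismatch and self-signed errors listed above, as an added example that is not part of the original notes. The certificates are constructed samples in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, the function names are assumptions, and revocation and CA trust are not covered because they need the browser's trust store.

```python
import ssl


def name_matches(pattern, host):
    """Compare a DNS name from the certificate with the requested hostname.
    A leading '*' label stands in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])


def triage(cert, host, now):
    """Return which of the error causes from the notes apply to this cert."""
    reasons = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in dns_names):
        reasons.append("mismatch")
    # Heuristic: issuer equal to subject means the certificate signed itself.
    if cert["issuer"] == cert["subject"]:
        reasons.append("self-signed")
    return reasons


def _name(common_name):
    """Build a subject/issuer value in getpeercert() layout."""
    return ((("commonName", common_name),),)


# Constructed sample certificates (not taken from real sites).
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
GOOD = {"subject": _name("shop.example"), "issuer": _name("Sample Issuing CA"),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Jan  1 00:00:00 2026 GMT",
        "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"))}
EXPIRED = dict(GOOD, notAfter="Mar  1 00:00:00 2025 GMT")
SELF_SIGNED = dict(GOOD, subject=_name("intranet.example"),
                   issuer=_name("intranet.example"),
                   subjectAltName=(("DNS", "intranet.example"),))

if __name__ == "__main__":
    for label, cert, host in (("good", GOOD, "www.shop.example"),
                              ("expired", EXPIRED, "shop.example"),
                              ("self-signed", SELF_SIGNED, "shop.example")):
        print(label, host, triage(cert, host, NOW) or "no findings")
```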
Extensions and Plugins
Browser extensions can enhance functionality but also introduce security risks.
Risks: malicious extensions — available even in official stores (Google Play, Chrome Web Store). Extensions can read all browsing data, inject scripts, redirect traffic. Adware bundled with 'free' software often installs browser extensions without clear disclosure.
Best practices: install only from official browser stores. Review requested permissions — an extension that 'can read and change all your data on websites you visit' has very broad access. Keep extensions updated. Remove extensions you no longer use. Disable extensions you don't recognize.
Signs of a malicious extension: browser redirecting to an unexpected search engine, unwanted ads on every page, homepage changed.
How to manage: Chrome: chrome://extensions, Firefox: about:addons, Edge: edge://extensions.
Browser plugin vs extension: plugins (Flash, Java, Silverlight) were native code that ran in the browser — mostly obsolete now. Extensions are JavaScript-based and run in the browser's sandbox.
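One way to do the permission review described above, as an added example that is not part of the original notes: it reads an extension's manifest.json and reports host patterns that cover every website. The two manifests are constructed samples and the function name `broad_host_access` is an assumption.

```python
import json

# Match patterns that cover every site: the kind of access the notes describe
# as "can read and change all your data on websites you visit".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest_text):
    """Return sorted (field, pattern) pairs that grant access to all sites."""
    manifest = json.loads(manifest_text)
    findings = set()
    # Manifest V3 lists hosts in host_permissions; Manifest V2 mixes them
    # into permissions next to API names such as "storage".
    for field in ("host_permissions", "optional_host_permissions", "permissions"):
        for entry in manifest.get(field, []):
            if isinstance(entry, str) and entry in ALL_SITES:
                findings.add((field, entry))
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in ALL_SITES:
                findings.add(("content_scripts.matches", pattern))
    return sorted(findings)


# Constructed sample manifests (not real extensions).
NARROW = json.dumps({
    "manifest_version": 3, "name": "Sample price checker",
    "permissions": ["storage"],
    "host_permissions": ["https://shop.example/*"],
})
BROAD = json.dumps({
    "manifest_version": 3, "name": "Sample coupon helper",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for label, text in (("narrow", NARROW), ("broad", BROAD)):
        print(label, broad_host_access(text) or "no all-site access")
```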
Clearing Browser Data
Clearing browser data resolves many browser issues and protects privacy.
Data types: Browsing history (list of visited pages), Download history, Cookies (session data, login tokens, preferences), Cache (stored images and files for faster loading), Saved passwords, Autofill data (forms, credit cards).
When to clear: resolving website loading issues (corrupt cache), privacy when using a shared computer, troubleshooting login problems.
How to clear: Chrome/Edge: Ctrl+Shift+Delete → select data types → Clear data. Firefox: Ctrl+Shift+Delete.
Selectively clearing: delete cookies/cache for a specific site — Chrome: click padlock icon → Cookies → Remove.
Session cookies: expire when browser closes.
Persistent cookies: stored between sessions — enable 'remember me' features.
Third-party cookies: from domains other than the site you're visiting — used for cross-site tracking. Most browsers now block third-party cookies by default.
Safe Browsing Practices
URL inspection: hover over links to see the actual destination in the status bar. Short URLs (bit.ly, tinyurl) hide the real destination — use a URL expander to check. Verify HTTPS on sites that handle sensitive data. Check the domain carefully — phishing sites use typosquatting (gooogle.com, paypa1.com, amazon-billing.com).
Downloads: only download software from official sources (manufacturer website, official app store). Avoid third-party download sites that bundle adware/malware. Verify the file hash (SHA-256) for critical software downloads.
Drive-by download: malware downloaded automatically by visiting a malicious page — keep browser and plugins updated.
Browser sandbox: modern browsers isolate tabs — a compromised tab cannot easily affect the system. Keep the browser itself updated — security patches are released frequently.
Password manager integration: use the browser's built-in password manager or a dedicated manager — helps avoid phishing (the password manager recognizes the correct domain).
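The domain check described above, automated as an added example that is not part of the original notes: it compares a hostname from a link against a short list of known domains and reports digit swaps, single-character edits and brand-plus-extra-word names. The `KNOWN` list, the digit table and the function names are assumptions made for illustration.

```python
import re

# Assumed allow-list: domains the user actually does business with.
KNOWN = ["google.com", "paypal.com", "amazon.com"]
# Digits commonly substituted for look-alike letters.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain):
    """Return (verdict, known_domain_it_resembles) for a hostname from a link."""
    domain = domain.lower().rstrip(".")
    for known in KNOWN:
        if domain == known or domain.endswith("." + known):
            return ("known", known)
    # Simplification: the label before the final dot is taken as the
    # registered name; a production check would use the Public Suffix List.
    label = domain.split(".")[-2] if "." in domain else domain
    normalized = label.translate(DIGIT_SWAPS)
    for known in KNOWN:
        brand = known.split(".")[0]
        if normalized == brand:
            return ("digit swap" if label != brand else "different TLD", known)
        if edit_distance(normalized, brand) == 1:
            return ("one edit away", known)
        if brand in re.split(r"[-_]", normalized):
            return ("brand plus extra words", known)
    return ("unrecognized", None)


if __name__ == "__main__":
    # The first three hostnames are the typosquatting examples from the notes.
    for host in ("gooogle.com", "paypa1.com", "amazon-billing.com",
                 "accounts.google.com", "example.org"):
        print(f"{host:22} {check_domain(host)}")
```

A verdict other than "known" is a prompt to look at the link more closely, not proof that the site is malicious.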