Time
8 hours 53 minutes
Difficulty
Beginner
CEU/CPE
11

Video Transcription

00:31
Welcome back to domain three. Still looking at security.
00:36
We're now in module 3.3, where we look at web browsing best practices.
00:44
So what this module is all about is keeping yourself safe
00:49
while you are
00:50
on the Internet with your web browser.
00:54
So we're going to look at the protocols that are used to connect to websites.
00:58
These are called HTTP or HTTPS.
01:02
We will look at the central role that a type of document called a certificate plays in making sure that you are actually connected to the website you think you're connected to and that your connection is encrypted. So the data that you're sending and receiving from that website is being encrypted before it travels across the Internet.
01:23
So the first thing we're gonna do is have a look at how you can tell whether your connection to a website is secure or not.
01:30
Two protocols are used to connect to a website.
01:34
One is HTTP and the other is HTTPS.
01:41
The protocol that is used to connect to websites is called HTTP.
01:46
HTTP stands for Hypertext Transfer Protocol.
01:49
Unfortunately,
01:52
it does not by default verify the identity of the website that you think you're connected to,
01:59
nor does it encrypt the connection.
02:02
Therefore, you have no way of knowing whether you're really connected to the real website or possibly a fake malicious version created by a malicious user.
02:14
The other thing that is a big problem with this kind of connection is this.
02:19
Supposing you get to the website and you log in, or you provide sensitive details like your Social Security number or your credit card information,
02:29
that will be sent unencrypted across the Internet.
02:31
So if anyone is capturing network traffic,
02:35
they will capture the packets and they'll be able to look inside them and read all that sensitive information that you're either uploading or downloading to that website.
02:46
HTTPS is a version that adds security to your connection to the website.
02:55
If you connect using HTTPS, that verifies two things: that this is the real website and not a fake one, so it has verified the identity of the web server you're connecting to,
03:07
and it provides encryption so that anything you transmit to or download from the Web site is encrypted.
03:16
And if you are required to log on to the website,
03:20
your credentials will not be exposed in plain text as they travel across the Internet; they'll be encrypted.
03:28
At the heart of this security provided by HTTPS is the concept of certificates. So next we're gonna have a look at certificates and what they are and what they do for you. And also we'll have a look at
03:40
how your browser tells you if something's going wrong with those certificates.
03:47
A certificate is a digital document that verifies the identity of the website you're connected to.
03:53
It also gives you other information that you can see here,
03:58
such as what the intended use of the certificate is,
04:01
when it is valid, from what date to what date,
04:04
and who issued that certificate.
04:09
Typically, certificates are issued by trusted authorities, and we'll talk a bit more about those in a minute.
04:19
So, firstly, I'm going to connect to a website that does not use HTTPS.
04:25
You can see in the address bar that the connection is using HTTP.
04:30
Now let's connect to microsoft.com, which always uses a secure connection,
04:35
and now you can see that the address bar says HTTPS. And over on the right, we see a lock indicating a secure connection.
04:45
You can click on the lock and view the certificate.
04:49
You'll see that this is for microsoft.com, and it is currently valid.
04:55
Now, over on the Details tab here, there's a field called Public Key.
04:59
This contains the encryption key that can be used to set up a secure, encrypted connection with Microsoft's Web site.
05:10
Now, sometimes things do go wrong. For example, a website may be presenting a certificate to your browser,
05:16
which has expired.
05:20
It might be that the certificate actually is not for that website, but within the certificate a different website is named.
05:30
It could be that the certificate was not issued by a trusted authority. Now, what is this trusted authority? Well, there are a range of commercial organizations such as VeriSign,
05:43
and their business is to produce these certificates and to digitally sign them.
05:47
So Microsoft, for example, if they wanted a certificate, might go to a company called VeriSign, who would create that certificate and then sell it to Microsoft. Microsoft would then install it on their web servers. When you then connect to their website using HTTPS,
06:03
the certificate is downloaded to your browser and your browser checks the certificate for its validity.
06:12
Certificates can have been revoked,
06:15
so it is possible that a certificate was issued for some particular reason.
06:18
But then it was found to be fraudulent
06:21
and the certificate has been revoked by the authority. Your browser always checks to see that any certificate that's presented by a web server
06:31
has not been revoked.
06:35
If any of these problems do exist with a certificate, normally your Web browser will alert you
06:41
to the problems.
06:45
Let's have a look at some typical errors you might see.
06:48
So here my browser is warning me that this certificate has expired, so its expiration dates have passed.
07:00
Now my browser's warning me that a certain name of the website specified in the certificate
07:08
doesn't match the actual name of the website I'm connected to.
07:14
Now it's warning me
07:15
that
07:16
the authority that issued the certificate is not trusted,
07:29
and now it's warning me that the certificate has been revoked, so you should not accept it.
07:36
So how do we stay safe from the Internet, apart from using HTTPS? Well, there's a number of other safe browsing practices that we're gonna look at.
07:49
As you've seen, browsers do try and keep you safe.
07:54
All modern web browsers try and protect you from going to known malicious websites.
08:00
For example, in Windows using Internet Explorer, the feature is called SmartScreen.
08:07
In Google Chrome, you can turn on protection in the advanced settings.
08:11
In these cases, what these browsers will do is, if you try and connect to a website that is already known to be a malicious website, they will pop up a warning and give you a chance to back out and go back to the previous web page you were looking at.
08:30
So how can we avoid danger? Well,
08:31
don't go to unsavory websites. Now, of course, unsavory is a fairly subjective definition, but you'll have some idea when you're going to an unsavory website.
08:41
For example, if it offers pirated software or pirated movies,
08:46
that's pretty unsavory. Or if you go to a website where you can download ***,
08:52
um,
08:54
that any of those types of websites could be sending you malicious software.
09:01
If your browser does pop up a warning, pay attention to it and back out if you're at all unsure.
09:09
Don't go to any sensitive sites by clicking links inside emails.
09:13
For example, if I get an email that claims to be from my bank,
09:16
I never would click on the link within the email. Instead, I would close my email. Then I would independently go to the website, log into my bank account and see if there's a similar message there.
09:30
If not, this was probably a phishing attack.
09:37
Cybersquatting. Sometimes people register website names that are similar to, but not exactly the same as, a legitimate website.
09:46
For example, look carefully in the address bar or at the spelling of a link you're about to click on.
09:54
Does it actually say Bank of America?
09:56
Or does it actually say something different, like Back of America?
10:01
Subtle difference of one letter, but at a quick glance it may fool you.
10:09
So what other types of things are suspicious?
10:13
Let's say you receive an email that is threatening you or demanding money.
10:18
Um, that would be pretty suspicious.
10:22
A pop-up suddenly appears on your screen, that is, a window opens up,
10:26
and sometimes it just contains advertisements, in which case, you know, it's annoying,
10:31
but not necessarily malicious.
10:33
Sometimes you see fake warning messages or fake dialog boxes. So you see a warning that a virus has been detected on your computer and you must immediately click this link, something like that.
10:46
Most browsers these days will block most types of pop-ups. You can configure that in the settings of the browser.
10:56
Websites that try to make it hard to leave the website.
11:00
So every time you try and leave the website to go to another website instead of letting you go to another website, it keeps popping up messages to try and stop you
11:09
and your back button doesn't work.
11:11
In that case, close the browser, and if it won't let you close the browser, log off and then log back on again.
11:24
Examples of suspicious emails include unsolicited emails. If you don't recognize who the sender is, it's probably best to just delete it or not open it. Certainly do not click on any links you see inside such an email.
11:41
If an email contains misspellings and grammatical errors,
11:46
well, if it really comes from some institution like the bank, it's highly unlikely that it would contain those.
11:54
It offers you $1,000,000 or some other scam,
11:58
so long as you can provide some useful information like your bank details.
12:05
Remember, you don't get anything for nothing. And you certainly don't get offered $1,000,000 through an email.
12:13
It tells you you won something and all you have to do is click on the link.
12:20
It threatens you with arrest.
12:22
Um, for example, there's a scam which involves
12:26
calling you up on the phone, and this may be done by email as well, telling you that there's been a problem discovered with your tax return. The IRS is going to arrest you unless you click on this link and put in your credit card details and pay off the penalty.
12:43
Of course, the IRS does not send you a warning before it comes to arrest you.
12:48
It contains information about a service or institution you've never been affiliated with.
12:54
So you get an email that comes from some random bank, not the bank you actually use. That would be pretty suspicious.
13:05
Cookies. You may have heard of these.
13:09
What they are usually is text files that store information about you,
13:15
and that could be useful
13:16
because
13:18
they could store your login information. So every time you go to the same website, you don't have to log in each time, or they might simply store your preferences. So you go to the website once, you configure a few settings to say, this is what I want to see when I get to the website, and it stores that information.
13:35
That cookie is stored on your local computer.
13:39
Now, cookies can be dangerous. They could be used to track your online activity,
13:45
so browsers allow you to configure whether or not to allow various types of cookies.
13:54
Another thing that you should be careful about is when you download software,
13:58
make sure it is digitally signed.
14:01
Digitally signed software
14:03
means that the author, the company that produced it,
14:07
has digitally signed it to verify its authenticity.
14:11
It also tells you
14:13
the digital signature
14:15
that the file has not been altered since it was created. In other words, somebody hasn't intercepted the file and added malicious code to it.
14:24
If software you download is not digitally signed or there's something wrong with the digital signature,
14:30
you get a warning appearing like this dialog box. In this case, what it's actually complaining about is that, yeah,
14:35
the software might be digitally signed, but it's not signed by some trusted organization.
14:43
So browsers check digital signatures of files when you download them,
14:48
so they're looking for files that are either not signed at all
14:52
or the signature appears to be invalid.
14:58
You can configure your browser to simply block any unsigned files or to prompt you before downloading them.
15:05
The problem with just blocking all unsigned files is this: occasionally you come across a useful program, maybe created by someone in their spare time,
15:13
and they don't have the time and resources to get it digitally signed because that costs money.
15:18
And so it may be a perfectly useful utility with nothing wrong with it.
15:22
But whenever you accept an unsigned file from the Internet, you're always taking a risk.
15:33
Browser add-ons can take many different forms. They could be toolbars that are added to your web browser. They could be ActiveX controls that improve the functionality of a website.
15:45
They might be what I call shell extensions for the browser.
15:48
Now, all of these again should be digitally signed,
15:52
and you might find that when you go to a particular website, it says, oh, you have to download, say, this ActiveX control before everything will work.
16:00
Remember that all of these are being downloaded to your local computer and running on your local machine.
16:07
If they are digitally signed and your browser sees no problem with that signature,
16:11
then it will let you go ahead and download and install them. But once again, if the browser issues a warning, you should heed the warning and not proceed with installing that add-on.
16:25
So normally you'll be prompted before they are installed,
16:29
and only if they are digitally signed
16:30
should you install them.
16:37
Cookies can track your activities on the web, but it's not always malicious. Sometimes it is just simply that they want to sell you stuff. So they're looking at what you're shopping for on the Internet, what reviews you might be reading for products and so on.
16:52
And then adware appears, and what it does is attempt to direct you to a specific website to make your purchase.
17:00
So
17:02
adware is annoying, but it's not necessarily malicious.
17:06
What are the symptoms of having adware?
17:08
You see pop-up windows trying to sell you what you've been looking for.
17:11
Your browser home page gets changed, your search engine gets changed,
17:17
and you go from one website to another, but you keep seeing the same advertisements at every website. I mean, I've had this experience many times where I might be, say, going to Amazon to look for a product.
17:29
And then I log in to Facebook and there's adverts for the very same product, appearing on the right hand side of the browser.
17:41
PII refers to personally identifiable information.
17:45
So this can take many forms. It's stuff like your name, your date of birth, your telephone number, your Social Security number, but also things like the name of your
17:57
pet or partner or spouse.
18:00
Or it could be
18:02
that it is asking for your mother's maiden name.
18:06
Now all of that information can be used for identity theft, so you should be very cautious about entering that.
18:11
One thing to think about is why is the website asking me for this information?
18:17
Because it may be that some of that is just trying to gather information, but they don't require it. See which fields are actually required and which ones are optional.
18:30
And if you are about to enter that information, make sure that you have a secure connection in place. Look in the address bar of the browser; make sure it says HTTPS.
18:44
Verify that you're connected to the real website that you think you're connected to. Again, check in the address bar the actual spelling of the name of the website.
18:56
Using public computers.
18:59
So if you, for example, go to a library and you use a public computer there. Or possibly there's one in a lobby of a company's reception area or maybe even a public computer available at a coffee shop.
19:15
Be careful about these because
19:18
your personally identifiable information and other sensitive information such as passwords and logon information could be being recorded by the browser. This is actually normal in web browsers that record that information to make it easy for you to go back to the same websites.
19:36
In order to stop this on a public machine, you should use private browsing or manually delete all your history after you have finished.
19:49
So modern browsers allow for something called InPrivate browsing by Internet Explorer
19:56
or Incognito browsing by Google Chrome.
20:00
What these settings do is they turn off the browser's ability to remember anything.
20:04
So it will not remember
20:07
what websites you visited. It won't remember anything you typed into any forms on a website
20:12
and it won't remember your passwords.
20:18
Just be aware, this is not gonna prevent your ISP, your Internet service provider, from tracking you
20:25
or anybody who's snooping on the connection using tools like a Web like a packet sniffer.
20:30
So if you're not using HTTPS,
20:33
then your connection is unencrypted and therefore
20:37
various entities could actually be tracking the website you're going to and so on.
20:48
So let's have a look at enabling InPrivate browsing. In Internet Explorer, I click on the cog
20:56
and then I choose InPrivate Browsing. Now what that actually does is pop up a new browser window.
21:02
And in there you can see clearly it says InPrivate.
21:11
Failing that,
21:12
whenever you leave a public computer, you should delete your history
21:17
particularly, um,
21:18
if you have been typing in
21:22
personal information or passwords and so on.
21:26
So most browsers
21:27
have the ability to delete your history.
21:36
You should also disable autofill.
21:40
As a convenience for users, browsers remember your browsing history, what you typed into forms on a website, and even your passwords. They then fill in the information for you the next time you visit the same website.
21:51
On a shared computer, leaving that history stored could be dangerous.
21:55
Someone else could log on,
21:56
see every website visited, and worse, they could go to each one, and the browser would just log them in using your stored credentials.
22:06
Fortunately, this browser feature can be turned off in the options for the browser.
22:11
For example, in Internet Explorer, we would
22:17
click on the settings cog, choose Internet Options from the menu and then click on the Content tab.
22:25
On the Content tab, click the Settings button under where it says AutoComplete.
22:30
Here, you can choose what the browser records and doesn't record.
22:41
The other way to keep yourself safe is to keep everything updated,
22:45
so
22:47
don't use older browsers.
22:48
Use the latest browsers. They contain the latest security features.
22:55
And check regularly to see if new versions of your web browser are available or updates are available for any add-ons that you might have installed within the browser.
23:07
So to summarize: in module 3.3, we looked at how you can tell if you're connected to a website securely, and that's using HTTPS.
23:18
With HTTPS, we verify the identity of the website, and the connection is encrypted.
23:26
We saw that central to all of this are the certificates that are downloaded from a web server to your local browser.
23:33
Your browser then checks out the certificate to make sure it's valid and then uses it to set up a secure, encrypted connection.
23:41
We also looked at various practices for remaining safe
23:45
and cautious on the Internet.

Up Next

CompTIA IT Fundamentals

The CompTIA IT Fundamentals certification is aimed at people considering a career change to IT. The course will prepare you to take the CompTIA IT Fundamentals exam. If you are new to IT this course is prerequisite knowledge that allows you to tackle the more advanced A+ and Network+ CompTIA certifications that many IT professionals hold.

Instructed By

Ali Wasti
Instructor