The basics of web browser security: an introduction

In a series of blog posts, we look into some of the most important aspects of online privacy and security.


Many of us think that if we’ve done nothing wrong, then we should have nothing to hide.

In reality, everyone has details about themselves that they would like to keep private, whether it’s from the other members of their household, from advertisers who seek to learn everything about them in order to create an advertising profile, or from network monitoring which leads to false assumptions about their intentions.

The concepts of security and privacy are easy to confuse, and the line can often blur between them. The basic idea is that security is about protecting you from malicious websites and remote attackers, and privacy is about protecting your private information from other trusted users of your computer or network.

Over the coming weeks, we’ll look into some of the most important aspects of online privacy and security.

Secure connections and your browser

When you browse websites, you ask the browser to load content from a website controlled by someone else, which may or may not be trustworthy. It downloads their content onto your computer, runs their trusted or untrusted code, and it has to do this constantly, without exposing you or your computer to unnecessary risks. The browser has to make sure you know which websites you are connecting to and when you’re being asked to reveal anything sensitive.

When you connect to a secure (https) website, Vivaldi and other browsers use various protocols to establish a secure connection with the website. All data is encrypted so that only the browser and the website can see what is being sent over the connection. Anyone else who can monitor what is being sent over the network would be unable to decrypt the data, at least not within a reasonable timespan.

At the same time, the browser checks the certificates sent by the website to make sure the connection is being made to the real domain so that an attacker cannot pretend to be that website – an attacker will not have the website’s certificate.

The certificate is signed by a chain of trusted authorities to ensure that a fake certificate cannot be created. The user can check the address field to make sure the website’s domain (e.g. “example.com”) is the one that they want to visit.

When you visit a website, Vivaldi and other browsers do not allow the website to run untrusted code on your computer. Websites may run JavaScript in the browser, but this is run within a sandbox so that it cannot affect other programs on your computer. It cannot install malware unless you actively run an executable which is downloaded from the website.

Cookies created by one website will not be sent to other websites, and scripts that run on one website cannot interact with scripts on another website (except within very strictly allowed limits). So websites cannot modify another website to make it do something unexpected, or watch what the other website is doing. This is one of the most fundamental concepts about web browser security, known as the same-origin policy.
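The comparison behind the same-origin policy, as an added example (not code from Vivaldi or any browser): two URLs share an origin only when scheme, host and port all match. The function names and sample URLs are constructed for illustration, and the sketch assumes only http and https URLs get a (scheme, host, port) origin.

```javascript
// Added illustration of the same-origin check; not taken from any browser's source.
// Assumption: only http and https URLs are given a (scheme, host, port) origin here;
// everything else (data:, file:, ...) is treated as an opaque origin.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Reduce a URL to its origin tuple, or null for an opaque origin.
function originTuple(urlString) {
  const u = new URL(urlString);            // also lowercases the host name
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    // The URL parser reports "" when the port is the scheme's default.
    port: u.port || DEFAULT_PORTS.get(u.protocol),
  };
}

// List which parts of the origin differ; an empty list means same origin.
function originDiff(a, b) {
  const x = originTuple(a), y = originTuple(b);
  if (x === null || y === null) return ["opaque"]; // never equal to anything
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed sample URLs, compared against one page's address.
const page = "https://example.com/account";
const samples = [
  "https://example.com:443/api?x=1",   // same origin: path and query are ignored
  "https://EXAMPLE.com/",              // same origin: host names are case-insensitive
  "http://example.com/",               // different scheme (and so different default port)
  "https://login.example.com/",        // different host: subdomains are separate origins
  "https://example.com:8443/",         // different port
  "data:text/html,<p>hi</p>",          // opaque origin
];
for (const other of samples) {
  const diff = originDiff(page, other);
  console.log(other, "->", diff.length ? "cross-origin: " + diff.join(", ") : "same origin");
}
```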

Security enhancements in Vivaldi

Like most browsers, Vivaldi can also check for known malicious websites, such as ones that pretend to be a different website in order to trick users into divulging usernames, passwords, or other sensitive information, or websites that offer malware for download. As this is not considered an essential part of the browser security model, it’s known as a security enhancement.

When downloading a file, Vivaldi displays the correct domain for where the file actually came from, to prevent an attacker from serving a file from their own site while redirecting you to a trusted website. Since downloads may be executable files, Vivaldi makes sure you explicitly want to run the executable and puts you in control. Where available, it also hooks into your system’s executable signing, to make sure your system can warn you if you just downloaded an executable from an untrusted publisher. Vivaldi offers a setting to tell it to download files without prompting, but executables will still not run without your explicit permission and action.

Stay tuned for more tips in our series on privacy and security.  

* * *


Main photo by Ricardo Gomez Angel on Unsplash.
