Germany's cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure.
The new guidelines are currently being drafted by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), and they will be used to advise government agencies and private-sector companies on which browsers are safe to use.
A first version of this guideline was published in 2017, but a new standard is being put together to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms -- all mentioned in a new draft released for public debate last week.
According to the BSI's new draft, a modern browser must meet the following requirements to be considered "secure":
Once this draft has gone through public debate, the BSI is expected to release a public document detailing which browsers meet the new criteria, as it did in 2017 with a document that is now outdated.
Besides rules for what counts as a "secure browser," the BSI guideline also includes a basic "secure" configuration for browsers, which sysadmins can use as a guide when deploying browsers in their organizations:
- Browsers must support TLS 1.2 or higher.
- Sysadmins must check whether the list of root CAs needs to be restricted.
- HSTS must be enabled for all websites. Exceptions for special sites and privacy requirements are possible.
- Third-party cookies must not be accepted.
- Plugin execution (Flash, Java, or others) is only allowed after user confirmation (click-to-play).
- Encrypted Media Extensions (EME) must be disabled if they are not needed.
- The autocomplete feature must be disabled.
- Synchronization of data (cookies, history, bookmarks, etc.) with external storage services or locations (cloud) must be disabled.
- Centrally managed settings/configurations must be protected from unauthorized user changes.
- After applying browser updates, admins must check for any browser configuration changes.
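The configuration list above is the kind of thing an admin will want to check mechanically rather than by eye, especially the last item (re-checking the configuration after every update). The script below is an added example, not part of the BSI draft and not vendor tooling: it audits a Firefox enterprise `policies.json` against the decidable items in the list (TLS floor, third-party cookies, EME, autocomplete/form history, cloud sync, locked settings) and then diffs a post-update policy file against a saved baseline to surface drift. The policy key names (`SSLVersionMin`, `Cookies.AcceptThirdParty`, `EncryptedMediaExtensions`, `DisableFormHistory`, `DisableFirefoxAccounts`, `Certificates.ImportEnterpriseRoots`) follow Firefox's enterprise policy templates as the author of this example recalls them and should be verified against the current vendor documentation; both policy documents are constructed sample input. Root-CA restriction and HSTS exceptions are organizational decisions the list leaves to the admin, so they are not checked here.

```python
"""Audit a Firefox policies.json against the BSI configuration items and
detect post-update drift. Added example; policy key names are assumptions
taken from Firefox's enterprise policy templates, not from the BSI draft."""
import json
from typing import Any

# Constructed baseline: a BSI-aligned policies.json as saved before the update.
BASELINE_JSON = """
{
  "policies": {
    "SSLVersionMin": "tls1.2",
    "Cookies": {"AcceptThirdParty": "never", "Locked": true},
    "EncryptedMediaExtensions": {"Enabled": false, "Locked": true},
    "DisableFormHistory": true,
    "DisableFirefoxAccounts": true,
    "DisableTelemetry": true,
    "Certificates": {"ImportEnterpriseRoots": true}
  }
}
"""

# Constructed post-update file: the cookie lock was dropped, EME came back on,
# and sync (Firefox Accounts) was re-enabled. This is the drift the last item warns about.
AFTER_UPDATE_JSON = """
{
  "policies": {
    "SSLVersionMin": "tls1.2",
    "Cookies": {"AcceptThirdParty": "never"},
    "EncryptedMediaExtensions": {"Enabled": true, "Locked": true},
    "DisableFormHistory": true,
    "DisableFirefoxAccounts": false,
    "DisableTelemetry": true,
    "Certificates": {"ImportEnterpriseRoots": true}
  }
}
"""

TLS_RANK = {"tls1": 1, "tls1.1": 2, "tls1.2": 3, "tls1.3": 4}
ABSENT = "<absent>"  # marker for a setting present on only one side of a diff


def check_bsi_config(policy_doc: dict) -> list[str]:
    """Return one finding per BSI configuration item the policy document fails."""
    p = policy_doc.get("policies", {})
    findings: list[str] = []

    # TLS 1.2 or higher: an unknown or missing value ranks as 0 and is flagged.
    if TLS_RANK.get(p.get("SSLVersionMin", ""), 0) < TLS_RANK["tls1.2"]:
        findings.append("SSLVersionMin below tls1.2")

    # Third-party cookies must not be accepted, and a centrally managed setting
    # must be locked so users cannot change it.
    cookies = p.get("Cookies", {})
    if cookies.get("AcceptThirdParty") != "never":
        findings.append("third-party cookies not blocked")
    elif not cookies.get("Locked", False):
        findings.append("third-party cookie setting not locked")

    # EME disabled unless needed; an absent policy means the browser default (enabled).
    eme = p.get("EncryptedMediaExtensions", {})
    if eme.get("Enabled", True):
        findings.append("EME enabled")

    # Autocomplete (form history) disabled.
    if not p.get("DisableFormHistory", False):
        findings.append("autocomplete (form history) not disabled")

    # Cloud synchronization of cookies, history and bookmarks disabled.
    if not p.get("DisableFirefoxAccounts", False):
        findings.append("cloud sync not disabled")

    return findings


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested policy dicts into dotted paths such as policies.Cookies.Locked."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out: dict[str, Any] = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def config_drift(baseline_doc: dict, current_doc: dict) -> dict[str, tuple]:
    """Map each dotted path whose value changed since the baseline to
    (baseline_value, current_value); a side where the key is missing reads ABSENT."""
    base, cur = flatten(baseline_doc), flatten(current_doc)
    return {
        key: (base.get(key, ABSENT), cur.get(key, ABSENT))
        for key in sorted(base.keys() | cur.keys())
        if base.get(key, ABSENT) != cur.get(key, ABSENT)
    }


def audit(baseline_json: str, current_json: str) -> dict:
    """Run both checks on the post-update file; intended to be run after every update."""
    baseline, current = json.loads(baseline_json), json.loads(current_json)
    return {"findings": check_bsi_config(current), "drift": config_drift(baseline, current)}


if __name__ == "__main__":
    report = audit(BASELINE_JSON, AFTER_UPDATE_JSON)
    for finding in report["findings"]:
        print("FAIL:", finding)
    for path, (before, after) in report["drift"].items():
        print(f"DRIFT: {path}: {before!r} -> {after!r}")
```

In practice the baseline is the policy file committed to configuration management, and the "current" file is read from the installed browser's policy directory after each update; a non-empty drift map is the signal to re-apply the managed configuration.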