Firefox is the only web browser proposed by the German Federal Office for Information Security (BSI) following its research (the German Federal Office for Information Security or the Bundesamt für Sicherheit in der Informationstechnik - BSI).
BSI performed checks on Mozilla Firefox 68 (ESR) applications, Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not contain any other browsers such as Safari, Brave, Opera or Vivaldi.
The audit was conducted in a manner described in detail in a guideline (PDF) for "modern secure browsers" released by BSI last month in September on 2019.
BSI usually uses this guide to guide government agencies and private companies in which browsers are safe to use.
According to the new BSI guide, to be considered "safe", a modern browser must meet the following minimum requirements:
- Must support TLS
- Must have a list of trusted certificates - Must support Extended Validation Certificates (EV)
- Must verify loaded certificates with a Certificate Revocation List (CRL) or Certificate Status Protocol (OCSP)
- The browser must use icons or primary colors to indicate whether communication with a remote server is encrypted or in plain text format. Links to remote sites running with expired certificates should only open after users have approved them
- Must support HTTP Strict Transport (HSTS) security (RFC 6797)
- It must support the same source policy (SOP) and it must support the 2.0 Content Security Policy (CSP)
- Must support Sub-resource integrity (SRI)
- Must support automatic updates with a separate browser update for critical browser updates and extensions
- Browser updates must be signed and verifiable
- The browser password manager must store the passwords in encrypted form and access to the browser's built-in password function should only be allowed when the user has entered a master password
- The user must be able to clear the passwords from the browser password manager
- Users should be able to block or delete cookie files. Users should be able to block or delete their autocomplete history
- Users should be able to block or delete their browsing history
- Administrators should be able to configure or block browsers from sending telemetry (usage data). Browsers should support the mechanism for controlling harmful content and URLs
- Browsers will allow organizations to have blacklists locally
- They must support a configuration module where users can enable or disable addons, extensions or JavaScript.
- Administrators should be allowed to disable the profile sync features that Cloud uses.
- Must run with minimal permissions on the operating system and must support sandboxing. All elements of the browser should be isolated from each other as well as the operating system. Communication between isolated features can only take place through specified interfaces. It should not be possible to access individual resources directly.
- Websites should be isolated from each other, ideally in the form of stand-alone processes.
- Browsers should be deployed using programming languages that support stack and heap memory protections
- Browsers should use OS memory protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
According to BSI, Firefox is the only browser that supports all of the above. Points where other applications failed:
- Lack of support for a master password (Chrome, IE, Edge)
- No built-in update mechanism (IE)
- There is no option to exclude telemetry
- No SOP (Same Origin Policy) support (IE)
- No CSP (Content Security Policy) support (IE)
- No SRI (Subresource Integrity) support (IE)
- No support for browser profiles, different configurations (IE, Edge)
- Lack of transparency (Chrome, IE, Edge)