Germany is mandating the use of secure, modern web browsers across government networks with a proposal for minimum standards currently open to consultation.
The Federal Office for Information Security (BSI) released a draft set of minimum standards in July. The agency hopes that the standards will bolster governmental cyber-resilience and better protect sensitive data. Leading browsers incorporate multiple features that block or mitigate a variety of common web-based attacks.
The proposed standard covers both desktop and mobile browsers, whereas previous security guidance only applied to desktop browsers on government PCs and workstations.
Following the consultation, the BSI expects the minimum standard to be mandated across government systems. The move will bar federal employees from using non-compliant browsers, such as the now-deprecated Internet Explorer, on government business.
Most of the security and privacy technologies prescribed by the BSI are already available in modern browsers. These include support for X.509 certificates, encrypted connections to the server, and support for HSTS (HTTP Strict Transport Security).
Browsers also need to support a mechanism for automatic updates, with updates only carried out if an integrity check is successful. And they must implement a same-origin policy (SOP), so that documents and scripts cannot access resources, such as text and graphics, from other websites.
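To make the HSTS requirement concrete, here is an added example (not code from the article, the BSI or any browser vendor) that models what a browser does with a Strict-Transport-Security header: parse it, cache the policy per host, and decide whether a plain http:// request must be upgraded. It assumes the header format defined in RFC 6797 and uses constructed host names and timestamps.

```javascript
// Added example, not the article's code: a minimal model of how a browser
// applies HSTS (assumes the RFC 6797 header format; no network access).
// Parse a Strict-Transport-Security header value into its directives.
// Returns null if max-age is missing or malformed: a browser ignores it.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const [rawName, rawValue] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const value = (rawValue || '').trim().replace(/^"|"$/g, '');
      if (!/^\d+$/.test(value)) return null;
      result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  return result.maxAge === null ? null : result;
}

// In-memory HSTS cache keyed by host, as a browser keeps one.
class HstsCache {
  constructor() { this.entries = new Map(); }
  // Record a header received over HTTPS from `host` at time `nowMs`.
  // max-age=0 removes the host's entry, as the RFC requires.
  record(host, headerValue, nowMs) {
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.entries.delete(host); return true; }
    this.entries.set(host, { expires: nowMs + policy.maxAge * 1000,
                             includeSubDomains: policy.includeSubDomains });
    return true;
  }
  // Should an http:// request to `host` be rewritten to https://?
  // Walks from the exact host up through its parent domains.
  shouldUpgrade(host, nowMs) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry || entry.expires <= nowMs) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}
```

Note that a real browser also ignores the header when it arrives over plain HTTP or with a certificate error; that check sits outside this model.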
‘Very encouraging’
“The minimum standards being put forward by the BSI are very encouraging,” Simon Backwell, information security manager at Benefex and a member of the ISACA Emerging Trends Working Group, told The Daily Swig.
“Many of these standards are already what companies look for in software, so to extend them to browsers too ensures that organizations, especially government agencies or private sector companies within Germany, consider all aspects of their working environments. Most, if not all, modern browsers meet the standards, so there should be limited impact for organizations running these.”
And, as many browsers are based on the same core code – from Google’s open source Chromium project – government agencies will find it easy to comply.
“All modern browsers are already very secure (ignoring privacy), with most of them sharing the exact same engine and therefore sharing the same security features and encryption capabilities,” Tarquin Wilton-Jones, a developer and security expert at browser company Vivaldi, told The Daily Swig.
“In general, browsers have been at the forefront of making secure connections, and implementing security features such as sandboxing.”
The move is, he added, aimed more at improving security in government IT than at changing the way browsers are designed. However, he cautioned that browsers which do not let users turn off telemetry or vendor tracking could run into compliance issues.
Interested parties in Germany have until 19 August to respond to the consultation.
Source: https://portswigger.net/daily-swig/germany-to-mandate-minimum-security-standards-for-web-browsers-in-government