Germany to impose minimum security standards for web browsers in government


Lesser-known browsers and outdated ones such as Internet Explorer will be off limits on government systems.

Germany is set to mandate the use of secure, modern web browsers on government networks, with a proposal for minimum standards currently open for consultation.

The Federal Office for Information Security (BSI) published a draft set of minimum standards in July. The agency hopes the standards will strengthen government cyber resilience and better protect sensitive data. Major browsers already incorporate several features that block or mitigate a variety of common web attacks.

The proposed standard covers both desktop and mobile browsers, whereas the previous guidelines applied only to desktop browsers on PCs and government workstations.


Following the consultation, BSI expects the minimum standard to become mandatory across all federal government systems. The move will prevent federal employees from using non-compliant browsers, such as the now-obsolete Internet Explorer, for government business.

Most of the security and privacy technologies the BSI prescribes are already available in modern browsers. These include support for X.509 certificates, TLS-encrypted connections to servers, and HSTS (HTTP Strict Transport Security), which makes a browser refuse to talk to a site over plain HTTP once that site has declared itself HTTPS-only.

Browsers must also support an automatic update mechanism, with an update applied only after an integrity check on the downloaded package passes. And they must implement the same-origin policy (SOP), so that a document or script from one origin cannot read resources, such as text and graphics, served by another origin.

“Very encouraging”

“The minimum standards proposed by the BSI are very encouraging,” Simon Backwell, head of information security at Benefex and a member of ISACA’s Emerging Trends Task Force, told The Daily Swig.

“Many of these standards are already what companies look for in software, so extending them to browsers as well ensures that organizations, especially government agencies or private sector companies in Germany, consider all aspects of their environment. Most, if not all, modern browsers meet the standards, so there should be limited impact to organizations running them.

And, since many browsers are built on the same core code, Google’s open source Chromium project, government agencies should find it easy to comply.


“All modern browsers are already very secure (privacy ignorant), with most of them sharing the exact same engine and therefore sharing the same security features and encryption capabilities,” Tarquin Wilton-Jones, a developer and security expert at browser maker Vivaldi, told The Daily Swig.

“Browsers in general have been at the forefront of establishing secure connections and implementing security features such as sandboxing.”

The move, he added, is more about improving the security of government computing than about changing how browsers are designed. However, he warned that some browsers do not let users opt out of telemetry or vendor tracking data, which could lead to compliance issues.

Interested parties in Germany have until August 19 to respond to the consultation.


