A recent audit carried out by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), one of Germany’s cyber-security agencies, ranked Mozilla’s Firefox browser as the most secure one to date.
During its audit, the agency tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. Other browsers such as Safari, Brave, Opera, and Vivaldi were not tested.
The audit was carried out using rules detailed in a guideline for “modern secure browsers” that the BSI published last month, in September 2019. The BSI also uses the same guideline to advise government agencies and private-sector companies on which browsers are safe to use.
The German cyber-security agency published a first secure browser guideline in 2017, but reviewed and updated the specification over the summer.
Key features the BSI examined under its guideline included security measures added to modern browsers, such as HSTS (a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking), SRI (which allows web developers to ensure that resources hosted on third-party servers have not been tampered with), CSP 2.0, telemetry handling, and improved certificate handling mechanisms.
BSI’s audit findings ranked Firefox as the most secure browser, one that supported all the minimum requirements.
According to the BSI’s new guide, to be considered “secure,” a modern browser must satisfy these minimum requirements:
- Must support TLS
- Must have a list of trusted certificates
- Must support extended validation (EV) certificates
- Must verify loaded certificates against a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP)
- The browser must use icons or color highlights to show when communications to a remote server are encrypted or in plaintext
- Connections to remote websites running on expired certificates must be allowed only after specific user approval
- Must support HTTP Strict Transport Security (HSTS) (RFC 6797)
- Must support Same Origin Policy (SOP)
- Must support Content Security Policy (CSP) 2.0
- Must support Sub-resource integrity (SRI)
- Must support automatic updates
- Must support a separate update mechanism for crucial browser components and extensions
- Browser updates must be signed and verifiable
- Browser’s password manager must store passwords in an encrypted form
- Access to the browser’s built-in password vault must be allowed only after the user has entered a master password
- User must be able to delete passwords from the browser’s password manager
- Users must be able to block or delete cookie files
- Users must be able to block or delete auto-complete history
- Users must be able to block or delete browsing history
- Organization admins must be able to configure or block browsers from sending telemetry/usage data
- Browsers must support a mechanism to check for harmful content/URLs
These are only some of the requirements. To find out more about the other minimum browser requirements, check out this post via ZDNet.
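To make the SRI requirement in the list above concrete, here is an added example (not part of the original article or of the BSI guideline) that models in Node.js how a browser evaluates an `integrity` attribute against the bytes it fetched. The function names `parseIntegrity`, `integrityFor` and `verifySri` and the two sample scripts are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hash algorithms SRI defines, ordered weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Split an integrity attribute into {alg, digest} entries.
// Tokens with an unsupported algorithm or a malformed digest are ignored.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: m[2] });
  }
  return entries;
}

// Build the integrity value a site operator would publish for `body`.
function integrityFor(alg, body) {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// True when the fetched bytes may be used under the given integrity attribute.
function verifySri(attr, body) {
  const entries = parseIntegrity(attr);
  // No usable metadata means no check is enforced: a mistyped algorithm
  // name silently disables SRI, so validate attributes at build time.
  if (entries.length === 0) return true;
  // Only the strongest algorithm present is considered, so a weaker hash
  // listed next to a stronger one cannot be used to pass the check.
  const rank = (e) => STRENGTH.indexOf(e.alg);
  const top = Math.max(...entries.map(rank));
  return entries
    .filter((e) => rank(e) === top)
    .some((e) => integrityFor(e.alg, body) === `${e.alg}-${e.digest}`);
}

// Constructed sample resources (not taken from the article).
const original = Buffer.from('console.log("library v1");\n');
const tampered = Buffer.from('console.log("library v1, modified");\n');

console.log(verifySri(integrityFor('sha384', original), original));
console.log(verifySri(integrityFor('sha384', original), tampered));
```

A browser without SRI support skips this comparison entirely, which is why the guideline lists it as a minimum requirement.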
Based on BSI’s audit findings, Firefox was the only browser that supported all the above requirements, making it the most secure compared to the other web browsers, which failed in various areas, including:
- Lack of support for a master password mechanism (Chrome, IE, Edge)
- No built-in update mechanism (IE)
- No option to block telemetry collection (Chrome, IE, Edge)
- No SOP (Same Origin Policy) support (IE)
- No CSP (Content Security Policy) support (IE)
- No SRI (Subresource Integrity) support (IE)
- No support for browser profiles, different configurations (IE, Edge)
- Lack of organizational transparency (Chrome, IE, Edge)
It should be noted that Firefox has been found to have various vulnerabilities from time to time, but Mozilla has continuously worked hard towards making it safer, better and more secure for users who are conscious about who has access to their data.
Do you think Firefox is the most secure browser? Let’s hear your opinions in the comment section.
Author: Allan Bangirana