Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Firefox Chrome Security The Internet

Germany's Cybersecurity Agency Recommends Firefox As Most Secure Browser (arstechnica.com) 52

An anonymous reader quotes a report from ZDNet: Firefox is the only browser that received top marks in a recent audit carried out by Germany's cyber-security agency -- the German Federal Office for Information Security (or the Bundesamt fur Sicherheit in der Informationstechnik -- BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi. The audit was carried out using rules detailed in a guideline for "modern secure browsers" that the BSI published last month, in September 2019. The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use. The article includes a list of all the minimum requirements required for the BSI to consider a browser "secure." It also lists the areas where the other browsers failed, such as: Lack of support for a master password mechanism (Chrome, IE, Edge); No built-in update mechanism (IE), and No option to block telemetry collection (Chrome, IE, Edge).
This discussion has been archived. No new comments can be posted.

Germany's Cybersecurity Agency Recommends Firefox As Most Secure Browser

Comments Filter:
  • Chrome has a master password feature. I'm starting to doubt their ability now, although Firefox is the right choice for security.

    • They have a repeating history of fails. In first publications they recommended to use MAC address filtering for wireless routers.
      • Please explain why this is stupid. I honestly donât know.

        • Because the attacker WILL BE FORCED to use YOUR MAC addresses (which is always clear text) and you'll not even have a chance that something unusual is logged by accident. It will always look like you attacked yourself.
          • You don't think that two systems both trying to use the same MAC address will have symptoms that tell you something is amiss? It is better to know right away that something is fishy and stop the fire from starting than to figure it out hours or days later and try to sift through the debris.
            • What makes you think anything would be amiss. What happens when Alice snarfs your laptop's MAC address during work hours and uses it to get a foothold on your network after you've taken your laptop home for the night?
              • That is easy and thank you for making my point. There is activity from Alice when she wasn't logged in / at work, and the timestamps isolate the suspicious packets. Again, it is the fact that the same MAC was used that gives it away. If a unique MAC was used then someone might look and say ... someone must have brought a different laptop or got a new phone.
    • by GuB-42 ( 2483988 ) on Thursday October 17, 2019 @05:52PM (#59320610)

      Firefox for privacy, probably, for security, not so sure.
      Firefox has consistently fared worse than Chrome in pwn2own exploit competitions. On the bright side, things are improving, it was terrible a few years ago.

      • yeah I think this says more about the abysmal state of german cybersecurity than the quality of firefox.
    • You mean it requires to type in the windows password? That is what Chrome help says on the web as of today. I guess the BSI forgot to mention: The windows password isnât enough, because it leaves the user with one password not only to mess with the OS, but to gain access to all passwords as well.

      Or is there another feature out of the box, that I am not aware of, that doesnât require a plugin or an undocumented/ unsupported feature?

    • Chrome has a master password feature. I'm starting to doubt their ability now, although Firefox is the right choice for security.

      You are incorrect. Chrome stores passwords on Google's servers using Google account credentials or it uses the local OS keychain facility.

      There is no master password.

      • Am I misunderstanding something

        As was demonstrated with Multics, the key to security is to NOT have a single all-powerful userid, like root

        This prevents a single attacker from breaching other user accounts and overwriting log files

        • by AmiMoJo ( 196126 )

          On Windows Chrome uses the Windows password to protect your saved credentials in the browser. In order to view them you must enter your Windows password. The database file is also encrypted with it.

          If they have your Windows password you are probably screwed anyway.

      • Firefox essentially does not have a master password, either, because shortly after starting Firefox you would be forced to input the master password to use websites and leave it unlocked for the entire session. Chrome just saves you from manual unlocking and at least encrypts the passwords on disk by default. In all imaginable cases, you should always lock the screen, because it is the most reliable method to protect your desktop.
      • by AmiMoJo ( 196126 )

        That is incorrect. If you enable encryption for cloud synced credentials then it encrypts the data locally with a hash of your Google account password. A different hash to the one they use to check your log-in details, which is the bit they store on their servers (not the plaintext).

        Locally the data is encrypted on disk and requires local account authentication to view.

        • That is incorrect. If you enable encryption for cloud synced credentials then it encrypts the data locally with a hash of your Google account password. A different hash to the one they use to check your log-in details, which is the bit they store on their servers (not the plaintext).

          Encrypted passwords are *STORED* on Google's servers.

          Encrypted passwords are unlocked with your Google account password.

          Google does NOT use a secure authentication protocol. It uses plaintext authentication over TLS.

          This different hash bullshit is therefore less than meaningless.

          • by AmiMoJo ( 196126 )

            But for example you can't view your encrypted passwords on the web, only in Chrome. So while Google does have an encrypted copy it doesn't appear to have the ability to actually decrypt them.

            • But for example you can't view your encrypted passwords on the web, only in Chrome.

              Why does this matter? What difference does it make?

              Someone just has to install chrome and login to their victims Google account in order to get access to all of their victims account passwords they use everywhere.

              Or some nameless government asks Google for any "tangible thing". Specifically stored "encrypted" passwords and password cleartext transmitted to Google during next user login.

              With Firefox master password does one and only one thing. It protects password database. If your system/credentials ar

    • by AHuxley ( 892839 )
      An ad company likes ads. Their "free" browser product is the way of showing ads and ensuring ads get seen...
  • What, Microsoft and Google didn't bri...um, entice them to pick their brands? Those two are slipping.

  • Publishes guidelines, audits according to own guidelines.
  • they have the tools for to exploit.
  • Yeah, IE sucks, but it and it's automatic updater are part of Windows. Why should it get a lower score because the update mechanism is part of the operating system instead of being part of the browser? No reason, that's why.
    • Automatic update is a vulnerability, not a security feature.
  • The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi.

    Okay, so Firefox is not really "The most secure browser". It's just "the most secure browser out of those we tested, which excluded one used by millions of people".

No spitting on the Bus! Thank you, The Mgt.

Working...