Germany's Cybersecurity Agency Recommends Firefox As Most Secure Browser (arstechnica.com)
An anonymous reader quotes a report from ZDNet: Firefox is the only browser that received top marks in a recent audit carried out by Germany's cyber-security agency -- the German Federal Office for Information Security (or the Bundesamt fur Sicherheit in der Informationstechnik -- BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi. The audit was carried out using rules detailed in a guideline for "modern secure browsers" that the BSI published last month, in September 2019. The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use. The article includes a list of all the minimum requirements required for the BSI to consider a browser "secure." It also lists the areas where the other browsers failed, such as: Lack of support for a master password mechanism (Chrome, IE, Edge); No built-in update mechanism (IE), and No option to block telemetry collection (Chrome, IE, Edge).
Re:Too few audited (Score:5, Insightful)
How many of them are actually different, and not just a different UI on the same engine?
Re: (Score:3)
What does the UI have to do with security?
Re: (Score:2)
What does the UI have to do with security?
The UI shows whether encryption is used, certs are valid, enforces SOP / HSTS / etc, applies updates, implements the password manager, sets JS policies, handles deleting history... I'd say the UI has more threat vectors than the rendering engine.
Re: (Score:2)
But doesn't actually do any of the security stuff.
Re: (Score:2)
There is more to a browser than just the UI and the engine. Incidentally a large number of UI based exploits are used by malware to do things like prevent you from closing a browser, prevent the thread dying while you're mining bitcoin for a pedo etc.
Re: (Score:2)
I care more about the UI than the rendering engine as that is what I see and interact with.
Everything that the UI does is only relevant because of what it configures the underlying engine to do, or some information that comes from it, which is about a lot more than rendering.
Re: (Score:3, Interesting)
You can build the same program from the same exact source code and have differing levels of security. Just by way of a single example, one vendor may build with the -fstack-protector flag to gcc and the other with -fno-stack-protector, and even though they are using the exact same source code (if all other build options are identical) the vendor who builds with -fstack-protector will be the deterministically more secur
Re: (Score:1)
"How many of them are actually different, and not just a different UI on the same engine?"
You can build the same program from the same exact source code and have differing levels of security.
While what you said is true, it doesn't address the question even slightly.
Re: (Score:1)
I showed you that you were wrong,
No, you didn't. You didn't provide any evidence that anyone was actually changing build options as you suggest, or that it was actually relevant to security outcomes. You just ran your suck without substance, like always.
Re: (Score:1)
We now know that you have no idea how the software build process works.
... and that you don't understand what enabling and disabling the stack protector means.
Oh, and you were so close too! What you really meant to say was you don't understand what I said and you think it is my job to teach you about
Re: (Score:1)
We now know that you have no idea how the software build process works.
I've built lots of software, but thanks for playing.
... and that you don't understand what enabling and disabling the stack protector means.
Apparently you don't know that there are other means of stack protection, but thanks for playing.
Oh, and you were so close too! What you really meant to say was you don't understand what I said
I understand you know a whole lot less about this than you think you do, but thanks for playing.
TL;DR: Thanks for playing.
Re: (Score:1)
So now your claim is that you knew all along that one doesn't "change" build options but were lying. OK.
Re: (Score:2)
So now your claim is that you knew all along that one doesn't "change" build options but were lying. OK.
No, your claim is that I was lying. My claim is that you are a dumbshit. I offer as evidence your entire posting history.
Re: (Score:1)
There are two browsers: Webkit and Lynx.
I'm at risk of Poe's Law in claiming that, so I'll specify I'm joking.
Re: (Score:3)
From the "Comparison of web browsers"
https://en.wikipedia.org/wiki/... [wikipedia.org]
Go down the list. Note terms like "Blink" and "Gecko" get used a lot...
No master password? (Score:1)
Chrome has a master password feature. I'm starting to doubt their ability now, although Firefox is the right choice for security.
Re: No master password? (Score:2)
Please explain why this is stupid. I honestly don't know.
Re: (Score:2)
(insert Spaceballs luggage combination joke here)
Re:No master password? (Score:4, Informative)
Firefox for privacy, probably, for security, not so sure.
Firefox has consistently fared worse than Chrome in pwn2own exploit competitions. On the bright side, things are improving, it was terrible a few years ago.
Re: No master password? (Score:2)
You mean it requires to type in the windows password? That is what Chrome help says on the web as of today. I guess the BSI forgot to mention: The windows password isn't enough, because it leaves the user with one password not only to mess with the OS, but to gain access to all passwords as well.
Or is there another feature out of the box, that I am not aware of, that doesn't require a plugin or an undocumented/unsupported feature?
Re: (Score:2)
No, that's it, just the Windows password.
Re: (Score:2)
Chrome has a master password feature. I'm starting to doubt their ability now, although Firefox is the right choice for security.
You are incorrect. Chrome stores passwords on Google's servers using Google account credentials or it uses the local OS keychain facility.
There is no master password.
Re: (Score:3)
Am I misunderstanding something?
As was demonstrated with Multics, the key to security is to NOT have a single all-powerful userid, like root.
This prevents a single attacker from breaching other user accounts and overwriting log files.
Re: (Score:3)
On Windows Chrome uses the Windows password to protect your saved credentials in the browser. In order to view them you must enter your Windows password. The database file is also encrypted with it.
If they have your Windows password you are probably screwed anyway.
Re: (Score:2)
That is incorrect. If you enable encryption for cloud synced credentials then it encrypts the data locally with a hash of your Google account password. A different hash to the one they use to check your log-in details, which is the bit they store on their servers (not the plaintext).
Locally the data is encrypted on disk and requires local account authentication to view.
Re: (Score:2)
That is incorrect. If you enable encryption for cloud synced credentials then it encrypts the data locally with a hash of your Google account password. A different hash to the one they use to check your log-in details, which is the bit they store on their servers (not the plaintext).
Encrypted passwords are *STORED* on Google's servers.
Encrypted passwords are unlocked with your Google account password.
Google does NOT use a secure authentication protocol. It uses plaintext authentication over TLS.
This different hash bullshit is therefore less than meaningless.
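Added example, not part of any comment in this thread and not Google's or Chrome's actual scheme: the disagreement above turns on what the server sees at login, so this Python example derives a login token and a vault key from one password and checks what a server could rebuild in each case. The KDF parameters, labels, salt and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumed parameters for illustration only; not taken from any real product.
ITERATIONS = 100_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample

def derive_keys(password: str, salt: bytes = SALT) -> tuple[bytes, bytes]:
    """Stretch the password once, then split it into two labelled subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    auth_token = hmac.new(master, b"login", hashlib.sha256).digest()
    vault_key = hmac.new(master, b"vault", hashlib.sha256).digest()
    return auth_token, vault_key

def server_record(auth_token: bytes) -> bytes:
    """What the server stores: a hash of the token, never the token itself."""
    return hashlib.sha256(auth_token).digest()

def server_login_ok(record: bytes, presented_token: bytes) -> bool:
    """Constant-time check of a presented token against the stored record."""
    return hmac.compare_digest(record, hashlib.sha256(presented_token).digest())

def server_rebuilds_vault_key(seen_at_login, vault_key: bytes) -> bool:
    """Can the server reproduce the vault key from what the client sent?"""
    if isinstance(seen_at_login, str):
        # Password sent as-is inside TLS: the server can run the same KDF.
        return hmac.compare_digest(derive_keys(seen_at_login)[1], vault_key)
    # Only the derived token was sent. The obvious guesses (use it directly,
    # or re-label it) do not yield the vault key; short of guessing the
    # password, getting from the token to the master means inverting HMAC.
    guesses = (seen_at_login,
               hmac.new(seen_at_login, b"vault", hashlib.sha256).digest())
    return any(hmac.compare_digest(g, vault_key) for g in guesses)

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample
    token, vault_key = derive_keys(password)
    return {
        "login_ok": server_login_ok(server_record(token), token),
        "token_only": server_rebuilds_vault_key(token, vault_key),
        "plaintext_password": server_rebuilds_vault_key(password, vault_key),
    }

if __name__ == "__main__":
    print(demo())
```

Separate labels only keep the vault key away from the server when the password itself never leaves the client; a weak password can still be guessed offline from the stored record.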
Re: (Score:2)
But for example you can't view your encrypted passwords on the web, only in Chrome. So while Google does have an encrypted copy it doesn't appear to have the ability to actually decrypt them.
Re: (Score:2)
But for example you can't view your encrypted passwords on the web, only in Chrome.
Why does this matter? What difference does it make?
Someone just has to install Chrome and log in to their victim's Google account in order to get access to all of their victim's account passwords they use everywhere.
Or some nameless government asks Google for any "tangible thing". Specifically stored "encrypted" passwords and password cleartext transmitted to Google during next user login.
With Firefox master password does one and only one thing. It protects password database. If your system/credentials ar
"Here are your winnings, sir" (Score:1)
What, Microsoft and Google didn't bri...um, entice them to pick their brands? Those two are slipping.
Biased? (Score:1)
has the most hidden security holes... (Score:2)
Wait, IE gets dinged for how it updates? (Score:2)
Re: (Score:2)
That's a Windows problem, not an Edge problem.
Re: (Score:2)
Microsoft are supposed to be releasing Edge for Mac and Linux in the future, that point will not be applicable on those OS.
"Most secure browser" (Score:2)
Okay, so Firefox is not really "The most secure browser". It's just "the most secure browser out of those we tested, which excluded one used by millions of people".