Germany’s standards on modern secure browsers

Soon, Germany’s cybersecurity agency will release a new set of standards that a browser must comply with in order to be considered secure.

At the time of writing, the guidelines are still in the works, but once they’re ready, they will be used as the basis for advising government agencies and private sector companies on what kind of browsers are safe to use.

The first version was available in 2017; the new version is in the works to cover topics such as Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS), Content Security Policy (CSP) 2.0, telemetry handling and so forth.

In any case, here is a short list of the requirements:

– TLS must be supported

– Automatic updates are a must

– The password manager is required to store passwords in encrypted form

– Users should have the option of deleting cookies, browsing and auto-complete history

– Extended Validation (EV) certificates must be supported

– Cybersecurity flaws must be responded to and fixed within 21 days of discovery

– Web pages are required to be isolated in separate processes

– The browser should use the operating system’s memory protection functionality

Prior to release, these guidelines will go through a public debate to fine-tune them further. As was the case back in 2017, the agency will release a document detailing which of the available browsers tick all the boxes. Although the 2017 document can still be found floating around today, its contents are no longer up to date.