APP.1.2 Web Browsers
Description
Introduction
Web browsers are application programs that can retrieve, process, display, output, and store (hypertext) documents, images, video, audio, and other data formats from the Internet on local IT systems. Web browsers can also transmit data to the Internet.
Stationary and mobile clients today are unimaginable without web browsers, because many private and business applications use corresponding content. At the same time, the content available on the Internet is becoming ever more diverse. Most websites use embedded videos, animated elements, and other active content. Modern web browsers also cover a wide range of additional functions by incorporating plug-ins and external libraries. In addition, there are extensions for specific functions, data formats, and content. The complexity of modern web browsers provides high potential for serious conceptual errors and software vulnerabilities. It not only increases the possible dangers of attacks from the Internet, but also harbors additional risks from programming and operating errors.
The risks to the confidentiality and integrity of data are considerable. The availability of the entire IT system is also threatened by such vulnerabilities. Internet content must therefore be regarded as fundamentally untrustworthy from the perspective of the web browser.
Objective
The objective of this building block is to describe security requirements for web browsers deployed on clients, i.e., on stationary and mobile IT systems as well as on tablets and smartphones.
Scope and Modeling
The building block APP.1.2 Web Browsers is to be applied once to each web browser.
It contains fundamental security requirements that must be observed and met when installing and operating web browsers for access to data from the Internet.
Web browsers are one of the most frequently used applications. They access unchecked, potentially harmful data on the Internet and thus represent a gateway for attacks, often with the aim of spreading further to the operating system. In order to secure the operating systems, the requirements of the building blocks in layers SYS.2 Desktop Systems and SYS.3.2 Tablets and Smartphones SHOULD therefore be met.
Web applications used with browsers and the responsible servers are addressed in the building blocks APP.3.1 Web Applications and Web Services and APP.3.2 Web Servers.
General requirements for the secure use of software are not included in this building block. They are found in the building block APP.6 General Software, which is to be applied in addition to this building block.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.1.2 Web Browsers.
Execution of Malicious Code via Web Browsers
Web browsers regularly download data from untrusted sources. Such data can contain executable malicious code that can exploit vulnerabilities and infect the Users’ IT system without their knowledge.
This can be code that can be executed directly by the web browser, such as JavaScript or WebAssembly. It can also be executable code from a plug-in or extension in the context of the browser, such as Java or components of PDF documents. Finally, it can also be code that is downloaded by the web browser to the client and executed there outside the browser process. If the fundamental protection mechanisms of modern web browsers are not applied sufficiently, the confidentiality, integrity, or availability of information or services on the client or possibly even the networks connected to it are threatened.
Exploit Kits
Vulnerability lists and so-called exploit kits greatly facilitate the development of individual malware. Cyberattacks can be automated to easily exploit drive-by downloads or other means of distribution without requiring expert knowledge. Attackers can exploit known vulnerabilities in web browsers, connected resources, or extensions to prepare follow-up attacks or to download and install malicious code on clients. Often, the malicious code loaded onto clients in this way downloads further malware, which is then executed on the clients with the Users’ privileges.
Interception of Internet Communications
The fundamental security of communication on the Internet depends substantially on the authentication method used and on the encryption of data in transit.
Faulty implementations of the corresponding procedures are possible and can undermine effective authentication and encryption. Many web services also still offer outdated encryption methods. During an attack, server authentication can thus be undermined, or the communication or the data may not be effectively encrypted. This can allow information to be read or modified in transit. In the past, certification authorities have also been compromised, allowing attackers to obtain certificates for third-party websites.
Loss of Integrity in Web Browsers
If web browsers, plug-ins, or extensions are obtained from untrusted sources, malicious functions can be executed unintentionally and undetected. Attackers can, for example, fake browser components such as toolbars to lure Users to manipulated copies of web pages, using them to carry out phishing attacks. Malicious extensions can manipulate the content of the web pages being viewed or spy on data and send it to the attackers.
Loss of Privacy
If web browsers are configured insecurely, confidential data can accidentally or maliciously be made accessible to unauthorized third parties. Passwords can also be disclosed inadvertently. If cookies, passwords, histories, form inputs, and search queries are stored, or if unnecessary extensions are enabled, this data can more easily be read and misused by third parties or malware.
Requirements
The following are the specific requirements of the building block APP.1.2 Web Browsers. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
APP.1.2.A1 Use of Basic Security Mechanisms (B)
The web browser used MUST ensure that each instance and each processing thread can only access its own resources (sandboxing). Web pages MUST be isolated from each other as independent processes or at least as separate threads. Plug-ins and extensions MUST also be executed in isolated areas.
The web browser used MUST implement the Content Security Policy (CSP). The highest CSP level currently specified SHOULD be supported.
The browser MUST support measures for the Same-Origin Policy and Subresource Integrity.
APP.1.2.A2 Support for Secure Encryption of Communications (B)
The web browser MUST support Transport Layer Security (TLS) in a secure version. Connections to web servers MUST be encrypted with TLS if this is supported by the web server. Insecure versions of TLS SHOULD be disabled. The web browser MUST support and use the security mechanism HTTP Strict Transport Security (HSTS) in accordance with RFC 6797.
APP.1.2.A3 Use of Trustworthy Certificates (B)
If the web browser provides its own list of trusted root certificates, it MUST be ensured that only IT Operations can modify this list. If this is not possible through technical measures, Users MUST be prohibited from modifying this list. Furthermore, it MUST be ensured that the web browser can revoke certificates locally.
The web browser MUST fully verify the validity of server certificates using the public key and taking into account the validity period. The revocation status of server certificates MUST also be checked by the web browser. The certificate chain including the root certificate MUST be verified.
The web browser MUST display clearly and visibly to Users whether the communication is occurring in plain text or encrypted. The web browser SHOULD be able to display the server certificate used to Users on request. The web browser MUST signal to Users when certificates are missing, invalid, or revoked. In this case, the web browser MUST abort the connection until Users have explicitly confirmed this.
APP.1.2.A4 DISCONTINUED (B)
This requirement has been discontinued.
APP.1.2.A6 Password Management in the Web Browser (B)
If a password manager is used in the web browser, it MUST establish a direct and unambiguous relationship between the website and the password stored for it. The password store MUST store passwords in encrypted form. It MUST be ensured that the passwords stored in the password manager can only be accessed after entering a master password. Furthermore, it MUST be ensured that the authentication for password-protected access is only valid for the current session.
IT Operations MUST ensure that the browser used gives Users the ability to delete stored passwords.
APP.1.2.A13 Use of DNS-over-HTTPS (B)
The institution MUST decide whether the browsers used should use DNS-over-HTTPS (DoH). The browsers MUST be configured according to this decision.
If an internal DNS resolver is used, it MUST also be used by the browser.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.
APP.1.2.A5 DISCONTINUED (S)
This requirement has been discontinued.
APP.1.2.A7 Data Minimization in Web Browsers (S) [Users]
Cookies from third-party institutions SHOULD be rejected by the web browser. Stored cookies SHOULD be deletable by Users.
The autocomplete function for data SHOULD be disabled. If the function is nevertheless used, Users SHOULD be able to delete this data. Users SHOULD also be able to delete the browser history.
If available, synchronization of the web browser with cloud services SHOULD be disabled. Telemetry functions as well as the automatic sending of crash reports, URL inputs, and search queries from within the institution or to external parties SHOULD be disabled as far as possible.
Peripheral devices such as microphones or webcams, as well as location permissions, SHOULD only be activated for websites where they are absolutely necessary. The browser SHOULD offer a way to configure or disable WebRTC, HSTS, and JavaScript.
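A practitioner verifying A2, A6, A7 and A13 in a managed Firefox deployment can audit the enterprise policies.json offline. The following script is an added example, not part of the BSI building block; it assumes the real Firefox enterprise policy keys named in the code (SSLVersionMin, PrimaryPassword, Cookies, DisableFormHistory, DisableFirefoxAccounts, DisableTelemetry, Permissions, DNSOverHTTPS), and the sample policy it audits is constructed with deliberate gaps.

```python
"""Offline audit of a Firefox policies.json against APP.1.2 A2, A6, A7, A13."""
import json

# Constructed sample policy with deliberate gaps so the audit has something
# to report; not taken from any real deployment. Key names are real Firefox
# enterprise policy names, the values are illustrative.
SAMPLE_POLICIES = json.dumps({"policies": {
    "SSLVersionMin": "tls1.1",                  # A2: still permits TLS 1.1
    "PrimaryPassword": True,                    # A6: master password enforced
    "Cookies": {"Behavior": "reject-foreign"},  # A7: third-party cookies rejected
    "DisableFormHistory": True,                 # A7: autocomplete off
    "DisableFirefoxAccounts": False,            # A7: cloud sync still possible
    "DisableTelemetry": True,                   # A7: telemetry off
    "Permissions": {"Camera": {"BlockNewRequests": True}},  # A7: mic/location unset
    "DNSOverHTTPS": {"Enabled": True, "Locked": True},      # A13: decision locked
}})


def audit_policies(policy_json: str) -> dict:
    """Return {requirement-id: finding} for every failed check ({} = all pass)."""
    p = json.loads(policy_json).get("policies", {})
    findings = {}
    # A2: insecure TLS versions SHOULD be disabled (TLS 1.2 as the minimum)
    if p.get("SSLVersionMin") not in ("tls1.2", "tls1.3"):
        findings["A2"] = "SSLVersionMin permits TLS versions below 1.2"
    # A6: stored passwords only accessible after entering a master password
    if p.get("PrimaryPassword") is not True:
        findings["A6"] = "PrimaryPassword is not enforced"
    # A7: third-party cookies, autocomplete, cloud sync, telemetry, devices
    cookies = p.get("Cookies", {})
    if (cookies.get("Behavior") != "reject-foreign"
            and cookies.get("AcceptThirdParty") != "never"):
        findings["A7-cookies"] = "third-party cookies are not rejected"
    if not p.get("DisableFormHistory"):
        findings["A7-autocomplete"] = "form autocomplete is not disabled"
    if not p.get("DisableFirefoxAccounts"):
        findings["A7-sync"] = "cloud synchronization is not disabled"
    if not p.get("DisableTelemetry"):
        findings["A7-telemetry"] = "telemetry is not disabled"
    perms = p.get("Permissions", {})
    open_devices = [d for d in ("Camera", "Microphone", "Location")
                    if not perms.get(d, {}).get("BlockNewRequests")]
    if open_devices:
        findings["A7-devices"] = "new requests allowed for: " + ", ".join(open_devices)
    # A13: the institution's DoH decision MUST be configured and locked
    doh = p.get("DNSOverHTTPS")
    if not isinstance(doh, dict) or "Enabled" not in doh or not doh.get("Locked"):
        findings["A13"] = "DNSOverHTTPS decision is not configured or not locked"
    return findings
```

Run it against the sample and it reports A2, A7-sync and A7-devices; an empty findings dict means every implemented check passes.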
APP.1.2.A8 DISCONTINUED (S)
This requirement has been discontinued.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.
APP.1.2.A9 Use of an Isolated Web Browser Environment (H)
The institution SHOULD use specially hardened, isolated browser environments, such as ReCoBS or virtualized instances.
APP.1.2.A10 Use of Private Mode (H) [Users]
If there are elevated requirements regarding confidentiality, the web browser SHOULD be run in so-called private mode so that no information or content is permanently stored on the Users’ IT system. The browser SHOULD be configured so that local content is deleted when it is closed.
APP.1.2.A11 Checking for Malicious Content (H)
Accessed internet addresses SHOULD be checked by the web browser for potentially malicious content. The web browser SHOULD warn Users if there is information about malicious content. A connection classified as harmful SHOULD NOT be accessible. The checking method used MUST NOT violate data protection or confidentiality requirements.
APP.1.2.A12 Two-Browser Strategy (H)
In the event of unresolved security problems with the web browser in use, an alternative browser based on a different platform SHOULD be installed to serve as a fallback for Users.
Additional Information
Good to Know
- BSI Publication on Cyber Security BSI-CS 047: “Protection options when using web browsers”
- BSI minimum standard for the use of the SSL/TLS protocol by federal authorities pursuant to Section 8(1) sentence 1 BSIG
- BSI minimum standard for web browsers pursuant to Section 8(1) sentence 1 BSIG
- Common Criteria Protection Profile for Remote-Controlled Browsers Systems (ReCoBS): BSI-PP-0040
The minimum standards must be implemented by the bodies of the federal administration referred to in Section 8(1) sentence 1 BSIG.