Google continues to add security features to Chrome, which is by far the most widely used browser in the world. Yet only Mozilla Firefox meets the German government’s security requirements, as it recently revealed. Is that justified? And aren’t there enough alternatives that also value privacy more than the most well-known browsers?

The Bundesamt für Sicherheit in der Informationstechnik (BSI), part of the German Federal Ministry of the Interior, laid out some concrete security requirements. The BSI tested both the desktop and mobile variants of Firefox, Chrome, Edge and Safari against this yardstick. Since the German government provides non-binding advice on secure web usage with the new document, other organizations can also draw meaningful conclusions from it. The government body looked primarily at the extent to which the browser can protect internet users. After all, web usage is inherently risky, so it is up to software to mitigate said risk. Privacy is not considered too extensively in the analysis.

The fact the BSI examined only the best-known browsers shouldn’t be too surprising. More than 8 in 10 internet visitors use one of the aforementioned options, with Chrome the clear leader (boasting a massive 65 percent market share). As a result, while there are alternative browsers that we’ll come back to later, the focus is on the software that people actually use.

Google Chrome: a secure browser, but privacy is an issue

Google is constantly working on new security features for Chrome. As a result, it meets numerous criteria such as support for Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security (HSTS) and has regular updates. It is always the first to receive security updates added to Chromium, which is the foundation for both Chrome and many other browsers.

That’s not to say that Chrome passes the BSI checklist flawlessly. For example, administrators cannot centrally disable Encrypted Media Extensions (EME) within an organization and replace them with a more secure alternative. Also, websites that are only partially secure (“mixed content,” with partial use of cleartext HTTP in addition to the more secure HTTPS) are not directly identifiable as such in the address bar. Only when a URL is copied and pasted elsewhere is the lack of complete security shown. Also, certificates can only be managed after configuring them and are not revocable from the local device.

The security of a browser can be defined in different ways. Regardless, privacy is an important consideration for many when choosing a browser. Here, the BSI mostly highlights tracking in incognito mode, something Google is allegedly guilty of. Sharing data with third parties, even when permitted, can be included as a security consideration. Those who do so quickly conclude that Chrome scores particularly poorly in this area. Tracking scripts and cookies, collecting session telemetry and leaving DNS queries unencrypted are all pain points, as Privacytests.org points out. Chrome’s status as a leading secure browser is thus debatable and open to interpretation.

Mozilla Firefox: emerging as the winner, but is it justified?

Unlike Chrome, Firefox received a green checkmark on every BSI criterion. Note that this refers only to the desktop version. On Android, for example, this browser is susceptible to “stack smashing,” which exploits buffer overflows. Such attacks can lead to security dangers, such as code being executed on the affected device. On the desktop, the default settings guard against this danger. Firefox, like Chrome, features a sandbox that should largely prevent harm from rogue websites.

Whether Firefox is the safest browser depends on who you ask. VPN services appear to be divided. For example, NordVPN argues that Mozilla’s offering is safer than Chrome due to its privacy features, while its competitor ExpressVPN points out that Chrome is updated more regularly and thus safer. Firefox prevents a lot of tracking, but scripts and pixels from Bing, Facebook and X, among others, remain present. It’s not a flawless record, but of the larger browsers, Firefox has many security advantages.

Microsoft Edge: those who pay more get management features

Edge is now widely known as the replacement for the old Internet Explorer, with which Microsoft once dominated the browser world. It is based on Chromium and has many similarities to Chrome. For example, certificates are also partially stored online, and their local revocation is only possible after configuration. In addition, partially unsecured websites are not immediately recognizable as such via the address bar.

In one area, Edge fails where Chrome did score a passing grade with the BSI. This concerns the sending of telemetry data, which can only be centrally managed in more expensive Windows 11 versions. Only in Enterprise, Education and Server editions can telemetry and diagnostic data be turned off by a system administrator.

Edge is also very similar to Chrome when it comes to privacy. Notably, Edge blocks a number of trackers that Google does allow, such as those from Adobe, Amazon, Google itself and Taboola. Ultimately, Edge should be seen as the Chrome cousin that it is, with mainly the same advantages and shortcomings. Edge does, however, benefit from some Windows 11 integrations, such as adherence to the same security protocols. Nevertheless, there are examples of unwanted behaviour from Microsoft that point to broader tracking, such as the unprompted importing of Chrome data.

Apple Safari: iOS integrations

Safari was also analyzed by the BSI, with mostly positive results. For this study, they only looked at the mobile version (iOS) and not its equivalent on Macs (macOS). Safari benefits from a solid integration within the Apple ecosystem, which is already less frequently affected by malware than Windows or Linux. Not being able to disable EME is considered a problem by the German government body, as is the lack of control over buffer overflows. The BSI does indicate that iOS handles this itself. As a result, Safari, in its natural habitat, is a secure browser in this area.

Safari does not protect against known trackers by default, although it can offer this with Intelligent Tracking Prevention (ITP). A paid iCloud subscription enables Private Relay, which prevents anyone from tracking the user.

And the alternatives?

The limited scale of the BSI study means that alternative browsers are not covered. There are plenty of them: Brave, Opera, Tor, Vivaldi, et cetera. Brave stands out for being particularly rigorous, including by virtually eliminating third-party tracking and automatically disabling ads. This means that some websites have problems with Brave’s adblocker, though. One example in September was YouTube, which recognized the Brave browser and blocked the site for some users.

Those who want to take anonymity a step further could install the Tor browser. However, Tor is notorious for being a conduit to the dark web and cyber criminals. That means some organizations already prevent internet access via Tor by default due to it being blacklisted. Since Tor still leaves one’s IP address vulnerable at the entry node and data susceptible to theft at the exit node, it is not an ideal business option.

If we do not define security too broadly, these alternatives are not necessarily more attractive to organizations. After all, Google, Mozilla, Microsoft and Apple provide browser users with the most (and most frequent) security updates. Plug-ins make them even better at blocking potentially harmful content, at least on Chrome, Edge and Firefox. However, those who value privacy issues highly (or have a profession where this is essential) shouldn’t be using Google’s offering. Alternatives abound, but whether an organization can persuade all employees to use a niche browser remains to be seen. The vast majority of the world simply runs Chrome, Edge, Firefox or Safari, meaning those remain the most obvious options to choose from. Firefox appears to be the most well-rounded option among them.