When we were getting the NCSC’s new website ready, the question came up about what to do with all of the guidance that CESG, CPNI, CERT-UK and CCA had previously developed. We didn’t have time to rewrite it all, but at the same time we knew there was lots of good stuff already there.
We decided to compromise. We’d have an archive of previous guidance that could still be found (and used as needed), and over time we’d develop and rewrite new content as the need arose.
Everyone was happy, and we got to work on the new advice and guidance we wanted to have ready for the launch of the NCSC.
One of the collections of guidance which we put in the archive was CESG’s Browser Security Guidance. We developed this in 2014 as an addition to the Platform Security Guidance, covering Chrome, Internet Explorer, and Firefox. This was only ever ‘beta’ guidance, as we weren’t sure if it was a good idea to try and keep pace with browser development cycles, or if enterprise readers would find it useful.
Time passed. We heard anecdotally of some organisations using it, but attempts to get user feedback on it didn’t result in anything we could use. So we decided to stop updating it in 2015, leaving it as archived content. I had hoped that, despite browsers evolving – and some of the settings no longer being relevant – our underlying approach would still prove useful to enterprise readers, who could use it as a framework when considering browser settings in their organisations.
Unfortunately we have heard that this archived browser guidance is being used by some organisations as a mandatory checklist of settings, and that this is causing regrettable outcomes given the delta between the archived content and modern browsers. We have reviewed the content and decided it is better that we delete the ‘per-browser’ guidance to avoid this sort of misunderstanding.
We also debated rewriting the per-browser guides for the latest versions of the browsers. This was tempting, but one of our principles is to only produce content where it is genuinely necessary, and we’re less convinced. Modern browsers have come a long way in terms of their inherent security properties, and are pretty good ‘out of the box’.
We’re not saying that you should now turn off all the browser security controls you’ve enabled in your organisation. Rather, your decisions around browsers should be considered as part of your wider EUD approach. For example, deciding which plugins to install should be a very similar process to deciding which apps to install on your mobile devices.
So, we’re pressing the delete key on the outdated Firefox, IE and Chrome security guidance, but would welcome your thoughts on the future in this space. Is it an area where NCSC guidance for individual browsers is still required? Let us know via the contact form or the comments below.
Technical Director for Assurance
Source: National Cyber Security Centre