Blog post

Parting (with our Browser Guidance) is such sweet sorrow

Created:  17 Feb 2017
Updated:  17 Feb 2017
Author:  Jon L
Part of:  Archived guidance

When we were getting the NCSC's new website ready, the question came up about what to do with all of the guidance that CESG, CPNI, CERT-UK and CCA had previously developed. We didn't have time to rewrite it all, but at the same time we knew there was lots of good stuff already there.

We decided to compromise. We'd have an archive of previous guidance that could still be found (and used as needed), and over time we'd develop and rewrite new content as the need arose.

Everyone was happy, and we got to work on the new advice and guidance we wanted to have ready for the launch of the NCSC.

One of the collections of guidance which we put in the archive was CESG's Browser Security Guidance. We developed this in 2014 as an addition to the Platform Security Guidance, covering Chrome, Internet Explorer, and Firefox. This was only ever 'beta' guidance, as we weren't sure if it was a good idea to try and keep pace with browser development cycles, or if enterprise readers would find it useful.

Time passed. We heard anecdotally of some organisations using it, but attempts to get user feedback on it didn't result in anything we could use. So we decided to stop updating it in 2015, leaving it as archived content. I had hoped that, despite browsers evolving - and some of the settings no longer being relevant - our underlying approach would still prove useful to enterprise readers, who could use it as a framework when considering browser settings in their organisations.

Unfortunately, we have heard that this archived browser guidance is being used by some organisations as a mandatory checklist of settings, and that this is causing regrettable outcomes given the delta between the archived content and modern browsers. We have reviewed the content and decided it is better that we delete the 'per-browser' guidance to avoid this sort of misunderstanding.

We also debated rewriting the per-browser guides for the latest versions of the browsers. This was tempting, but one of our principles is to only produce content where it is genuinely necessary, and we're less convinced that it is. Modern browsers have come a long way in terms of their inherent security properties, and are pretty good 'out of the box'.

We're not saying that you should now turn off all the browser security controls you've enabled in your organisation. Rather, your decisions around browsers should be considered as part of your wider EUD approach. For example, deciding which plugins to install should be a very similar process to deciding which apps to install on your mobile devices.

So, we're pressing the delete key on the outdated Firefox, IE and Chrome security guidance, but would welcome your thoughts on the future in this space. Is it an area where NCSC guidance for individual browsers is still required? Let us know via the contact form or the comments below.

Jon L

Technical Director for Assurance


8 comments

Tony Smith - 21 Feb 2017
I can understand you pulling the individual browser guidance but the generic information is still useful (although I can't find the link to that info any more). This was the generic info on protecting data at rest/in transit/user authentication/protecting privacy/etc.
I'm just about to implement new information security policies (which are currently out for review) so I've managed to pull the links in my accompanying guidance for the individual browser configuration.
Jon L - 22 Feb 2017
Hi Tony. Thank you for your comment. We are currently in the process of reinstating some content but, in the meantime, we would be happy to send you a PDF of what you require. Please get in touch using ‘Contact Us’ which can be found in the ‘quick links’ towards the bottom of the page.
julie.p - 22 Feb 2017
Hi Jon,

Just read your blog.

What I would say is any new guidance should be more explicit in terminology. As an end user, ironically, I wouldn't automatically search for End User Device Guidance (EUD) or Platform guidance. I would search for browser (IE, Firefox etc.) security guidance. I'm sure the guidance was very good, but if I found this page I wouldn't necessarily realise what it was about and would probably think that it wasn't relevant to me as an individual. I understand the guidance is predominantly for organisations, but it would also apply to individual users, who are also customers of NCSC.
Jon L - 22 Feb 2017
Hi Julie – this is very helpful feedback and we’re grateful you took the time to send it to us. We’ll bear this in mind as we produce and categorise our guidance in the future, as we want to make it as easy as possible for our readers to find the content they need.
Jonathan G - 09 Mar 2017
Agree with Julie; I, and I'd imagine most of my clients, wouldn't find this guidance due to the name.
Billy - 23 Feb 2017
I (security officer in a local authority) found the browser guidance useful as a starting point and wish I had provided that feedback before now. I completely get the idea that guidance can do more harm than good, though, and see that it would be difficult to keep them up to date.

I also appreciate the note to explain why they have gone.

Pity, though.
GB - 06 Mar 2017
Like Tony and Billy, I also use the guidance as a "checklist" of sensible guidance generically (not unlike CESG's 14 Cloud Security Principles), and much like Julie I don't automatically search for EUD either.
If the Browser guidance could be re-instated, even for reference it serves as a base from which to start.
Mary Branscombe - 21 Mar 2017
Anything you publish on browsers will be normative; I suggest your guidance be a list of links to the appropriate information on the browser vendor sites, because they do update that (usually!), with a strong note that turning off features for the sake of it drives users to other, even less secure, workarounds.