Microsoft is Working on a Super Duper Secure Mode for Edge

The Microsoft Browser Vulnerability Research team is working on a Super Duper Secure Mode for the Edge web browser. Yes, really.

“The VR is experimenting with a new feature that challenges some conventional assumptions held by many in the browser community,” Microsoft’s Johnathan Norman explains. “Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers. Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.”


My favorite part of this post is that Norman admits that the name of this mode is “slightly provocative” because they want to have fun with this and it’s too early for an official name. Which Microsoft corporate will probably screw up.

Anyway, as Norman explains, most Chromium-based web browser exploits target Google’s V8 JavaScript engine because “JavaScript engine bugs … provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template.” (This is true of non-Chromium browsers too.) JavaScript engines are a remarkably difficult security challenge for browsers, he adds.

To combat this problem, Edge’s proposed Super Duper Secure Mode would disable the JavaScript engine’s Just-In-Time (JIT) compilation technology, which speeds up JavaScript workloads dramatically and makes this scripting language roughly as performant as native C++ code. The reason? Obtaining this level of performance requires a lot of complexity, which provides hackers with lots of places to pry for vulnerabilities.

“What if we simply disabled the JIT?” he asks, rhetorically. “This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed. For users, this means less frequent security updates and fewer emergency patches required.”

That’s fantastic, but it seems like this change would also lead to a dramatically slower Microsoft Edge. But that’s not necessarily true: Norman says that “users with JIT disabled rarely notice a difference in their daily browsing” in testing. The performance degradation across multiple tasks ranged from no change at all to 16.9 percent, along with an average 11 percent increase in power consumption and a 2.3 percent increase in memory usage.

In a nod to my disdain for benchmark tests, this change impacts the popular Speedometer 2.0 benchmark by as much as 58 percent. “However, often users do not notice this impact because this benchmark tells only part of a larger performance story,” he says. Yes. That’s true of all benchmarks.

Norman says that Microsoft plans to investigate its Super Duper Secure Mode experiment over the next few months and determine whether making it available publicly in Edge is beneficial enough. And he admits that his team’s “tongue-in-cheek” name will likely have to change because, well, Microsoft.

But here’s the best bit: If you’re interested in testing Super Duper Secure Mode, you can do so now with Edge Canary, Dev, and Beta: Just enable the Super Duper Secure Mode in edge://flags. And then send Microsoft your feedback using the Feedback menu in Edge.


Conversation 18 comments

  • bschnatt

    06 August, 2021 - 7:56 pm

    Ahh, I don’t know. I was really hoping for a Super Super Duper Secure Mode! How disappointing… ;)

  • miamimauler

    06 August, 2021 - 8:58 pm

    Microsoft have more to worry about with Edge than a super duper mode if StatCounter numbers are accurate.

    On desktop Edge has barely moved in the past six months going from 7.8% to 8.2% which is nothing short of devastating news for MS as everything I have read points to Edge being a decent browser.

    People just don’t seem to care and are sticking with Chrome it seems.

    This probably explains the utterly unacceptable and downright devious tactics MS are employing in changing the browser in W11 as Paul highlighted in a recent article.

    https://www.thurrott.com/windows/windows-11/254002/windows-11-tip-change-default-apps

    • miamimauler

      10 August, 2021 - 3:39 am

      This is bizarre. I made this comment three days ago and it has only just shown up yet it states it is three days old. This may be a bug or perhaps just a one off glitch.

  • matsan

    07 August, 2021 - 12:35 am

    Great! Microsoft will once again build their own incompatible browser. If they are to replace V8 with their own engine, why did they bother with using Chromium anyway??

    • aways987

      07 August, 2021 - 4:12 am

      Firstly V8 only handles JavaScript so is just one component. Secondly it seems like V8 is remaining but they are just removing the JIT. This would see a reduction in performance but the output would be the same.

      • hellcatm

        07 August, 2021 - 5:03 am

        Well, they’re not removing but rather disabling which means there could be a toggle to turn it on if you want to turn it back on.

        • Maverick010

          07 August, 2021 - 6:52 pm

          I was thinking the same thing. There will probably be a toggle option, similar to the flag to turn it on or like the InPrivate browsing option. We may see 3 options, Normal, InPrivate mode, and secure mode.

        • wright_is

          Premium Member
          08 August, 2021 - 2:28 am

          They are only disabling the JIT compiler, not V8 itself. The JavaScript will still be interpreted by V8, but the bugs that are caused by passing the code through JIT will be obviated, hopefully leading to a more secure experience.

          JIT was used in the past, because processors were too slow to handle interpreting the code. JIT compilers go back to the 80s and 90s, at least, and in web browsing well over a decade. It helps keep an interpreted language running at a reasonable speed on comparatively low powered hardware (say a 1 GHz Pentium of yore). Processors have more than outstripped the needs of software in most areas over the last 10 years. For a typical web page, removing JIT would hardly be noticeable.

          For a PWA, like Teams or Zoom, which are already overbloated messes that struggle with JIT, that is a different matter. The Electron version of Teams can bring a modern laptop connected to a 4K display to its knees very easily.

          I would think that in the future, we will see some sort of hybrid. Trusted sites and signed code, for example, would get JIT, untrusted sites or unsigned code would be restricted to non-JIT execution.

  • miamimauler

    07 August, 2021 - 1:22 am

    I made this comment four hours ago but it hasn’t appeared yet. Perhaps it’s been disallowed due to my linking to an article, even though it was an article from this site.

    Is linking not allowed now?

    Microsoft have more to worry about with Edge than a super duper mode if StatCounter numbers are accurate.

    On desktop Edge has barely moved in the past six months going from 7.8% to 8.2% which is nothing short of devastating news for MS as everything I have read points to Edge being a decent browser.

    People just don’t seem to care and are sticking with Chrome it seems.

    This probably explains the unacceptable and downright devious tactics MS are employing in making it extremely difficult changing the browser from Edge in W11 as Paul highlighted in his recent ‘Windows 11 Tip: Change Default Apps’ article.

    I can imagine the uproar if Google were to behave so shady on Android.

    • sofan

      07 August, 2021 - 2:22 am

      It is very difficult for Edge to get market share from Chrome.

    • bschnatt

      07 August, 2021 - 9:24 am

      I can’t speak to the extraneous features MS keeps piling on to Edge lately (I haven’t kept up), but I really started to like the feature set (the reader mode, speak aloud, side tabs (with tab groups), etc.). I was largely impressed with it — until Vivaldi came out with their 2 level tab feature. THAT is what finally got me to move back to Vivaldi. Tabs are a *real* "hard computer problem to solve", it seems. No one has been able to really nail that effectively, although Vivaldi comes close. What I want is the 2 level tab feature PLUS a way to easily store aside and restore entire tab groups easily when needed. I loved the way the old Edge did tab group saving/restoring, but Microsoft got rid of that, of course. (And most-recently-used bookmarking is *still* done badly — BY EVERYONE. That’s something Vivaldi needs to work on too…)

  • codymesh

    07 August, 2021 - 3:36 am

    I actually can’t believe that’s what Microsoft is actually calling it. It’s awesome.

  • anderb

    Premium Member
    07 August, 2021 - 8:38 am

    It still sends every URL you visit to Microsoft. I don’t see how that makes it super nor duper or secure.

  • ghostrider

    07 August, 2021 - 9:07 am

    According to StatCounter, in July 2021, Chrome has 65% market share, Edge just over 3% (on par with Firefox). Go figure. MS still messing around with things, which will likely break more stuff, and giving it a totally stupid name at the same time. Look MS, you either want to use Chromium or you don’t, but you could be heading down a path of making too many changes and forcing people onto Edge in Win11 will not achieve what you want – you’ve tried ramming these things down people’s throats before and it generally doesn’t work very well.

  • proftheory

    Premium Member
    07 August, 2021 - 12:41 pm

    I think the JIT stuff came into vogue when PCs were slower – No SSD, slower RAM. I may enable it in Linux since that only gets the DEV version anyway.

  • compuser

    07 August, 2021 - 6:20 pm

    I don’t use Edge at home because for whatever reason, Microsoft still will not allow me to pin favorites to the left side of the display like I can with both IE and Firefox, and even when I pin them to the right, they have to be re-pinned every time I launch Edge. It may be petty, but until they change this, I will not use Edge, and I know I’m far from alone in that. Maybe all Microsoft needs to do to increase market share is give people what they want instead of a bunch of crap apps that no one has asked for. That said, is there really a security threat to home computers? I don’t think so. I’d venture to say that 99.whatever percent of home users have nothing on their computers that a hacker is interested in taking the time to find. It’s so much more effective to hack into some corporate system and get information on thousands (or millions) of people at a time, and they know that.

  • bgoodbody

    Premium Member
    07 August, 2021 - 9:35 pm

    Option not in my version!

  • stijnhommes

    08 August, 2021 - 7:05 pm

    I just don’t care. I don’t use Edge and a "feature" that makes browsing harder is not on my wish list.


Thurrott © 2024 Thurrott LLC