Microsoft is Working on a Super Duper Secure Mode for Edge

Posted on August 6, 2021 by Paul Thurrott in Microsoft Edge with 18 Comments

The Microsoft Browser Vulnerability Research team is working on a Super Duper Secure Mode for the Edge web browser. Yes, really.

“The VR is experimenting with a new feature that challenges some conventional assumptions held by many in the browser community,” Microsoft’s Johnathan Norman explains. “Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers. Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.”

My favorite part of this post is that Norman admits that the name of this mode is “slightly provocative” because they want to have fun with this and it’s too early for an official name. Which Microsoft corporate will probably screw up.

Anyway, as Norman explains, most Chromium-based web browser exploits target Google’s V8 JavaScript rendering engine because “JavaScript engine bugs … provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template.” (This is true of non-Chromium browsers too.) JavaScript engines are a remarkably difficult security challenge for browsers, he adds.

To combat this problem, Edge’s proposed Super Duper Secure Mode would disable the JavaScript engine’s Just-In-Time (JIT) compilation technology, which speeds up JavaScript workloads dramatically and makes this scripting language roughly as performant as native C++ code. The reason? Obtaining this level of performance requires a lot of complexity, which provides hackers with lots of places to pry for vulnerabilities.

“What if we simply disabled the JIT?” he asks, rhetorically. “This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed. For users, this means less frequent security updates and fewer emergency patches required.”

That’s fantastic, but it seems like this change would also lead to a dramatically slower Microsoft Edge. But that’s not necessarily true: Norman says that “users with JIT disabled rarely notice a difference in their daily browsing” in testing. The performance degradation across multiple tasks ranged from no change at all to 16.9 percent, along with an average 11 percent increase in power consumption and a 2.3 percent increase in memory usage.

In a nod to my disdain for benchmark tests, this change impacts the popular Speedometer 2.0 benchmark by as high as 58 percent. “However, often users do not notice this impact because this benchmark tells only part of a larger performance story,” he says. Yes. That’s true of all benchmarks.

Norman says that Microsoft plans to investigate its Super Duper Secure Mode experiment over the next few months and determine whether making it available publicly in Edge is beneficial enough. And he admits that his team’s “tongue-in-cheek” name will likely have to change because, well, Microsoft.

But here’s the best bit: If you’re interested in testing Super Duper Secure Mode, you can do so now with Edge Canary, Dev, and Beta: Just enable the Super Duper Secure Mode in edge://flags. And then send Microsoft your feedback using the Feedback menu in Edge.

Tagged with

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (18)

18 responses to “Microsoft is Working on a Super Duper Secure Mode for Edge”

  1. bschnatt

    Ahh, I don't know. I was really hoping for a Super Super Duper Secure Mode! How disappointing... ;)

  2. bgoodbody

    Option not in my version!

  3. compuser

    I don't use Edge at home because for whatever reason, Microsoft still will not allow me to pin favorites to the left side of the display like I can with both IE and Firefox, and even when I pin them to the right, they have to be re-pinned every time I launch Edge. It may be petty, but until they change this, I will not use Edge, and I know I'm far from alone in that. Maybe all Microsoft needs to do to increase market share is give people what they want instead of a bunch of crap apps that no one has asked for. That said, is there really a security threat to home computers? I don't think so. I'd venture to say that 99.whatever percent of home users have nothing on their computers that a hacker is interested in taking the time to find. It's so much effective to hack into some corporate system and get information on thousands (or millions) of people at a time, and they know that.

  4. proftheory

    I think the JIT stuff came into vogue when PCs were slower - No SSD, slower RAM. I may enable it in Linux since that only gets the DEV version anyway.

  5. ghostrider

    According to StatCounter, in July 2021, Chrome has 65% market share, Edge just over 3% (on par with Firefox). Go figure. MS still messing around with things, which will likely break more stuff, and giving it a totally stupid name at the same time. Look MS, you either want to use Chromium or you don't, but you could be heading down a path of making too many changes and forcing people onto Edge in Win11 will not achieve what you want - you've tried ramming these things down peoples throats before and it generally doesn't work very well.

  6. anderb

    It still sends every url you visit to Microsoft. I don't see how that makes it super nor duper or secure.

  7. codymesh

    I actually can't believe that's what microsoft is actually calling it. It's awesome.

  8. miamimauler

    Microsoft have more to worry about with Edge than a super duper mode if StatCounter numbers are accurate.


    On desktop Edge has barely moved in the past six months going from 7.8% to 8.2% which is nothing short of devastating news for MS as everything I have read points to Edge being a decent browser.

    People just don't seem to care and are sticking with Chrome it seems.


    This probably explains the utterly unacceptable and downright devious tactics MS are employing in changing the browser in W11 as Paul highlighted in a recent article.


    https://www.thurrott.com/windows/windows-11/254002/windows-11-tip-change-default-apps

    • miamimauler

      This is bizarre. I made this comment three days ago and it has only just shown up yet it states it is three days old. This may be a bug or perhaps just a one off glitch.

  9. miamimauler

    I made this comment four hours ago but it hasn't appeared yet. Perhaps it's been disallowed due to my linking to an article, even though it was an article from this site.

    Is linking not allowed now?


    Microsoft have more to worry about with Edge than a super duper mode if StatCounter numbers are accurate.


    On desktop Edge has barely moved in the past six months going from 7.8% to 8.2% which is nothing short of devastating news for MS as everything I have read points to Edge being a decent browser.

    People just don't seem to care and are sticking with Chrome it seems.


    This probably explains the unacceptable and downright devious tactics MS are employing in making it extremely difficult changing the browser from Edge in W11 as Paul highlighted in his recent 'Windows 11 Tip: Change Default Apps' article.


    I can imagine the uproar if Google were to behave so shady on Android.

    • bschnatt

      I can't speak to the extraneous features MS keeps piling on to Edge lately (I haven't kept up), but I really started to like the feature set (the reader mode, speak aloud, side tabs (with tab groups), etc. I was largely impressed with it -- until Vivaldi came out with their 2 level tab feature. THAT is what finally got me to move back to Vivaldi. Tabs are a *real* "hard computer problem to solve", it seems. No one has been able to really nail that effectively, although Vivaldi comes close. What I want is the 2 level tab feature PLUS a way to easily store aside and restore entire tab groups easily when needed. I loved the way the old Edge did tab group saving/restoring, but Microsoft got rid of that, of course. (And most-recently-used bookmarking is *still* done badly -- BY EVERYONE . That's something Vivaldi needs to work on too...)

    • sofan

      It is very difficult for edge to get market share from chrome.

  10. matsan

    Great! Microsoft will once again build their own incompatible browser. If they are to replace V8 with their own engine, why did they bother with using Chromium anyway??

    • aways987

      Firstly V8 only handles JavaScript so is just one component. Secondly it seems like V8 is remaining but they are just removing the JIT. This would see a reduction in performance but the output would be the same.

      • hellcatm

        Well, they're not removing but rather disabling which means there could be a toggle to turn it on if you want to turn it back on.

        • wright_is

          They are only disabling the JIT compiler, not V8 itself. The JavaScript will still be interpreted by V8, but the bugs that are caused by passing the code through JIT will be obviated those bugs, hopefully leading to a more secure experience.


          JIT was used in the past, because processors were too slow to handle interpreting the code. JIT compilers go back to the 80s and 90s, at least, and in web browsing well over a decade. It helps keep an interpreted language running at a reasonable speed on comparatively low powered hardware (say a 1Ghz Pentium of yore). Processors have more than outstripped the needs of software in most areas over the last 10 years. For a typical web page, removing JIT would hardly be noticeable.


          For a PWA, like Teams or Zoom, which are already over bloated mess that struggle with JIT, that is a different matter. The Electron version of Teams can bring a modern laptop connected to a 4K display to its knees very easily.


          I would think, that in the future, we will see some sort of hybrid. Trusted sited and signed code, for example, would get JIT, untrusted sites or unsigned code would be restricted to non-JIT execution.

        • Maverick010

          I was thinking the same thing. There will probably be a toggle option, similar to the flag to turn it on or like the InPrivate browsing option. We may see 3 options, Normal, InPrivate mode, and secure mode.

  11. stijnhommes

    I just don't care. I don't use Edge and a "feature" that makes browsing harder is not on my wish list.

Leave a Reply