Who Needs Microsoft Edge’s New “Super Duper Secure” Mode?


Microsoft’s Edge Vulnerability Team is experimenting with a new “Super Duper Secure Mode” that goes against standard browser practices to significantly boost web security. And while this new “Secure Mode” may sound like a feature for overly concerned IT departments, it could one day become the default setting for all Edge users. So how does it work?

Well, the software behind Super Duper Secure Mode is a bit complicated (even for web developers), but the overall concept is pretty easy to grasp: the V8 JavaScript engine’s speed-enhancing JIT compiler is a security nightmare and needs to be turned off.

The V8 JavaScript engine has long been a favorite target for hackers, as it’s super buggy, easy to exploit, and provides a wonderful entry point into an operating system. Introduced in 2008, the JIT (or Just-In-Time) compiler increases JavaScript performance at the cost of security, to the point that 45% of identified V8 vulnerabilities are related to JIT.

Not only that, but the JIT compiler prevents browser developers from enabling powerful exploit mitigations like Intel’s Control-flow Enforcement Technology (CET) and Microsoft’s Arbitrary Code Guard (ACG). The benefits of disabling JIT are stunning: according to the Edge Vulnerability Team, doing so makes all browser vulnerabilities more difficult for hackers to exploit.

This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers.

But there’s a reason why this scheme goes against common practice. Disabling JIT lowers browser performance, especially on webpages that rely heavily on JavaScript, like YouTube. Although the Edge Vulnerability Team reports that “users with JIT disabled rarely notice a difference in their daily browsing,” a difference certainly exists and would cause outrage among many.

The Edge Vulnerability Team’s tests confirm that “Super Duper Secure Mode” often has a negative impact on browsing speed, especially page load times. But to be fair, a 17% average regression in load times isn’t all that bad. And in some cases, disabling JIT actually had a positive impact on memory and power usage.

Microsoft’s “Super Duper Secure Mode” clearly needs to overcome some technical hurdles, but the Edge team is probably up to the task. In time, the “Super Duper Secure Mode” could become the default for all users, as its security benefits are just too hard to ignore. Not to mention, it could reduce the frequency of security updates, which are annoying to both individuals and businesses.

But “Super Duper Secure Mode” is just an experimental feature, for now. Those who want to test it must download the latest Microsoft Edge preview release (Beta, Dev, or Canary) and type edge://flags/#edge-enable-super-duper-secure-mode in their address bar.

Source: Microsoft via TechRadar

Andrew Heinzman
Andrew is a writer for Review Geek and its sister site, How-To Geek. Like a jack-of-all-trades, he handles the writing and image editing for a mess of tech news articles, daily deals, product reviews, and complicated explainers.
