Bolstering Edge security, if you’re willing to sacrifice a bit of performance
Why it matters: Microsoft’s Edge vulnerability researchers are interested in testing a rather unconventional idea that could improve the security of Chromium-based browsers for people that are willing to sacrifice a bit of performance. It’s been called “Super-Duper Secure Mode” and is mostly a fun experiment at this point, but it could turn into a real feature if there’s enough user interest.
After moving the Edge browser to the Chromium engine, Microsoft finally landed a browser that many people are willing to use and switch to permanently. My personal experience has been that Edge runs without any major headaches ever since the first developer and canary builds arrived for Windows 10. Since then, Microsoft has been adding a slew of features such as sleeping tabs, a password generator, vertical tabs, and more.
Google last year stopped warning people about supposed security risks of Edge, and the two companies have since committed to working together in fixing the biggest pain points in cross-browser compatibility for the modern web.
Edge doesn’t have perfect security, but like most browsers it does have some features that keep you as protected as you can be without becoming a headache. For instance, Microsoft’s browser lets you automatically block “potentially unwanted app” downloads, but the company is now testing a more aggressive security feature called “Super Duper Secure Mode.”
According to Microsoft’s Edge Vulnerability Research team, the new mode is based on an unconventional idea but is ultimately designed to make it more costly for malicious actors to exploit any flaws they may find. What researchers found is that 45 percent of the bugs in the V8 Javascript engine used in Chromium-based browsers like Edge, Chrome, Opera, Brave, and Vivaldi were related to the Just-In-Time (JIT) compilation pipeline for JavaScript that is used to improve web browser performance.
The idea behind Edge’s SDSM is that JIT offers a large attack surface that requires constant patching work to keep secure, so it might be worth testing if turning JIT off might improve security without a big sacrifice in terms of performance. And it’s not just about removing almost half the bugs in the V8 JavaScript engine, as disabling JIT makes it possible to enable security features like Intel’s Controlflow-Enforcement Technology (CET), or Microsoft’s Arbitrary Code Guard (ACG) exploit mitigation feature in Windows 10.
After running some automated tests for power, startup, memory usage and page load times, the researchers found that turning off JIT led to improvements in some cases and slightly lower performance in others. Memory usage doesn’t change that much, while startup times improve around 9 percent. As for page load times, the worst case observed is that they’re almost 17 percent slower while in best case scenarios they actually improve up to 9.5 percent. Power usage is a similar story, with some tests showing an 11.4 percent increase with JIT turned off and some tests showing a 15 percent improvement in power efficiency.
In synthetic benchmarks like Speedometer 2.0, turning JIT off led to a result that was 58 percent worse than with JIT turned on. However, the difference in performance was much less noticeable in actual use, which matters a lot more for users than a specific number achieved in a benchmark.
SSDM is an experimental feature for now, but if you’re willing to test it yourself you can do so by enrolling in the Edge Insider program. It doesn’t matter whether you’re in the Canary, Dev, or Beta ring, to enable the feature go to edge://flags and turn on the one named “edge-enable-super-duper-secure-mode.” It’s also worth noting Web Assembly (WASM) doesn’t work in this mode, so proceed with caution.
