Microsoft Edge's Super Duper Secure Mode lands in Settings
Microsoft unveiled a new security feature called Super Duper Secure Mode in the company's Microsoft Edge web browser about two weeks ago. Super Duper Secure Mode is an experimental feature to make the browsing experience more secure. The name is not final and it is possible that the feature will never land in Microsoft Edge stable.
Microsoft targets the Just In Time (JIT) compiler with the security feature and introduces security mitigations at the same time. Research on JIT shows that it was responsible for nearly 45% of CVEs (Common Vulnerabilities and Exposures) in 2019, and that attacks abuse bugs in the compiler in more than 50% of the cases that are "in the wild".
Disabling JIT would reduce attacks by a significant margin right away, and it would pave the way for security mitigations that cannot be enabled in the browser while JIT is enabled.
Microsoft mentions Controlflow-Enforcement Technology (CET), a "hardware-based exploit mitigation from Intel" and Arbitrary Code Guard (ACG) as two example mitigations that cannot be enabled while JIT is enabled.
With JIT disabled, these exploit mitigation techniques can be enabled, and that is what Microsoft has planed for Super Duper Secure Mode in the company's Edge browser.
Disabling JIT may impact performance. Microsoft notes that most users would probably not notice a difference with JIT disabled, Performance data revealed that the disabling does not always have negative impacts. For page load performance, results varied from a positive 9.5% improvement to a negative 16.9% decrease, depending on the page. Memory use's rage was between 4.6% and -2.3%, and power between 15% and -11.4%.
Managing Super Duper Secure Mode in Microsoft Edge
Microsoft introduced Super Duper Secure Mode as an experimental flag in Edge Canary, Dev and Beta. To enable it, do the following:
- Load edge://flags/#edge-enable-super-duper-secure-mode.
- Set the experimental flag to Enabled.
- Restart Microsoft Edge.
Work on the security mode continues, and it is possible that some features are still missing at this point.
Microsoft added a second experimental flag to Edge recently; this flag, when enabled, enables a preference in the browser's Settings to enable or disable the new security mode from there.
- Load edge://flags/#edge-saya in the browser's address bar.
- Set the flag to Enabled.
- Restart Microsoft Edge.
You find the new preference under Settings > Privacy, search and services > Security.
Closing Words
Super Duper Secure Mode is experimental at this point and there is no guarantee that it will land in Edge Stable. Should it be released, it will be released under a different name. (via Deskmodder)
More proprietary crap. No thanks.
What’s proprietary about this? MS are simply enabling a UI option for a function that already exists in Chromium (which, need I remind you, is still open-source).
Be nice. MS love you long time!
One thing that was not mentioned in this article is that the Super Duper Secure Mode disables Web Assembly.
You are right, but Microsoft is working on this.
I looked into this a little bit, and a German publication claims that JIT can be turned off in Firefox using about:config options:
Machine-translation of the relevant part into English:
“The gate browser is based on Firefox, you can also switch off the JIT compiler in Firefox. On the configuration page in about: config should use the following switches false be set: javascript.options.baselinejit, javascript.options.ion and javascript.options.asmjs.”
Source: https://www.heise.de/news/Sicherer-oder-schneller-Microsoft-testet-Super-Duper-Secure-Mode-im-Browser-6162990.html
Irionically, at this second, there may be no easy way to achieve the same thing in non-Edge Chromium based browsers (Vivaldi, etc.) because they probably haven’t set a flag or a GUI option to do so. However, the makers of those browsers could essentially add this feature pretty easily, it looks like, especially if the Microsoft code is open-sourced (But even if it isn’t). They’d have to use a different name for the feature, but we all agree the name Microsoft is using isn’t very good anyway, right?
Running out of names, are we?
LMAO They really called it “Super Duper”… it must not be that great then.
>This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it.
People are allowed to have fun, mr super serious guy.
Super Duper Secure sounds like the word of a five year old and the first association I had whit this word was Supercalifragilisticexpialidocious a song and single, from the 1964 Disney musical film Mary Poppins. Not really a word that inspires confidence.
Regarding the function itself, I remain of the opinion why not put the browser in a sandbox?
chromium is already sandboxed from the rest of the OS, as well as having various processes isolated from each other.
Edge goes a step further and allows the use of WDAG for further isolation of the browser, assuming you’re running pro or above.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
one does not have to be related to the other.
as a sidenote, JITless mode and ACG are part of standard chromium, although it’s hidden behind command line flags, so the only real work Microsoft put into this feature is the nice little button.
probably why it has a dumb name as well, it’s a low effort feature for them.
Probably a lie “safe” and “security” and any mode like that, like the others. The only things those modes are for is to consume more resources and slow down your computer while probably trying to spy on you like the FLOC wants to do and not stopping nice Microsoft and Google from checking stuff you do on the internet.
Seems more like they are just scared tactics to try to deceive you to do whatever they want you to do. It just feels like all these security features are more like being afraid to go out in New York for the fear of being attacked by a eastern brown snake.
I disabled Sandbox and Site Isolation and would disable all stupid modes like these and I am sure nothing will ever happen to me, like how I turned Microsoft Defender off until Microsoft decided you can’t easily do it anymore and you just can stop the realtime protection which is still fine by me but not perfect solution. If they are going to hack you and spy you, like the CIA and NSA or any other government agency in the world, I am sure they easily can with the help of technology and internet which even a refrigerator and probably even a toaster is connected to.