How Microsoft Edge Super Duper Secure Mode Will Prioritize Your Security And Privacy Above All

Which do you prefer when browsing the web—raw speed or a combination of security and privacy? Generally speaking, modern browsers deliver the whole kit and caboodle, which is the way it should be. That said, Microsoft is testing a new "Super Duper Secure Mode" for its Edge browser that puts more of an emphasis on the latter.

Or to put it another way, an experimental feature in Edge sacrifices a bit of speed to make the browser more secure and to enhance user privacy. It does this by tooling around with the V8 JavaScript engine that motors the Chromium foundation of Edge. Microsoft's reasoning for experimenting in this manner is that "JavaScript engine bugs are a mainstay for attackers."

"They provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template. JavaScript engine exploitation has not changed much over the years and generally follows the same pattern," Microsoft says.

It can be a "nightmare" dealing with the "regular stream of bugs" that necessitate a steady supply of security updates. And to be clear, Microsoft points out this is not unique to V8, but says it is a common problem for just about all modern JavaScript engines.

According to Microsoft, a lot of the difficulty arises from the Just-In-Time (JIT) components that were introduced to browsers over a decade ago. JITs are intended to speed up certain tasks when browsing, in part by leveraging speculative optimization of code.

"JavaScript code is optimized through a series of complex processing pipelines. These changes result in performance gains that are quite impressive. Developers have managed to make JavaScript performance comparable with C++, which is an impressive feat," Microsoft explains.

This led Microsoft to wonder if the performance gains introduced by JITs are worth the security hassle. And in pondering the question, Microsoft also wonders if it would be a good idea to simply disable JIT. And so that is what the company is experimenting with, as part of its Super Duper Secure Mode.

"This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed. For users, this means less frequent security updates and fewer emergency patches required. These updates and patches are common points of frustration for our customers, particularly those in large enterprise environments who must test updates before rolling them out," Microsoft says.

[Figure: Microsoft Edge graphs (Source: Microsoft)]

What about performance, though? Microsoft ran hundreds of tests in its labs that mimic real-world sites and conditions, and grouped them into four categories—Memory, Page Load, Startup, and Power. In most cases, it found no discernible changes with JIT disabled.

"There are a few improvements and regressions, but most tests remain unchanged. Anecdotally, we find that users with JIT disabled rarely notice a difference in their daily browsing," Microsoft says.

Microsoft is planning to continue testing Super Duper Secure Mode over the next several months. Once complete, the challenge shifts to implementing mitigations in a way that balances the trade-offs. The company readily admits there are "quite a few challenges to overcome," one of which is finding a new name for its tongue-in-cheek Super Duper Secure Mode designation.

If you want to test the feature for yourself, you will first need to download a test build (Edge Canary, Dev, or Beta). Then type edge://flags in the URL bar and look for the Super Duper Secure Mode setting.