Microsoft’s ‘Super Duper Secure Mode’ for Edge trades speed for better security

Microsoft’s browser vulnerability research team is working on a mode to make the Edge browser more secure, and it’s given it an incredible name: “Super Duper Secure Mode” (via The Record). The mode is currently very experimental, but by turning off certain optimizations it could make it harder for attackers to exploit bugs in Microsoft’s browser.

To make the browser “super duper secure,” the mode turns off a feature of Edge’s JavaScript engine that’s meant to make a website’s code run faster. The technology is called Just-In-Time compilation (or JIT), and while it can help improve performance, it’s also fiendishly complex. This makes it easy for bugs to slip in, which can lead to security exploits — Microsoft points to analysis by Mozilla that showed that over half of the real-world Chrome exploits since 2018 were related to JIT.

Of course, there are concerns that turning off technology meant to make a huge part of modern websites run faster could hurt performance. The blog post notes that disabling JIT can lead to significantly lower JavaScript benchmark scores, but the team says that, in the real world, people didn’t usually notice much of a difference.

I can at least somewhat back that up — I turned on Super Duper Secure Mode for myself (if you’re running a test version of Edge, you can enable the mode using a flag), and haven’t noticed any sites feeling particularly sluggish. Of course, everyone’s web use is different, so it’s possible that you’d notice a difference if you spend your days in complex webapps. The Microsoft team does note, though, that it’s looking into making the mode smart by having it turn protections on and off based on the risk a website may pose, or how resource intensive it may be.

The experimental mode still seems to be in its very early stages — there are things the team wants to enable but hasn’t, it doesn’t work on all the platforms that Edge supports, and the team says there are “quite a few technical challenges to overcome” before the feature launches. It is, however, exciting work being done — since Edge is now based on Chromium, it uses the same JavaScript engine that Chrome does. This makes it conceivable that the feature could end up being adopted by other browsers if it’s successful on Edge.

As for the Tesla-esque name, vulnerability research lead Johnathan Norman says that at some point it will have to change, in part because explaining to lawyers how secure something described as “super duper secure” is would be challenging. Still, if there’s any way that Microsoft can make it happen without incurring extra liability (people may understandably be upset if they fell victim to an exploit in Super Duper Secure Mode), it would bring some welcome whimsy to the browser alongside the additional protection.