Back in August, Microsoft Edge's Vulnerability Research Lead Jonathan Norman revealed that his team was working on a "Super Duper Secure Mode" for Microsoft Edge, which I'll mostly refer to as "SDSM" from here on for brevity. With the release of Edge 96.0.1054.29 to the Stable channel, this feature has been quietly added to the browser and is now available for the general public to enable.
What is Super Duper Secure Mode?
But before we go on to how to enable SDSM, it's probably wiser to know what it actually is. Norman has explained it in considerable detail in his blog post, but for the benefit of our readers, we'll summarize some of the key points. That said, if you want to dive into the nitty-gritty details, do check out the aforementioned blog post.
As such, what Microsoft is proposing is that JIT be disabled completely in Edge via SDSM. The company has emphasized that a lot of security protections, such as Intel's hardware-based mitigation called "Control-flow Enforcement Technology" (CET), cannot be enabled while JIT is in use. Arbitrary Code Guard (ACG) suffers the same fate as well. Disabling JIT would mean that these mitigations can now be applied and that the attack surface is reduced. Microsoft claims that roughly 50% of the V8 bugs that need to be patched would be left as-is and consumers won't be bothered by frequent patches and updates.
How to enable Super Duper Secure Mode in Microsoft Edge?
If the added security benefits at the cost of slightly degraded performance intrigue you, you would likely want to know more about how to enable SDSM in Microsoft Edge. Fortunately, this is a straightforward process, and you can check it out below.
- Ensure that you are on Microsoft Edge version 96. You can click on the three-dotted menu on the top-right corner and then navigate to Help and feedback > About Microsoft Edge to check your browser version or trigger an update. The dedicated page can be seen below.
- Go to the Security page (utilize the search bar in the left pane or, alternatively, navigate to Privacy, search, and services) and scroll down to the bottom, where you'll see an option called Enable security mitigations for a more secure browser experience. Enable the toggle shown in the screenshot below.
- Once you enable this, you will see two options, namely Balanced and Strict. Fortunately, Microsoft has noted the differences between the two choices clearly and briefly. The former will apply to sites you rarely visit while the latter will apply to all sites. Microsoft has also cautioned that enabling either of the options may result in portions of a website not working, so bear that in mind. You also have an Exceptions option at the bottom through which you can add your trusted sites where you want JIT to work as usual. This information can be seen in the screenshot below as well.
Disabling JIT via Edge's SDSM is certainly an interesting experiment. While Microsoft is not enabling it by default in its browser, that is probably the ultimate goal. We will also have to wait and see if other browser vendors follow suit, but that is likely dependent on consumer feedback. As of now, SDSM in Edge is mostly an experiment and Microsoft is looking to enhance it further.
What are your thoughts on Microsoft Edge's Super Duper Secure Mode and JIT compilation in general? Have you enabled SDSM in Edge on your machine? Let us know in the comments section below!