Guide: What is Super Duper Secure Mode in Microsoft Edge and how to enable it


Back in August, Microsoft Edge's Vulnerability Research Lead Jonathan Norman revealed that his team was working on a "Super Duper Secure Mode" for Microsoft Edge, which I'll mostly refer to as "SDSM" from here on for brevity. With the release of Edge 96.0.1054.29 to the Stable channel, this feature has been quietly added to the browser and is now available for the general public to enable.

What is Super Duper Secure Mode?


But before we go on to how to enable SDSM, it's probably wiser to know what it actually is. Norman has explained it in considerable detail in his blog post, but for the benefit of our readers, we'll summarize some of the key points. That said, if you want to dive into the nitty-gritty details, do check out the aforementioned blog post.

Essentially, most JavaScript engines such as V8 use a performance-boosting technology called Just-In-Time (JIT) compilation. As the name implies, it enables engines to translate weakly typed JavaScript code into machine code just before it is actually needed. While this process obviously results in significant performance gains, it also opens some security holes for malicious actors to target. Common Vulnerabilities and Exposures (CVE) data indicates that 45% of the CVEs issued for V8 had JIT's speculative optimization as the culprit. Similarly, research from Mozilla also highlights that almost half of the 0-day exploits on Chrome came from JIT bugs.

As such, what Microsoft is proposing is that JIT be disabled completely in Edge via SDSM. The company has emphasized that a number of security mitigations, such as Intel's hardware-based "Control-flow Enforcement Technology" (CET), cannot be enabled while JIT is in use. Arbitrary Code Guard (ACG) suffers the same fate as well. Disabling JIT would mean that these mitigations can now be applied and that the attack surface is reduced. Microsoft claims that roughly 50% of the V8 bugs that need to be patched would be left as-is and consumers won't be bothered by frequent patches and updates.

A graph showing performance difference after enabling Super Duper Secure Mode

But, of course, disabling JIT would also mean that consumers would take a performance hit. However, there is some good news on that front as well. In Microsoft's testing of real-world cases on Edge, the effect of disabling JIT was negligible in terms of performance and related metrics, as you can see from the graphic above, whereas the security benefit was significant. That said, JavaScript benchmarks did suffer a decline of up to 58%, but Microsoft is optimistic that this degradation will not be noticeable for the average user because JavaScript benchmarks measure only a portion of the performance metrics rather than the overall experience.

How to enable Super Duper Secure Mode in Microsoft Edge?

If the added security benefits at the cost of slightly degraded performance intrigue you, you would likely want to know more about how to enable SDSM in Microsoft Edge. Fortunately, this is a straightforward process, and you can check it out below.

  1. Ensure that you are on Microsoft Edge version 96. You can click on the three-dotted menu in the top-right corner and then navigate to Help and feedback > About Microsoft Edge to check your browser version or trigger an update. The dedicated page can be seen below.
    A screenshot of Microsoft Edge version page
  2. Go to the Security page (utilize the search bar in the left pane or, alternatively, navigate to Privacy, search, and services) and scroll down to the bottom, where you'll see an option called Enable security mitigations for a more secure browser experience. Enable the toggle shown in the screenshot below.
    A screenshot of the security page in Microsoft Edge
  3. Once you enable this, you will see two options, namely Balanced and Strict. Fortunately, Microsoft has noted the differences between the two choices clearly and briefly. The former will apply to sites you rarely visit while the latter will apply to all sites. Microsoft has also cautioned that enabling either of the options may result in portions of a website not working, so bear that in mind. You also have an Exceptions option at the bottom through which you can add your trusted sites where you want JIT to work as usual. This information can be seen in the screenshot below as well.
    A screenshot of SDSM in Microsoft Edge
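
For anyone checking step 1 across many machines rather than one, the following added example (not from Microsoft or the original article) inventories desktop Edge builds from User-Agent strings and lists the hosts still below 96.0.1054.29. The tab-separated log format, the host names and the sample User-Agent strings are constructed for illustration, and it assumes builds older than the one named above lack the setting.

```javascript
// Added example: find desktop Edge clients below the build named in the article.
const MIN_SDSM_BUILD = "96.0.1054.29"; // Stable build the article names

// Chromium-based desktop Edge sends an "Edg/<version>" token. Legacy EdgeHTML
// ("Edge/") and mobile ("EdgA/", "EdgiOS/") tokens are intentionally not matched.
const EDGE_TOKEN = /\bEdg\/(\d+(?:\.\d+){0,3})/;

// Compare dotted versions numerically; a string compare would rank 100.x below 96.x.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 4; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function classifyUserAgent(ua) {
  const m = EDGE_TOKEN.exec(ua);
  if (!m) return { edge: false, version: null, settingAvailable: false };
  const ok = compareVersions(m[1], MIN_SDSM_BUILD) >= 0;
  return { edge: true, version: m[1], settingAvailable: ok };
}

// Each log line is "<host>\t<user-agent>" (hypothetical format for this example).
function hostsNeedingUpdate(lines) {
  const out = [];
  for (const line of lines) {
    const [host, ua = ""] = line.split("\t");
    const info = classifyUserAgent(ua);
    if (info.edge && !info.settingAvailable) out.push(`${host} ${info.version}`);
  }
  return out;
}

// Constructed sample data, not real traffic.
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ";
const SAMPLE_LOG = [
  `ws-01\t${UA}Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29`,
  `ws-02\t${UA}Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53`,
  `ws-03\t${UA}Chrome/100.0.4896.60 Safari/537.36 Edg/100.0.1185.29`,
  `ws-04\t${UA}Chrome/96.0.4664.45 Safari/537.36`,
  `ws-05\t${UA}Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041`,
  `ws-06\t${UA}Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.26`,
];

console.log(hostsNeedingUpdate(SAMPLE_LOG));
```

User-Agent strings are supplied by the client, so treat the result as an inventory hint and confirm the version on the machine itself via the About Microsoft Edge page.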

Disabling JIT via Edge's SDSM is certainly an interesting experiment. While Microsoft is not enabling it by default in its browser, that is probably the ultimate goal. We will also have to wait and see if other browser vendors follow suit, but that is likely dependent on consumer feedback. As of now, SDSM in Edge is mostly an experiment and Microsoft is looking to enhance it further.


What are your thoughts on Microsoft Edge's Super Duper Secure Mode and JIT compilation in general? Have you enabled SDSM in Edge on your machine? Let us know in the comments section below!
