To be clear, Edge stable version 96.0.1054.29 was released on November 19th but the inclusion of the Super Duper Secure Mode was not mentioned in the patch notes. Instead, we came to know about this feature’s presence in the latest Edge stable from a tweet. Microsoft Edge Vulnerability Research Lead Johnathan Norman took to Twitter and let us know:
— Johnathan Norman (@spoofyroot) November 22, 2021
Super Duper Secure Mode and its importance
Super Duper Secure Mode does one thing and one thing only: it removes Just-in-Time (JIT) compilation from the V8 JavaScript engine. As you already know, Edge is based on Chromium, the open-source browser codebase developed by Google and the backbone of Google Chrome. JavaScript engines are already complicated pieces of software, and JIT helps the engine translate JavaScript into machine code right before it's executed, which greatly improves the speed of browsing. However, this comes at a severe security cost and leaves you and your browser vulnerable to harmful attacks. Roughly 45% of all security bugs and attacks found inside V8 have been linked to the JIT component, and the engine's dependence on JIT only worsens this. Because people like speed, developers have actively used JIT to keep their browsers fast even if it puts the user at risk.
Now, with the latest stable version of Edge, Super Duper Secure Mode works to remove this dependency by disabling JIT completely, making the browsing experience a lot more secure. According to Norman, about half of all security bugs inside V8 go away when JIT is disabled. Not only that, but with JIT disabled, several other mitigation technologies, such as Intel's hardware-based Control-flow Enforcement Technology (CET), also start to work, further strengthening your browser's security.
— Johnathan Norman (@spoofyroot) August 4, 2021
The catch
There’s always one, isn’t there? In this case, the cost of better security is slightly slower speeds. As you’ve probably guessed by now, disabling the one thing that made machine code translation so efficient and quick leads to worse performance. However, it’s not severe enough that you would really notice the dip. Page load times saw a regression of only about 17%, but tests that measured improvements in power showed a 15% improvement on average. Meanwhile, an 11% improvement was seen in regressions when power consumption was increased.
Balanced vs. Strict
Super Duper Secure Mode also comes with two different modes, which differ in their effect on performance. Balanced mode adds restrictions to sites you seldom visit and treats the sites you visit often as trusted. Strict, on the other hand, adds restrictions to all sites no matter how frequently you visit them. As you can expect, Balanced barely has an effect on performance, but Strict bolsters the security of Edge to the point where you will likely see a performance drop, and some sites may even break. You can toggle between Balanced and Strict on your own depending on what type of security you prefer. Before you do that, you’ll first need to enable Super Duper Secure Mode. The feature isn’t clearly outlined in Settings, as it doesn’t even carry that name. Super Duper Secure Mode is technically just an internal name that the team came up with in the development phase; the actual toggle in Settings appears as “Enable security mitigations for a more secure browser experience”. You can find the option under Security in the Privacy tab in Edge Settings.