Twitter trades speed for better security

Sep 2, 2021 | IT

Microsoft’s browser vulnerability research team is working on a mode to make the Edge browser more secure, and it’s given it an incredible name: “Super Duper Secure Mode” (via The Record). The mode is currently very experimental, but by turning off certain optimizations it could make it harder for attackers to exploit bugs in Microsoft’s browser.

To make the browser “super duper secure,” the mode turns off a feature of Edge’s JavaScript engine that’s meant to make a website’s code run faster. The technology is called Just-In-Time compilation (or JIT), and while it can help improve performance, it’s also fiendishly complex. This makes it easy for bugs to slip in, which can lead to security exploits — Microsoft points to analysis by Mozilla that showed that over half of the real-world Chrome exploits since 2018 were related to JIT.

(If you’ve got some programming knowledge, this video provides an interesting overview of how Just-In-Time works for JavaScript.)

Of course, there are concerns that turning off technology meant to make a huge part of modern websites run faster could hurt performance. The blog post notes that disabling JIT can lead to significantly lower JavaScript benchmark scores, but the team says that, in the real world, people didn’t usually notice much of a difference.

I can at least somewhat back that up — I turned on Super Duper Secure Mode for myself (if you’re running a test version of Edge, you can enable the mode using a flag), and haven’t noticed any sites feeling particularly sluggish. Of course, everyone’s web use is different, so it’s possible that you’d notice a difference if you spend your days in complex webapps. The Microsoft team does note, though, that it’s looking into making the mode smart by having it turn protections on and off based on the risk a website may pose, or how resource intensive it may be.