How much speed can security cost?

Microsoft wants to make the Edge browser more secure with the

Microsoft Edge “Super Duper Secure Mode” How much speed can security cost?

In an attempt to make Microsoft Edge more secure, the Microsoft Vulnerability Research Team is experimenting with deactivating the Just-in-Time (JIT) compilation in the browser’s V8 JavaScript engine, and initially calls the result “Super Duper Secure Mode” .

Company on the subject

Microsoft wants to make the Edge browser more secure with the
Microsoft wants to make the Edge browser more secure with the “Super Duper Secure Mode”, but this is at the expense of surfing speed.

(Image: © sasun Bughdaryan –

The test of the Microsoft Vulnerability Research Team on the “Super Duper Secure Mode” makes sense at first glance. Almost half of the vulnerabilities and vulnerabilities (CVE) known for V8 relate to the JIT compiler and more than half of all “in-the-wild” exploits for Chrome exploit errors in JIT. (Modern versions of Edge are based on the same Chromium code as Google’s Chrome browser, so Chrome exploits also affect Edge). So Microsoft speculates whether it would not be the simplest thing to simply deactivate the problematic sub-system and see what happens then.

The problem with this is that when JIT is deactivated, the surfing speed suffers. JIT is a performance feature that speeds up the execution of JavaScript (the world’s most popular computer language). Because it’s behind so many web applications, the speed at which JavaScript runs has a direct impact on how fast and responsive web applications are. But how big is the difference? This is what the team around Pieter Arntz from Malwarebytes investigated.

Only half as fast

The team compared the last official version of Edge (version 92.0.902.67) with the last available Microsoft Edge beta (version 93.0.961.11) with Super Duper Secure Mode activated and deactivated. During testing, Malwarebytes found that the speed differences between the last official version and the beta version were minimal, so we did not include them in the results. The tests were performed in a virtual machine (VM) with a slow connection. We used Sunspider 1.0.2 as a benchmark.

The results show that JavaScript execution is accelerated by a factor of 1.88 when JIT is activated. Deactivating JIT makes JavaScript processing in Edge more secure, but the browser, in return, half as fast.

Notes on the test:

  • The benchmark only tests the JavaScript language itself, but there are a lot more things that affect surfing speed than just JavaScript. So that doesn’t mean that normal surfing will be twice as slow in all cases!
  • The test was repeated several times and, although there were differences, they were generally minimal. (The results varied between 1.87 times and 1.90 times the speed when JIT was activated).

Microsoft claims that users of the Super Duper Secure Mode hardly notice any difference in their daily surfing. It probably depends on the type of website (s) you are visiting, what other activities are being done, etc. But it has to be said that tools that measure web performance – including Google’s Core Web Vitals – JavaScript is a That said, slow JavaScript can have a profound effect on the user experience.

A permanent solution?

The general public will not be willing to swap speed for more security, says the team around Pieter Arntz. Microsoft will therefore have to offer users an alternative at some point. What would the alternatives be? Microsoft may decide to find the cause of the V8 error and fix it. If you switch to a completely different JavaScript engine, there are four options: Chakra or ChakraCore, which were developed by Microsoft for their Edge Legacy web browser, or Duktape and Moddable.


If you want to try the Super Duper Secure Mode yourself, you need one of the Microsoft Edge pre-release versions (Beta, Dev or Canary). If one of the above is used, simply enter edge: // flags / # edge-enable-super-duper-secure-mode in the address line of the browser and set the new function to “Enabled”.

Leave a Reply

Your email address will not be published.