Microsoft Gives Its New Browser 'Edge' In Security

Internet Explorer has long been decried as the least security browser out there. With IE being deprecated, and with the new focus on the Edge browser in Windows 10, Microsoft plans to change all of that and make its browser one of the most secure around.

In a new blog post, Microsoft presented three main security problems on the Web and how it can use its new browser to protect users against them: trickery (for giving out sensitive information), hacking and memory corruption.

Defending Against Trickery

Passport

One of the most common ways for malicious hackers to steal data is to utilize phishing, or in other ways to dupe users into entering their logins and passwords in a fake website that looks like the one they intended to visit.

There are some ways to mitigate these attacks, such as having websites buy certification that shows the company's name in the address bar. This allows users to trust that the address they are visiting is indeed the one they were looking for. However, hackers can sometimes bypass this as well, according to Microsoft.

Microsoft has recently announced Passport, its passwordless authentication for the Web. It allows the user to log in to a website using either a PIN number (which only works with the chip inside your PC or mobile device) or a fingerprint or face scan (through Microsoft's local authentication protocol, Hello).

Smartscreen

Microsoft has had the Smartscreen malware protection Web filter since the introduction of Internet Explorer 8. It has now added it to both the Edge browser and the Windows 10 shell. The Smartscreen filters websites that Microsoft knows to be infected. It's a feature that both Chrome and Firefox have had for sometime as well. It's far from a magic bullet, but it adds a necessary layer of extra protection on the Web.

Certificate Reputation

"Certificate Reputation" is a feature Microsoft announced last year for IE11, and an extension of Smartscreen that verifies server certificates for authenticity. When users surf the Web in a browser that supports "Certificate Reputation" and have enabled the Smartscreen filter, Microsoft is fed with data about the sites' certificates. When a new certificate is issued by a different Certificate Authority for a certain website, Microsoft can automatically flag it.

This seems like a good idea because users don't have to do anything to protect themselves against forged certificates, and it's also quite scalable (unlike Google's Chrome certificate pinning, which only works with a handful of websites). The only problem here is that Microsoft may sometimes block the wrong certificates. The company does notify the site's owner about the flagged certificate, so this issue should be mitigated in large part.

Hopefully, we can also see Microsoft join Google and Mozilla in the Certificate Transparency system, as well. CT would just create a cleaner certificate system by default and may even improve the effectiveness of Microsoft's own Certificate Reputation system, because CT would make finding the "bad guys" much easier. Therefore, it should be a complementary rather than competing technology.

Modern Standards

Microsoft is committed to leaving all the Internet Explorer cruft behind and start new with strong support for modern Web standards. This should also increase the security of Edge by default, as it simplifies the code, which means there are fewer places in which security holes can exist.

Microsoft also plans to adopt two modern security standards for the Web: the Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS). The CSP allows web developers to whitelist certain types of content that web browsers can load on a given page, which could help prevent the all-too-common cross-site scripting (XSS) attacks.

Defending Against Browser Hacking

No more toolbars, VB scripts or ActiveX

ActiveX has caused many great pains for the Internet Explorer developers, as it has likely been the most abused IE technology in history. The new Edge browser will do away with all the proprietary technologies that have weak security. Instead, Microsoft will adopt an HTML5/JS model for its browser extensions (which the company plans to launch after Windows 10 is released on the market).

Edge lives in a sandbox

Because the Edge browser is actually a store "app" and not a Win32 "program," as Internet Explorer is, that means Edge benefits from all the security features of Windows store apps, such as app sandboxing and cryptographic signing (ensuring the app you want to download has not been tampered with).

Microsoft will not just protect the whole browser with a sandbox, but every single web page will be opened in its own "app container." This could possibly make Edge's sandboxing even stronger than that of Chrome, as Chrome currently puts its pages or extensions in separate processes that aren't as secure as app containers.

Of course, this is because app containers haven't existed until now on Windows, and Google could now adopt them as well. However, Google would probably have to create a "different" Chrome on Windows 10 than the one on previous versions of Windows. With Microsoft wanting to move everyone to Windows 10 as quickly as possible, Google would have no reason to wait for the adoption of this model. The same goes for Mozilla, which has yet to deploy its own multi-process sandboxing model.

64-bit Security

Microsoft will make exploiting sensitive memory to attack the Edge browser much more difficult in Windows 10 by installing only a 64-bit version of Edge on all 64-bit capable machines (which should be all new PCs from the past decade or so). The ASLR (Address Space Layout Randomization) protection is exponentially stronger when the app is 64-bit, because the address space is much larger.

Defending Against Memory Corruption

MemGC

I've recently written about how Microsoft should implement EMET's security features by default in Windows 10. Memory corruption vulnerabilities that happen due to carelessly written C/C++ code are much too common for the status quo to be acceptable. Many attackers use them to craft zero-day exploits and bypass other Windows protections. EMET goes a long way to protect against that class of vulnerabilities.

Microsoft will not quite add EMET by default to Windows 10, but instead it will do what apparently looks like giving a garbage collector to C++ programs. Garbage collectors are used in some languages (such as Java) to protect against many memory corruption bugs. However, that usually comes with a cost in performance, which is why many developers still prefer writing C++ code.

It will be interesting to see if Microsoft's MemGC garbage collector will have a significant impact on performance. If not, then it could be a big benefit to the security of many Windows apps and programs.

Control Flow Guard

The Control Flow Guard is a Visual Studio technology that makes it more difficult for an attacker to take advantage of memory corruption bugs. The technology has already been available for a year, but all of its safety features will work by default in the Edge browser.

Bug bounty program

Microsoft will be offering a "Windows 10 Technical Preview Browser Bug Bounty" program to entice security researchers to find and report bugs from Windows 10 and the Edge browser before Microsoft ships them to its users.

Microsoft seems to be quite committed to "getting it right" with its browser this time, and not fall behind the competition but actually lead the way in some areas. It's good to see that one of those areas is security.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • vern72
    How about this for security: Making secure connections the default, just like what you voted against a couple of months ago.
    Reply
  • alextheblue
    Edge may be an "app" but that doesn't mean it isn't also Win32. Remember, they're allowing Win32 projects in the app store. They also can run fullscreen and/or windowed.
    Reply
  • EvilMonk
    I hope you didn't meant insecurity...
    Reply
  • fuzzion
    they lost me at "......having websites buy certification"

    Reply
  • joex444
    "which is why many developers still prefer writing C++ code"

    You use the language for the job. If you only know one language then you're useless. Not everything written in C++ could be just as easily done in Java, nor vice versa.
    Reply
  • Aaron Stackpole
    Oh god, like garbage collection written by a software developer with 30 years of experience optimizing it on systems that perform gigaflops of calculations is going to be a performance impact. Be real. lol
    Reply
  • Aaron Stackpole
    Edge may be an "app" but that doesn't mean it isn't also Win32. Remember, they're allowing Win32 projects in the app store. They also can run fullscreen and/or windowed.
    The Win32 API was gutted with Windows 8. Most of the reason Windows 8 is so much faster and a big chunk of the GPOs stopped working.
    Reply
  • knowom
    Oh my god LMFAO April Fools came really prematurely this year KUDOS ON that web browser name.
    Reply
  • Jordan Nwokolo
    Since the status of this Windows 10 is "Windows As a Service" i want to know how much the price of this EDGE Browser ??
    Reply
  • Marcus52
    Browsers are built to ALLOW others to control your computer first, and then security band-aids are applied to try to prevent "malicious" intents from doing so. (This isn't a Microsoft thing, ALL browsers for ANY OS are made this way.)

    What I like about NoScript is that it gives me some control over which of these sites I let run on my computer. I can connect to, say, Tomshardware, and shut down as many of the other 20+ servers that going to the Tomshardware site tries to connect me to as I want on an individual basis. I use Firefox (Mozilla browsers) because it is the only browser that allows NoScript to run in a fully functional way.

    What I want is to

    1) Know EXACTLY which sites are trying to connect to my computer (or browser) when I go to an internet address, and

    2) Make the decision myself to allow or deny the connections on an individual basis.

    I understand that a lot of end-users can't be bothered with that kind of control - but it should at least be possible to have it. Microsoft knows that the best way to increase security is to get the people using the computers involved in the decision about whether or not to let things run on their systems. Give us the same kind of capabilities we get with UAC when sites try to run programs in our browsers.

    (For the record, I don't use NoScript to block ads per se, I use it in an attempt to control which sites are allowed to run their various software packages in my browser, and how many of them run at the same time, and to prevent Clickjacking and other kinds of attacks. I use it because it gives me a level of transparency I don't get with anything else. I should be allowed to KNOW what's going on and do something about it; preventing me from doing that leads me to believe you are doing something dishonest. This goes for everyone, not just Microsoft.)
    Reply