
Microsoft Edge security features: an in-depth look


With Microsoft Windows 10 on its way to commercial availability, Microsoft Edge is also getting ready to ship as a Universal App, adding considerable leverage to this completely new Windows experience.

Among the planned features revealed so far, Microsoft Edge will support most of the latest W3C and IETF standards, as well as HTML5 and CSS3, in line with the experience offered by competing browsers, specifically Google Chrome, Mozilla Firefox and Apple Safari.

With a new experience comes a new array of security features that will transparently keep web users safer than they have ever been on any version of IE. In a recent post on Microsoft’s official Windows blog, the Windows Team published a thorough list of security features that will be part of Microsoft Edge upon release.

Microsoft Edge focus on security

Asymmetric Cryptography

Windows 10 comes with Microsoft Passport, a technology that ensures safe authentication of credentials to secure sites. Depending on the application, this method may support anything from regular two-factor authentication all the way up to biometric recognition. By the same token, authentication for secure sites becomes not only more secure, but also faster and more convenient.

SmartScreen

Rolled out in 2010, Microsoft SmartScreen is a security feature introduced initially in Windows 8, which blocks access to suspicious websites and allows users to report websites that contain malware or other security threats.

SmartScreen is not only active during browsing sessions; it is also part of the Microsoft Windows 10 shell itself.

Certificate Reputation

The purpose of SSL certificates is to keep form-submitted information confidential by employing encryption protocols that scramble the information and make it harder for hackers to steal or intercept. Unfortunately, SSL certificates can also be obtained in illicit ways, or counterfeited. Certificate Reputation is a reporting tool introduced by Microsoft to report suspicious websites that present fake SSL credentials in order to engage in fraudulent activities.

Microsoft EdgeHTML

As we mentioned earlier, Microsoft Edge will support W3C standards, as well as the IETF’s. These standards are meant to help web developers build websites that are less vulnerable to cross-site scripting (XSS) attacks. This practice consists of the injection of malicious code into a website, directly from a client’s browser. The objective of an XSS attack is to gain unauthorized access to a location on the web, such as a membership website or an online store that uses outdated or unsafe PCI-DSS security and authentication standards, in order to steal information.

Say goodbye to toolbars

With HTML5 providing solid ground for a plugin-less experience, extensions and plugins are being put out to pasture, and Microsoft Edge is the last nail in the coffin. Edge will not support toolbars, VB, BHOs, VML, or ActiveX. This is great news for users who have had enough of fighting off pesky toolbars and plugins hijacking their browsing experience with ads and malware.

Even better news for developers is the plan for a new HTML/JS extension model, on which Microsoft will release more details in the coming months.

App Container Sandbox

Every website accessed by Microsoft Edge will open by default within a sandbox environment called “App Container”, which keeps the code running within the browser separate from the rest of the operating system. This method was first introduced in Windows Vista, as what some will recall as Protected Mode. That model has been completely redesigned to create a comprehensive sandbox-like layer, protecting the system from any malicious code attempting to interact directly with the client’s operating system.

64-bit all the way

Microsoft Edge will run in 64-bit by default, wherever a 64-bit CPU is available. Running 32-bit web browsing applications presents great security risks, as they are easier to exploit and manipulate, on top of the fact that 32-bit applications are also limited in the amount of memory they can use.

By the same token, Edge will include better protection against memory corruption attacks. These types of exploits are carried out by feeding malformed information to an application until it crashes.

Back in the 1960s, when the Internet barely existed, early computer systems did not have protection against what was known as “buffer stack overflow”. In at least one example, this consisted of inputting either code or a series of characters longer than the length allowed by a password or login field, which resulted in a crash that allowed hackers to gain control of said system. Of course, we are a long way from 1960s technology; however, software coded in C and C++ still has related vulnerabilities that need special protection protocols and countermeasures, such as MemGC (Memory Garbage Collector). MemGC, in particular, is designed to suppress many types of memory-related attacks.
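The over-long login field case described above, as an added C example that is not from the original article or from Microsoft: an unchecked copy next to a length-checked one that rejects input that does not fit. `FIELD_MAX`, `struct login_record` and both function names are assumptions made for the illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* assumed field size, terminating NUL included */

/* Hypothetical record: flags sits right after user[] in memory. */
struct login_record {
    char user[FIELD_MAX];
    unsigned int flags;
};

/* Unchecked pattern: strcpy() keeps writing past user[] when src is longer
 * than the field. Shown for contrast only; nothing here calls it. */
void store_field_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Checked form: confirm a terminator exists within FIELD_MAX bytes, and
 * reject the input otherwise. Returns 0 on success, -1 on rejection. */
int store_field_checked(char *dst, const char *src)
{
    if (dst == NULL || src == NULL)
        return -1;
    if (memchr(src, '\0', FIELD_MAX) == NULL)
        return -1;                      /* too long: refuse, do not truncate */
    memcpy(dst, src, strlen(src) + 1);  /* at most FIELD_MAX bytes */
    return 0;
}

int main(void)
{
    /* Constructed inputs: 5, 15 and 16 characters. */
    const char *inputs[] = { "alice", "123456789012345", "1234567890123456" };
    struct login_record rec = { "", 0xA5A5u };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-18s -> %d (flags=0x%X)\n", inputs[i],
               store_field_checked(rec.user, inputs[i]), rec.flags);
    return 0;
}
```

Rejecting the 16-character input outright, rather than truncating it, leaves both the stored field and the adjacent `flags` value unchanged.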

Bug Bounty

Yes, that is exactly what the name suggests: Microsoft will pay cash to anyone reporting serious vulnerabilities and bugs, in a similar way to what Google has done with Chrome.

The Project Spartan Bug Bounty, set at $15,000, will go to anyone who is able to report vulnerabilities and bugs for the duration of the Technical Preview period. The bounty will end June 22nd, which is not necessarily an indication of a release date for Windows 10 or Microsoft Edge. (Or is it?)

