Will the imminent death of Microsoft Edge lead to an insecure browser monoculture?

News by Davey Winder

Reports suggest Microsoft may adopt the Chromium browser as the basis for a complete rebuild of Edge which could address some security issues but introduce an even deeper vulnerability.

Reports are starting to emerge that Microsoft is to stop developing Microsoft Edge after three pretty unimpressive years and instead replace it with a Chromium-based browser. Codenamed Anaheim, this new browser is said to be slated to replace Edge in Windows 10, although it's not clear whether the Edge name will remain.

What does seem almost certain is that the EdgeHTML rendering engine is toast for PC systems. After all, Edge on iOS and Android already uses the native rendering engine of each platform, and Microsoft is working with Google on Chrome support for Windows on ARM. So the move makes plenty of sense. Perhaps more so given that Microsoft has, to put it nicely, struggled a tad to compete with Google Chrome in the browser market share stakes. Then there's the small matter of security to consider...

Just how insecure is Microsoft Edge then?

Daniel Smith, a security researcher at Radware, doesn't pull any punches. "Edge is one of the most vulnerable browsers and was the most hacked browser at Pwn2Own," he told SC Media UK. "Edge/IE are typically only used to download more secure web browsers like Chrome and Firefox."

It proved impossible to find anyone who was of a different opinion, truth be told. Not least, as Jerry Gamblin, principal security engineer at Kenna Security, points out: "In 2018, Microsoft Edge has had 142 CVEs compared to the 73 that Google Chrome has had."

So does that mean that a Chromium-based browser will automatically be more secure than Edge in its current incarnation? That depends upon how closely Microsoft keeps to the master branch of Chromium, according to Gamblin.

"The Chromium project has had eight major releases this year," he says. "It would be a major feat for Microsoft and their users to keep up with that pace."

That Chromium is open-source code, maintained by the Chromium project, is key to the security question. The many-eyes approach makes for a compelling security argument, more often than not. "At the end of the day, Chrome and Firefox are more secure due to the extra features and attention given to them by their dedicated security teams," Daniel Smith insists.

Gamblin remains concerned that a hard fork from Microsoft will start to lag behind, though, and become less secure more quickly. "Microsoft could make a copy of the Chromium source code," Gamblin worries, "with no intention of ever re-merging any future changes from or back into the project."

But is there perhaps a broader danger to security? If two of the major browsers are based on the same project, Chromium, are we not headed toward a browser monoculture?

SC reached out to Tim Callan, senior fellow at Sectigo and an ex-DigiCert staffer who was part of the group that developed extended validation certificates. "Certainly a major move like this one toward monoculture is worrisome in any technology category," he told us, "especially one as ubiquitous as the web browser."

As Callan says, Microsoft certainly has the ability to adopt Google’s HTML rendering engine without abdicating other browser interface and technology decisions, but the possibility definitely looms of the new Microsoft browser becoming little more than a re-skinned version of Chrome, whatever it is called.

"In the certificate space, this monoculture could lessen the influence of many important voices," Callan warns. "Interoperability requirements have caused public PKI mechanisms such as TLS certificates to be governed by standards bodies such as the IETF and the CA/Browser Forum."

And for good reason, as these bodies incorporate the unique expertise of not only browser manufacturers but also CAs, information providers, auditing firms and others to create a robust ecosystem that defends against myriad attack vectors.

"As a single browser manufacturer gains the ability to flex its muscle and make decisions unilaterally that all others must comply with," Callan said, "these other viewpoints and their valuable knowledge threaten to be lost..."
