We are pleased to announce the security review for Microsoft Edge, version 108!
We have reviewed the new settings in Microsoft Edge version 108 and determined that there are no additional security settings that require enforcement, however there is one setting that attention should be given to. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.
TLS Encrypted ClientHello Enabled (Consider)
An interesting setting Admin’s may wish to consider, particularly if using Windows Defender Network Protection or similar security software. TLS Encryped ClientHello (ECH) Enabled is a privacy-improving feature that combats one of the shortcomings of HTTPS – namely, TLS does not hide from a network observer the target hostname to which the browser is connecting. This means that your company or ISP network administrator (or anyone who can spy on network traffic) can see the hostname of the site to which your browser is connecting, which has privacy implications. ECH hides the hostname so that a network observer can only see the target IP address of browser traffic, but not which specific site at that IP is being requested.
The reason that this feature has a security impact is that some security software may be spying upon your network requests and blocking requests to specific sites based on the site’s hostname. As a specific example, the Windows Defender Network Protection feature relies upon looking at the Server Name Indication (SNI) within the ClientHello to decide whether to block traffic to sites on the “known malicious” list or the customer’s custom blocklist. If the ClientHello is encrypted by the browser’s new ECH, this Network Protection feature (and similar features in other security software) will not be able to read the SNI, and thus will not be able to block the traffic.
For Microsoft Edge specifically, there’s a subtlety around the interaction of ECH and Network Protection. Machine installed channels of Edge (Stable/Beta) are exempted from Network Protection (in favor of Microsoft Defender SmartScreen), so the implications of this policy on Microsoft Edge are really limited to Edge Canary OR users of non-Microsoft Defender security products. But IT departments using Network Protection in Google Chrome really should set the equivalent policy.
Microsoft Edge version 108 introduced 4 new computer settings and 4 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.
As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.
Please continue to give us feedback through the Security Baselines Discussion site or this post.
