flag
27 Topics

Which one is better? Skia API as the graphics API or OpenGL ES
I'm looking for pros and cons of each API, because Edge Canary version 83.0.467.0 has a new flag called:

Skia API for compositing
If enabled, the display compositor will use Skia as the graphics API instead of OpenGL ES. – Windows
#enable-skia-renderer

and I want to know what the benefits of Skia API over OpenGL ES are if I turn it on?

Solved, 68K Views, 0 likes, 5 Comments

Introducing Project Robin | New Feature
This one is a new flag you can enable: edge://flags/#edge-robin

Microsoft Edge Version 91.0.852.0 (Official build) canary (64-bit)

I think Project Robin is a way to show Windows Defender Application Guard windows as tabs, next to other regular tabs, because right now, when you open a new WDAG window, it has its own protected window, backed up by the Windows Defender engine. This Project Robin might be a way to bring the 2 environments together in the same window. So far the feature doesn't seem to be fully implemented yet. When I try it, it takes me to https://dev.browse.trafficmanager.net/?header=0&url=https%3A%2F%2Fwww.bing.com%2F&escape=newdomain&titlePrefix=0 and then nothing. It's exciting, waiting for future versions to see more changes.

29K Views, 0 likes, 4 Comments

New feature in Microsoft Edge: TLS Post-Quantum Confidentiality
To get familiar with it, here are 2 articles:

Towards Post-Quantum Cryptography in TLS
https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/

Post-quantum confidentiality for TLS
https://www.imperialviolet.org/2018/04/11/pqconftls.html

This feature is added to Microsoft Edge Version 82.0.437.0 (Official build) canary (64-bit) using this flag in edge://flags/

TLS Post-Quantum Confidentiality
This option enables a post-quantum (i.e. resistant to quantum computers) key exchange algorithm in TLS (CECPQ2). – Mac, Windows
#post-quantum-cecpq2

12K Views, 2 likes, 0 Comments

Edge Experimental Flags To Recommend
I like to try bleeding edge features and builds so I mostly use the Canary branch. I know it isn't recommended but I can just flip to another channel. I currently have the following flags enabled as recommended by a blog on the web:

Experimental QUIC protocol
Parallel downloading
Enable lazy image loading
Enable lazy frame loading
Allow installation of external store themes

My goal is to really try and push Edge further in terms of speed. I have no issues with the current speed but as I say, I like to try the bleeding 'edge'. I had enabled Future V8 VM features and Zero-copy rasterizer but I thought that made it slower. I am on a Macbook from 2014 haha. Does anyone have any recommendations?

12K Views, 1 like, 2 Comments

Microsoft Edge Kids! - Kids mode added to Edge - What an Amazing feature! (●'◡'●)
Microsoft Edge version 90.0.800.0 (Official build) canary (64-bit) is introducing Kids mode, which can be accessed from the browser settings: edge://settings/family

You can learn all about it here in this official page. A brief description:

Kids Mode is a convenient browsing mode inside Microsoft Edge that’s designed for kids. With its kid-friendly features and safety guardrails in place, Kids Mode is a great place for children to safely explore the web. Kids Mode includes features like custom browser themes, kid-friendly content, browsing based on an allow list, Bing SafeSearch set to strict, and a password requirement to exit. Also, Kids Mode doesn't require a child account or profile. Currently, Kids Mode is limited to US English on Windows and MacOS.

Kids mode is a full screen mode. In order to exit it, kids need to have the Windows PIN or password, and as you can see, all the appropriate content and links are added to the home page ^^

Bonus content:

6K Views, 5 likes, 19 Comments

What is the new prerenderer implementation for <link rel=prerender> instead of NoStatePrefetch ?
Microsoft Edge Version 89.0.726.0 (Official build) canary (64-bit)

This new flag:

Prerender2
Enables the new prerenderer implementation for <link rel=prerender> instead of NoStatePrefetch. – Mac, Windows
#enable-prerender2

I'm curious to know what the new prerenderer implementation is that replaces NoStatePrefetch. I couldn't find any information about it in here: https://developers.google.com/web/updates/2018/07/nostate-prefetch

Also, in the same link, it says "Fetch the first result in Google Search results". Does prefetch/prerender in Edge fetch the first result in Bing search results?

johnjansen

5.8K Views, 0 likes, 2 Comments

New privacy oriented feature added to Edge 82 - Freeze User-Agent request header
New in Microsoft Edge Version 82.0.421.0 (Official build) canary (64-bit)

Reason for doing it is more about privacy and stopping fingerprinting.

edge://flags/

Freeze User-Agent request header
Set the User-Agent request header to a static string that conforms to the current User-Agent string format but only reveals desktop vs Android and if the 'mobile' flag is set – Mac, Windows
#freeze-user-agent

To be more effective, also enable this flag:

Reduce default 'referer' header granularity
If a page hasn't set an explicit referrer policy, setting this flag will reduce the amount of information in the 'referer' header for cross-origin requests. – Mac, Windows
#reduced-referrer-granularity

More info:
https://www.chromestatus.com/feature/5704553745874944
https://css-tricks.com/freezing-user-agent-strings/

4.3K Views, 1 like, 0 Comments

New Feature | Sharing pages via QR code now fully working in latest Edge Canary 84.0.493.0
The icon is also changed in Edge Canary Version 84.0.493.0

To get that on your address bar, first you have to be on the latest Edge canary and also enable this flag in edge://flags/

Enable sharing page via QR Code
Enables right-click UI to share the page's URL via a generated QR Code. – Mac, Windows
#sharing-qr-code-generator

I tested scanning the code via the new All-in-One Office app on Android and it works correctly.

Solved, 4.1K Views, 1 like, 4 Comments

Some parts of the Privacy Sandbox land on Edge Canary
This flag, edge://flags/#use-first-party-set, was added today to Edge Version 89.0.749.0 (Official build) canary (64-bit). It's one of many privacy-related features for Privacy Sandbox, the goal of which is to ultimately get rid of 3rd party cookies.

Use First-Party Sets
First-Party Sets are sets of registrable domains (or origins). The browser uses these sets to allow websites that have multiple domains to treat their related domains as if they were first-party domains. This enables less restricted cross-domain communication across all the domains in a First-Party Set. – Mac, Windows, Linux

Enable domains to belong to the same first party
Goal: Enable entities to declare that related domain names are owned by the same first party. Many organizations own sites across multiple domains. This can become a problem if restrictions are imposed on tracking user identity across sites that are seen as 'third-party' but actually belong to the same organization. First Party Sets aims to make the web's concept of first and third parties more closely aligned with the real world's by enabling multiple domains to declare themselves as belonging to the same first party.

More info:
Digging into the Privacy Sandbox (web.dev)
privacycg/first-party-sets (github.com)

3.8K Views, 1 like, 1 Comment

Kerberos Authentication flow
Video version: Kerberos Authentication flow

Whenever you log in with Windows Authentication to a server like SQL Server, in many cases Kerberos is used as the main authentication type. In short, Kerberos is a secure method for verifying the identity of users and services in a network to authenticate users. So, suppose Kerberos authentication started to fail and your application cannot log in. You start to panic and want to troubleshoot as soon as possible! But you do not know how to do that because you do not understand how this authentication works internally. In this case, if you know how Kerberos functions internally, it becomes much easier for you to troubleshoot this issue.

Below is the Kerberos authentication flow at a high level:

1. Whenever the client tries to log in to the server, it should first do name resolution. If there is no DNS cache, it will connect to the domain controller and bring the IP address for the server DNS name.

2. Afterwards, there will be a three-way TCP handshake with the server.

3. Following the TCP handshake, servers negotiate on protocol types of authentication: NTLM or KERBEROS. Often Kerberos is chosen as this is a new protocol with more performance efficiency.

4. After Kerberos is chosen, the client will do a TCP handshake on TCP port 88.

5. Then, the client will send an AS-REQ packet to the KDC center in the domain controller. AS-REQ (Authentication Service Request) is the initial message sent by a client to the Key Distribution Center (KDC) in the domain controller to get a TGT. This message includes the client's principal name (username) and may include pre-authentication data such as the password.

If the username is correct and the password is valid, the domain controller sends an AS RESPONSE. This response includes the TGT key and a session key. Here is the important point: the TGT key is encrypted with the password of the KRBTGT account and the session key is encrypted with the client's password. If you go to your domain controller, you will see this KRBTGT account. The TGT is encrypted with this account’s password.

When the client receives the TGT, it decrypts the session key with the password, and this session key is placed in memory along with the TGT. Going forward the account’s password is no longer required. When the client makes subsequent ticket requests it will present the TGT and create a new authentication using the session key and the system timestamp.

6. After getting the TGT and session key, the client makes a TGS request presenting the TGT and the service principal names (SPNs) of the service the client wants to access.

7. After getting the TGS-REQ, the domain controller decrypts the TGT ticket and validates the user and SPNs. If the SPNs are correctly registered and the user credentials and TGT ticket are valid, the domain controller responds with a TGS-REP which includes the service ticket and a session key. The service ticket is encrypted with the service's secret key, while the session key is encrypted with the client's session key. Here, the important point is that the service ticket is encrypted with the password of the service account attached to the server and the session key is encrypted by the client’s session key. Therefore, the client cannot decrypt the service ticket.

8. Finally, by using this service ticket, the client makes an AP request to the server, and an AP-REP is received. This AP-REP is often not mandatory and does not happen depending on the service type. With this, KERBEROS authentication finishes.

Authentication flow in network traces

1. TCP handshake.

2. First, as we learned, an AS REQUEST is sent. One important point here: the first AS-REQ fails with a PRE-AUTH REQUIRED error because the client did not send pre-authorization, or did not send the appropriate type of pre-authorization, to receive a ticket. The client will retry with the appropriate kind of pre-authorization (the KDC returns the pre-authentication type in the error). Many Kerberos implementations will start off without preauthenticated data and only add it in a subsequent request when they see this error. This is expected and you should ignore this.

3. Afterwards, the client again sends an AS-REQUEST with the appropriate pre-authorization.

4. The domain controller responds with an AS-REP, providing the encrypted TGT ticket and session key.

5. By using this session key and TGT, the client makes a TGS request. It also includes SPN names.

6. Finally, the domain controller responds with a TGS response and includes the service key. By using this service key, the client makes an authentication request.

3.5K Views, 2 likes, 2 Comments
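
The trace walkthrough in the Kerberos post above, as an added example that is not part of the original post: a small checker that walks a summarized exchange, treats the first KDC_ERR_PREAUTH_REQUIRED as expected, and reports where the flow stops. The one-line trace format, the sample traces and the function name are assumptions made for illustration; the error names are the standard RFC 4120 ones.

```python
# Added example: triage one summarized Kerberos exchange.
# Trace format (constructed): "<message> [<error-name>]", in capture order.
EXPECTED = ["AS-REQ", "AS-REP", "TGS-REQ", "TGS-REP", "AP-REQ"]

# Standard RFC 4120 error names mapped to what they usually point at.
HINTS = {
    "KDC_ERR_C_PRINCIPAL_UNKNOWN": "client principal not found by the KDC",
    "KDC_ERR_PREAUTH_FAILED": "pre-authentication data invalid (commonly a wrong password)",
    "KDC_ERR_S_PRINCIPAL_UNKNOWN": "SPN not registered for the target service",
    "KRB_AP_ERR_SKEW": "clock skew too great",
}

# Constructed sample traces, not captured from a real network.
HEALTHY = ["AS-REQ", "KRB-ERROR KDC_ERR_PREAUTH_REQUIRED", "AS-REQ", "AS-REP",
           "TGS-REQ", "TGS-REP", "AP-REQ", "AP-REP"]
MISSING_SPN = HEALTHY[:5] + ["KRB-ERROR KDC_ERR_S_PRINCIPAL_UNKNOWN"]

def triage(lines):
    """Return (status, detail) describing how far the exchange got."""
    stage = 0               # index in EXPECTED of the message we wait for next
    preauth_seen = False
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        msg = parts[0]
        err = parts[1] if len(parts) > 1 else "UNKNOWN"
        if msg == "KRB-ERROR":
            # The first PREAUTH_REQUIRED answering the initial AS-REQ is normal;
            # the client retries AS-REQ with pre-authentication data.
            if err == "KDC_ERR_PREAUTH_REQUIRED" and stage == 1 and not preauth_seen:
                preauth_seen, stage = True, 0
                continue
            return ("failed", f"{err}: {HINTS.get(err, 'not in the hint table')}")
        if msg == "AP-REP" and stage == len(EXPECTED):
            continue        # AP-REP is optional and only valid after AP-REQ
        if stage == len(EXPECTED) or msg != EXPECTED[stage]:
            want = EXPECTED[stage] if stage < len(EXPECTED) else "end of flow"
            return ("unexpected", f"got {msg}, expected {want}")
        stage += 1
    if stage == len(EXPECTED):
        return ("ok", "AP-REQ sent with the service ticket")
    return ("incomplete", f"flow stopped before {EXPECTED[stage]}")

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("missing SPN", MISSING_SPN)):
        print(name, "->", triage(trace))
```

A second KDC_ERR_PREAUTH_REQUIRED, or any other KRB-ERROR, is reported as a failure, which separates the expected first-attempt error from the ones worth troubleshooting.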