Windows Guide

Yeah it is, it’s very old. But I’m not in the minority, half of my family uses crappy phones too, and I know some other people in my area with old phones too. Unfortunately neither of us has the means of upgrading. My circumstances are awful and I live in a place where there’s a war happening. Hence I can conclude that recommending disabling JIT for everyone isn’t a solution, yet. I think all three of us can reach a compromise on that JIT topic and say that disabling JIT can only apply to those who have at least a mid-tier device.

Answered in another thread.

No, I wouldn’t use a browser with JIT disabled even if my device allowed me to use it without sacrificing usability and performance. I would disable JIT only if there were 100% no drawbacks and performance regressions. I know what JIT is, know the effects of disabling/enabling it, and I know for myself whether I need to disable JIT or not. I don’t sacrifice my security because I’m sure I won’t get exploited by a JIT-related vulnerability. But as we can infer from this thread, everyone has their own priorities, use-cases, ideas and even seemingly “entrenched” ideologies, etc. It’s everyone’s own business I guess.

I’ve just tested it. Same story with Brave Search: the effect of disabling JIT compilation is visually noticeable. Same page loading delay. So it’s an issue related to a low-end device, not Google’s fault. I would also certainly not call Google Search website crap. For your information, Google Search works amazingly without JavaScript too. But, well, as always — to each his own. :v:t2:

1 Like

I wanted to base my statements on official Microsoft documentation. I haven’t argued for not using a local account.

The technical documentation is largely targeted at enterprises, not end-users. In corporate environments it makes sense to hand out privileged access only to a limited set of employees.

With UAC set to highest, the default way of opening Windows Task Manager will show the user a UAC prompt. You may of course adjust this through group policy, or lower the UAC security level.

Perhaps by “local account” you mean a (in Windows’s terms) “standard user” account?

Some old devices I have lying around: a Samsung Galaxy S8, a Lenovo laptop with a dual-core Core i3 and 4 GB RAM, and a Google Pixel 4a 5G. I would consider the former two to be pretty low-powered in today’s terms.

Yeah I noticed that. That’s why I advised people on searching up something from the documentation on the internet.

No, I’m on Windows 10 now, and opening Task Manager doesn’t invoke a UAC prompt. UAC is on highest.

Yes, yes. But opening Task Manager doesn’t invoke a UAC prompt, no matter if you are on a Standard User account or on an Administrator account. That’s the default behavior.

Okay I see. My standards are lower because the standard of living in my area is extremely low. I guess, from my low-standard point of view, I would call Google Pixel 4a a mid-tier device. My phone is worse than either Samsung Galaxy S8 or Google Pixel 4a. However I’m not in the minority, as I said. So it’s kinda early to recommend everyone to disable JIT, in my opinion.

You said that the performance impact is negligible, but it still does have an impact. It could be even as little as 100 or 50 milliseconds. And if you sum up all those 50 milliseconds of all the times when you loaded a page — it would amount to a big number eventually. It is sacrificing UX/performance for that tiny chance of being JIT-exploited. I think it’s better to wait until the technology improves (both software and hardware), and until all people in the world will run no less than phones with specs similar to those of Google Pixel 3, for example. Then we can recommend disabling JIT to everyone.

Can you also point me to any sources that say that JIT exploits are common? If I’m not right in my opinion that a regular user getting exploited by a JIT-related vulnerability is a rare case, you can prove me wrong by linking some info.

:pray: Thank you for your work on this!

I’m sorry we haven’t been able to review this PR… I just want to let you know that I’m going to be working on completing this guide for the next website release by the end of the year. The work you’ve done is really appreciated even though it’s taken us a long time to get to it, and you’ll be credited in the final draft :slight_smile:

5 Likes

Don’t forget to mention how based EU and EU Windows is. It actually became usable, which is a lot to say about Windows.

We should probably recommend that people choose one of the EU countries when choosing a region for Windows.

6 Likes

Idk that I’d call it based. It just moved in the direction of less shit.

Wonder if merely changing a VPN server to be in the EU will be enough to download their version when it gets to public release.

3 Likes

Respectfully, is anyone able to answer my questions in regards to this guide?

IMO Microsoft Surface for business should be recommended over other WIndows PC because it has 6 years firmware support, is secured-core certified and has open sourced UEFI. There’s no privacy without security and you cannot use Windows privately on Lenovo X230 (jk
Also, pls donot forget to mention win32 app isolation.

1 Like

I think Dell has a similar support policy, around 5-6 years too.

Do you have a source for these? Afaik most Microsoft Surfaces are not secured-core and I remember the firmware support to be shorter, but maybe this has changed since then.

Isn’t this only in public preview and barely used?

6 years support
Secured-core for Surface FOR BUSINESS (no, Surface for consumers, aka Surface, is not Secured-core)
Project Mu

1 Like

Yes, but when Win32 app isolation is out of preview it’ll be a HUGE security feature, as you can isolate nearly every Win32 app by yourself. I do not know if you can isolate every traditional app on Linux. Afaik for macOS, the only thing you can do to improve app sandboxing is to only install apps from the Mac App Store (or use the deprecated sandbox-exec command).

this answer of mine may be helpful too

I think you can. I’m still not sure on the specifics (see my question on this topic), but it can be done with some combination of Firejail, Bubblewrap, and/or AppArmor.

After some searching I cannot find any related claim made by Dell, HP or Lenovo.

There are some additional suggestions. Currently I do not have a GitHub account so I cannot submit a PR.

  1. Use a Secured-core device with timely firmware support. My personal recommendation is the Surface for Business series.
  2. Turn on Smart App Control. If you have privacy concerns, skip this and use WDAC instead.
  3. Configure BitLocker to use TPM+PIN, a long PIN length and 256-bit encryption.
  4. Disable Microsoft account.
  5. Only update drivers through Windows Update or official websites. Avoid software like GeForce Now.
  6. Do not show the username on the lock screen.
  7. Use a YubiKey as the local account 2FA method.
  8. Turn off these telemetry settings. 1 2 3
  9. Enable complete mitigations for side-channel attacks. Also this.
  10. These settings to improve security. 1 2 3 4 5
4 Likes
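The scriptable parts of the list above (items 2, 3, 4, 6, 8 and 9), as an added PowerShell example that is not from the poster or the guide. It sets the registry values that back the corresponding Group Policy settings on Windows 10/11 Pro or Enterprise (BitLocker is not available on Home, and the telemetry level 0 is only honored on Enterprise/Education), then turns on BitLocker with a TPM+PIN protector and XTS-AES-256. The OS drive letter, the 12-character minimum PIN length and the side-channel override values (taken from Microsoft KB4073119 as I recall them; check the current article) are assumptions to review before running. Items 5 and 7 (driver sources, YubiKey sign-in) are not policy settings and are not covered.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's own code. Run in an elevated PowerShell, reboot afterwards.
$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    # Writes a REG_DWORD policy value, creating the key if it does not exist yet.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- Item 2: Smart App Control can only be checked here, not turned on.
# Once it is Off it needs a clean install to come back, so report the state.
$ci  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
$sac = switch ($ci.VerifiedAndReputablePolicyState) { 1 {'On'} 2 {'Evaluation'} default {'Off (use WDAC instead)'} }
Write-Host "Smart App Control: $sac"

# --- Item 3: BitLocker policy: TPM+PIN required, long PIN, XTS-AES-256.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Set-PolicyValue $fve 'UseAdvancedStartup' 1   # "Require additional authentication at startup"
Set-PolicyValue $fve 'EnableBDEWithNoTPM' 0   # no TPM, no BitLocker
Set-PolicyValue $fve 'UseTPM'             0   # 0 = do not allow TPM-only
Set-PolicyValue $fve 'UseTPMPIN'          1   # 1 = require TPM+PIN
Set-PolicyValue $fve 'UseTPMKey'          0
Set-PolicyValue $fve 'UseTPMKeyPIN'       0
Set-PolicyValue $fve 'MinimumPIN'         12  # assumption: 12-char minimum (policy range is 4..20)
Set-PolicyValue $fve 'UseEnhancedPin'     1   # allow letters and symbols in the PIN
Set-PolicyValue $fve 'EncryptionMethodWithXtsOs'  7   # 7 = XTS-AES 256 for OS drives
Set-PolicyValue $fve 'EncryptionMethodWithXtsFdv' 7   # fixed data drives
Set-PolicyValue $fve 'EncryptionMethodWithXtsRdv' 4   # 4 = AES-CBC 256; XTS is not readable on older Windows

$osDrive = 'C:'   # assumption: adjust to your system drive
if ((Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus -eq 'Off') {
    $pin = Read-Host -AsSecureString "BitLocker startup PIN (at least 12 characters)"
    # -TpmAndPinProtector cannot be combined with a recovery password in one call,
    # so the recovery protector is added separately below.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
    # The recovery password is what you need when TPM measurements change
    # (firmware update, boot-order change): print it once and store it offline.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# --- Item 4: "Accounts: Block Microsoft accounts" = 3 (cannot add or sign in with one).
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue $sys 'NoConnectedUser' 3

# --- Item 6: hide account names at sign-in and on the lock screen.
Set-PolicyValue $sys 'DontDisplayLastUserName' 1   # "Do not display last signed-in"
Set-PolicyValue $sys 'DontDisplayLockedUserId' 3   # 3 = do not display user information when locked

# --- Item 8: telemetry to the lowest level the edition allows.
# 0 = Security is honored on Enterprise/Education; Pro and Home fall back to Required (1).
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry' 0

# --- Item 9: speculative-execution mitigations (assumption: values per KB4073119).
# 8 with mask 3 enables Spectre v2, Meltdown and SSBD mitigations; the KB lists
# 8264 for the additional MDS/TAA mitigations, which also disables hyper-threading.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-PolicyValue $mm 'FeatureSettingsOverride'     8
Set-PolicyValue $mm 'FeatureSettingsOverrideMask' 3

Write-Host "Done. Reboot, then verify with: Install-Module SpeculationControl; Get-SpeculationControlSettings"
```

After the reboot, `Get-BitLockerVolume C: | Select-Object EncryptionMethod, KeyProtector` should show XtsAes256 with a TpmPin and a RecoveryPassword protector, and the SpeculationControl module reports which hardware mitigations are actually active (the registry override only asks for them; the CPU microcode decides what is available).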