Sure, BrowserGap is a remote browser isolation product. RBI means accessing the public internet through a browser that runs in the cloud, rather than through a browser that runs on your device. This helps protect you from attacks on the web.
Wow, that's awesome! Seems like it opens a lot of powerful possibilities.
I am a pretty technical person but also didn't know (and couldn't find) info on what RBI is and how it can be used - would love to see this information highlighted on GH and the website.
And, if you're interested, read on for more detail.
It works by providing a thin client over the web that you connect your regular browser to. The thin client provides an interface to a remote browser that you interact with to browse the public internet.
This is significant because the internet is a cesspool of attacks. Malware, ransomware, viruses, tracking, exploited PDFs, ways to deliver device zero days over the web, browser zero days. All these things can lead to the security of your device and network being compromised, causing significant inconvenience, distress and loss for you.
BrowserGap and the RBI methodology acknowledge that not all threats can be detected and neutralized (such as by virus scanners). In order to face that reality, RBI adopts an "isolation" posture towards threats, effectively isolating them in the remote machine and preventing them from reaching your device.
With BrowserGap, in order to render the content of a web page, the only thing we send to your device from the remote page is pixels. So no HTML, CSS, JavaScript, etc. from your browsing is ever executed on your device.
Cloud-based internet isolation is another name for this security practice and it is an emerging industry. Symantec recently acquired a company in this space, and Menlo Security was awarded[2] an agreement to build a CBII prototype for DISA, after a June 2018 request for RBI solutions that could eventually serve 60% of DoD's ~3 million users[0][1].
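As an added illustration (not BrowserGap's code; the message layout and function names are assumptions), here is the boundary the pixels-only model above implies: the thin client accepts only JPEG/WebP frames from the remote side and sends back only a fixed set of input events, so no markup or script from the remote page is ever handed to the local rendering engine.

```python
import json

# Assumed message shapes for this example; not BrowserGap's protocol.
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG SOI marker followed by the next marker prefix
ALLOWED_EVENTS = {"mousemove", "mousedown", "mouseup", "keydown", "keyup", "scroll"}
NUMERIC_FIELDS = {"x", "y", "dx", "dy", "button"}


def is_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def is_webp(data: bytes) -> bool:
    # WebP lives in a RIFF container: "RIFF" <4-byte size> "WEBP"
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def accept_frame(data: bytes) -> bool:
    """Remote -> client. The only thing the thin client will draw is a bitmap.
    Anything that is not a JPEG or WebP image (HTML, CSS, script, a PDF) is
    dropped before it can reach the local browser's rendering engine."""
    return is_jpeg(data) or is_webp(data)


def encode_event(kind: str, **fields) -> bytes:
    """Client -> remote. Only whitelisted input events with a fixed shape are
    forwarded; free-form strings (clipboard text, file contents) are refused."""
    if kind not in ALLOWED_EVENTS:
        raise ValueError(f"event type not allowed: {kind}")
    msg = {"type": kind}
    for name, value in fields.items():
        numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
        if name in NUMERIC_FIELDS and numeric:
            msg[name] = value
        elif name == "key" and isinstance(value, str) and len(value) <= 16:
            msg[name] = value
        else:
            raise ValueError(f"unexpected field {name!r} for {kind}")
    return json.dumps(msg, separators=(",", ":")).encode()


if __name__ == "__main__":
    # Constructed sample inputs: a JPEG header and an HTML document.
    print(accept_frame(b"\xff\xd8\xff\xe0" + b"\x00" * 16))      # True
    print(accept_frame(b"<html><body>hello</body></html>"))       # False
    print(encode_event("mousedown", x=10, y=20, button=0))
```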
I mean, in theory the web is a cesspool of malware, but with reasonably good content blocking (I’m not even in the completely-disable-JS crowd) and conscious avoidance of shady sites, I managed to pretty easily stay clear of all attacks so far, at least over the past decade.
Those way more paranoid than me still have the option of using local VMs/containers without too much compromise. Then the attacker really needs an exceptional exploit chain to escape all the way; it’s hard to imagine any group blowing such a valuable chain on a drive-by.
So, why would anyone sacrifice the ability to interact with text, resolution, color accuracy, frame rate, etc. to reduce the minuscule chance of drive-by attacks (assuming otherwise reasonable opsec)? Extremely high value targets?
But then, why would extremely high value targets trust a MITM? (Self-hosting apparently changes that to some extent.) Also, even if you run your browser in the cloud, that browser could still be hacked and leak sensitive information or actively modify traffic, no? So this isn’t even bulletproof for high value targets.
I'll tell you the value of this software. I can build software for non-prod environments and allow my developers/testers access. For instance, with WordPress, domains are hardcoded into the database, leaving you with risky sed commands against mysqldumps. With this I can launch WordPress into its own environment where www.foobar.com resolves but I can run all dev code there.
I currently use a proxy and have instructions on how to use FoxyProxy to access each env's environment. This will provide for a much nicer UX where you simply click a link and you're brought to a virtual tab in that env. I'm sure some things will break, so the proxy is a backup, but for 90% of our work I think this is amazing!
Solves any app problem where you have the same hostname per environment.
> sacrifice the ability to interact with text, resolution, color accuracy, frame rate, etc.
it’s very much an understatement... Pretty sure your devs/testers won’t appreciate the experience. Frontend devs in particular can’t possibly work with this.
I fail to see why it’s hard for you to spin up (possibly gated) dev/staging instances; certainly much easier and much less resource intensive than something like this.
Anyway, your use case only makes sense when the code can be self-hosted, but apparently this product / product category has customers before the source is opened up, and that’s what I’m curious about.
Customer base is people and organizations who are having problems with malware and cyber attacks.
> Have you tried using this? When I said
> sacrifice the ability to interact with text, resolution, color accuracy, frame rate, etc.
> it’s very much an understatement... Pretty sure your devs/testers won’t appreciate the experience. Frontend devs in particular can’t possibly work with this.
I totally agree the image quality can be much improved. So I'm really sorry you had this experience today trying it out!
Would you be unwilling to mail me cris@dosycorp.com and I can contact you if and when I have image improvements to share?
Initially, I used JPEG for all clients, then for clients with browsers that support WebP (Chrome) I switch on WebP since the quality increase is a LOT (but WebP in FF looks pixelated, so I hope I can find a way around that), even though the bandwidth is the same.
For Safari and iOS the quality is on JPEG. It sounds like it has sacrificed the ability to interact with text, resolution, color accuracy and frame rate, etc. I'm really sorry about this.
Some people seem okay to roll RBI out in a test deployment, without the code being open-sourced. I can't speak directly for them, but I assume that Symantec (who bought FireGlass Browser), Menlo, WEBGAP, Light Point, Ericom, Authentic8, Citrix all have some customers even though they are not OSS. I think that, often, as long as the contract provides the ability to examine the code if required (due diligence) even without publishing it openly, sales happen.
It sounds like you're unfamiliar with RBI, is that right? This is still an emerging industry so it makes sense to me that even if you are in security you are unfamiliar with RBI.
Appreciate the detailed response. Over the past few years I've seen a couple of similar remote browser services and was curious who actually needs it, glad you shared firsthand knowledge.
Now I can see that while this would probably be overkill for security-conscious individuals, it might make sense for organizations because there are always employees who can be easily tricked into clicking anything. I do wonder whether it's more effective and productive to instead enforce host-based blocking + browser-level content blocking + lightweight virtualization (like Windows Sandbox? Not sure how well it works since I'm a Mac user for the most part), but I'm in no position to evaluate for organizations.
Having checked Symantec's website, they seem to advocate falling back to a remote browser when the site is potentially risky, which sounds reasonable.
> then for clients with browsers that support WebP (chrome) I switch on WebP since the quality increase is a LOT
Yeah, I first tried the service on my iPad Pro, image quality was terrible. I have since tried it again in desktop Chrome and it's definitely passable. That's unfortunate.
Anyway, I'm probably not in the target market, but best of luck to your business.
Interesting hearing you know about RBI. Did you evaluate any of the other services? What did you feel about them?
I definitely think the approach you say (host level blocking, content blocking and some lightweight virtualization, like Edge/Windows Sandbox, or a local VM) is a valid one that reduces risks.
I think it comes down to considering, when attacks inevitably occur, where do you want to be doing the cleanup? Zapping a few containers, or instances in the cloud and starting them fresh, or decontaminating the local machines and network?
Sorry about the typo (in my comment below)! I couldn't edit it past the edit horizon. I meant,
> Genuinely curious: who's your customer base?
Anyway, thank you so much for being interested in this product, especially for helping make the space for me to speak about the type of customer, the risks they face, and their reasons for adopting BrowserGap. I really appreciate your time on this!
At my 30 second glance I saw both problems and solutions with using it. But if we didn’t use software based on problems, we wouldn’t get anywhere :) It’s open source so my mind is leaning toward cracking it open and fixing the shortcomings for the use case.
Thanks for this feedback, you make some great points which I really appreciate you taking the time to make. And your experience of being malware free is mostly my experience as well.
It sounds like with reasonably good content blocking a person can avoid all attacks, and it looks like using local VMs/containers means the attack needs an exceptional exploit chain to escape all the way, and it's hard to imagine any target being caught in a drive-by.
I agree. Also, internet-based attacks are a real problem for many businesses and organizations. For example, in 2016 the Singapore government mandated that RBI had to be used because of ongoing attacks.[0]
How can it both be true that most people avoid any attacks whatsoever (and therefore that most simple measures are sufficient) while at the same time, malware is a real industry inflicting real damage on organizations?
I think of malware as an "industry" and as a collection of "criminal enterprises", and from that viewpoint the malware industry has certain goals and markets it seeks to penetrate. If you don't find yourself in one of those target groups, that's a good thing. If you do, then you probably are already exploring RBI or CBII to some extent.
So your logic is correct and it looks like you are simply not in the target group.
At the same time, I think categorizing the only victim of web-based malware that can benefit from RBI/CBII as "extremely high value targets" is misleading. Perhaps the finance department in a Fortune 500 company is an "EHVT", but there's a lot of web-based attacks that succeed at targeting businesses and organization units of many different sorts, and the costs inflicted are significant and important, not just to "EHVTs".
Your concern about trust and the cloud is valid, and perceptive, as is the solution you propose (self-hosting). Self-hosting is indeed the right choice for many. That's one reason I think OSS has a role to play in RBI/CBII.
Even if the security is not significantly enhanced over a content blocker, tracking using JS will be much harder (assuming the cloud device is randomized in some way).
Question: why have the protocol based on pixels when you could use vanilla CSS and HTML? Like SSR, you could render the page with JS remotely and capture the live HTML/CSS render to display. Of course, this process would be tricky as you'd also have to look for iframes and bake out their renders too. While much more complex, it would be far more efficient than sending back a pixel video stream.
It's too complicated. The complexity in the code leads to more opportunities for bugs and exploits and more maintenance cost. Also it breaks the isolation model since you can do all sorts of crazy exploits just with HTML and CSS (animation event listeners for XSS etc).
I investigated this path after PoCing the original (you can see the code in a directory plugins/appminifier and public/voodoo/src/plugins/appminifer, I think) but there's all sorts of interaction issues that arise when you attempt to filter the HTML in this way.
Efficient in terms of what? Bandwidth, from a certain point of view, but you lose the "source of absolute truth" that a screenshot is, and at the cost of interaction quirks. Also, not necessarily CPU efficient, as you have to do a lot of bookkeeping to transmit events to the right places and keep the local tree in sync with the remote tree.
The main reason I avoided it was the security holes introduced by breaking the strict isolation model of pixels, and the complexity.
You're welcome to fork and improve on the work begun in appminifier! If you go down that path, just know, there be dragons, and good luck!
The entire point of this project is to bypass the browser rendering engine locally and risk exposing all of its bugs, zero days, vulnerabilities, tracking etc. If you would be just copying HTML, that would give you a regular old proxy server. This project is about security, not just hiding the IP address.
> it would be far more efficient than sending back a pixel video stream
Yes it would also deliver back exactly all the vulnerabilities to you that this project was specifically made for protecting against... Are you sure you have read its description? The whole point is to do dumb pixels that can't be exploited.