
Show HN: Open-source isolated browser, free for journalists etc. - win66
https://github.com/dosyago/BrowserGap
======
oefrha
This will definitely be brought up, so why not from me: this is not open
source by Open Source Definition standards.[1] You're free to sell your builds
as commercial, but if I can't compile the source code myself and use it at my
workplace (assuming I'm not a journalist or any other type of listed free-to-
use professional) then you're discriminating against fields of endeavor.

[1] [https://opensource.org/osd](https://opensource.org/osd)

~~~
oefrha
Replying to a now flagged and dead comment, as it's a common sentiment
expressed in a rude way, and the sentiment deserves a reply:

> I'm sick of self-proclaimed "orgs" (with unclear sponsorship) or SJWs
> claiming ownership of commonly used terms.

This is revisionist history. OSI was formed and OSD was published in February
1998 immediately after the term "open source" was proposed, and OSD was
largely based on Debian Free Software Guidelines which predates the
term.[1][2] So the term only became popular after the "self-proclaimed org"
formed and popularized it. The OSD clearly predates any so-called open source
abuse, and AFAIK it was never revised due to some sort of corporate
sponsorship.

You can coin your own term and try to popularize it. FSF has their free
software (well, that's actually a weak claim on a broad term) and libre
software (much better). You can also get behind some weird term like "Open
Source with Commons Clause", or just use another commonly used term, "source
available" (which, granted, spans a pretty wide range on the restrictiveness
spectrum, so definitely not ideal).

Meanwhile, many of us get annoyed when commercial products try to reap the
marketing benefits of open source but do not grant the rights we've come to
expect from the term. This particular case isn't even subtle like the Commons
Clause.

[1] [https://opensource.org/history](https://opensource.org/history)

[2] [https://en.wikipedia.org/wiki/History_of_free_and_open-sourc...](https://en.wikipedia.org/wiki/History_of_free_and_open-source_software#The_launch_of_Open_Source)

~~~
mehrdadn
I feel like the fact that their very first sentence [1] has to say this:

> Open source doesn't just mean access to the source code.

is pretty good evidence they themselves are to blame for poorly picking the
terminology. You can't really fault people for assuming words mean what they
say and not going back to check the etymology. Consider it a special case of
designing intuitive UIs. Which is something many pieces of software
(especially open-source software...) don't do particularly spectacularly.

It's kinda like picking your site to be called "Hacker News" and then yelling
at people for thinking that's where the hackers that broke into their
computers got their news. The associated trouble and confusion is the price
you decided to pay in exchange for picking a cool (but misleading) name.

[1] [https://opensource.org/osd](https://opensource.org/osd)

~~~
bhickey
This isn't a compelling argument. No one says "free software" is bad branding
because you're implored to "think free as in free speech, not free beer."

~~~
mehrdadn
I imagine they didn't start using "libre" due to a sheer lack of problems with
"free".

> The loan adjective "libre" is often used to avoid the ambiguity of the word
> "free" in English language, and the ambiguity with the older usage of "free
> software" as public-domain software.

[https://en.wikipedia.org/wiki/Free_software#Naming_and_diffe...](https://en.wikipedia.org/wiki/Free_software#Naming_and_differences_with_Open_Source)

------
enriquto
> Sure, other companies might have bigger brands and bigger sales budgets, but
> this is open-source.

No, it's not. They are deliberately misusing a well-established term and they
deserve to be called out for that. This is extremely antagonizing and it is
impossible to take the rest of the project seriously when it is presented that
way. The same thing happened when zoom said that their program did "end-to-end
encryption", while it didn't; it was a great project, but tainted by a callous
and misleading usage of terminology.

------
techntoke
Here is an open source way to do this yourself:

    # Dockerfile
    # Alpine base image with Node. Chromium comes from Alpine's own package,
    # puppeteer-core drives that system Chromium (no second browser download),
    # and noVNC (only in the edge/testing repo) serves the screen over
    # WebSockets. Everything here runs as root; add a USER line before
    # exposing it.
    FROM node:alpine3.12
    RUN apk add --no-cache chromium \
     && yarn add puppeteer-core \
     && apk add \
          --no-cache \
          --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing \
          novnc

~~~
erk__
You can also do it with jails on FreeBSD: [https://honeyguide.eu/posts/pot-throwaway-firefox/](https://honeyguide.eu/posts/pot-throwaway-firefox/)

~~~
win66
I appreciate you sharing that, thanks! On here I set up the restrictions using
user accounts and groups, iptables, cgroups and some monitoring of CPU and
memory, with cpulimit and pkill for excessive use. Sort of like a lightweight
"container" for each browser process.

In other words, each chrome process runs in its own user-space (a no-login
user which exists only for the duration of the session), which has cpu and
memory limits thanks to cgroups, bandwidth limits and restrictions thanks to
iptables, and disk and browser cache limits thanks to chrome command-line
flags.
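The per-session setup described in the comment above (a throwaway no-login user, cgroup limits, iptables rules on that user, Chromium cache flags, pkill on teardown), written out as an added example. This is not BrowserGap's code: the session-id format, usernames, limits, cgroup v2 paths, the blocked address ranges and the hashlimit byte-rate syntax are all assumptions of this example. `plan_session()` only builds data you can inspect; `apply_plan()` runs it and needs root.

```python
#!/usr/bin/env python3
"""Per-session browser sandbox planner (added example, not BrowserGap's code).
A throwaway user per session, cgroup v2 cpu/memory limits, iptables OUTPUT
rules keyed on that user's UID, and Chromium cache flags. All names, limits
and paths below are assumptions of this example."""
from __future__ import annotations

import os
import re
import subprocess
from dataclasses import dataclass

SESSION_ID_RE = re.compile(r"^[a-z0-9]{6,12}$")  # assumption: shape of a session id
CGROUP_ROOT = "/sys/fs/cgroup"                   # cgroup v2 unified hierarchy
CPU_PERIOD_US = 100_000                          # period half of cpu.max


@dataclass(frozen=True)
class SessionLimits:
    cpu_percent: int = 50        # share of one core, enforced through cpu.max
    memory_mb: int = 512         # memory.max
    disk_cache_mb: int = 64      # Chromium --disk-cache-size / --media-cache-size
    egress_rate: str = "1mb/s"   # assumption: hashlimit accepts byte rates on this iptables


def session_user(session_id: str) -> str:
    """Throwaway username; the id is validated so it cannot carry shell or iptables syntax."""
    if not SESSION_ID_RE.match(session_id):
        raise ValueError(f"bad session id: {session_id!r}")
    return f"bg-{session_id}"


def cgroup_writes(user: str, limits: SessionLimits) -> list[tuple[str, str]]:
    """(file, value) pairs: cpu.max is 'quota period' in microseconds, memory.max is bytes."""
    if not 1 <= limits.cpu_percent <= 100:
        raise ValueError("cpu_percent must be between 1 and 100")
    cg = f"{CGROUP_ROOT}/{user}"
    quota = CPU_PERIOD_US * limits.cpu_percent // 100
    return [(f"{cg}/cpu.max", f"{quota} {CPU_PERIOD_US}"),
            (f"{cg}/memory.max", str(limits.memory_mb * 1024 * 1024))]


def iptables_rules(user: str, limits: SessionLimits) -> list[list[str]]:
    """OUTPUT-chain rules selected by the session UID (the owner match only exists there)."""
    base = ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", user]
    # A page loaded in the remote browser must not be able to reach the host's
    # cloud metadata endpoint or private networks through that browser.
    blocked = ["169.254.169.254/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    rules = [base + ["-d", cidr, "-j", "REJECT"] for cidr in blocked]
    rules.append(base + ["-m", "hashlimit", "--hashlimit-name", user,
                         "--hashlimit-mode", "srcip", "--hashlimit-above",
                         limits.egress_rate, "-j", "DROP"])
    return rules


def chrome_argv(user: str, limits: SessionLimits) -> list[str]:
    """Launch Chromium as the session user with its on-disk cache bounded by flags."""
    cache = limits.disk_cache_mb * 1024 * 1024
    return ["runuser", "-u", user, "--", "chromium",
            f"--user-data-dir=/tmp/{user}",
            f"--disk-cache-size={cache}", f"--media-cache-size={cache}"]


def plan_session(session_id: str, limits: SessionLimits = SessionLimits()) -> dict:
    """Everything needed to bring a session up and tear it down, as plain argv lists."""
    user = session_user(session_id)
    rules = iptables_rules(user, limits)
    return {
        "user": user,
        "create": ["useradd", "--system", "--no-create-home",
                   "--shell", "/usr/sbin/nologin", user],
        "cgroup": cgroup_writes(user, limits),
        "iptables": rules,
        "chrome": chrome_argv(user, limits),
        # Teardown mirrors the comment's pkill approach and removes each rule (-A -> -D).
        "teardown": [["pkill", "-u", user]]
                    + [["iptables", "-D"] + r[2:] for r in rules]
                    + [["rmdir", f"{CGROUP_ROOT}/{user}"], ["userdel", user]],
    }


def apply_plan(plan: dict) -> subprocess.Popen:
    """Execute a plan (root only). The child enters the cgroup between fork and exec,
    so Chromium and every process it spawns start inside the limits."""
    if os.geteuid() != 0:
        raise PermissionError("apply_plan needs root")
    cg = f"{CGROUP_ROOT}/{plan['user']}"
    subprocess.run(plan["create"], check=True)
    os.makedirs(cg, exist_ok=True)
    for path, value in plan["cgroup"]:
        with open(path, "w") as f:
            f.write(value)
    for rule in plan["iptables"]:
        subprocess.run(rule, check=True)

    def enter_cgroup() -> None:  # runs in the child after fork, before exec
        with open(f"{cg}/cgroup.procs", "w") as f:
            f.write(str(os.getpid()))

    return subprocess.Popen(plan["chrome"], preexec_fn=enter_cgroup)


if __name__ == "__main__":
    for key, value in plan_session("abc123").items():
        print(key, value)
```

Running the module prints the plan for a sample session without touching the system, which is the form in which a reviewer can check the rule set before anyone runs `apply_plan()`. The metadata-endpoint and RFC 1918 rejects are the part worth keeping even if the rate limit is done elsewhere: they are what stops a page in the remote browser from using the VM's own network position.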

------
gitgud
So it's a browser within your browser running on a remote machine somewhere?

At first glance it seems needlessly complicated, but modern browser
fingerprinting is also incredibly complex. So this might be better than a VPN,
as both the IP and the browser are proxied.

~~~
mr__y
With https over VPN, at least the VPN provider cannot inspect the contents of
your traffic. With a browser running on a remote machine, whoever controls
that machine can. This is better than a VPN only in a scenario where you either
control that machine or fully trust the provider.

~~~
Wowfunhappy
I assumed it was more for security than privacy. Run the Javascript remotely
so your own machine will be (or at least, is more likely to be) protected
from zero-days.

------
Shared404
Super cool looking, and a great idea.

> Get and self-host

This seems like it kind of defeats the purpose though. Is this section just to
prove that it can be done?

edit: This was not meant to be rude. I was just asking if there is another
reason. The reason I listed is more than enough, I was just wanting to learn
more.

~~~
mr__y
Depends on the motivation to use - self-hosted option is of course bad for
privacy, but still good for security - you could use a browser running on a
separate machine, effectively making it a physically isolated sandbox

~~~
DyslexicAtheist
_> self-hosted option is of course bad for privacy, but still good for security_

there are plenty of anonymous hosting services out there in which case it
would be exactly the opposite: "good for privacy, bad for security"

~~~
mr__y
That's a valid point as well. This pretty much results in a privacy vs
security choice: you either run it in infrastructure you fully control at the
loss of privacy, or on some anonymous service, where you could have privacy but
lose the security. Although one could argue that, using an anonymous hosting
service, there's still a risk that whoever is running that infrastructure
could monitor your activity, meaning that effectively you have neither privacy
nor security.

------
js4ever
Super cool, I have just tested with YouTube and it's allowing background audio
playback on mobile because the video continues to play on the server. Audio is
playing on my phone with a 3 sec latency but without hiccups and good enough
quality.

~~~
win66
Thank you :) I thought that would be a cool use case for people (what with
free YouTube not letting you play in the background) but I couldn't find a way
to get lots of people using it.

Feel free to share the word about the free demo.

------
bernardlunn
What do you mean by isolated browser? What is use case?

~~~
Shared404
Webpage -> Remote server running "isolated browser" -> Local Browser

Use case is to protect security by not allowing any arbitrary website code to
run on your local browser, the remote actually renders the webpage and just
sends you pixels -- I think.

Kind of like a proxy on steroids.

~~~
Andrew_nenakhov
Sound more like MitM on steroids.

~~~
Shared404
Thus the self hosted option I was so confused about before.

------
Fnoord
On the live demo, ipleak.net detected my actual OS, resolution, and browser
which I used to run the live demo.

~~~
win66
It passes through your navigator.platform, userAgent and screen dimensions,
from the client you connect with. But this is not necessarily the actual
values of the _machine you run it_ on. So the site you're browsing thinks it
is talking to a browser on, say, an Android phone, but actually it is (in the
live demo anyway) talking to a browser running in a virtual Debian instance in
GCP.

For fun, check out your geolocation. That is _not_ passed through
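The pass-through the author describes above (navigator.platform, userAgent and screen dimensions forwarded from the connecting client, geolocation not forwarded), as an added example that is not BrowserGap's code. It validates a constructed "client hello" against a strict allowlist and turns the surviving fields into Chrome DevTools Protocol commands for the remote Chromium. The hello format, the field limits and the DevTools transport are assumptions of this example; `Emulation.setUserAgentOverride` and `Emulation.setDeviceMetricsOverride` are real CDP methods.

```python
#!/usr/bin/env python3
"""Which client facts a remote browser forwards, and which it drops.
Added example, not BrowserGap's code: the hello format and limits are
assumptions; the two CDP methods used are real."""
from __future__ import annotations

import json
import re

MAX_UA_LEN = 512                                   # assumption: generous upper bound
PLATFORM_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")  # navigator.platform is short ASCII
SIZE_RANGE = range(200, 8193)                      # plausible pixel sizes only

# Constructed sample. geolocation and languages are present precisely to show
# that the allowlist drops them before anything reaches the remote browser.
CLIENT_HELLO = json.loads("""{
  "userAgent": "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.101 Mobile Safari/537.36",
  "platform": "Linux armv8l",
  "screen": {"width": 412, "height": 869},
  "geolocation": {"lat": 37.42, "lon": -122.08},
  "languages": ["en-US", "en"]
}""")


def forwarded_profile(hello: dict) -> dict:
    """Allowlist: exactly three client facts survive, each checked before use.
    Anything else in the hello (geolocation included) is simply not copied."""
    ua = hello.get("userAgent")
    if not isinstance(ua, str) or not 0 < len(ua) <= MAX_UA_LEN or not ua.isprintable():
        raise ValueError("userAgent missing or malformed")
    platform = hello.get("platform")
    if not isinstance(platform, str) or not PLATFORM_RE.fullmatch(platform):
        raise ValueError("platform missing or malformed")
    screen = hello.get("screen")
    if not isinstance(screen, dict):
        raise ValueError("screen missing")
    width, height = screen.get("width"), screen.get("height")
    if not all(isinstance(v, int) and v in SIZE_RANGE for v in (width, height)):
        raise ValueError("screen size out of range")
    return {"userAgent": ua, "platform": platform, "width": width, "height": height}


def cdp_commands(profile: dict, first_id: int = 1) -> list[dict]:
    """CDP messages that make the remote Chromium report the client's user agent,
    platform and viewport. No geolocation override is issued, so a site asking for
    location gets the hosting machine's answer, matching what the thread observed."""
    mobile = "Mobile" in profile["userAgent"]
    return [
        {"id": first_id, "method": "Emulation.setUserAgentOverride",
         "params": {"userAgent": profile["userAgent"], "platform": profile["platform"]}},
        {"id": first_id + 1, "method": "Emulation.setDeviceMetricsOverride",
         "params": {"width": profile["width"], "height": profile["height"],
                    "deviceScaleFactor": 0, "mobile": mobile}},
    ]


if __name__ == "__main__":
    for msg in cdp_commands(forwarded_profile(CLIENT_HELLO)):
        print(json.dumps(msg))
```

The point of doing it as an allowlist rather than a blocklist is that the client controls the hello: a connecting browser can send any field it likes, and only the three the server deliberately reads have any effect on the remote Chromium.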

------
chirau
What exactly is this? I am not sure I get its purpose either. Am I just
opening a browser on a VM somewhere?

------
tarulahsan
Would love to give it a try

~~~
win66
Live demo up now:
[https://start.cloudbrowser.xyz](https://start.cloudbrowser.xyz)

