
Show HN: CloudBrowser – Free 30 Minute Internet Cafe for Secure Browsing - slowenough
https://free.cloudbrowser.xyz
======
peterkelly
How does performing all my browsing on someone else's computer whom I don't
know make me more secure?

~~~
bkdbkd
Exactly. For the slow on the uptake, this takes the entire security problem,
and puts it on some stranger's 'safe' computer.

Totally-Not-A-Surveillance-Organization: "Hey, um. We have this super safe
place where you can do all your top secret need-to-be safe web browsing. Away
from all those prying eyes. Yep, super safe, here. Right here."

~~~
slowenough
These are excellent points thank you for bringing them to everybody's
attention.

I'm a little shocked that people haven't brought this up until now. This is
one of the main security issues that the BrowserGap on premise solution is
built to address.

With on-premise self-hosting you can transfer the trust issue from our
cloud-based system to your own private cloud or data center.

I'm not sure if all browser isolation vendors offer hybrid or on-premise
solutions but I think most do. Menlo, Symantec, WEBGAP, LightPoint,
Authentic8.

~~~
bkdbkd
Ah, an on-premise solution is something entirely different. Moving a group of
users' security problem to a controlled machine could be useful. Setting
phasers to laser pointer mode.

------
tallanvor
I don't get the use-case for this. In other replies, you claim it's protection
against "Ransomware, malware, virii, browser exploits, zero days", but all
people are really doing is trusting you instead of other sites.

Plus, in my experience, ransomware and malware are more often spread through
email attachments and other downloads, not browser exploits or other zero-day
bugs. I'm guessing users can't download through your service, so they're just
going to switch out when they think they need to download something.
--Otherwise you have to take responsibility for scanning the download first
and I doubt you're able to guarantee that you're better at scanning content
than any other anti-virus and malware vendor.

So the only people I can see who might benefit from this tool are those who
have the skills to spin up a VM and perform their risky browsing from there.

~~~
slowenough
This is really great criticism of the business, thank you for this.

I have not given much thought to downloads yet. This will indeed be a
challenge. As you insightfully identify, many businesses are concerned with
remotely rendered email integration, and making downloads safe again.

Positioning as a vertically-integrated supplier is challenging. For instance,
how to compete with Symantec who have their own high quality scanners?

I don't plan to get into the threat detection business. It might be possible
to sell or license to one in the space however. Or to integrate 3rd-party
scanning tech as a first-class part of the product, or offer to build
integrations with a customer's existing SWG solution.

There are no simple answers to these challenges. I look forward to making
something that works to address these concerns.

Edit: This has also given me an idea. If the challenges you pinpoint make it
too hard to compete with the existing RBI suppliers, it might work for
BrowserGap to become a browsing tool for advanced users. Or I could be
overfitting such a model based on the feedback of HN which skews toward
technical specialization.

In any case, please give more feedback if you have it. I appreciate your look
at this.

------
techntoke
This seems silly to me. Who cares that the browser data is scrubbed every 30
minutes. I can scrub my own browser data. Heck, I can securely scrub my own
browser data if I want to or run everything in incognito. I can even run
everything through a VPN where at least I have some sense of privacy, or just
use Tor. The last thing I'd think to want or need is to run a browser remotely
just because I can.

~~~
slowenough
I totally understand it looks silly. You can scrub your own data. You can run
everything through a VPN where at least you have some sense of privacy, or
just use Tor. I get that the last thing you think you'd need is a remote
browser just because you can.

Maybe you don't need one. Also, how much time do you want to invest in your
security?

The main advantage of an isolated remote browser is isolation of the threats
from the public internet away from your own network and device. Ransomware,
malware, virii, browser exploits, zero days; by running your local browser,
you directly expose yourself to that. When you connect to the public internet
through an isolated remote browser, your device is "air gapped" from this.
There are still channels of attack; at the same time, the surface area is
greatly reduced. I think that's a reason remote browser isolation is becoming
more popular as a security practice.

TL;DR - isolation and containment is an effective complement to detection and
neutralization of threats.

At least one part is unclear in the page copy, that the session is only 30
minutes long. A sort of "free public internet cafe" or "library computer"
limit. It reads like the browser you use is reset every 30 minutes. Actually
the browser session only exists for 30 minutes, after that all data is
scrubbed. If you want to keep going, you open a new browser by clicking on
the icon.

~~~
theamk
But if "Ransomware, malware, virii, browser exploits, zero days" is what you
are worried about, isn't it easier/faster to use local VM instead?

A short script which runs "kvm -readonly ..." (and a second one which does
browser upgrades), and you have exactly the same functionality in the comfort
of your own computer, but much faster, with video support, and not relying on
the security of some remote service you know nothing about.

That said, I can see many other reasons to run a remote browser -- the
zero-setup aspect is pretty useful, and the privacy is better than a local VM as
IP addresses are not shared. It is also a pretty great free proxy, handy when
you are on those annoying networks which block some sites.

~~~
slowenough
I appreciate this argument. I had not thought much about self-hosting with a
couple of shell scripts. If I think back to when I built this, I think I did
it because I wanted that, but I could not find a way to do it. In your
solution, how would you stream the browser view to the client? Could you
support mobile clients? Would they need to download special software?

Also, it might be easier and faster, but that sometimes comes as a trade-off
with security. It's far easier and faster to just use a regular consumer
browser on your device, but you get those risks.

Personally, I would feel a large amount of risk running a local VM versus a
cloud hosted one. A local VM (sans Tor, sans proxy) would expose my IP, which
could still be targeted. The VM could be escaped, I think more readily than a
cloud machine. At the same time, I do think that a local isolated server would
be a great option if you want to self-host, rather than doing that in the
cloud. This is definitely something BrowserGap does.

~~~
theamk
"kvm" is just a command-line virtualization tool (think Parallels or VMWare
Player or Virtualbox). So:

- I would not "stream the browser view to client", I'd use default display
driver for the virtual machine (I think kvm uses SDL by default). kvm also
provides VNC interface, if you want to run it remotely, but running it
remotely will increase the latency.

- It does not support _any_ clients, including mobile ones. You are not
running a client/server setup, you are running virtual machine directly on
your desktop/laptop.

- Yes, you need to download special software. This is a local-only solution.

IP exposure is a real risk, but I'd say it is a privacy risk, not a security
one. There are scanners scanning IP address space non-stop; if your computer
is vulnerable to IP-only attacks, it would be hacked even if you do not go to
any websites at all.

VM escaping is a thing, but the cloud machine runs a VM as well, and it can be
escaped too -- and then user's computer will be attacked via remote screen
connection. So:

If one has 2 exploits: browser escape zero-day + VM-escape zero day, they can
attack either via Cloud machine or via local VM.

But Cloud machine has an additional attack vector: if the infrastructure
itself is compromised, then you instantly lose all secrecy, and open client
computers to remote exploits. And while you can ensure that _your_ laptop is
safe and updated on time, you don't really know much about cloud.

That said, I think both of those are pretty unlikely, so the final decision
should be based on other factors.

------
slowenough
Full disclosure:

I tried to get some chrome experiments
([https://experiments.withgoogle.com/collection/chrome](https://experiments.withgoogle.com/collection/chrome))
to work in this and failed. With the exception of spin-dragging a 3D globe,
everything didn't work.

The most far-out thing I've made work on the cloud browser is Quake 3. In
fact, unless input on the remote page is focused, I do not transmit all key
events (only things like Space, Enter and Tab). But you can look around with
the pointer.

Proof: [https://imgur.com/gallery/SNSoWnW](https://imgur.com/gallery/SNSoWnW)

Or see for yourself. Visit [http://quakejs.com](http://quakejs.com) in the
CloudBrowser and select your options and start. It really does work.

Also, the failure to use WASD motivates me to transmit all key events
regardless of remote page form control focus.

------
AbuAssar
I couldn't pass google captcha, and all urls open a google search.

~~~
slowenough
What makes you say all URLs?

If you put

[https://news.ycombinator.com/](https://news.ycombinator.com/)

in the OmniBox are you getting a Google CAPTCHA?

The server is very busy right now and I don't want to reset it while there are
so many people trying it out. When things quiet down I'll replace the default
search provider in an attempt to avoid these prove-you're-not-a-robot
challenges.

For now if you want to get started with a URL in the address bar you could try
another search provider such as DuckDuckGo:

[https://duckduckgo.com/](https://duckduckgo.com/)

~~~
lowercased
same here - getting captchas, and ... I got put through 7 before I gave up.

~~~
slowenough
This needs to be fixed asap. Right now I have no idea how to do it.

FWIW I consistently get 1 CAPTCHA (usually traffic lights) and pass every
time.

I cannot explain the discrepancy you experience.

Edit: Thinking about this, I think it is related to the User-Agent and
platform pass through. When the load dies down I will test providing the same
UA and navigator platform for all clients.

I have a hunch that one signal CAPTCHA uses is if the UA/platform is different
to the browser.

------
chrisweekly
This makes me think of the web performance power tool WebPageTest^1
(scriptable browsers that run in the cloud, and admin interface to manage
their config, test parameters and reports / results).

^1. [https://webpagetest.org](https://webpagetest.org)

~~~
slowenough
Thanks for the connection.

------
tombh
There's also Browsh's demo services for purely text-based browsing:

[https://html.brow.sh/https://news.ycombinator.com/item?id=21...](https://html.brow.sh/https://news.ycombinator.com/item?id=21373756)

`ssh brow.sh -t https://news.ycombinator.com/item?id=21373756`

They've never really become very popular. No doubt being merely demos and
unpolished doesn't help. Running cloud browsers is expensive though and I've
never made the commitment to scale them without having some way to make money.

------
badrabbit
Dude! I don't care about cookie scrubbing but great idea. Heard of any.run? I
use that a lot but their sessions are a minute long. Will definitely try your
service but I hope you clean up the UI if you want to charge for the service.
I hope you can take in high demand because it's there.

Also: I specifically need a long (30min+) remote browsing session where I can
interact with untrusted content in a specific browser and OS setting (most but
not all of that is offered by any.run), your site is deploying VMs so I can't
check it out now.

~~~
slowenough
Hey Dude! Have not heard of any.run, I appreciate you pointing that out to me!

If you need longer sessions, I'm happy to talk about possibilities with you,
even though it sounds like your use-case is very malware specific and I don't
think we'll support that specifically. Please check out
[https://browsergap.xyz](https://browsergap.xyz) and you can email me from the
link there if interested.

Why do you say clean up the UI? The UI for the browser is OK, and you might
not have seen that yet because it's quite busy. I'm happy to hear feedback
about the browser UI so please go ahead. Here's a video if you can't wait
right now:

[https://www.youtube.com/watch?v=SD0Fhl9v87k](https://www.youtube.com/watch?v=SD0Fhl9v87k)

The UI for the linked site is meant to be a throwback to the 90s when
"browsers" were something new. I like it. I get you don't want to pay for a
service with this UI, that does make sense! You don't have to pay for these 30
minute sessions tho. They are totally free.

It's busy right now so you might have to wait to use it. If it's not too much
trouble to you, you may leave your email at this form I'll write you later to
let you know you can try:

[https://forms.gle/cibEBFcDeUH9jB5M9](https://forms.gle/cibEBFcDeUH9jB5M9)

any.run looks awesome. That (advanced malware investigative capabilities) is
definitely not something this will support tho. Setting the OS/browser as
parameters is also not something that will be supported. I can set you a User
Agent and a navigator platform, yet I think you're saying you need an actual
OS/Browser since it sounds like your requirement is hunting bad code.

~~~
badrabbit
Thank you for the response and best of luck. Regarding the UI I like it and
all but it simply isn't something I can present to others who are not as
technophile as we are. Perhaps making it a CSS theme is better? And yes, I
didn't mean the malware analysis part, I meant similar to urlscan.io -- not for
analysis but to visit possibly harmful sites safely as with a normal browser.

Also, proofpoint isolation is another competitor in this area but for their
own customers.

~~~
slowenough
Hey badrabbit, you mean the UI for the landing page, right? I agree that it
will likely be appreciated by a limited target audience. I'll do a redo of
the UI and make alternate landing pages, and I want to ask your advice on
them.

Also, you said, present to others. That sounds good to me. Do you have an
email address I can reach you at? If it's no trouble for you, please reach me
at the address on the landing page or you can add your email to this form:

[https://forms.gle/3JjphZdDSrHDJoxJA](https://forms.gle/3JjphZdDSrHDJoxJA)

------
inquisitorial
Curious, is the 80Mbps shared among all browser instances?
[https://imgur.com/a/gEIN2Ih](https://imgur.com/a/gEIN2Ih)

~~~
slowenough
Thank you for the cool screenshot! No. Also, the way that network ingress is
allocated here is not something I'm tweaking now. The total ingress on this
service is a lot bigger.

Can I ask how you feel the connection speed is? Laggy, fast or what's your
impression? Also, is it too rude of me to ask what approximate location you
are in?

This service is located in the US.

~~~
thenewnewguy
Not OP, but here's my impression:

Loaded up google.com, got hit with a captcha. Ok, shared IP, fair enough.
However the low resolution made solving the captcha more of a pain than usual.
Also, the recaptcha fade-out thing took significantly longer than normal, like
20-30 seconds waiting watching the fade out animation.

It also "feels" laggy, but mostly because on hover doesn't work because it's
an image and not HTML being rendered in my browser. Page loading is decent,
it's definitely noticeably slower than loading a normal page for me but within
what I'd expect for a web proxy.

Not being able to double/triple click on text boxes or drag to select text was
kinda annoying. Suggestion: maybe add the ability for the browser to have some
popular extensions activated, like uBlock Origin?

Browser: Latest FF (70) / Location: Southern US

~~~
slowenough
That's some great feedback, I really appreciate your time doing that!

I've also found that the captcha is harder with the high image compression.

A tip to avoid the 20 to 30 second fading out, is continuing to move the mouse
or tap the screen. This is because, normally, an increasing delay (exponential
back-off) is used to fetch the next frame in the absence of user events. User
events reset that and fetch the current frame immediately.

It seems like the lack of selection is annoying. And it looks as if this also
breaks common editing interaction affordances in some annoying ways. Including
and not limited to double and triple clicking text controls.

Ad blocks are included. And they do not succeed in blocking everything. I've
hesitated to add ublock origin because of some well-publicized issues with
regards to their relationship with the changing API.

Thank you for the compliment about decent page loading.
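
The frame-polling policy described in the reply above, written out as an added example (this is not CloudBrowser's code). It models the client side: while no user event arrives, the wait before the next screen grab grows geometrically; a mouse move or key press fetches a frame at once and restarts the back-off. The base delay (100 ms), growth factor (2) and cap (30 s) are assumptions; the thread only says the delay is exponential and that user events reset it.

```javascript
'use strict';
// Added example, not CloudBrowser's code: the frame-polling policy the reply
// above describes. Without user input the wait before the next screen grab
// grows geometrically; a user event fetches a frame at once and restarts the
// back-off. The base delay, growth factor and cap are assumptions; the thread
// only says the delay is exponential and that user events reset it.

class FramePoller {
  constructor({ baseMs = 100, factor = 2, maxMs = 30000 } = {}) {
    this.baseMs = baseMs;
    this.factor = factor;
    this.maxMs = maxMs;
    this.idleMs = baseMs; // wait to apply before the next frame request
  }

  // A user event (mouse move, key, tap) arrived: request a frame now
  // (wait 0) and start the back-off over from the base delay.
  onUserEvent() {
    this.idleMs = this.baseMs;
    return 0;
  }

  // A frame arrived with no user event since the previous one: return the
  // wait before the next request, then grow it for the request after that.
  onIdleFrame() {
    const wait = this.idleMs;
    this.idleMs = Math.min(this.idleMs * this.factor, this.maxMs);
    return wait;
  }
}

// Replay a sequence of ticks: 'i' = frame arrived with no input, 'u' = user
// event. Returns the waits (ms) the client would sleep between requests.
function simulate(ticks, opts) {
  const poller = new FramePoller(opts);
  return Array.from(ticks).map((t) =>
    t === 'u' ? poller.onUserEvent() : poller.onIdleFrame(),
  );
}

// Longest a page change can stay invisible to a viewer who has sat idle for
// n frames: the wait that follows the n-th idle frame.
function maxStalenessMs(idleFrames, opts) {
  const waits = simulate('i'.repeat(idleFrames), opts);
  return waits.length ? waits[waits.length - 1] : 0;
}
```

With the assumed constants, `maxStalenessMs(9)` is 25600 ms: a viewer who has watched nine quiet frames can be about 25 seconds behind the remote page, which is the order of the fade-out wait reported in the thread, and why moving the mouse makes the animation render promptly.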

------
slowenough
Edit 2: Server back up.

Edit: I just reset the server at 6:30 PM UTC. It will be down for a few
minutes and back up very soon.

Just a bit of fun: I managed to do an inception. 3 layers deep, and brought
back a screenshot:

[https://imgur.com/a/zyL0eam](https://imgur.com/a/zyL0eam)

I took the shot using the outer most BrowserGap's screenshot context menu
item.

------
erinaceousjones
Keyboard input handling glitched out for me (from firefox 70, linux,
connecting from an academic network with a gigabit link so stuff like input
latency isn't usually a big deal for us). Random key presses were dropped,
some were repeated, it seemed to get stuck on the letter 's' regardless of
what key I pressed after a while

~~~
slowenough
That sounds very annoying!

I'll have a fix for that in future. I've found a work around is to clear the
input field, click outside it, click back inside the empty field, and begin
typing again.

Regarding the lag it might be because the service is located in the US. I
believe you might be in EU/UK.

This small location difference seems insignificant and yet most content is
served over geographically distributed servers, and BrowserGap paid version
uses servers closest to you.

I'm thinking of touring this "free internet cafe" version to other regions,
because the lag caused to people outside the US is actually significant.

If it's no trouble to you, you can add your email and approximate location to
this form

[https://forms.gle/GHDCbDPUrTzB2pyV8](https://forms.gle/GHDCbDPUrTzB2pyV8)

and I can let you know when the service is near you.

------
sdan
Reminds me of mightyapp.com... although neither this nor that works at the
moment :).

~~~
slowenough
Why do you say doesn't work?

~~~
sdan
Getting a

"We're kind of packed and just creating some new browsers now, check back in a
bit."

Error at 8:24 PM PDT.

~~~
slowenough
Ah, okay. That's normal, it just means there are more users than the queue of
waiting browsers. More browsers will open soon, you can try again.

Btw, thanks for the nod to Mightyapp. To be compared to their work is
flattering. What makes you say Mighty doesn't work?

~~~
sdan
Didn't get an invite yet :).

------
slowenough
This is now down (temporarily) to patch an exploit that was responsibly
disclosed. More to follow. I'm sorry for this!

~~~
slowenough
Hey, so it was an interesting couple of hours.

I got a responsible disclosure from a security researcher that metadata about
the application, including an access_token could be accessed from the browser.

This was because the machines were misconfigured (my responsibility) to be
authorized to access different cloud services, as is the default.

This access token authorizes various operations on the cloud infrastructure
provisioned by my account.

It could have been disastrous, because an attacker would have been able to use
the token to spin up many instances and potentially even gain shell access.

According to the activity audit, the token was never used. And there is no
indication of anyone using this to attempt to gain unauthorized access to any
data in the service.

In response to the report I suspended the service immediately, altered the
default configurations for this project to prevent such authorization tokens
being issued. And I deleted the token that was possibly exposed.

The service is now back up.

Also, as the researcher pointed out, the same misconfiguration was identified
as affecting Shopify[0], 18 months ago, tho the effects and exploit path were
different.

[0]:
[https://hackerone.com/reports/341876](https://hackerone.com/reports/341876)
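
The disclosure above is the classic shape of this bug: a browser running on a cloud instance can reach the instance-metadata service, and if the instance was launched with the default credentials attached, those credentials come back in the response. The author's fix (stop issuing the token to the instance at all) is the one that matters. The added example below, which is not CloudBrowser's or BrowserGap's code, shows a second layer a remote-browser host can add: a pre-navigation guard that refuses any URL whose host points at the metadata service, the host's own loopback, or its private ranges, including the rewritten address forms an attacker would use to slip past a naive string match. Assumptions: the addresses are the documented ones for the major providers (the thread does not say which provider was in use), the private-range block suits the deployment, and the guard is wired into whatever request hook the browser host exposes.

```javascript
'use strict';
// Added example, not CloudBrowser/BrowserGap code: a guard for a remote-browser
// host that refuses navigations to the cloud instance-metadata service (and to
// the host's own loopback / private ranges). Assumption: the addresses below
// are the documented ones for the big providers; the thread does not say which
// provider the service ran on.

const METADATA_HOSTS = new Set([
  'metadata.google.internal', // GCP metadata server
  'metadata',                 // GCP short alias
  'instance-data',            // AWS legacy alias
]);

// IPv6 literals to refuse, as the WHATWG URL parser serialises them.
const BLOCKED_IPV6 = new Set([
  '::1',           // loopback
  'fd00:ec2::254', // AWS IMDS over IPv6
]);

// Parse the forms inet_aton accepts (decimal, octal, hex, 1-4 parts, e.g.
// "2852039166", "0xa9fea9fe", "0251.0376.0251.0376", "169.254.43518") into
// an unsigned 32-bit number; return null for anything that is not an IPv4.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0x[0-9a-f]+$/i.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]+$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^(0|[1-9][0-9]*)$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  const last = nums.pop(); // the last part fills all remaining bytes
  if (nums.some((n) => n > 255)) return null;
  const remaining = 4 - nums.length;
  if (last >= 2 ** (8 * remaining)) return null;
  let v = 0;
  for (const n of nums) v = v * 256 + n;
  return (v * 2 ** (8 * remaining) + last) >>> 0;
}

// Does the 32-bit address v fall inside base/prefixLen?
function inRange(v, base, prefixLen) {
  const mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;
  return ((v & mask) >>> 0) === ((base & mask) >>> 0);
}

// Ranges the remote browser must never reach. The private ranges are an
// assumption about the deployment: the browser host's own VPC should not be
// browsable from a public session.
const BLOCKED_IPV4 = [
  ['169.254.0.0', 16, 'link-local (AWS/GCP/Azure metadata service)'],
  ['100.100.100.200', 32, 'Alibaba Cloud metadata service'],
  ['127.0.0.0', 8, 'loopback'],
  ['0.0.0.0', 8, 'this-network'],
  ['10.0.0.0', 8, 'private range'],
  ['172.16.0.0', 12, 'private range'],
  ['192.168.0.0', 16, 'private range'],
].map(([cidr, len, why]) => [parseIPv4(cidr), len, why]);

// IPv4 embedded in an IPv6 literal, in either serialisation.
function mappedIPv4(ip6) {
  let m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip6);
  if (m) return (parseInt(m[1], 16) * 65536 + parseInt(m[2], 16)) >>> 0;
  m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip6);
  return m ? parseIPv4(m[1]) : null;
}

// Classify a hostname as URL.hostname or a proxy CONNECT target gives it.
// Returns a reason string when the host must be refused, otherwise null.
function blockedReason(rawHost) {
  let host = rawHost.trim().toLowerCase().replace(/\.$/, '');
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (METADATA_HOSTS.has(host)) return 'metadata hostname';
  if (host === 'localhost' || host.endsWith('.localhost')) return 'loopback name';
  let v4 = parseIPv4(host);
  if (v4 === null && host.includes(':')) {
    if (BLOCKED_IPV6.has(host)) return 'blocked IPv6 literal';
    v4 = mappedIPv4(host);
  }
  if (v4 !== null) {
    for (const [base, len, why] of BLOCKED_IPV4) {
      if (inRange(v4, base, len)) return why;
    }
  }
  return null;
}

// Decide whether a URL typed into the remote omnibox (or requested by a page
// inside the remote browser) may be fetched at all.
function isNavigationAllowed(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return blockedReason(url.hostname) === null;
}
```

Two caveats a practitioner would want. The check has to run on every request the remote browser makes, not only the typed URL: a public page can redirect to `http://169.254.169.254/`, or load it as a subresource, and a hostname that resolves to the metadata address (DNS rebinding) passes a string check entirely. So the same classification belongs on the resolved address at connect time, and the instance itself should drop traffic from the browser's user to the metadata address at the host firewall. Neither replaces what the author did: with no credentials attached to the instance, a reachable metadata endpoint has nothing worth stealing.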

------
luastoned
Head over to Google, be greeted with ~10 captchas before being able to do
anything.. yikes.

~~~
slowenough
I'm so sorry this happened to you!

I'm afraid I do not know how to solve the CAPTCHA issue.

~~~
aurbano
You'd need to have a way to change your outgoing IP address.

VPN providers probably deal with this all the time, so try reaching out to
them asking for guidance.

~~~
slowenough
That's a great idea, thank you much!

------
terrycody
This is really cool, thank you for bring us this tool!

~~~
slowenough
:)

Thanks a lot for your compliment and I'm happy to hear you think it's cool!

------
jb_s
getting an SSL cert error here..

~~~
slowenough
I'm using Letsencrypt. Perhaps I need to include fullchain.pem. Would it be
trouble for you to share the error you're getting?

In any case, if it's no trouble for you to do so, you can leave your email at
this wait list form and once I update the server later I can let you know!

[https://forms.gle/cibEBFcDeUH9jB5M9](https://forms.gle/cibEBFcDeUH9jB5M9)

~~~
oefrha
I would recommend SSL Lab’s tests:
[https://www.ssllabs.com/ssltest/analyze.html?d=free.cloudbro...](https://www.ssllabs.com/ssltest/analyze.html?d=free.cloudbrowser.xyz&latest)

> This server's certificate chain is incomplete. Grade capped to B.

~~~
slowenough
I'm grateful you pointed this out to me! I'll upgrade the server when the load
lightens a bit later.

------
tomc1985
If "Show HN" is any indication we should all just be running dumb terminals to
connect to someone else's oh-so-generous cloud box.

The 80s called, they want their mainframes back...

~~~
Mo3
Yes. What exactly is the intended purpose of this?

