Show HN: CloudBrowser – Free 30 Minute Internet Cafe for Secure Browsing(free.cloudbrowser.xyz)
free.cloudbrowser.xyz
Show HN: CloudBrowser – Free 30 Minute Internet Cafe for Secure Browsing
https://free.cloudbrowser.xyz
65 comments
How does performing all my browsing on someone else's computer whom I don't know make me more secure?
Exactly. For the slow on the uptake, this takes the entire security problem, and puts it on some strangers 'safe' computer.
Totally-Not-A-Surveillance-Organization: "Hey, um. We have this super safe place where you can do all your top secret need-to-be safe web browsing. Away from all those prying eyes. Yep, super safe, here. Right here."
Totally-Not-A-Surveillance-Organization: "Hey, um. We have this super safe place where you can do all your top secret need-to-be safe web browsing. Away from all those prying eyes. Yep, super safe, here. Right here."
These are excellent points thank you for bringing them to everybody's attention.
I'm a little shocked that people haven't brought this up until now. This is one of the main security issues that the BrowserGap on premise solution is built to address.
With on-premise self-hosting you can transfer the trust issue from our cloud-based system to your own private cloud or data center.
I'm not sure if all browser isolation vendors offer hybrid or on-premise solutions but I think most do. Menlo, Symantec, WEBGAP, LightPoint, Authentic8.
I'm a little shocked that people haven't brought this up until now. This is one of the main security issues that the BrowserGap on premise solution is built to address.
With on-premise self-hosting you can transfer the trust issue from our cloud-based system to your own private cloud or data center.
I'm not sure if all browser isolation vendors offer hybrid or on-premise solutions but I think most do. Menlo, Symantec, WEBGAP, LightPoint, Authentic8.
Ah, an on premise solution is something entirely different. Moving a group of users security problem to a controlled machine could be useful.
Setting phasers to laser pointer mode.
I don't get the use-case for this. In other replies, you claim it's protection against "Ransomware, malware, virii, browser exploits, zero days", but all people are really doing are trusting you instead of other sites.
Plus, in my experience, ransomware and malware are more often spread through email attachments and other downloads, not browser exploits or other zero-day bugs. I'm guessing users can't download through your service, so they're just going to switch out when they think they need to download something. --Otherwise you have to take responsibility for scanning the download first and I doubt you're able to guarantee that you're better at scanning content than any other anti-virus and malware vendor.
So the only people I can see who might benefit from this tool are those have the skills to spin up a VM and perform their risky browsing from there.
Plus, in my experience, ransomware and malware are more often spread through email attachments and other downloads, not browser exploits or other zero-day bugs. I'm guessing users can't download through your service, so they're just going to switch out when they think they need to download something. --Otherwise you have to take responsibility for scanning the download first and I doubt you're able to guarantee that you're better at scanning content than any other anti-virus and malware vendor.
So the only people I can see who might benefit from this tool are those have the skills to spin up a VM and perform their risky browsing from there.
This is really great criticism of the business, thank you for this.
I have not given much thought to downloads yet. This will indeed be a challenge. As you insightfully identify, many businesses are concerned with remotely rendered email integration, and making downloads safe again.
Positioning as a vertically-integrated supplier is challenging. For instance, how to compete with Symantec who have their own high quality scanners?
I don't plan to get into the threat detection business. It might be possible to sell or license to one in the space however. Or to integrate 3rd-party scanning tech as a first-class part of the product, or offer to build integrations with a customer's existing SWG solution.
There's no simple answers to these challenges. I look forward to making something that works to address these concerns.
Edit: This has also given me an idea. If the challenges you pinpoint make it too hard to compete with the existing RBI suppliers, it might work for BrowserGap to become a browsing tool for advanced users. Or I could be overfitting such a model based on the feedback of HN which skews toward technical specialization.
In any case, please make more feedback if you have it. I appreciate your look at this.
I have not given much thought to downloads yet. This will indeed be a challenge. As you insightfully identify, many businesses are concerned with remotely rendered email integration, and making downloads safe again.
Positioning as a vertically-integrated supplier is challenging. For instance, how to compete with Symantec who have their own high quality scanners?
I don't plan to get into the threat detection business. It might be possible to sell or license to one in the space however. Or to integrate 3rd-party scanning tech as a first-class part of the product, or offer to build integrations with a customer's existing SWG solution.
There's no simple answers to these challenges. I look forward to making something that works to address these concerns.
Edit: This has also given me an idea. If the challenges you pinpoint make it too hard to compete with the existing RBI suppliers, it might work for BrowserGap to become a browsing tool for advanced users. Or I could be overfitting such a model based on the feedback of HN which skews toward technical specialization.
In any case, please make more feedback if you have it. I appreciate your look at this.
This seems silly to me. Who cares that the browser data is scrubbed every 30 minutes. I can scrub my own browser data. Heck, I scan securely scrub my own browser data if I want to or run a everything in icognito. I can even run everything through a VPN where at least I have some sense of privacy, or just use Tor. The last thing I'd think to want or need is to run a browser remotely just because I can.
[deleted]
I totally understand it looks silly. You can scrub your own data. You can run everything through a VPN where at least you have some sense of privacy, or just use Tor. I get that the last thing you think you'd need is a remote browser just because you can.
Maybe you don't need one. Also, how much time do you want to invest in your security?
The main advantage of an isolated remote browser is isolation of the threats from the public internet away from your own network and device. Ransomware, malware, virii, browser exploits, zero days; by running your local browser, you directly expose yourself to that. When you connect to the public internet through an isolated remote browser, your device is "air gapped" from this. There's still channels of attack, at the same time, the surface area is greatly reduced. I think that's a reason remote browser isolation is becoming more popular as a security practice.
TL;DR - isolation and containment is an effective complement to detection and neutralization of threats.
At least one part is unclear in the page copy, that the session is only 30 minutes long. A sort of "free public internet cafe" or "library computer" limit. It reads like the browser you use is reset every 30 minutes. Actually the browser session only exists for 30 minutes, after that all data is scrubbed. If you want to keep going, you open a new one browser by clicking on the icon.
Maybe you don't need one. Also, how much time do you want to invest in your security?
The main advantage of an isolated remote browser is isolation of the threats from the public internet away from your own network and device. Ransomware, malware, virii, browser exploits, zero days; by running your local browser, you directly expose yourself to that. When you connect to the public internet through an isolated remote browser, your device is "air gapped" from this. There's still channels of attack, at the same time, the surface area is greatly reduced. I think that's a reason remote browser isolation is becoming more popular as a security practice.
TL;DR - isolation and containment is an effective complement to detection and neutralization of threats.
At least one part is unclear in the page copy, that the session is only 30 minutes long. A sort of "free public internet cafe" or "library computer" limit. It reads like the browser you use is reset every 30 minutes. Actually the browser session only exists for 30 minutes, after that all data is scrubbed. If you want to keep going, you open a new one browser by clicking on the icon.
But if "Ransomware, malware, virii, browser exploits, zero days" is what you are worried about, isn't it easier/faster to use local VM instead?
A short script which runs "kvm -readonly ..." (and a second one which does browser upgrades), and you have exactly the same functionality in the comfort of your own computer, but much faster, with video support, and not relying on the security of some remote service you know nothing about.
That said, I can see many reasons to run remote browser for other reasons -- zero-setup aspect is pretty useful, and the privacy is better than local VM as IP addresses are not shared. It is also a pretty great free proxy, handy when you are on those annoying networks which block some sites.
A short script which runs "kvm -readonly ..." (and a second one which does browser upgrades), and you have exactly the same functionality in the comfort of your own computer, but much faster, with video support, and not relying on the security of some remote service you know nothing about.
That said, I can see many reasons to run remote browser for other reasons -- zero-setup aspect is pretty useful, and the privacy is better than local VM as IP addresses are not shared. It is also a pretty great free proxy, handy when you are on those annoying networks which block some sites.
I appreciate this argument. I had not thought much about self-hosting with a couple of shell scripts. If I think back to when I built this, I think I did it because I wanted that, but I could not find a way to do it. In your solution, how would you stream the browser view to the client? Could you support mobile clients? Would they need to download special software?
Also, it might be easier and faster, but that sometimes comes as a trade-off with security. It's far easier and faster to just use a regular consumer browser on your device, but you get those risks.
Personally, I would feel a large amount of risk running a local VM versus a cloud hosted one. A local VM (sans Tor, sans proxy) would expose my IP, which could still be targeted. The VM could be escaped, I think more readily than a cloud machine. At the same time, I do think that a local isolated server would be a great option if you want to self-host, rather than doing that in the cloud. This is definitely something BrowserGap does.
Also, it might be easier and faster, but that sometimes comes as a trade-off with security. It's far easier and faster to just use a regular consumer browser on your device, but you get those risks.
Personally, I would feel a large amount of risk running a local VM versus a cloud hosted one. A local VM (sans Tor, sans proxy) would expose my IP, which could still be targeted. The VM could be escaped, I think more readily than a cloud machine. At the same time, I do think that a local isolated server would be a great option if you want to self-host, rather than doing that in the cloud. This is definitely something BrowserGap does.
"kvm" is just a command-line virtualization tool (think Parallels or VMWare Player or Virtualbox). So:
- I would not "stream the browser view to client", I'd use default display driver for the virtual machine (I think kvm uses SDL by default). kvm also provides VNC interface, if you want to run it remotely, but running it remotely will increase the latency.
- It does not support any clients, including mobile ones. You are not running a client/server setup, you are running virtual machine directly on your desktop/laptop.
- Yes, you need to download special software. This is a local-only solution.
IP exposure is a real risk, but I'd say it is a privacy risk, not a security one. There are scanners scanning IP address space non-stop; if your computer is vulnerable to IP-only attacks, it would be hacked even if you do not go to any websites at all.
VM escaping is a thing, but the cloud machine runs a VM as well, and it can be escaped too -- and then user's computer will be attacked via remote screen connection. So:
If one has 2 exploits: browser escape zero-day + VM-escape zero day, they can attack either via Cloud machine or via local VM.
But Cloud machine has an additional attack vector: if the infrastructure itself is compromised, then you instantly lose all secrecy, and open client computers to remote exploits. And while you can ensure that your laptop is safe and updated on time, you don't really know much about cloud.
That said, I think both of those are pretty unlikely, so the final decision should be based on other factors.
- I would not "stream the browser view to client", I'd use default display driver for the virtual machine (I think kvm uses SDL by default). kvm also provides VNC interface, if you want to run it remotely, but running it remotely will increase the latency.
- It does not support any clients, including mobile ones. You are not running a client/server setup, you are running virtual machine directly on your desktop/laptop.
- Yes, you need to download special software. This is a local-only solution.
IP exposure is a real risk, but I'd say it is a privacy risk, not a security one. There are scanners scanning IP address space non-stop; if your computer is vulnerable to IP-only attacks, it would be hacked even if you do not go to any websites at all.
VM escaping is a thing, but the cloud machine runs a VM as well, and it can be escaped too -- and then user's computer will be attacked via remote screen connection. So:
If one has 2 exploits: browser escape zero-day + VM-escape zero day, they can attack either via Cloud machine or via local VM.
But Cloud machine has an additional attack vector: if the infrastructure itself is compromised, then you instantly lose all secrecy, and open client computers to remote exploits. And while you can ensure that your laptop is safe and updated on time, you don't really know much about cloud.
That said, I think both of those are pretty unlikely, so the final decision should be based on other factors.
One viable business alternative for this idea (or a fork of it) would be to use it to have 2 people videochating over the browsing session, where both can control the mouse/keyboard, sort of what you can do with TeamViewer but without needing to install anything on either machine; it would be specially good for teaching, maybe even some sort of tabs for the teacher and each tab is a different student shared session.
I totally get it. I've done something like it, browsing via RDP via ssh on a remote VM. A clone, which I can nuke when I'm done.
But it's been on an anonymously leased LUKS-encrypted server, connecting via Tor. Here, I'd need to trust you to actually scrub the data. And to keep others from logging it.
I wouldn't call this silly. As you say, it does protect users from browser-mediated threats. Better than a local VM could. But trust issues ought to at least be mentioned.
But it's been on an anonymously leased LUKS-encrypted server, connecting via Tor. Here, I'd need to trust you to actually scrub the data. And to keep others from logging it.
I wouldn't call this silly. As you say, it does protect users from browser-mediated threats. Better than a local VM could. But trust issues ought to at least be mentioned.
That does sound highly secure. I like your set up. I definitely think there's room to roll this out onto anonymously leased LUKS-encrypted servers, over Tor.
What made you create such a secure setup? And what were the biggest challenges you in this?
I'm just starting this, so I'm using normal cloud servers. Other options I know people are interested in are self-hosting. I really appreciate your suggestion!
What made you create such a secure setup? And what were the biggest challenges you in this?
I'm just starting this, so I'm using normal cloud servers. Other options I know people are interested in are self-hosting. I really appreciate your suggestion!
I just got curious about hardcore "black hat" onion sites. And didn't want to get pwned.
But yes, self hosting. It'd be really cool if you could do something analogous to streisand.
The hardest part was doing RDP via Tor. Latency can get so bad that it's unusable.
But now that I think of it, I've also used remote Transmission nodes via Tor, running the WebGUI as an onion service. So maybe there's a way to access a remote browser as an onion service. There'd still be latency, but with less bits to move, maybe it'd be less problematic.
Edit: I looked at the BrowserGap link, but see no documentation. If I may ask, how does it do remote browser isolation? It's gotta be more than a proxy. But it's also gotta be less than a VPS, given that it's just a URL. Some sort of container, I guess.
And another question. Do you implement ad blocking?
But yes, self hosting. It'd be really cool if you could do something analogous to streisand.
The hardest part was doing RDP via Tor. Latency can get so bad that it's unusable.
But now that I think of it, I've also used remote Transmission nodes via Tor, running the WebGUI as an onion service. So maybe there's a way to access a remote browser as an onion service. There'd still be latency, but with less bits to move, maybe it'd be less problematic.
Edit: I looked at the BrowserGap link, but see no documentation. If I may ask, how does it do remote browser isolation? It's gotta be more than a proxy. But it's also gotta be less than a VPS, given that it's just a URL. Some sort of container, I guess.
And another question. Do you implement ad blocking?
I'm grateful for the technical details in your answer, and the feedback about hard to find docs.
There's a link to a PDF of points that address common questions on the BrowserGap homepage. I believe it addresses your question in quite a bit of depth.
I admit the link could be more prominent, and also that the PDF could be more polished.
Also, ad blocking is included! It blocks alot of ads, and not all.
Do you mind if I ask what sort of UI client did you use for RDP?
There's a link to a PDF of points that address common questions on the BrowserGap homepage. I believe it addresses your question in quite a bit of depth.
I admit the link could be more prominent, and also that the PDF could be more polished.
Also, ad blocking is included! It blocks alot of ads, and not all.
Do you mind if I ask what sort of UI client did you use for RDP?
Thanks. I did see "View our response to Gartner's Remote Browser Isolation Evaluation Factors." but didn't look.
I see that you do use dedicated VPS. And although I'm still a little puzzled by "Interactive Image™ technology", I gather that it's something like RDP. But just for the browser.
I used mainly rdesktop and Remmina.
I see that you do use dedicated VPS. And although I'm still a little puzzled by "Interactive Image™ technology", I gather that it's something like RDP. But just for the browser.
I used mainly rdesktop and Remmina.
Not sure why you’re getting downvoted for your explanation, but I found this comment very useful. I actually just bought an old used server to play around with something like this. I want to build a set of virtual workstations for different functions - making music, surfing the net, reading news - that I can remote into from various devices. This is an interesting project, thanks for sharing!
Hey, you're welcome!
I hadn't thought about why a couple people downvoted that answer. Without thinking about it much my guess is those people value hard technical data over empathic "I see where you're coming from and that's valid. Also, this is what I see there," communication.
In other words, if I'd said, "No, you're wrong, because X, Y and Z," it probably would have gotten upvoted.
I hadn't thought about why a couple people downvoted that answer. Without thinking about it much my guess is those people value hard technical data over empathic "I see where you're coming from and that's valid. Also, this is what I see there," communication.
In other words, if I'd said, "No, you're wrong, because X, Y and Z," it probably would have gotten upvoted.
Full disclosure:
I tried to get some chrome experiments (https://experiments.withgoogle.com/collection/chrome) to work in this and failed. With the exception of spin-dragging a 3D globe, everything didn't work.
The most far-out thing I've made work on the cloud browser is Quake 3. In fact, unless input on the remote page is focused, I do not transmit all key events (only things like Space, Enter and Tab). But you can look around with the pointer.
Proof: https://imgur.com/gallery/SNSoWnW
Or see for yourself. Visit http://quakejs.com in the CloudBrowser and select your options and start. It really does work.
Also, the failure to use WASD motivates me to transmit all key events regardless of remote page form control focus.
I tried to get some chrome experiments (https://experiments.withgoogle.com/collection/chrome) to work in this and failed. With the exception of spin-dragging a 3D globe, everything didn't work.
The most far-out thing I've made work on the cloud browser is Quake 3. In fact, unless input on the remote page is focused, I do not transmit all key events (only things like Space, Enter and Tab). But you can look around with the pointer.
Proof: https://imgur.com/gallery/SNSoWnW
Or see for yourself. Visit http://quakejs.com in the CloudBrowser and select your options and start. It really does work.
Also, the failure to use WASD motivates me to transmit all key events regardless of remote page form control focus.
I couldn't pass google captcha, and all urls open a google search.
What makes you say all URLs?
If you put
https://news.ycombinator.com/
in the OmniBox are you getting a Google CAPTCHA?
The server is very busy right now and I don't want to reset it while there are so many people trying it out. When things quiet down I'll replace the default search provider in an attempt to avoid these prove-you're-not-a-robot-challenges.
For now if you want to get started with a URL in the address bar you could try another search provider such as DuckDuckGo:
https://duckduckgo.com/
If you put
https://news.ycombinator.com/
in the OmniBox are you getting a Google CAPTCHA?
The server is very busy right now and I don't want to reset it while there are so many people trying it out. When things quiet down I'll replace the default search provider in an attempt to avoid these prove-you're-not-a-robot-challenges.
For now if you want to get started with a URL in the address bar you could try another search provider such as DuckDuckGo:
https://duckduckgo.com/
same here - getting captchas, and ... I got put through 7 before I gave up.
This needs to be fixed asap. Right now I have no idea how to do it.
FWIW I consistently get 1 CAPTCHA (usually traffic lights) and pass every time.
I cannot explain the discrepancy you experience.
Edit: Thinking about this, I think it is related to the User-Agent and platform pass through. When the load dies down I will test providing the same UA and navigator platform for all clients.
I have a hunch that one signal CAPTCHA uses is if the UA/platform is different to the browser.
FWIW I consistently get 1 CAPTCHA (usually traffic lights) and pass every time.
I cannot explain the discrepancy you experience.
Edit: Thinking about this, I think it is related to the User-Agent and platform pass through. When the load dies down I will test providing the same UA and navigator platform for all clients.
I have a hunch that one signal CAPTCHA uses is if the UA/platform is different to the browser.
This makes me think of the web performance power tool WebPageTest^1 (scriptable browsers that run in the cloud, and admin interface to manage their config, test parameters and reports / results).
^1. https://webpagetest.org
^1. https://webpagetest.org
Thanks for the connection.
There's also Browsh's demo services for purely text-based browsing:
https://html.brow.sh/https://news.ycombinator.com/item?id=21...
`ssh brow.sh -t https://news.ycombinator.com/item?id=21373756`
They've never really become very popular. No doubt being merely demos and unpolished doesn't help. Running cloud browsers is expensive though and I've never made the commitment to scale them without having some way to make money.
https://html.brow.sh/https://news.ycombinator.com/item?id=21...
`ssh brow.sh -t https://news.ycombinator.com/item?id=21373756`
They've never really become very popular. No doubt being merely demos and unpolished doesn't help. Running cloud browsers is expensive though and I've never made the commitment to scale them without having some way to make money.
Dude! I don't care about cookie scrubbing but great idea. Heard of any.run? I use that a lot but their sessions are a minute long. Will definetly try your service but I hope you clean up the UI if you want to charge for the service. I hope you can take in high demand because it's there.
Also: I specifically need a long(30min+) remote browsing session where I can interact with untrusted content in a specific browser and OS setting (most but not all of that is offered by any.run),your site is deploying VMs so I can't check it out now.
Also: I specifically need a long(30min+) remote browsing session where I can interact with untrusted content in a specific browser and OS setting (most but not all of that is offered by any.run),your site is deploying VMs so I can't check it out now.
Hey Dude! Have not heard of any.run, I appreciate you pointing that out to me!
If you need longer sessions, I'm happy to talk about possibilities with you, even though it sounds like your use-case is very malware specific and I don't think we'll support that specifically. Please check out https://browsergap.xyz and you can email me from the link there if interested.
Why do you say clean up the UI? The UI for the browser is OK, and you might not have seen that yet because it's quite busy. I'm happy to hear feedback about the browser UI so please go ahead. Here's a video if you can't wait right now:
https://www.youtube.com/watch?v=SD0Fhl9v87k
The UI for the linked site is meant to be a throwback to the 90s when "browsers" were something new. I like it. I get you don't want to pay for a service with this UI, that does make sense! You don't have to pay for these 30 minute sessions tho. They are totally free.
It's busy right now so you might have to wait to use it. If it's not too much trouble to you, you may leave your email at this form I'll write you later to let you know you can try:
https://forms.gle/cibEBFcDeUH9jB5M9
Any run looks awesome. That (advanced malware investigative capabilities) is definitely not something this will support tho. Regarding setting the OS/browser as parameters is also not something that will be supported. I can set you a User Agent and a navigator platform, yet I think you're saying you need an actual OS/Browser since it sounds like your requirement is hunting bad code.
If you need longer sessions, I'm happy to talk about possibilities with you, even though it sounds like your use-case is very malware specific and I don't think we'll support that specifically. Please check out https://browsergap.xyz and you can email me from the link there if interested.
Why do you say clean up the UI? The UI for the browser is OK, and you might not have seen that yet because it's quite busy. I'm happy to hear feedback about the browser UI so please go ahead. Here's a video if you can't wait right now:
https://www.youtube.com/watch?v=SD0Fhl9v87k
The UI for the linked site is meant to be a throwback to the 90s when "browsers" were something new. I like it. I get you don't want to pay for a service with this UI, that does make sense! You don't have to pay for these 30 minute sessions tho. They are totally free.
It's busy right now so you might have to wait to use it. If it's not too much trouble to you, you may leave your email at this form I'll write you later to let you know you can try:
https://forms.gle/cibEBFcDeUH9jB5M9
Any run looks awesome. That (advanced malware investigative capabilities) is definitely not something this will support tho. Regarding setting the OS/browser as parameters is also not something that will be supported. I can set you a User Agent and a navigator platform, yet I think you're saying you need an actual OS/Browser since it sounds like your requirement is hunting bad code.
Thank you for the response and best of lucj. Regarding the UI I like it and all but it simply isn't something I can present to others who are not as technophile as we are. Perhaps making it a CSS theme is better? And yes,I didn't mean the malware analysis part,I meant similar to urlscan.io -- not for analysis but to visit possibly harmful sites safely as with a normal browser.
Also, proofpoint isolation is another competition in this are but for their own customers.
Also, proofpoint isolation is another competition in this are but for their own customers.
Hey badrabbit, you mean the UI for the landing page, right? I agree that it will be likely appreciated by a limited target audience. I'll do a re-over of the UI and make alternate landing pages, and I want to ask your advice on them.
Also, you said, present to others. That sounds good to me. Do you have an email address I can reach you at? If it's no trouble for you, please reach me at the address on the landing page or you can add your email to this form:
https://forms.gle/3JjphZdDSrHDJoxJA
Also, you said, present to others. That sounds good to me. Do you have an email address I can reach you at? If it's no trouble for you, please reach me at the address on the landing page or you can add your email to this form:
https://forms.gle/3JjphZdDSrHDJoxJA
Curious, is the 80Mbps shared among all browser instances?
https://imgur.com/a/gEIN2Ih
Thank you for the cool screenshot! No. Also, the way that network ingress is allocated here is not something I'm tweaking now. The total ingress on this service is a lot bigger.
Can I ask how you feel the connection speed is? Laggy, fast or what's your impression? Also, is it too rude of me to ask what approximate location you are in?
This service is located in the US.
Can I ask how you feel the connection speed is? Laggy, fast or what's your impression? Also, is it too rude of me to ask what approximate location you are in?
This service is located in the US.
Not OP, but here's my impression:
Loaded up google.com, got hit with a captcaha. Ok, shared IP, fair enough. However the low resolution made solving the captcha more of a pain than usual. Also, the recaptcha fade-out thing took significantly longer than normal, like 20-30 seconds waiting watching the fade out animation.
It also "feels" laggy, but mostly because on hover doesn't work because it's an image and not HTML being rendered in my browser. Page loading is decent, it's definitely noticeably slower than loading a normal page for me but within what I'd expect for a web proxy.
Not being able to double/triple click on text boxes or drag to select text was kinda annoying. Suggestion: maybe add the ability for the browser to have some popular extensions activated, like uBlock Origin?
Browser: Latest FF (70) / Location: Southern US
Loaded up google.com, got hit with a captcaha. Ok, shared IP, fair enough. However the low resolution made solving the captcha more of a pain than usual. Also, the recaptcha fade-out thing took significantly longer than normal, like 20-30 seconds waiting watching the fade out animation.
It also "feels" laggy, but mostly because on hover doesn't work because it's an image and not HTML being rendered in my browser. Page loading is decent, it's definitely noticeably slower than loading a normal page for me but within what I'd expect for a web proxy.
Not being able to double/triple click on text boxes or drag to select text was kinda annoying. Suggestion: maybe add the ability for the browser to have some popular extensions activated, like uBlock Origin?
Browser: Latest FF (70) / Location: Southern US
That's some great feedback, I really appreciate your time doing that!
I've also found that the captcha is harder with the high image compression.
A tip to avoid the 20 to 30 second fading out, is continuing to move the mouse or tap the screen. This is because, normally, an increasing delay (exponential back-off) is used to fetch the next frame in the absence of user events. User events reset that and fetch the current frame immediately.
It seems like the lack of selection is annoying. And it looks as if this also breaks common editing interaction affordances in some annoying ways. Including and not limited to double and triple clicking text controls.
Ad blocks are included. And they do not succeed in blocking everything. I've hesitated to add ublock origin because of some well-publicized issues with regards to their relationship with the changing API.
Thank you for the compliment about decent page loading.
I've also found that the captcha is harder with the high image compression.
A tip to avoid the 20 to 30 second fading out, is continuing to move the mouse or tap the screen. This is because, normally, an increasing delay (exponential back-off) is used to fetch the next frame in the absence of user events. User events reset that and fetch the current frame immediately.
It seems like the lack of selection is annoying. And it looks as if this also breaks common editing interaction affordances in some annoying ways. Including and not limited to double and triple clicking text controls.
Ad blocks are included. And they do not succeed in blocking everything. I've hesitated to add ublock origin because of some well-publicized issues with regards to their relationship with the changing API.
Thank you for the compliment about decent page loading.
Edit 2: Server back up.
Edit: I just reset the server at 6:30 PM UTC. It will be down for a few minutes and back up very soon.
Just a bit of fun: I managed to do an inception. 3 layers deep, and brought back a screenshot:
https://imgur.com/a/zyL0eam
I took the shot using the outer most BrowserGap's screenshot context menu item.
Edit: I just reset the server at 6:30 PM UTC. It will be down for a few minutes and back up very soon.
Just a bit of fun: I managed to do an inception. 3 layers deep, and brought back a screenshot:
https://imgur.com/a/zyL0eam
I took the shot using the outer most BrowserGap's screenshot context menu item.
Keyboard input handling glitched out for me (from firefox 70, linux, connecting from an academic network with a gigabit link so stuff like input latency isn't usually a big deal for us). Random key presses were dropped, some were repeated, it seemed to get stuck on the letter 's' regardless of what key I pressed after a while
That sounds very annoying!
I'll have a fix for that in future. I've found a work around is to clear the input field, click outside it, click back inside the empty field, and begin typing again.
Regarding the lag it might be because the service is located in the US. I believe you might be in EU/UK.
This small location difference seems insignificant and yet most content is served over geographically distributed servers, and BrowserGap paid version uses servers closest to you.
I'm thinking of touring this "free internet cafe" version to other regions, because the lag caused to people outside the US is actually significant.
If it's no trouble to you, you can add your email and approximate location to this form
https://forms.gle/GHDCbDPUrTzB2pyV8
and I can let you know when the service is near you.
I'll have a fix for that in future. I've found a work around is to clear the input field, click outside it, click back inside the empty field, and begin typing again.
Regarding the lag it might be because the service is located in the US. I believe you might be in EU/UK.
This small location difference seems insignificant and yet most content is served over geographically distributed servers, and BrowserGap paid version uses servers closest to you.
I'm thinking of touring this "free internet cafe" version to other regions, because the lag caused to people outside the US is actually significant.
If it's no trouble to you, you can add your email and approximate location to this form
https://forms.gle/GHDCbDPUrTzB2pyV8
and I can let you know when the service is near you.
Hi just letting you know I think I have fixed (at least a large part of) the typing glitch you reported 3 days ago. Please take a look. I tested in FF 70 on Windows.
Reminds me to mightyapp.com... although neither this or that words at the moment :).
Why do you say doesn't work?
Getting a
"We're kind of packed and just creating some new browsers now, check back in a bit."
Error at 8:24 PM PDT.
"We're kind of packed and just creating some new browsers now, check back in a bit."
Error at 8:24 PM PDT.
Ah, okay. That's normal, it just means there are more users than queue of waiting browsers. More browsers will open soon, you can try again.
Btw, thanks for the nod to Mightyapp. To be compared to their work is flattering. What makes you say Mighty doesn't work?
Btw, thanks for the nod to Mightyapp. To be compared to their work is flattering. What makes you say Mighty doesn't work?
Didn't get an invite yet :).
This is now down (temporarily) to patch an exploit that was responsibly disclosed. More to follow. I'm sorry for this!
Hey, so it was an interesting couple of hours.
I got a responsible disclosure from a security researcher that metadata about the application, including an access_token could be accessed from the browser.
This was because the machines were misconfigured (my responsibility) to be authorized to access different cloud services, as is the default.
This access token authorizes various operations on the cloud infrastructure provisioned by my account.
It could have been disastrous, because an attacker would have been able to use the token to spin up many instances and potentially even gain shell access.
According to the activity audit, the token was never used. And there is no indication of anyone using this to attempt to gain unauthorized access to any data in the service.
In response to the report I suspended the service immediately, altered the default configurations for this project to prevent such authorization tokens being issued. And I deleted the token that was possibly exposed.
The service is now back up.
Also, as the researcher pointed out, the same misconfiguration was identified as affecting Shopify[0], 18 months ago, tho the effects and exploit path were different.
[0]: https://hackerone.com/reports/341876
I got a responsible disclosure from a security researcher that metadata about the application, including an access_token could be accessed from the browser.
This was because the machines were misconfigured (my responsibility) to be authorized to access different cloud services, as is the default.
This access token authorizes various operations on the cloud infrastructure provisioned by my account.
It could have been disastrous, because an attacker would have been able to use the token to spin up many instances and potentially even gain shell access.
According to the activity audit, the token was never used. And there is no indication of anyone using this to attempt to gain unauthorized access to any data in the service.
In response to the report I suspended the service immediately, altered the default configurations for this project to prevent such authorization tokens being issued. And I deleted the token that was possibly exposed.
The service is now back up.
Also, as the researcher pointed out, the same misconfiguration was identified as affecting Shopify[0], 18 months ago, tho the effects and exploit path were different.
[0]: https://hackerone.com/reports/341876
Head over to Google, be greeted with ~10 captchas before being able to do anything.. yikes.
I'm so sorry this happened to you!
I'm afraid I do not know how to solve the CAPTCHA issue.
I'm afraid I do not know how to solve the CAPTCHA issue.
You'd need to have a way to change your outgoing IP address.
VPN providers probably deal with this all the time, so try reaching out to them asking for guidance.
VPN providers probably deal with this all the time, so try reaching out to them asking for guidance.
That's a great idea, thank you much!
This is really cool, thank you for bring us this tool!
:)
Thanks a lot for your compliment and I'm happy to hear you think it's cool!
Thanks a lot for your compliment and I'm happy to hear you think it's cool!
getting an SSL cert error here..
I'm using Letsencrypt. Perhaps I need to include fullchain.pem. Would it be trouble for you to share the error you're getting?
In any case, if it's no trouble for you to do so, you can leave your email at this wait list form and once I update the server later I can let you know!
https://forms.gle/cibEBFcDeUH9jB5M9
In any case, if it's no trouble for you to do so, you can leave your email at this wait list form and once I update the server later I can let you know!
https://forms.gle/cibEBFcDeUH9jB5M9
I would recommend SSL Lab’s tests: https://www.ssllabs.com/ssltest/analyze.html?d=free.cloudbro...
> This server's certificate chain is incomplete. Grade capped to B.
> This server's certificate chain is incomplete. Grade capped to B.
I grateful you pointed this out to me! I'll upgrade the server when the load lightens a bit later.
I recommend hosting using CapRover if you'd like to use LetsEncrypt... the cert process is fully automated.
Thank you for this.
If "Show HN" is any indication we should all just be running dumb terminals to connect to someone elses oh-so-generous cloud box.
The 80s called, they want their mainframes back...
The 80s called, they want their mainframes back...
The 70s called. They want their joke back.