![](virtual_browser.jpeg)

## Secure Remote Browser Concept

### Overview

In this concept, users interact with a secure web application through their web browsers without running JavaScript locally.

Instead, the actual browser logic and JavaScript execution occur in a secure, remote virtual browser hosted in a secure part of a private cloud. This setup provides enhanced security and control, ensuring that users are protected from malicious scripts and other threats.

### Key Components

1. **Client-Side Browser (Local Browser)**

   - **Rendering Only**: The user's local browser is responsible only for rendering content. It draws the user interface using technologies like HTML5 Canvas.
   - **No Local JavaScript Execution**: No JavaScript code runs on the local browser, eliminating the risk of client-side script attacks.

2. **Remote Browser (Virtual Browser)**

   - **Secure Execution Environment**: The remote browser runs within a secure container in the cloud. For example, this could be within the secure network of a bank.
   - **JavaScript Execution**: All JavaScript execution happens in the remote browser. This environment is tightly controlled and monitored.
   - **Context Validation**: Each JavaScript file executed is checked to ensure it originates from the original, built application. This prevents unauthorized or malicious scripts from running.

3. **Session Management**

   - **Ephemeral Sessions**: Each user session is temporary. After a session ends, the context is destroyed and rebuilt for the next session, ensuring a clean state each time.
   - **Session Recording**: Sessions can be recorded, similar to screen CCTV, for auditing and security purposes. This allows for detailed monitoring and review if needed.

4. **Network Service Lists and Mycelium Integration**

   - **Secure Communication**: The connection between the local browser and the remote browser uses end-to-end encryption. The Mycelium overlay network ensures the shortest path and secure, peer-to-peer communication.
   - **Access Control**: Network service lists and group-based access control manage which users can access specific applications, enhancing security and control.

### Example Workflow

1. **User Initiates Connection**

   - The user opens their local browser and navigates to the bank's application URL.
   - The local browser connects to the remote browser hosted in the bank's secure cloud environment.

2. **Remote Browser Setup**

   - A new, secure container is instantiated for the user's session.
   - The remote browser loads the bank's application and validates all JavaScript files.

3. **Rendering in Local Browser**

   - The remote browser executes the JavaScript and sends the rendered output to the local browser.
   - The local browser draws this output on the canvas, providing a seamless user experience.

4. **Session Management**

   - Throughout the session, all interactions are processed by the remote browser.
   - User interactions (e.g., clicks, form submissions) are sent to the remote browser, which processes them and updates the rendered output accordingly.

5. **Session Termination**

   - When the user finishes their session, the remote browser context is destroyed.
   - Any recorded session data is stored securely for auditing purposes.
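The "Context Validation" component above and step 2 of the workflow both come down to an integrity manifest: hash every script at build time, and let the remote browser refuse anything it fetches that is not in the manifest or whose bytes differ. The Python below is an added illustration, not code from this project; `BUILT_APP`, the function names and the sample script contents are constructed for the example, and it assumes the build pipeline can ship such a manifest to the remote browser container.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the bank's built application bundle (path -> bytes).
# In a real build these would be read from the build output directory.
BUILT_APP: Dict[str, bytes] = {
    "app/main.js": b"document.title = 'Secure Bank';",
    "app/vendor.js": b"export function fmt(n) { return n.toFixed(2); }",
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a script's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build time: record the digest of every script that ships with the app.
    The manifest is deployed to the remote browser container, never to the page."""
    return {path: digest(data) for path, data in sorted(files.items())}


def validate_script(manifest: Dict[str, str], path: str, data: bytes) -> Tuple[bool, str]:
    """Load time, inside the remote browser, before a fetched script is executed.
    Returns (allowed, reason). An unknown path and a changed body are both refused,
    so a script added at runtime or altered in transit never runs."""
    expected = manifest.get(path)
    if expected is None:
        return False, f"{path}: not part of the built application"
    actual = digest(data)
    if actual != expected:
        return False, f"{path}: digest {actual[:12]}... does not match the manifest"
    return True, f"{path}: verified"


def validate_all(manifest: Dict[str, str], served: Dict[str, bytes]) -> Tuple[bool, Dict[str, str]]:
    """Check every script the application page references; one failure fails the session."""
    reasons: Dict[str, str] = {}
    ok = True
    for path, data in served.items():
        allowed, reason = validate_script(manifest, path, data)
        reasons[path] = reason
        ok = ok and allowed
    return ok, reasons


if __name__ == "__main__":
    manifest = build_manifest(BUILT_APP)
    # Simulate main.js arriving with an unexpected modification.
    served = dict(BUILT_APP, **{"app/main.js": BUILT_APP["app/main.js"] + b" /* changed */"})
    print(validate_all(manifest, served))
```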

### Benefits

1. **Enhanced Security**

   - By not running JavaScript locally, the risk of client-side attacks such as cross-site scripting (XSS) is eliminated.
   - The remote browser's secure environment ensures that only validated scripts execute.

2. **Controlled Environment**

   - The bank has full control over the execution environment, allowing for stringent security policies and monitoring.
   - Ephemeral sessions ensure that each user starts with a clean slate, reducing the risk of persistent threats.

3. **Auditing and Compliance**

   - Session recording provides a detailed audit trail, which is valuable for security reviews and compliance with regulatory requirements.

4. **Improved User Experience**

   - Users benefit from a secure browsing experience without performance degradation, as rendering is offloaded to the client's local browser.

### Integration with Mycelium and Network Service Lists

By combining this remote browser concept with Mycelium and network service lists, we can ensure secure and efficient communication:

- **Mycelium Overlay Network**: Ensures that the connection between the local and remote browser is routed through the most efficient path, leveraging peer-to-peer connections where possible.
- **Network Service Lists**: Manage which users and groups can access the remote browser and specific applications, providing fine-grained access control.