Secure Remote Browser Concept
Overview
In this concept, users interact with a secure web application through their web browsers without running JavaScript locally.
Instead, the actual browser logic and JavaScript execution occur in a secure, remote virtual browser hosted in a secure part of a private cloud. This setup provides enhanced security and control, ensuring that users are protected from malicious scripts and other threats.
Key Components
-
Client-Side Browser (Local Browser)
- Rendering Only: The user's local browser is responsible only for rendering content. It draws the user interface using technologies like HTML5 Canvas.
- No Local JavaScript Execution: No JavaScript code runs on the local browser, eliminating the risk of client-side script attacks.
-
Remote Browser (Virtual Browser)
- Secure Execution Environment: The remote browser runs within a secure container in the cloud. For example, this could be within the secure network of a bank.
- JavaScript Execution: All JavaScript execution happens in the remote browser. This environment is tightly controlled and monitored.
- Context Validation: Each JavaScript file executed is checked to ensure it originates from the original, built application. This prevents unauthorized or malicious scripts from running.
-
Session Management
- Ephemeral Sessions: Each user session is temporary. After a session ends, the context is destroyed and rebuilt for the next session, ensuring a clean state each time.
- Session Recording: Sessions can be recorded, similar to screen CCTV, for auditing and security purposes. This allows for detailed monitoring and review if needed.
-
Network Service Lists and Mycelium Integration
- Secure Communication: The connection between the local browser and the remote browser uses end-to-end encryption. The Mycelium overlay network ensures the shortest path and secure, peer-to-peer communication.
- Access Control: Network service lists and group-based access control manage which users can access specific applications, enhancing security and control.
Example Workflow
-
User Initiates Connection
- The user opens their local browser and navigates to the bank's application URL.
- The local browser connects to the remote browser hosted in the bank's secure cloud environment.
-
Remote Browser Setup
- A new, secure container is instantiated for the user's session.
- The remote browser loads the bank's application and validates all JavaScript files.
-
Rendering in Local Browser
- The remote browser executes the JavaScript and sends the rendered output to the local browser.
- The local browser draws this output on the canvas, providing a seamless user experience.
-
Session Management
- Throughout the session, all interactions are processed by the remote browser.
- User interactions (e.g., clicks, form submissions) are sent to the remote browser, which processes them and updates the rendered output accordingly.
-
Session Termination
- When the user finishes their session, the remote browser context is destroyed.
- Any recorded session data is stored securely for auditing purposes.
Benefits
-
Enhanced Security
- By not running JavaScript locally, the risk of client-side attacks such as cross-site scripting (XSS) is eliminated.
- The remote browser's secure environment ensures that only validated scripts execute.
-
Controlled Environment
- The bank has full control over the execution environment, allowing for stringent security policies and monitoring.
- Ephemeral sessions ensure that each user starts with a clean slate, reducing the risk of persistent threats.
-
Auditing and Compliance
- Session recording provides a detailed audit trail, which is valuable for security reviews and compliance with regulatory requirements.
-
Improved User Experience
- Users benefit from a secure browsing experience without performance degradation, as rendering is offloaded to the client's local browser.
Integration with Mycelium and Network Service Lists
By combining this remote browser concept with Mycelium and network service lists, we can ensure secure and efficient communication:
- Mycelium Overlay Network: Ensures that the connection between the local and remote browser is routed through the most efficient path, leveraging peer-to-peer connections where possible.
- Network Service Lists: Manage which users and groups can access the remote browser and specific applications, providing fine-grained access control.