[peatmoss]

Yes, I do think it’s pretty different.

If you weren’t the fine upstanding person you are, you’d have all the web traffic of users at your disposal: banking, secure interactions with healthcare providers, credentials to Hacker News, the whole nine yards.

With access to my email, you could probably reset a handful of my passwords to various services that don’t support dual factor auth, and you could probably discover what services I subscribe to.

I mean, I wouldn’t want you to have access to my email, but I would much rather that than a permanent man-in-the-middle web client.

[e12e]

It should be quite doable to spin up a container/VM on demand. I'd probably look at lxd/lxc or bsd jails for this (both with zfs for storage) - or if there now are any real ways to run containers under hw virtualization - maybe that.

Maybe something like:

https://github.com/rkt/rkt/blob/master/Documentation/running...

for VM backed containers - but I'm not sure if it's considered stable and/or secure.

[tombh]

Thanks for the suggestion. I'm already using Kubernetes/Docker for the `ssh brow.sh` service. What advantages would your approach have?

[e12e]

I don't think I'd look too hard at lxd or freebsd as you already have a docker setup.

But hw isolation might be worth investigating - as others are saying - hostile access to a web browser, including webmail etc - is pretty dangerous. And plain docker never had a good story wrt secure isolation.

Apparently there was "hypernetes", now stackube - for combining VM runtime and kubernetes:

https://kubernetes.io/blog/2016/05/hypernetes-security-and-m...

https://github.com/openstack/stackube

As far as I can tell, this allows the mix of k8 style pod/container management and VM level isolation:

https://stackube.readthedocs.io/en/latest/stackube_scope_cla...

As for lxd/freebsd jails and zfs - both offer very nice and easy to grasp environment for isolated services - and both should end a little more isolated than a typicaldocker setup (some services running as root in container, no additional lxc restrictions).

But all things considered, if you already have k8/docker set up to give every user a separate, possibly ephemeral container... Infrastructure is probably not where I'd devote most time. It should work well enough as is.

[tombh]

Now that you describe it, yes indeed I can see the problems. I can't think of any other precedent, as most other proxies are least protected by HTTPS, wheres a Browsh service is literally reading every character on a page in plain text! So there's need to be a great deal of trust. I wonder if it's just too much to ask of people, especially where money is involved.