Breach.cc Browser for the HTML5-era

[Ink]

Breach - breach.cc

Modular

Everything in the browser is a module, a web-app running in its own process.
Construct your own browsing experience by selecting the right modules for you.​

Hackable

Want vertical tabs? Write some JS & CSS! Customised autocomplete engine? JS!
Every behavior is programmatic and exposed through APIs.​

Open Source

The entire technological stack is opensource.
Modify existing modules and create your owns to extend the behavior of Breach​

Please note, this is a Public Alpha and currently for Mac and Linux.

A few simple ingredients to make magic happen.

Spoiler: How it's built (click to expand)

HTML / JS / CSS
The entire UI is built out of interchangeable modules coded in pure Javascript / HTML5.
Each module is a web-app with access to the Breach API.

Chromium
The Chromium Content API is exposed to Node JS through v8 native bindings and multiplexed to modules.
Security and performance is at the heart of the design, tabs and modules run in separate processes.

Node.js
Breach embeds a NodeJS event loop in charge of running the core browser javascript implementation.
Each module is run in its own NodeJS process and interacts with the core browser through IPC.

Find out more: http://breach.cc/2014/07/09/we-ve-come-a-long-way-breach-public-alpha-release.html

 

[Cowpipe]

I worry about this, the ability to modify the entire browsers functionality with Javascript modules. That gives an awful lot of power to a malicious module, should it manage by whatever means to sneak into the user's Breach browser configuration. In a phishing attack for example, the address bar could be directly modified to display a specific address on detection of a certain page being present. It could simply be set simply to "http://www.worldbank.com" which would appear to the user that they were on worldbank.com when actually they were visiting "http://scup0u.eqbijnet.ru" or whatever.

A module called mod_strip controls the value of the address box. Perhaps somewhat unknowingly the devs own webpage gives the perfect tutorial in how to construct a phishing attack within Breach

Changing the behaviour of mod_strip
We're going to add some extra logic to the module, by intercepting a certain string of character submitted in the URL box and associating with it a special action.

Source: http://breach.cc/hack/

The following code will intercept the string "http://www.worldbank.com" and redirect the user to "http://scup0u.eqbijnet.ru" (a pretty lame phishing attack, but it's just a quick and dirty example)

socket_submit = function(data) {
if(data.input === 'http://www.worldbank.com') {
common._.tabs.action_load("http://scup0u.eqbijnet.ru");
return;
}

Obviously an actual, real world attack, would be more difficult to implement and I haven't really been through the full security yet, just glanced over things, but I think the main point of all of this is that for an average user to download and use this browser, is almost as dangerous as dropping a baby in the middle of a busy street and giving it a handgun with a brightly coloured trigger...

The more power we give those who don't know how to use it, the more power we are giving those who do.