Platform
Network-as-a-service
The browser is a hardened sandbox: no raw sockets, no UDP, no ICMP, no listening ports. That's the right default for the rest of the web — and the wrong default for an operating system. brintOS Network-as-a-service gives the in-browser Linux machine a real network interface. Name resolution and read-only file fetches are free for everyone, no sign-up. The full virtual NIC — raw sockets, UDP, ICMP, listening ports, the whole stack — is a paid add-on with exit nodes near you.
Why a Linux machine in a tab needs a NIC
The browser's networking model is built to protect you from the pages you visit. Pages cannot
open raw TCP sockets, send UDP datagrams, or listen on a port; fetch and WebSocket are the only ways out, and both are filtered by CORS, the same-origin
policy, and the browser's HTTP semantics. That is exactly the right behaviour for a webpage,
and exactly the wrong behaviour for an operating system.
Real Linux software expects to connect(2) to arbitrary hosts and ports, expects ping to send ICMP, expects nc -l 8080 to listen, expects DNS to
work over UDP/53. Without a way to escape the browser's network sandbox, your in-browser
Linux can run bash and vim just fine — but apt update fails, git clone git:// fails, curl http://10.0.0.5 fails, and any tool that opens a non-HTTPS socket fails.
brintOS's answer is a tiered virtual NIC. The cheap, sign-up-free tier covers the 80% case — resolving names and downloading public files. The paid tier covers everything else — the full IP stack out to the internet, with exit nodes geographically close to your tab.
Free, no sign-up
Three things are wired straight into the kernel and cost nothing. Open a tab, boot a machine, and they work.
- DNS resolution over DoH. The kernel's
/etc/resolv.confpoints at a userspace DoH stub that asks Google'sdns.googleover standard browserfetch.getaddrinfo("debian.org")returns a real IP. No account, no rate limit beyond Google's own, no brintOS-side logging of your queries. - HTTP file downloads through your browser.
curl http://archive.ubuntu.com/.../Packages.gzworks without a NIC subscription. The kernel recognizes outbound HTTP traffic on port 80, hands the URL to a HardwareJS shim, which asks a small brintOS worker to fetch the bytes (the worker exists only so that browsers' mixed-content rules don't refuse the plaintext-HTTPfetchfrom an HTTPS origin) and streams the response back through the kernel's TCP stack. From userspace's perspective it's a normalread(2)on a normal socket. Read-only — there is no inbound port, no listening, no UDP. - HTTPS file downloads through your browser, with our CA. The TLS
termination happens entirely in your tab. HardwareJS holds an intermediate CA, issues
itself a fake leaf cert on the fly for whatever hostname your kernel just asked for,
and your kernel completes its TLS handshake against that fake cert — which is why you
install the brintOS intermediate CA into the machine's trust store first
(
/etc/ssl/certs/prestrike-fetch.pem, one command). HardwareJS then sees the plaintext request, makes the real HTTPS fetch directly from your browser to the destination, and pipes the response back through the fake TLS to your kernel. brintOS's servers are not on this path — neither the request, the response, nor the destination ever leaves your tab. The MITM is real; the only "man" in the middle is the JavaScript running in your own browser, which you can read in DevTools.
These three together let an unsubscribed user do most of what a fresh-boot machine actually
needs to do: apt update and pull packages, git clone https://..., pip install, cargo fetch, curl a tarball. They do not
let you SSH out, ping a host, run a server, or open a UDP socket. Those need the paid NIC.
Network-as-a-service: the full network
On a paid plan, the kernel gets a real virtual NIC — eth0, a standard Linux virtio-net device — wired through HardwareJS to a brintOS tunnel terminator
that ferries every IP packet to and from a real Linux network namespace allocated to your
session. From userspace's point of view, nothing is unusual: ip route shows a
default route over eth0, ping 1.1.1.1 emits real ICMP and gets
real replies, nc -u 8.8.8.8 53 works, sshd on :22 listens, and the browser's restrictions stop at the kernel boundary.
What you get with the paid NIC that the free tier doesn't include:
- Raw IP, UDP, ICMP. Anything Linux's network stack can emit — including
the protocols that don't fit in
fetch— leaves the tunnel as a real packet on a real wire. - Listening ports with a public address. The terminator can advertise a
brintOS-issued IPv4/IPv6 (or hostname) for your session. Inbound traffic forwards back
through the tunnel, so
nc -l 8080andsshdare reachable from the open internet — without you opening a port on your laptop. - No certificate to trust. Because the tunnel terminates outside the browser, end-to-end TLS to a destination is end-to-end TLS to that destination — we do not MITM and you do not install our CA.
- Choice of egress region. Pin your session to a specific region for geo-locality, or let brintOS pick the closest healthy exit.
- Higher throughput per session than free-tier fetches, with the egress cap defined by your plan rather than the free-tier worker's fair-use limit.
How packets actually get out of the browser
- WebTransport over HTTP/3 where the browser supports it. The kernel's outbound packets ride QUIC datagrams (for protocols that don't care about loss) and QUIC streams (for everything else). This is the fast path; you get UDP-shaped flow control and substantially better latency under packet loss — important for SSH, interactive shells, and anything chatty.
- WebSocket fallback for hostile networks. When the browser or the network blocks HTTP/3, the same packet stream rides a long-lived TLS-encrypted WebSocket. Slower under loss but reaches through almost every corporate proxy.
- IETF MASQUE shape. The wire format is modeled on
connect-ip(RFC 9484): each brintOS session corresponds to a real Linux network namespace on the terminator, and your kernel's IP packets are tunneled to it directly. There is no proprietary protocol layer between your kernel and a normal Linux network stack — the tunnel is the wire, and the exit is just Linux.
Performance: exit nodes near you
Every TCP handshake your kernel makes costs one round trip to the exit node. If the exit is on the wrong continent, every connection inherits that latency. So the paid NIC runs in multiple AWS regions — initially North America, Europe, and Asia-Pacific — fronted by AWS Global Accelerator. Your tab connects to the nearest healthy edge POP over an anycast address, and AWS's backbone hauls the traffic to the closest regional terminator. The end result is exit-node RTTs comparable to a same-region EC2 instance, not a transcontinental hop.
The free tier reaches the same edge POPs (the HTTP/HTTPS fetch worker is itself geo-distributed), so even unsubscribed users get reasonably local file pulls.
Privacy and trust boundaries
The trust boundaries differ between tiers, and we'd rather be plain about that than promise a level of opacity we couldn't deliver.
- DoH (free). Queries go to
dns.googleover your browser's TLS. brintOS never sees them. Google sees them under their own public-DNS privacy policy. - HTTP fetch (free). The brintOS fetch worker sees the URL, the response bytes, and the source/destination IPs. We log the destination host and byte counts for abuse handling and discard the rest. Nothing about plaintext HTTP is confidential to begin with — anyone on path already sees it.
- HTTPS fetch with our CA (free, opt-in). The TLS termination happens entirely in your browser. HardwareJS — the brintOS JavaScript running in your tab — handles the kernel's fake-TLS handshake and makes the real HTTPS fetch directly from your browser to the destination. brintOS's servers are not on the path: we don't see your queries, your destinations, or your bytes, and we cannot log what we cannot see. The trust you are extending is to the JavaScript brintOS ships into your tab — open and inspectable in DevTools — not to a remote brintOS service.
- Paid NIC. The tunnel terminator sees your kernel's IP packets at the same level any ISP or VPN provider sees its customers' packets — i.e. encrypted ciphertext to the destinations the kernel dialed, and the destinations themselves. We do not log packet contents, retain destination metadata for the minimum window required for abuse correlation, and offer per-session ephemeral keys by default. On Enterprise, the terminator can run inside your VPC against your own egress allowlist; the brintOS control plane never sees the packets or the addresses they resolve.
What this unlocks
The free tier turns "I just booted a machine in my browser" into "I can install software,
clone a repo, and read the docs." That alone is enough for a lot of people. The paid NIC
turns it into a real Linux on a real network — package managers and registries that need
non-HTTP protocols work, embedded boards on the other side of a peered tunnel are reachable, ssh in and ssh out both work, and inbound listeners are addressable
from the open internet. The browser stays hard, your machine stays soft, and the only
place packets cross is one you've explicitly chosen.