Platform

Network-as-a-service

The browser is a hardened sandbox: no raw sockets, no UDP, no ICMP, no listening ports. That's the right default for the rest of the web — and the wrong default for an operating system. brintOS Network-as-a-service gives the in-browser Linux machine a real network interface. Name resolution and read-only file fetches are free for everyone, no sign-up. The full virtual NIC — raw sockets, UDP, ICMP, listening ports, the whole stack — is a paid add-on with exit nodes near you.

Why a Linux machine in a tab needs a NIC

The browser's networking model is built to protect you from the pages you visit. Pages cannot open raw TCP sockets, send UDP datagrams, or listen on a port; fetch and WebSocket are the only ways out, and both are filtered by CORS, the same-origin policy, and the browser's HTTP semantics. That is exactly the right behaviour for a webpage, and exactly the wrong behaviour for an operating system.

Real Linux software expects to connect(2) to arbitrary hosts and ports, expects ping to send ICMP, expects nc -l 8080 to listen, expects DNS to work over UDP/53. Without a way to escape the browser's network sandbox, your in-browser Linux can run bash and vim just fine — but apt update fails, git clone git:// fails, curl http://10.0.0.5 fails, and any tool that opens a non-HTTPS socket fails.

brintOS's answer is a tiered virtual NIC. The cheap, sign-up-free tier covers the 80% case — resolving names and downloading public files. The paid tier covers everything else — the full IP stack out to the internet, with exit nodes geographically close to your tab.

Free, no sign-up

Three things are wired straight into the kernel and cost nothing. Open a tab, boot a machine, and they work.

  • DNS resolution over DoH. The kernel's /etc/resolv.conf points at a userspace DoH stub that asks Google's dns.google over standard browser fetch. getaddrinfo("debian.org") returns a real IP. No account, no rate limit beyond Google's own, no brintOS-side logging of your queries.
  • HTTP file downloads through your browser. curl http://archive.ubuntu.com/.../Packages.gz works without a NIC subscription. The kernel recognizes outbound HTTP traffic on port 80, hands the URL to a HardwareJS shim, which asks a small brintOS worker to fetch the bytes (the worker exists only so that browsers' mixed-content rules don't refuse the plaintext-HTTP fetch from an HTTPS origin) and streams the response back through the kernel's TCP stack. From userspace's perspective it's a normal read(2) on a normal socket. Read-only — there is no inbound port, no listening, no UDP.
  • HTTPS file downloads through your browser, with our CA. The TLS termination happens entirely in your tab. HardwareJS holds an intermediate CA, issues itself a fake leaf cert on the fly for whatever hostname your kernel just asked for, and your kernel completes its TLS handshake against that fake cert — which is why you install the brintOS intermediate CA into the machine's trust store first (/etc/ssl/certs/prestrike-fetch.pem, one command). HardwareJS then sees the plaintext request, makes the real HTTPS fetch directly from your browser to the destination, and pipes the response back through the fake TLS to your kernel. brintOS's servers are not on this path — neither the request, the response, nor the destination ever leaves your tab. The MITM is real; the only "man" in the middle is the JavaScript running in your own browser, which you can read in DevTools.

These three together let an unsubscribed user do most of what a fresh-boot machine actually needs to do: apt update and pull packages, git clone https://..., pip install, cargo fetch, curl a tarball. They do not let you SSH out, ping a host, run a server, or open a UDP socket. Those need the paid NIC.

Network-as-a-service: the full network

On a paid plan, the kernel gets a real virtual NIC — eth0, a standard Linux virtio-net device — wired through HardwareJS to a brintOS tunnel terminator that ferries every IP packet to and from a real Linux network namespace allocated to your session. From userspace's point of view, nothing is unusual: ip route shows a default route over eth0, ping 1.1.1.1 emits real ICMP and gets real replies, nc -u 8.8.8.8 53 works, sshd on :22 listens, and the browser's restrictions stop at the kernel boundary.

What you get with the paid NIC that the free tier doesn't include:

  • Raw IP, UDP, ICMP. Anything Linux's network stack can emit — including the protocols that don't fit in fetch — leaves the tunnel as a real packet on a real wire.
  • Listening ports with a public address. The terminator can advertise a brintOS-issued IPv4/IPv6 (or hostname) for your session. Inbound traffic forwards back through the tunnel, so nc -l 8080 and sshd are reachable from the open internet — without you opening a port on your laptop.
  • No certificate to trust. Because the tunnel terminates outside the browser, end-to-end TLS to a destination is end-to-end TLS to that destination — we do not MITM and you do not install our CA.
  • Choice of egress region. Pin your session to a specific region for geo-locality, or let brintOS pick the closest healthy exit.
  • Higher throughput per session than free-tier fetches, with the egress cap defined by your plan rather than the free-tier worker's fair-use limit.

How packets actually get out of the browser

  • WebTransport over HTTP/3 where the browser supports it. The kernel's outbound packets ride QUIC datagrams (for protocols that don't care about loss) and QUIC streams (for everything else). This is the fast path; you get UDP-shaped flow control and substantially better latency under packet loss — important for SSH, interactive shells, and anything chatty.
  • WebSocket fallback for hostile networks. When the browser or the network blocks HTTP/3, the same packet stream rides a long-lived TLS-encrypted WebSocket. Slower under loss but reaches through almost every corporate proxy.
  • IETF MASQUE shape. The wire format is modeled on connect-ip (RFC 9484): each brintOS session corresponds to a real Linux network namespace on the terminator, and your kernel's IP packets are tunneled to it directly. There is no proprietary protocol layer between your kernel and a normal Linux network stack — the tunnel is the wire, and the exit is just Linux.

Performance: exit nodes near you

Every TCP handshake your kernel makes costs one round trip to the exit node. If the exit is on the wrong continent, every connection inherits that latency. So the paid NIC runs in multiple AWS regions — initially North America, Europe, and Asia-Pacific — fronted by AWS Global Accelerator. Your tab connects to the nearest healthy edge POP over an anycast address, and AWS's backbone hauls the traffic to the closest regional terminator. The end result is exit-node RTTs comparable to a same-region EC2 instance, not a transcontinental hop.

The free tier reaches the same edge POPs (the HTTP/HTTPS fetch worker is itself geo-distributed), so even unsubscribed users get reasonably local file pulls.

Privacy and trust boundaries

The trust boundaries differ between tiers, and we'd rather be plain about that than promise a level of opacity we couldn't deliver.

  • DoH (free). Queries go to dns.google over your browser's TLS. brintOS never sees them. Google sees them under their own public-DNS privacy policy.
  • HTTP fetch (free). The brintOS fetch worker sees the URL, the response bytes, and the source/destination IPs. We log the destination host and byte counts for abuse handling and discard the rest. Nothing about plaintext HTTP is confidential to begin with — anyone on path already sees it.
  • HTTPS fetch with our CA (free, opt-in). The TLS termination happens entirely in your browser. HardwareJS — the brintOS JavaScript running in your tab — handles the kernel's fake-TLS handshake and makes the real HTTPS fetch directly from your browser to the destination. brintOS's servers are not on the path: we don't see your queries, your destinations, or your bytes, and we cannot log what we cannot see. The trust you are extending is to the JavaScript brintOS ships into your tab — open and inspectable in DevTools — not to a remote brintOS service.
  • Paid NIC. The tunnel terminator sees your kernel's IP packets at the same level any ISP or VPN provider sees its customers' packets — i.e. encrypted ciphertext to the destinations the kernel dialed, and the destinations themselves. We do not log packet contents, retain destination metadata for the minimum window required for abuse correlation, and offer per-session ephemeral keys by default. On Enterprise, the terminator can run inside your VPC against your own egress allowlist; the brintOS control plane never sees the packets or the addresses they resolve.

What this unlocks

The free tier turns "I just booted a machine in my browser" into "I can install software, clone a repo, and read the docs." That alone is enough for a lot of people. The paid NIC turns it into a real Linux on a real network — package managers and registries that need non-HTTP protocols work, embedded boards on the other side of a peered tunnel are reachable, ssh in and ssh out both work, and inbound listeners are addressable from the open internet. The browser stays hard, your machine stays soft, and the only place packets cross is one you've explicitly chosen.