Puffin Secure Browser: A Browser that protects endpoints from current and future web threats

CloudMosa, Inc.
Published in
4 min readFeb 3, 2021


In our last article, we talked about how Puffin Cloud Isolation works and how it works with Puffin Secure Browser to deliver a seamless web isolation experience that can protect endpoints from current and future web threats without changing user behavior. Here, we will dig deeper into the concept and see how Puffin Secure Browser isolates and nullifies web threats.

A Core Browser-as-a-Service platform

Puffin Secure Browser is a large-scale, multi-data center, high availability cloud service that can support over 10 million monthly active users globally. An endpoint first connects the Puffin Secure Browser to create a remote user session and forward user events and gestures. Each user session has its sandbox processes for the web engine, JavaScript engine, and Flash Player engine. The remote browser user session issues HTTP requests on the user’s behalf and handles the HTTP responses in isolated sandboxes. After sandbox parses, renders, and executes web content, it uses a proprietary remote browser graphics language to present the web page exterior without untrustworthy web data (We will talk more about remote browser graphics language later). During the user session, the sandboxes receive user events from the endpoint and continuously update the graphic language data responding to web page visual changes.

Puffin Secure Browser can handle different web content, including HTML, CSS, JavaScript, and Flash. It also supports various multimedia resources, including still and animated images, audio/video clips or streams, SVG, web fonts, etc. Standard web resources are processed in a sandbox environment with our proprietary remote browser engine derived from Blink. Flash contents are handled in a different sandbox with Flash Player and our proprietary remote PPAPI implementation.

Secure Web by Web Isolation

Web threats reside not only in the web pages

Malicious web sites can exploit endpoints via downloading files containing malware or viruses. Puffin Secure Browser works with 3rd party cloud storage services, including DropBox, Google Drive, and OneDrive, to isolate download files from endpoints by directly transferring them into the user’s cloud storage space. Users can view or edit downloaded documents and files in cloud storage without physically storing documents in the local device. Puffin Secure Browser also can integrate with 3rd-party virus scanning services to verify downloading files on-the-cloud first. Besides download isolation and download scanning,

Puffin Secure Browser also has a document preview feature that can convert DOC, PPT, XLS, and PDF documents into a read-only web page to avoid unnecessary file downloads. Puffin Secure Browser is an isolation layer for endpoints web security and a simple, efficient, and comprehensive browser management layer for the enterprise. Puffin Secure Browser Enterprise Edition provides an admin interface for monitoring service status, auditing user access log, and enforcing enterprise web security policies including web filtering, clipboard operation, file uploading, file downloading, virus scanning, document previewing, etc. Enterprises can leverage Puffin Secure Browser to deploy a secured and managed web environment across all endpoints.

Puffin Secure Browser Platform

Remote Browser Graphics Language

Comprehensive, Efficient, and Secure Format to Present Web Content

Now, let’s talk more about the Remote Browser Graphics Language, which is an API and network protocol used between Remote Browser Server and Puffin Cloud Isolation. It uses hierarchical layers and vector-based drawing commands to represent the web page’s appearance.

The generic web contents, including text and images, are defined by content layers with the vector-based drawing commands in Remote Browser Graphics Language. Special web elements like video stream, Flash content, HTML canvas, and WebGL canvas are defined in separated layers. Remote Browser Graphics Language is designed to represent dynamic web content efficiently. Remote Browser Server doesn’t need to send the whole render data on web page changes. On web page scrolls, only the attributes of corresponding layers need to be updated. On web page content changes, only the difference in their drawing commands needs to be sent.

Compared with other pixel-based web isolation solutions, the Remote Browser Graphics Language provides exceptional visual quality and uses fewer data to render remote web pages. The vector-based drawing commands preserve original text and graphics quality and adapt to various endpoint screen dimensions and resolutions. The heterogeneous layers optimize content streaming based on the layers’ characteristics, and the hierarchical layer structure increases remote content scrolling performance.

Puffin Cloud Isolation has better quality and uses less network bandwidth.

The Remote Browser Graphics Language is an intermediate data format used in all our remote browser products. It transmits the web page’s appearance and behaviors lossless without any web technologies so that no browser exploits can apply. Remote Browser Graphics Language is a comprehensive, efficient, and secure format to present web content after web isolation.

We hope this brief article can give you a basic understanding of how Puffin Secure Browser isolates and nullifies web threats, enjoy safe surfing on the Internet with Puffin Secure Browser! See you next time.

Sign Up for Free: https://www.puffin.com/cloud-isolation/beta/

For more information about Puffin Cloud Isolation: https://cloudmosa.medium.com/future-proof-browser-security-against-zero-day-23f8e7d9cdde



CloudMosa, Inc.

A pioneer in providing remote browser solutions for users worldwide.