Looking for a bargain? – Check out the best tech deals in Australia
PCMag Australia

SquareX

SquareX

Full protection from malicious websites, 10 minutes at a time

3.5 Good
Neil J. Rubenking
by Neil J. Rubenking 
SquareX - SquareX
3.5 Good

Bottom Line

When you browse with the free SquareX app, there’s no way a malicious page can harm your computer. However, its time-limited usage means it can’t be your primary browser.

  • Pros

    • Disposable browser wholly isolated from malicious sites
    • All traces vanish when browser session ends
    • Allows safe viewing of suspect documents
    • Includes disposable email
    • Free

  • Cons

    • Browser self-disposes after 10 minutes
    • Disposable email extremely limited
    • Running traffic through servers can slow your connection

The earliest browsers did nothing but render HTML code and manage links. These days, with HTML5, CSS, and all manner of extensions, your browser has immense powers, powers that can be abused for things like drive-by downloads, man-in-the-middle attacks, and worse. The free SquareX disposable browser system defangs dangerous web pages by rendering them on a hardened Linux server and passing you a totally safe image of the page. The system has limitations, such as 10-minute usage increments, but it’s worth a look.

Getting Started With SquareX

To use SquareX, visit the website and click the Personal button. (Yes, there’s also a button for the Enterprise edition, but that’s a different product, the one that actually makes money for SquareX). If your browser is supported, this will bring you to an install page for the browser extension. At present, the extension is available for Chrome, Edge, Brave, Opera, and Vivaldi. I used the Chrome extension for testing.

(Credit: SquareX/PCMag)

Once the browser extension is installed, you click the toolbar button to continue. At this point, you create a free account with SquareX and verify your email address.

If you’re using an unsupported browser, you need to do a little digging for the SquareX web app. This app works in all major browsers including Firefox and Safari.

(Credit: SquareX/PCMag)

Whether you use the browser extension or the web app, you see a page featuring SquareX’s three main features: Disposable Browsers, Disposable File Viewer, and Disposable Email, along with a link to some email integration features.

What Is a Disposable Browser?

When you go to launch a disposable browser, you choose one of nine locations: Australia, Brazil, Canada, Germany, France, UK, Singapore, US East, or US West. My first guess on seeing these choices was that SquareX must function as a kind of VPN, or possibly a proxy server.

My SquareX contact explained that neither guess is correct. Your disposable browser is a Chrome instance “running on ephemeral containers on SquareX data centers” in a Linux environment. What you see on your local computer is just an image of that remote browser. Your mouse movements and keystrokes are transmitted securely to the remote browser, and any changes to the visible page are “projected to the end device in the form of a highly optimized stream of screenshots.”

A SquareX blog post points out that when you connect to a malicious website through a VPN, that connection is encrypted in transit, but the page arrives at your local computer with its malicious code still active. With SquareX, the worst a malicious page could accomplish is to damage the remote browser on the server. But the remote browser is ephemeral, vanishing when your session ends, so that damage is inconsequential.

Does SquareX Protect Your Privacy?

The main reason to use SquareX is to protect your browsing from any possible contact with malicious websites, programs, or code. However, a side benefit is that it seriously protects your privacy.

When you use a VPN or proxy server, the websites you visit see the IP address of the server. Your personal IP address is hidden, protecting your privacy. The same is true with SquareX. If you connect through the servers in England, for example, you appear to be in England.

You may notice a lack of ads in the disposable browser. That’s because it comes preloaded with the uBlock Origin ad blocker, a free, open-source tool. You can disable the blocker if it interferes with a particular page, but you can’t uninstall it. For security, you can’t install other extensions. Even if you could, your installation would disappear along with the disposable browser.

(Credit: SquareX/PCMag)

Since your entire session vanishes at the end of every disposable browser session, you don’t have to worry about cookie-based tracking. And any site that tries to track you using browser fingerprinting will wind up drawing its data from the browser on the SquareX server, not your personal browser. This is a different approach from browsers like Brave, which work by randomizing what your browser reports so as not to present a consistent fingerprint. Ghostery takes still another approach, blocking access by known fingerprinters and suppressing data requests from unknowns.

SquareX doesn’t offer a privacy-first search engine the way DuckDuckGo and Ghostery do. However, you’re free to connect with a private search engine from within SquareX.

Hands On With the Disposable Browser

When you launch a disposable browser, it’s best to pick the closest server location. As with a VPN, a more distant server can cause a slower connection. Just pick your server and click Start.

(Credit: SquareX/PCMag)

On launch, the disposable browser shows its server location on a map. It appears inside a tab of your regular browser, creating a browser-in-browser effect. If you find the presence of two address bars confusing, just tap F11 to make SquareX full-screen.

Near the bottom right corner of the screen, you see a tiny tab with the SquareX logo. Clicking it pulls out a small popup that lets you do things like share links, toggle ad blocking, mute tab sound, and go full screen. Most significantly, there’s a timer that says, “Browser disposes in [minutes],” counting down from 10.

(Credit: SquareX/PCMag)

If you ignore the countdown, your browser session softly and suddenly vanishes when time runs out. That could be a bummer if you’re in the middle of something. Fortunately, SquareX gives you a warning when just three minutes are left and lets you extend the session another 10 minutes. You can extend the session up to five times, for a total of 60 minutes per active session.

Why the time limit? Well, every local SquareX instance is linked to a browser running on a remote server. That means it’s taking up resources on the server. Given the service is free, I see it as completely reasonable that SquareX wants you to do what you need to and then release those resources. It does mean that you can’t just use SquareX as your everyday browser.

How Does SquareX Handle Downloads, Dangerous or Otherwise?

To check how SquareX protects you from dangerous downloads, I fired up the malicious URL blocking test that I run for each antivirus product. Naturally, SquareX did not block access to any of the URLs. Its job is to neutralize dangerous URLs, not block them. For each URL that did result in a download, SquareX opened a Disposable File Viewer window.

However, the files in question were all EXEs, not the images or documents that are the target of the Disposable File Viewer. All I got from these was the bland message “Unsupported File Type.”

I verified that none of the malware payloads reached the local Downloads folder. That makes sense because the viewer doesn’t even run on your computer. Like the disposable browser window, it runs on a SquareX server. The files you download go to the viewer on the server, and any local files that you drop onto the viewer get uploaded to the server.

(Credit: SquareX/PCMag)

Next, I tried a stripped-down version of my exploits test, which uses the Core Impact penetration tool. I focused on exploits that use a tainted document file as part of their attack. This test also didn’t work out. To avoid any chance of releasing exploit code, I performed this test entirely within my virtual network, using local-only IP addresses. There’s no way the SquareX server could reach those addresses, so this test wasn’t useful.

When I downloaded legitimate documents from the web or uploaded them from my test machine, SquareX displayed them in a disposable file viewer window using open-source viewer apps such as those from Okular and OnlyOffice. Editing is possible for some file types, and you can download a local copy of your edited version. If you don’t download a local copy, documents vanish when the viewer’s 10-minute timer expires.

(Credit: SquareX/PCMag)

While a document in the viewer can’t harm your local computer, you still might like to know whether you’ve grabbed a potentially dangerous file. In the File Viewer settings, you can optionally enable Scan for Malicious Documents in Download Interceptor. This feature looks for dangerous macros and other techniques that weaponize seemingly innocent documents.

Disposable Email Address and Email Integrations

You may have used a service that manages temporary email addresses, sometimes called disposable. Using Cloaked, SimpleLogin, and similar products, you can create an email alias for each of many correspondents. You receive and respond to their messages from within your normal email inbox. If one such address starts getting spam, you just delete it. A few, like Bulc Club and ManyMe (both free), let you create email aliases on the fly, away from your computer. Disposable email in SquareX is nothing like this.

(Credit: SquareX/PCMag)

With your SquareX account, you get just one disposable email, assigned at random. Mine was charmingmclean3@typingsquirrel.com. You submit that email when an address is required, but you don’t want to expose your actual email. Emails show up within your SquareX inbox, with a notification popup by default. You can read the message. You can delete it. And that’s all.

There is an option to generate a new random disposable email, or choose your own. You can pick from 10 slightly odd domains (ysosirius.com, for example), and enter your own address within that domain. As with any email system, addresses must be unique. And when you choose a new address, custom or random, all mail associated with the old address goes poof.

(Credit: SquareX/PCMag)

Gmail users get some bonuses when they connect with Gmail through SquareX. By default, it blocks email trackers that notify senders you’ve seen their message. It can add right-click options for attachments to, for example, open them in a disposable file viewer. However, most Gmail users are accustomed to keeping their inbox open, not having it shut down every 10 minutes. I don’t see Gmail integration as a big asset.

Verdict: Truly Safe Browsing, With Some Quirks

If you use SquareX for your browsing, you can visit the worst, most malware-infested website in the world with no risk. All that reaches your browser is an image of the site, rendered on a faraway server. When you shut down the disposable browser, all traces of your online session vanish. On the downside, the browser self-disposes after 10 minutes, a limit you can extend to an hour in 10-minute increments (extensible up to 60 minutes). You can’t use it as your daily browser; you’re meant to load it up, take care of a task or two, and then let it go. It’s free, so give it a try and see if that style works for you.

More Inside PCMag.com

About Neil J. Rubenking

More From Neil J. Rubenking