
Introducing WhiteHat Aviator – A Safer Web Browser

Jeremiah Grossman and I have been publicly discussing browser security and privacy, or the lack thereof, for many years. We’ve shared the issues hundreds of times at conferences, in blog posts, on Twitter, in white papers, and in the press. As the adage goes, “If you’re not paying for something, you’re not the customer; you’re the product being sold.” Browsers are no different, and the major vendors (Google, Mozilla, Microsoft) simply don’t want to make the changes necessary to offer a satisfactorily secure and private browser.

Before I go any further, it’s important to understand that it’s NOT that the browser vendors (Google, Mozilla, and Microsoft) don’t grasp or appreciate what plagues their software. They understand the issues quite well. Most of the time they actually nod their heads and even agree with us! This naturally invites the question: “why aren’t the necessary changes made to fix things and protect people?”

The answer is simple. Browser vendors (Google, Mozilla, and Microsoft) choose not to make these changes because doing so would run the risk of hurting their market share and their ability to make money. You see, offering what we believe is a reasonably secure and privacy-protecting browser requires breaking the Web, even though it’s just a little and in ways few people would notice. As just one example of many, let’s discuss the removal of ads.

The online advertising industry is promoted as a means of helping businesses reach an interested target audience. But tens of millions of people find these ads to be annoying at best, and many find them highly objectionable. The targeting and the assumptions behind them are often at fault: children may be exposed to ads for adult sites, and the targeting is often based on bias and stereotypes that can cause offense. Moreover, these ads can be used to track you across the web, are often laden with malware, and can point those who click on them to scams.

One would think that people who don’t want to click on ads are not the kind of people the ad industry wants anyway. So if browser vendors offered a feature capable of blocking ads by default, it would increase the user satisfaction for millions, provide a more secure and privacy-protecting online experience, and ensure that advertisements were seen by people who would react positively, rather than negatively, to the ads. And yet not a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money. Current incentives between the user and browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.

I could go on and give a dozen more examples like this, but rather than continuing to beat a drum that no one with the power to make the change is willing to listen to – we decided it was time to draw a line in the sand, and to start making the Web work the way we think it should: a way that protects people. That said, I want to share publicly for the first time some details about WhiteHat Aviator, our own full-featured web browser, which was until now a top secret internal project from our WhiteHat Security Labs team. Originally, Aviator started out as an experiment by our Labs team to test our many Web security and privacy theories, but today Aviator is the browser given to all WhiteHat employees. Jeremiah, myself, and many others at WhiteHat use Aviator daily as our primary browser. We’re often asked by those outside the company what browser we use, to which we have answered, “our own.” After years of research, development, and testing we’ve finally arrived at a version that’s mature enough for public consumption (OS X). Now you can use the same browser that we do.

WhiteHat Security has no interest or stake in the online advertising industry, so we can offer a browser free of ulterior motives. What you see is what you get. We aren’t interested in tracking you or your browsing history, or in letting anyone else have that information either.

Aviator is designed for the everyday person who really values their online security and privacy:

  • We bundled Aviator with Disconnect to remove ads and tracking
  • Aviator is always in private mode
  • Each tab is sandboxed (a sandbox provides controls to help prevent one program from making changes to others, or to your environment)
  • We strip out referring URLs across domains to protect your privacy
  • Flash and Java are click-to-play – greatly reducing the risk of drive-by downloads
  • We block access to websites behind your firewall to prevent Intranet hacking

Default settings in Aviator are set to protect your security and your privacy.
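
Two of the protections listed above, cross-domain referrer stripping and blocking public pages from reaching addresses behind the firewall, can be pictured as a single per-request policy check. The sketch below is an added illustration, not Aviator's code: `decideRequest`, `isPrivateAddress`, and the sample URLs and IPs are hypothetical, "domain" is assumed to mean an exact hostname match, and the resolved IP addresses are assumed to be supplied by the caller.

```javascript
// Added illustration, not Aviator's implementation. All names are hypothetical.
// Private, loopback and link-local IPv4 ranges as [base, prefix length].
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],
];

// Parse a dotted-quad IPv4 literal to an integer, or null if it is not one.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the resolved address is private, loopback or link-local.
// IPv6 coverage is limited to ::1, fc00::/7 and fe80::/10 with a full
// four-digit first group; IPv4-mapped IPv6 is out of scope for this sketch.
function isPrivateAddress(ip) {
  const n = v4ToInt(ip);
  if (n !== null) {
    return PRIVATE_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  const v6 = ip.toLowerCase();
  return v6 === '::1' || /^f[cd][0-9a-f]{2}:/.test(v6) ||
         /^fe[89ab][0-9a-f]:/.test(v6);
}

// Decide whether a request made by a page may proceed and which Referer,
// if any, accompanies it. The check runs on resolved IPs so that a public
// hostname pointing at an internal address is still caught.
function decideRequest({ pageUrl, pageIp, targetUrl, targetIp }) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // A page served from the public internet must not reach private space.
  if (isPrivateAddress(targetIp) && !isPrivateAddress(pageIp)) {
    return { allow: false, referer: null, reason: 'public-to-private' };
  }
  // Send the referring URL (without fragment) only to the same hostname.
  const sameHost = page.hostname === target.hostname;
  const referer = sameHost ? page.origin + page.pathname + page.search : null;
  return { allow: true, referer, reason: sameHost ? 'same-host' : 'cross-domain' };
}

// Constructed sample: a public page (documentation-range IP) requesting a router.
const sample = decideRequest({
  pageUrl: 'https://www.example.com/account?tab=1', pageIp: '203.0.113.10',
  targetUrl: 'http://192.168.1.1/admin', targetIp: '192.168.1.1',
});
console.log(sample.allow, sample.reason);
```
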

We hope you enjoy using Aviator as much as we’ve enjoyed building it. If people like it, we will create a Windows version as well and we’ll add additional privacy and security features. Please download it and give it a test run. Let us know what you think! Click here to learn more about the Aviator browser.

Tags: application, browser security, privacy, security, web application security, web browser
  • http://digiforensics.blogspot.com Ken Pryor

    Sounds great! I’m not a Mac user, but I’d love to see it for Linux, Windows and Android.

  • https://grepular.com/ Mike

    Please also consider a GNU/Linux port

  • https://grepular.com/ Mike

    Also. Where can I get the source code?

    • Maurina Venturelli

      Hi Mike,

      Thank you for the comment. We answer that and many more questions here: http://bit.ly/1dnhQWe

  • http://danpopp.net daniel popp

    https://opensource.conformal.com/wiki/xombrero (formerly xxxterm) is an ubersecure option for the insanely paranoid security engineers, but it’s a serious tradeoff of ‘breaking the web’ (no javascript, no redirection, etc.)

  • phrack

    What license? Will the source code be released?

    • Maurina Venturelli


      Thank you for the comment. We address those questions and many more here: http://bit.ly/1dnhQWe

  • Adam

    Please provide an example of the user agent string that the WhiteHat Aviator presents.

    Refer to https://panopticlick.eff.org/ – it is old, and the data may not be current, but the idea is still relevant.

  • Carpe

    Closed Source: Check

    Potential GPL license violation: Check

    Random “whitehate” company using wordpress to host website: Check.

    Maybe it’s just me, but unless I see the source, I wouldn’t touch this with even a virtual machine.

    • Alexander

      +1 about it

    • Jeremiah Grossman

      Actually, Chromium (browser) is covered under BSD. Therefore, no OSS violation.

      • http://www.linuxbsdos.com finid


        So is WhiteHat Aviator released under a BSD licence? If so, where’s the link to the source code?

        • Jeremiah Grossman

          BSD doesn’t require modification to source be shared, but again, this doesn’t mean we’re against doing so. Just haven’t discussed the pros and cons internally of doing so. Any of the supporting libraries, which may be GPL, we didn’t touch. aviator://credits/

        • Maurina Venturelli

          Thank you for your comment.
          We answer this and many other questions here: http://bit.ly/1dnhQWe

      • Chris

        @jeremiahg Chromium (browser) itself incorporates many many other items with various licenses, as can be seen via chrome://credits/ Claiming it’s BSD-licensed is thus not accurate – the Google-developed portions are, but much of the rest is not. (Your legal team must have signed off on this, of course, so please don’t take this as a suggestion that anything is amiss or improperly done.)

        • Jeremiah Grossman

          aviator://credits/ lists them all out. Much third-party code and various licensing. We didn’t touch anything GPL, or code that had licensing which would have required us to post diffs. We may in fact post all our changes to even the BSD code, we just haven’t done so yet. We need to discuss this more internally.

  • Richard

    “Aviator.app” can’t be opened because it is from an unidentified developer. Oops. I think there is a MITM attack going on trying to infect all Macs trying to download this ultra secure browser!

    • Jeremiah Grossman

      We’ve been receiving that report. Annoying oversight on our part. We thought we had that handled already. We’ll get it fixed. Thanks.

  • Richard

    I thought DuckDuckGo was supposed to be the default search engine? When I start Aviator, it searches with Google, other default options are Bing, Yahoo and Ask.com. WTF?

    • Jeremiah Grossman

      Some kind of bug. We’ve received one or two more since yesterday. Having trouble replicating.

  • JohnP

    So is this just a repacked Chromium with some extensions preinstalled?

    • Maurina Venturelli

      Hi John P,

      Great question! We answer that question and many others here: http://bit.ly/1dnhQWe


  • Mike

    I would love to see a Windows version!

    • Jeremiah Grossman

      Aviator was first designed for our WhiteHat employees, who are all OS X users. That’s why the initial focus is there. If we see that we’ve gotten the focus and feature set right — we’ll invest in other platforms like Windows and Linux. Just need time.

  • aww

    Too bad that it’s only on Mac :/

    • Jeremiah Grossman

      From all the feedback received, we agree. Please stay tuned.

  • http://www.shub-internet.org/ Brad Knowles

    Panopticlick says: User Agent

    18.43 (bits of information)

    353176.4 (one in this number of browsers)

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ WhiteHat Aviator/28.0.1500.71 Safari/537.36

    I also find it interesting that I can’t log in here with Twitter using Aviator in order to post my comment. I get back this error:


    POST to https://www.whitehatsec.com/blog/index.php?social_controller=auth&social_action=authorized&salt=dd2ea289961427260c48d25d6989c949&p=8141 failed: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

    • Jeremiah Grossman

      Probably Disconnect getting in the way. If you like, you can disable the protection for a moment.

    • Maurina Venturelli

      Hi Brad,

      Thank you for pointing that out! We’ll make sure that bug gets noted.

  • http://www.shub-internet.org/ Brad Knowles

    Just visiting the home page at https://www.whitehatsec.com/index.html comes up with something like thirty-plus sites that show up in Collusion, although only eight of them are allowed.

    Is there any valid reason why I can’t install plugins like Ghostery, LastPass, AwesomeScreenshot, WOT, Google Hangouts, KB SSL Enforcer, HTTPS Everywhere, ScriptBlock (the closest thing I’ve found to NoScript on Chrome), and YSlow? I know that some of them offer “competing” services to what Aviator provides out of the box, but is that really a valid reason to block them if all you’re really concerned about is privacy and security?

    • Jeremiah Grossman

      All Chrome extensions should function in Aviator. However, sometimes Private / Incognito mode gets in the way. If an extension really doesn’t work, please do let us know which and we’ll investigate. Thanks!


  • Ken

    @ carpe: LinkedIn check of the founders of White Hat Security, Inc., check? I guess why go for the mundane obvious when the conspiratorial is much more fun.

  • http://www.shub-internet.org/ Brad Knowles

    I don’t remember installing these plugins (list thanks to Panopticlick): 21.75+ (bits of information)

    3531764 (one in this many browsers match this profile, which makes me 100% unique)

    Plugin 0: Chromoting Viewer; This plugin allows you to securely access other computers that have been shared with you. To use this plugin you must first install the Chrome Remote Desktop webapp.; internal-remoting-viewer; (; application/vnd.chromium.remoting-viewer; ). Plugin 1: Citrix Online Web Deployment Plugin; Plugin that detects installed Citrix Online products (visit http://www.citrixonline.com).; CitrixOnlineWebDeploymentPlugin.plugin; (Citrix Online Application Detector; application/x-col-application-detector; ).

  • Alan Barbour

    I just gave it a whirl. When I attempted to import bookmarks, it crashed (twice). When I tried to enter a comment on a Blogspot blog, it didn’t take. I have been thinking about migrating from OmniWeb, which is not working as well as it used to.

  • Alan Barbour

    Combining the URL and search functions into a single box/bar is a very good, functional idea.

  • Aman Abhishek

    I don’t use Mac but would love to test it if you make an iOS app! I have been waiting for a non-chrome, non-safari browser for the iPad which is good.

    • Jeremiah Grossman

      Other platforms are on our list, especially the mobile platforms like iOS. Development is resource intensive, so… it’ll likely come, just not soon.

  • http://tosbourn.com/2013/10/development/review-whitehat-aviator/ Toby

    Really interesting concept, I tried it out for a bit and wrote up my thoughts here: http://tosbourn.com/2013/10/development/review-whitehat-aviator/

    • Jeremiah Grossman

      Exactly the type of feedback we were looking for. Thanks Toby. We’ll be using this to improve upon our assumptions and design.

  • ted

    Do Mac users care that much more about privacy?

    As long as they can buy their new precious every cycle or two, I don’t think any of them would care if their mom’s phone number was passed along to every prison inmate in the country.

    • Maurina Venturelli

      Hi Ted,

      I don’t think any of us feel that Mac users are more or less worried about privacy, but since that’s what our company uses, and we wanted to release a beta for people to play with, that’s all that is currently available. But we will investigate the cost of additional versions in the future. Thank you for your question!

  • jimbob

    Can you possibly explain why I can’t change the startup page away from http://whitehatsec.org/securebrowser? What need have you to know whenever I open my browser? That and unavailability of my most useful privacy plugins makes it a no-go. Deleting. Good luck.

    • Jeremiah Grossman

      Sorry for your troubles, but before you delete. It’s easily changed by going to “WhiteHat Aviator”->”Preferences”->”Appearance” -> click “Change” and then modify the URL to whatever you like. We’re not interested in tracking you and in future versions we are investigating a locally cached copy so it makes no outbound requests to our server at all, other than for updates as necessary.



  • http://www.machold.ca FMMachold

    I love this browser! But after tweaking pages on my website, I notice WHA does not render the whole content: compare my first page on WHA with same on Chrome, for example. Cannot figure it out.

  • GX

    Windows and android version please

  • http://www.aureliendebord.com/ Référencement strasbourg

    I will surely test it on my mac.

  • http://Yahoo Garth Reid

    I would love to see a Windows version of your product / service. I’m fed up with having to turn off pop-ups and with having my computer bombarded with ads simply because I searched for information on line.

    • Maurina Venturelli

      Hi Garth,

      We’ll be launching Windows beta very soon! Stay tuned.

  • jerry Devine

    Can I be notified when the windows version is available?

  • bob

    I see no features in this browser besides bundling disconnect, duck duck go and always using private browsing, please elaborate on your other claims

    • Maurina Venturelli

      Hi Bob,

      What specific claims would you like us to elaborate on?

  • DisgruntledBrowserUser

    Would be great to see (and get) a windows version of Aviator.

    • Maurina Venturelli


      We’ll be launching a Windows version very soon! Stay tuned!

  • Gina Hatcher

    I heard about your site from watching 60 Minutes. After reading your introduction I was very disappointed that it was only available on the Mac OS X. There needs to be much more public attention on this issue in a way that should make them want to actively put pressure on these other browser vendors. The generations that actually care about privacy are the ones to target. The younger generations don’t value it enough to fight for it.

    • Maurina Venturelli

      Hi Gina,

      Aviator is now available for Windows https://www.whitehatsec.com/aviator/. We make it available on different operating systems based on need from the community.

  • Leonard Samson

    I can not thank you people enough for creating this browser. Our privacy and freedom in this world are being eroded at an alarming pace. You folks are truly heroes in my estimation.

  • John Scott

    Have tried Aviator on Windows 7 PC. Works OK or as well as Chrome does. Like the security, but it’s not without issues on some sites. Weather.com tells me that Flash plugin is not installed even though it’s simply not auto loaded in Aviator. Most sites allow you to simply click on the video to load it. For some reason, Weather.com is a site that cannot recognize this. Personally I think much of the security you can have with Aviator can be set in Chrome. I decided to try browsers like Aviator and Comodo’s Dragon browser to see if indeed the security works, and does not incur speed penalties or user friendly abilities. I think for the most part these secure browsers work. But not without some annoyances because of the security.

  • Todd

    I have two screens. When I’m streaming a video and full screen and then select the other screen for reading web sites the streaming screen drops to the small window viewing. How can I get the screen to stay at a full screen and view other screen websites at the same time?

  • http://www.website.com arturo

    Do you plan to remove automatic updates and let users decide or manually update the browser? I noticed that ChromeRecovery exe connects and searches for updates without the user’s permission.

    • Maurina Venturelli

      Hi Arturo,

      Aviator has automatic updates right now, but we are planning to release a manual update mechanism in the near future.

      Thank you.

  • Lon Diffenderfer

    You say it’s a safer web browser. However, when I downloaded and attempted to install Aviator, Webroot immediately halted the installation and deleted the files saying that something called W32.Malware.Gen had been eliminated. Please advise.

    • Lon Diffenderfer

      I would also appreciate information on how to determine that all traces of Aviator and other files from WhiteHat Security have been removed. Thank you.

      • Maurina Venturelli

        Hi Lon,

        Firstly, is there a reason you are uninstalling it? If there is a bug or a missing feature, please let us know and we’ll do what we can to help rectify the issue. If it’s just not for you, you can uninstall it. In Windows there is a built-in uninstaller, so you can uninstall it from “Add and remove programs”. On Mac it is slightly more difficult at the moment because there is no simple uninstaller built into Macs like there is for Windows (down the road we’ll make this a single program since this process is undoubtedly annoying):

        1. Quit out from the Aviator process
        2. Delete Aviator.app from /Applications folder (install path).
        3. Delete Aviator folder from /Users//Library/ApplicationSupport
        4. Delete Aviator folder from /Users/
        5. Delete Aviator folder from /User//Library/Caches
        6. Delete com.aviator.agent.plist file from
        7. Restart the machine to remove the in-memory process

    • Maurina Venturelli

      Hi Lon,

      Webroot is either giving you false positives or something has infected the binary once it was put on your computer. You may have a virus. We would recommend working with Webroot to identify the root cause.

  • Pingback: Boot up: closing Android, iTunes v FLAC, Surface v battery, and more - AndroTab

    • MR

      How can I change the option for “load in different browser”. I expected it to choose my default browser, however, it is loading the webpage back to the Aviator Browser instead of Comodo dragon, or Firefox, or I.E browser.

  • duncan lucas

    Highly pleased with Aviator web browser, been using it for about a week. Up till now have been using Yandex/Comodo Dragon and have used others in the past like Chrome/Opera along with Ixquick/ABP/Ghostery. This browser is the smoothest yet and more secure. Only problem was that Disconnect allowed some ads to show, especially Yahoo sites, so installed ABP that cured it. Have it set to remove any history etc on closedown. Mine uses Yandex and Duck Duck Go; other than that it is imo superior to the rest. Very impressed.

    • Maurina Venturelli

      Hi Duncan,

      Thank you for the feedback. We’re glad you’re enjoying Aviator.

  • Anon

    The Wizard was interrupted before Aviator could be completely installed.

  • http://www.imradioha.org Tom McKee

    Just downloaded and installed the update. It fixed the default browser problem and Aviator is now my default browser. My first impression is very positive. Very quick and clean page rendering. Many thanks for making it available. More comments after a few days’ experience with it.

  • mac

    No open source, no comparison with the features of NoScript, no way to automatically blacken annoying grey text… I don’t know, I think I’ll stick with Firefox.