Epic: A Privacy-Focused Web Browser

Rob @CmdrTaco Malda writes "I've been advising Epic Browser, a startup building a privacy-focused, Chrome-based browser that starts where incognito mode ends. Epic employs a host of tactics designed to make what happens inside your browser stay there, to the tune of a thousand blocks in a typical hour of browsing. They also provide a built-in proxy service. If the corporations and governments are going to watch us, there's no reason to make it any easier for them. Epic has Mac and Windows builds for now. Their site goes into far greater detail about how they block tracking methods most browsers don't."

Interesting

Been using Comodo (has nearly the same tagline), but I'll try this out as well.

Re: Interesting

Wouldn't using some special snowflake browser like this make you especially vulnerable to fingerprinting?

Re: Interesting

Only sort of. Ideally it will make you precisely match everyone else using a browser like this, which is probably more people than have your special snowflake of fonts and plugins and extensions and ...

It will make you stand out, but it won't identify you as uniquely when people look closer.

Re:Interesting

I see nowhere on their site where the source code is available. That's just a scummy move.

Re:Interesting

[Samantha+Wright]

Can either of them defeat Panopticlick? I don't see anything on Epic's site about hiding font lists. (And on that point, Epic is a bad name choice since it's vaguely synonymous with the death of objectivity in news reporting.)

Re:Interesting

[gl4ss]

presumably, if they're being any serious at all, you'll look to panopticlick like any other dude using the browser(well, lying about screen resolution might cause some problems down the line).

Re:Interesting

[hairyfeet]

Same here and haven't had a problem with it and unlike this browser its used by millions (coming with Comodo Internet Security with VM mode for secure banking) so you are not gonna stick out like a sore thumb.

The problem with going TOO niche is it would make you stick out all the more, if everyone wears a blue shirt and your shirt is a slightly different hue of blue? probably not gonna be noticed and won't trip any flags, if your shirt is neon orange? You might as well be holding a giant neon sign that says "Look at me, I'm up to something!". Its no different than how guys carrying pot really shouldn't be driving flashy red sports cars but driving some boring blue 4 door instead, you want to go off the radar without attracting attention for doing so.

So while I'll keep an eye on this for the time being I'll stick with Comodo Dragon, it too has increased security and unlike this it is offered with most of Comodo's security products (and since nobody ever unchecks the defaults millions have it) and since it uses the same secure DNS that Comodo uses on their enterprise products you can just blend into the crowd. I wouldn't be surprised if some 3 letter agency has gotten a memo about this thing this very day, /. isn't exactly under the radar ya know.

Re:Interesting

[MacGyver2210]

It lost me at "Chrome-based"...

Re: Interesting

[phoebe]

One wonders what is the excuse this time that the patches have not been submitted upstream to Chromium?

Re:Interesting

[mspohr]

It's actually Chromium based, not Chrome
Chromium is open source:
http://www.chromium.org/

Re: Interesting

[johanw]

It will only make you stand out if it identifies itself as Epic instead of standard Chrome.

Re:Interesting

[fiver22]

not just scummy -how can anything closed be trusted to not be full of Ms style backdoors?

Re:Interesting

[lgw]

Screen resolution is the big one for me, since I browse from inside a virtual machine. If the VM isn't full-screen, it has a quite distinctive "screen resolution". A good answer is to lie by using the closest (or perhaps next smaller) frequent size, then making sure you still render acceptably.

Re:Interesting

None of this works, for all the reasons listed below. The ANSWER might be: Download the whole internet on to your own disks. Surf that.

Re: Interesting

[MyFirstNameIsPaul]

Perhaps you know something about browser fingerprinting that I don't...

Re: Interesting

Not if millions go for it, you'll be just one of the epic crowd.

Re:Interesting

[number11]

Can either of them defeat Panopticlick? I don't see anything on Epic's site about hiding font lists.

It doesn't, either. I just tried installing it.

Your browser fingerprint appears to be unique among the 3,356,831 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 21.68 bits of identifying information.

It's mostly the font list that gives the show away.

Re: Interesting

cjwck out panopticlick

Re:Interesting

[Samantha+Wright]

Welp. Mark that one as torpedoed. The really aggressive "doesn't require cookies!" tracking/ad services rely on stuff like Panopticlick's tricks, I'm pretty sure.

Re: Interesting

[pepty]

Check out SecretAgent (for Firefox). It automatically rotates the user agent string the browser reports through a list of about 50 possibilities. Happens every time you restart the browser. Your browser may be unique today, it may be unique tomorrow, but it won't be identified as the same unique browser both times..

Re: Interesting

[number11]

Check out SecretAgent (for Firefox). It automatically rotates the user agent string the browser reports through a list of about 50 possibilities. Happens every time you restart the browser. Your browser may be unique today, it may be unique tomorrow, but it won't be identified as the same unique browser both times..

Actually, SecretAgent seems to rotate with every page load. And not just the user agent, but some other headers, too. I find it works best if you edit the list of possibilities to remove the ones that often display screwy (few websites are optimized for Mosaic anymore).

Re: Interesting

wget --recursive http:// > /dev/cdrom

Re:Interesting

[santosh.k83]

I would say not unless it blocks Javascript. Just using Firefox with NoScript reduces my fingerprint to 14 bits apparently. Enable JS and it becomes uniquely ID'able in the panopticlick DB.

Re: Interesting

[allo]

rotating on each request is a bad idea. Your ip remains valid for 12-24 hours, so the website can assume that two requests from the same ip are the same user. When the fingerprint is rotating, they have a good criteria: You're the only one with the paranoia plugin.

Better rotate it on browser start. New session, new identity.

Maybe I'm an excessive user

[i+kan+reed]

But 1000 blocks an hour is way short of what Ad-block plus gets with the standard list.

Re:Maybe I'm an excessive user

[What'sInAName]

But 1000 blocks an hour is way short of what Ad-block plus gets with the standard list.

Ok, now it makes sense. I'd originally read that as 1000 BUCKS an hour in the summary and was trying to figure out what the hell they meant!

Chrome?

[J'raxis]

You're basing this on a browser made by one of the companies known to have been cooperating with the NSA every step of the way, including the latest revelations about said companies inserting backdoors into their products?

Sounds like a good idea to me.

Re:Chrome?

Based off Chromium, not Chrome. The first is open source.

Re:Chrome?

And you've audited every line of Chromium code and every line of every library it uses?

Re:Chrome?

Exactly. For something like this, I'd base my code off something small and understandable, as much as any browser can be. Chances are, if you care about privacy enough to use this over another browser, you aren't concerned with HTML5, fancy javascript (any javascript), etc. etc, so why even bother using them?

This project sounds about as reputable as Iron. If you want real privacy, use {elinks,links,lynx,w3m} or Dillo or something, so you can at least have a chance at scanning the relevant parts of the source and proving something to yourself.

Re:Chrome?

No. Open Source means "it's source code is open for me to read" not "it's source is open and i must read it". Besides, i only pointed out it was Open Source, not trustworthy (even though if there was something fishy in there someone would probably point that out).

Re:Chrome?

[liamevo]

so concerned about privacy = doesn't care about keeping up to date with web technology?

"You whippersnappers with your javascript and your canvas! HTML 4.1 was fine for me, and we didn't use javascript back in my day! It was considered bad practice even!"

Re:Chrome?

[bill_mcgonigle]

and every line of every library it uses?

This is pretty important. Use the Fedora build of Chromium if you care about this. Tom "spot" Callaway has been fighting this battle for years - rebuilding Chromium with dependencies on system libraries, rather than private, stashed, local copies of libraries as it's wont to do.

Since we now know that the spooks pressure companies to put back doors into their products, if that happened with Chrome/Chromium, the smart place to do that would be, not in the main product code, which is the place most people will audit, but in the local modifications to libraries that are bundled, which might well be skipped by an audit.

Re:Chrome?

[MacGyver2210]

Which, in my experience, means it's the same thing but less polished and stable.

My first experience with Chromium was running it on a fresh install of Ubuntu, and getting the window *STUCK* on my mouse pointer when I tried to drag it around. No matter what keys or clicks, it wouldn't stop following the mouse. Even after restarting X, it wouldn't go away.

Ended up having to reboot, then when it happened a second time, uninstall Chromium.

Re:Chrome?

[Score+Whore]

Ready to wet your pants? Think about this:

How do you know that Intel and AMD haven't included back doors in their processors that elevate a running thread to ring 0? (or -1?)

Re:Chrome?

[poetmatt]

There's no browser company that doesn't have backdoors, including Mozilla. Whether willingly or not, well - only IE does it willingly.

What do you think encryption research from FIPS 140 is for? Gov't has been given the keys to OS-level encryption for over 8 years, now.

Re:Chrome?

Ok genius, show me the Mozilla backdoor.

Re:Chrome?

[hairyfeet]

Noooo but it DOES mean that a certain lie about FOSS must be faced the "many eyes" myth which is just that. Show of hands, how many here have actually done an extensive code audit of the latest Chromium source code? Firefox? Libre Office? What are your qualifications? Because the obfuscated C code contest shows you had better be DAMNED SKILLED to spot a malicious code insert, so how many years of security training do you have?

The myth, which common sense can disprove, is that because something CAN be done it HAS been done. Well there COULD be werewolves but I don't think I really need to keep a pocket full of silver bullets, do you? Projects like Chromium and Firefox can easily get into tens and even hundreds of thousands of lines of code and that code is constantly changing. Since you have ZERO way of knowing if the changes are malicious you would need to audit not ONLY the code itself but also all changes AND compare what those changes did to not only the area the change occurred but to the entire program, because after all we have seen nasties in the wild that were harmless by themselves but when combined with code from another pwned program allowed an attacker entrance to the system.

So now I hope that everyone can see why merely HAVING source code means nothing, because for it to mean anything you HAVE to have 1.- Security experts going over each and EVERY release with a fine tooth comb, 2.- Certifying that they have done so and its clean and 3.- be sure that said experts haven't been bought. The "many eyes" myth simply makes assumptions that are easily disproved and might have worked when the entire Linux source code could be handed over on a couple of floppies, when the kernel alone is over a million lines of code? Sorry but it just doesn't hold water folks.

Re:Chrome?

[Em+Adespoton]

Exactly. For something like this, I'd base my code off something small and understandable, as much as any browser can be. Chances are, if you care about privacy enough to use this over another browser, you aren't concerned with HTML5, fancy javascript (any javascript), etc. etc, so why even bother using them?

This project sounds about as reputable as Iron. If you want real privacy, use {elinks,links,lynx,w3m} or Dillo or something, so you can at least have a chance at scanning the relevant parts of the source and proving something to yourself.

Personally, I figure browser choice isn't too big of an issue... it's what you're using between your browser and your network that counts the most -- such as privoxy/tor.

Re:Chrome?

[Arker]

Yeah, look. Pat yourself on the back for being 'up-to-date' all you want but you are missing the point. You cannot have privacy and an ecmascript based substitute for the web, they are mutually exclusive. No matter what else you tighten up on the browser end, if your browser is required to trust the server it will be compromised in short order. This is not a matter of old vs new it's a matter of fundamental logic.

Re:Chrome?

[Em+Adespoton]

so concerned about privacy = doesn't care about keeping up to date with web technology?

No, concerned about privacy = educating yourself as to the risks of data leakage.

Attempting to keep your information private = prefers tested and known implementations over keeping up to date with web technology.

Security works the same way; you need to fully analyze the implications of the new technology and give it some "burn in" time before jumping into using it, or you have unknown variables at play in privacy and security.

Re:Chrome?

That's because Ubuntu is a steaming pile of goat crap.

Re:Chrome?

agree. If the source code is available there is always the possibility your evil code will be revealed, bugs fixed etc.

Re:Chrome?

Since you have ZERO way of knowing

You're missing the GP's point. If you really have ZERO way of knowing, why not just run Windows XP and Google Chrome? The point was that with small codebases, you can have a way of knowing what the code would do if correctly compiled.

And I know you're a troll, but your point about many eyeballs + large source falls flat on its own example - Linux kernel code is constantly vetted, and well, by a huge userbase. And it works very well for the kernel. Chromium / Mozilla code, on the other hand, is scarcely vetted at all. Therefore it doesn't work for them.

Re:Chrome?

[marcello_dl]

How do you know that Intel and AMD haven't included back doors in their processors that elevate a running thread to ring 0? (or -1?)

Why shouldn't they?
I mean, one of those corporations is named "INTEL", come on :D

Re:Chrome?

[lgw]

Linux kernel code is constantly vetted, and well, by a huge userbase.

There are few enough kernel experts, though. Do you think for a moment that the NSA doesn't have a set of 0-days for the Linux kernel? That they didn't put some of them there? That they haven't had someone making (mostly) good and useful contributions for 10+ years? The Linux kernel isn't small.

I'd perhaps trust BSD in this regard. The codebase is a lot smaller. SecureBSD has been intensively audited, with several engineers going line-by-line through the kernel. The US government's obvious dislike of Theo de Raadt makes me think he didn't play ball with the NSA when they came knocking. I'm sure they still have 0-days though.

Re:Chrome?

How do you know China hasn't done something simlar in firmware?

Re:Chrome?

[thoromyr]

"Linux kernel code is constantly vetted, and well, by a huge userbase. And it works very well for the kernel."

Really? This is exactly the same "reasoning" that gets us:

  - who needs AV? I don't run it and I've never been compromised
  - you don't need to patch Windows, I have an unpatched WinXP box directly on the Internet and it has never been compromised
  - you don't need to patch linux, I have an unpatched linux box directly on the Internet and it has never been compromised

All of these boil down to the same thing: the person doesn't know that there is a problem so there must not be one.

I disagree with hairyfeet that "many eyes" adds nothing, but it really doesn't mean anything by itself. With the NSA actively infiltrating software (as revealed recently) there is every reason to expect them to have at least tried to insert vulnerabilities into the linux kernel and related software. The fact that it was never outed somewhat increases the likelihood of success.

Code review is very helpful and a good way to identify unintentional bugs, and open source at least facilitates this. But not finding inserted vulnerabilities does not mean they aren't there.

Re:Chrome?

Yes, I have.

Re:Chrome?

[zidium]

Hell, the aliens have been inserting nanobots to pwn all of our electronics since they first gave us the tech to fabricate microprocessors!!

Re:Chrome?

[LordLimecat]

IIRC the Linux kernel had a pretty big issue a few years back when they discovered a bug that was believed to have been maliciously inserted into the kernel several years prior.

Re:Chrome?

[gottabeme]

...You mean OpenBSD? Do you not know what you're talking about, or was that just a brain cramp? :p

Re:Chrome?

[lgw]

I've been good at brain-cramp on /. today!

Re:Chrome?

Pretty sure Apple does it more than willingly with Safari.

Re:Chrome?

This is exactly the same

Err, no. It isn't even close to being exactly the same.

Try exaggerating less, next time. Who knows, you might even get your actual message across. Currently, you're not credible, due to overdoing it, wildly.

Re:Chrome?

Make it HTML 2.0 and it's getting warmer. Now, could these seven-digitters get finally out of my lawn?

Re:Chrome?

[hairyfeet]

Really? By whom? Can you name them? What are their qualifications?

See you too have fallen for the myth, you think because it CAN be done it HAS been done when in reality you have NO proof, NO evidence at all really, that anybody other than Linus and a few devs have done anything with it, much less the kind of code audits required to certify its secure.

Sorry, appeals to emotion are fail, bring some evidence and try again.

Re:Chrome?

*Raises hand*

Done it for both Chromium and Firefox. I haven't diffed out source changes between releases and compared to previous versions any further than Git does by default, but whenever I have downtime at work this is precisely what I do: audit the source of programs I use everyday.

I am not alone either. I know many like myself, all fanboys of Windows or Mac or Linux, who also audit open source code.

The most peculiar thing I find when auditing dev builds, there can be some wonky shit going on in there, but it usually gets ironed out by release.

Re:Chrome?

You seem to be very active in defending your position that OSS code must be safe. Are you an intelligence agency (or similar) employee?

Re:Chrome?

[hairyfeet]

Uhhhh...Miss AC? I was pointing out that OSS code is by its design NOT SAFE, or at least not safer than any other code. Perhaps you should take some basic reading comprehension classes before posting again, yes?

Re:Chrome?

[J'raxis]

More on this. I remember back when SELinux came out, some people were speculating that the bugs they did find were actually inserted there intentionally by the NSA. Sounded paranoid back in 2000, but who knows now?

By "SecureBSD," did you mean this?

Re:Chrome?

[lgw]

I meant Open BSD, but had a mental hash table collision.

SELinux is quite awesome as a model for how security should work (limit what programs can do, regardless of user), instead of how it does work today (user vs admin privileges). But I'd never trust the code itself to be safe from the NSA, however patched.

That's the most annoying thing about all this: the NSA has made real, positive, contributions to security. The destruction of trust as they moved their focus to "pure offense" is all the more harmful because of it.

Re:Chrome?

The sheer vitriol of your response is amusing. In responding to a myth, you seem to invent your own, the myth of "absolute security".

Noooo but it DOES mean that a certain lie about FOSS must be faced the "many eyes" myth which is just that. Show of hands, how many here have actually done an extensive code audit of the latest Chromium source code? Firefox? Libre Office? What are your qualifications? Because the obfuscated C code contest shows you had better be DAMNED SKILLED to spot a malicious code insert, so how many years of security training do you have?

The myth, which common sense can disprove, is that because something CAN be done it HAS been done. Well there COULD be werewolves but I don't think I really need to keep a pocket full of silver bullets, do you? Projects like Chromium and Firefox can easily get into tens and even hundreds of thousands of lines of code and that code is constantly changing. Since you have ZERO way of knowing if the changes are malicious you would need to audit not ONLY the code itself but also all changes AND compare what those changes did to not only the area the change occurred but to the entire program, because after all we have seen nasties in the wild that were harmless by themselves but when combined with code from another pwned program allowed an attacker entrance to the system.

I have never done a code audit. I also have never done an FDA-certified food inspection.

The obfuscated C contest demonstrates that it is easy to insert malicious code. Halloween psychos demonstrate that it's easy to lace trick-or-treat goodies with malicious instruments.

So now I hope that everyone can see why merely HAVING source code means nothing, because for it to mean anything you HAVE to have 1.- Security experts going over each and EVERY release with a fine tooth comb, 2.- Certifying that they have done so and its clean and 3.- be sure that said experts haven't been bought. The "many eyes" myth simply makes assumptions that are easily disproved and might have worked when the entire Linux source code could be handed over on a couple of floppies, when the kernel alone is over a million lines of code? Sorry but it just doesn't hold water folks.

So, now I hope you can see why merely inspecting food means nothing, because for it to mean anything, you HAVE to have:

1) FDA food inspectors going over every baked bean with a fine tooth comb.
2) FDA inspectors must certify your plate is clean.
3) You've got to have honest FDA food inspectors, not those crappy ones thta are just in it for the chocolate.

The FDA is a massive hoax, and I can prove it because the FDA isn't in your home like I just proved it should be! You should be alarmed, and above all, you should stop eating! Who knows when you might next eat an ant in your food?

Re:Chrome?

"Linux kernel code is constantly vetted, and well, by a huge userbase. And it works very well for the kernel."

Really? This is exactly the same "reasoning" that gets us:

  - who needs AV? I don't run it and I've never been compromised

  - you don't need to patch Windows, I have an unpatched WinXP box directly on the Internet and it has never been compromised

  - you don't need to patch linux, I have an unpatched linux box directly on the Internet and it has never been compromised

All of these boil down to the same thing: the person doesn't know that there is a problem so there must not be one.

I disagree with hairyfeet that "many eyes" adds nothing, but it really doesn't mean anything by itself. With the NSA actively infiltrating software (as revealed recently) there is every reason to expect them to have at least tried to insert vulnerabilities into the linux kernel and related software. The fact that it was never outed somewhat increases the likelihood of success.

Code review is very helpful and a good way to identify unintentional bugs, and open source at least facilitates this. But not finding inserted vulnerabilities does not mean they aren't there.

This is silly reasoning. You have simply assumed your conclusion, and then tried to rationalize it. You have also conflated individual behavior with group behavior.

I don't see anyone arguing that you shouldn't run AV or shouldn't apply security patches, so those arguments are disingenuous. These are practices that everyone should follow, or their system will become a potential target. This is similar to advice to not go out late at night in dark places, and to do so with a buddy. They are individual risk-reduction measures. And it's clearly a separate matter from saying "the streets are constantly policed, by a sizable force, and it works well in Seattle."

Re:Chrome?

Really? By whom? Can you name them? What are their qualifications?

See you too have fallen for the myth, you think because it CAN be done it HAS been done when in reality you have NO proof, NO evidence at all really, that anybody other than Linus and a few devs have done anything with it, much less the kind of code audits required to certify its secure.

Sorry, appeals to emotion are fail, bring some evidence and try again.

Can you name the last 20 FDA food inspectors that checked your food?

Re:Chrome?

"less polish and stable" means less polish and less stable? or as it's written?

Why should I trust...

...closed source browser

Re:Why should I trust...

It's a fucking joke riding the NSA spy wave in search of suckers. One born every minute after all.

What about on the "Web" itself...

[flogger]

I can decript my data, use browsers to erase cookies, but without spoofing IP addresses, the websites know where I am accessing from and when I access the site. If I would then use a major email (instead of my own email server), then the NSA has their hands on my emails and any cloud stuff I save. Everything in the internet needs to be reworked for privacy, not just the browser...

Of course the The United Surveilla^H^H^H^H^H^H^H^H States Government is not going to let that happen.

Re:What about on the "Web" itself...

[h4rr4r]

That is what proxies are for, and things like tor.

Literally spoofing an IP will not work since it if does not match your network segment your provider is not going to route that traffic.

Re:What about on the "Web" itself...

[hairyfeet]

Uhhhh...its already been reported that NSA is running several Tor exit nodes to collect the data, you DO know this, right? There has also been people who had their doors kicked down and all their computers hauled off because they ran a Tor exit node and somebody supposedly used it to look at child porn so even running your own exit node carries significant risks.

I think everybody is just gonna have to accept the party is over and has been for awhile, and that any and every thing you do on the net needs to be treated like you were standing on a street corner holding up a sign as THAT is how little privacy you have now. And if the report is true that the NSA has the keys to HTTPS then running a proxy really isn't gonna do shit, they can set there with taps on the backbone and read it all in near real time and if they are doing a MITM on the backbone then that proxy isn't gonna do shit as those packets still have to get to your PC and they can just follow it back to the source.

Re:What about on the "Web" itself...

[number11]

Uhhhh...its already been reported that NSA is running several Tor exit nodes to collect the data, you DO know this, right?

You don't have to be an exit node to run Tor. You don't even have to run as a relay, though if you can, that helps everybody's speed.

Re:What about on the "Web" itself...

[TheSeatOfMyPants]

At this point, using a VPN is kind of a must if we want to have even a bit of privacy. I've been doing my homework starting with things like TorrentFreak's Guide To VPN Services That Take Anonymity Seriously, 2013 Edition and the informational comments left on that article, and hopefully this month I'll finally have figured out which to go with.

Re:What about on the "Web" itself...

[hairyfeet]

Wow, thanks, I so rarely get to say this...WHOOSH! Kinda missed the point friend which was Tor is pointless if the NSA runs the exit nodes that you happen to go through because you just handed them the data, understand?

To say Tor is the answer when its been reported several major exit nodes are NSA is like saying "I'm against MITM attacks!" so you just send your data to the NSA directly. You haven't changed anything, all you have done is make it easier for the one that is spying on you, that's all.

Re:What about on the "Web" itself...

[santosh.k83]

Can you be sure that any of those companies haven't been founded by, or are collaborating with the NSA and CIA? It's logical for the latter two to get unscrupulous non-Americans to start-up VPN services touting to be very secure and trackerless, all the while secretly in partnership with the Devil.

epic

Oh how I despise the misuse of the word epic.

Re:epic

I agree. It is an epic fail.

Re:epic

But it is a name, not a word.
Just like Warner Bros is not a word, but a name.

It is like being mad at Windows being called Windows. Wait, I am mad at that. Bad example, but you get the point.

Gb2/b/.

Re:epic

Technically, yes. It is not a misuse when it is simply the name. But if epic was not trendy in such a way that I deplore, the author would likely have named it something else. There is nothing epic about a web browser.

Private Browsing

[Kiaser+Zohsay]

I have said for years that Private Browsing in Firefox is what Incognito Mode wants to be when it grows up. Looks like that is about to happen.

Re:Private Browsing

[Forbo]

Excuse my ignorance, but can you elaborate on the differences?

Re:Private Browsing

[Derek+Pomery]

I was kinda curious what he meant, myself, so I checked out this old-ish paper.
http://crypto.stanford.edu/~dabo/pubs/papers/privatebrowsing.pdf

I don't know if things have changed much, but their fairly thorough review seems to indicate firefox and chrome are pretty similar.
Looking at their table, one possible area of concern they listed (that Chrome might no longer have a problem with) is zoom level.
That could give information to a site that it is the same person, if they cared, although, that seems to be a pretty minor leak, given all the other information you could be revealing even if you hid your IP (a la panopticlick).
Looks like Chrome retains it from the non-private session, Firefox does not. The download list thing doesn't seem like a big deal. Depends on what you're using it for I guess.

Some leaks they fixed...
http://code.google.com/p/chromium/issues/detail?id=3493
http://code.google.com/p/chromium/issues/detail?id=21341

Open issues:
http://code.google.com/p/chromium/issues/detail?id=867
http://code.google.com/p/chromium/issues/detail?id=34593 (I'm not a fan of this one either, but multiple private windows in Firefox do the same thing)

Back in 2010 Flash added support for private browsing in their plugin (that is, wrt local storage) in Firefox. I have no idea if/when that got added to Chrome.

I saw one complaint that disabled plugins (like Flash) in Chrome were reactivated in Incognito, but I don't know enough about the browser to check that.

Anyway, they seem pretty similar to me.

Fail

[some+old+guy]

Things like this only serve to foster and spread an illusion of security and privacy. It may make life a little harder for the commercial maggots, but the government worms? You're as good as owned already.

If it has not already been compromised, by technology or force of law, it soon will be. Bet on it.

Re:Fail

[briancox2]

After reading your comment, I got the distinct feeling that everything was hopeless and we should all give up. You're not some old guy are you?

Re:Fail

With experience comes wisdom, kiddo.

Proxies

The trouble with proxies is the added latency.

Try this, go through a proxy and just try to post here on Slashdot - or even load the page.

I tried using proxies and I just got so many timeouts that it made the web unusable.

Re:Proxies

[larry+bagina]

Slashdot is a bad example -- they block (the banned pink page) many proxies and tor exit nodes. Some are read-only (no posting). They also intentionally throttle the response, intentionally and with their proxy detection code.

If slashdice cared about, well, anything, they would also run a {slashdot}.onion site as well.

Re:Proxies

[jeffmflanagan]

Your proxy server sucks. A properly functioning proxy server will cause lag issues with twitch-gaming, but not anything noticeable with web surfing or even streaming videos.

Re:Proxies

^this. +1 insightful.

Re:Proxies

The trouble with proxies is the added latency.

Try this, go through a proxy and just try to post here on Slashdot - or even load the page.

I tried using proxies and I just got so many timeouts that it made the web unusable.

I use a VPN. US$40/year (give or take, depending on who you use) gives you a fast connection, and the ability to be wherever you want. Chicago? Amsterdam? Zurich? Bucharest? Hong Kong? Kuala Lumpur? The better VPNs don't (or at least, claim that they don't) log connections, and you can use one that's not based in the US. You can find various reviews online at places like Torrentfreak.

Re:Proxies

[santosh.k83]

The "backdoors" leak from Snowden shows how money and threats corrupt even large corporations to speak nothing of small VPN companies. I wouldn't be surprised to learn one day that popular VPN providers were incentivised/coerced by CIA/NSA and such into deploying backdoors. After all, very few people can remain honest when a promise of tens of millions of dollars is dangled with one hand while threats are dangled with the other. To be sure, this might not be possible with all VPN providers in all countries, but the reach of CIA is very long, and combined with the local govt's own secret service...

Based on Chromium, not Chrome

[spivster]

The summary is incorrect. This browser is based on the open source Chromium, not Chrome, a subtle but important difference since Chrome has Google's extra tracking goodness. However, I have to wonder why they didn't start with Firefox, which is truly open source and not connected at all with Google, which has pretty much become the poster child of privacy invasion these days.

Re:Based on Chromium, not Chrome

[geminidomino]

I haven't looked at it in some years, but I suspect that, being a younger project, Chromium's codebase is a lot cleaner and easier to work with than Firefox's.

NB: It's in the nature of code to build up cruft. This isn't intended as an endorsement or insult to either group's coding or design styles and abilities.

Re:Based on Chromium, not Chrome

[Desler]

and not connected at all with Google

Other than Mozilla getting the vast majority of their funding by making the Google search engine the default?

Re:Based on Chromium, not Chrome

And your comment about Firefox and Google not being connected, is also incorrect:

http://www.pcmag.com/article2/0,2817,2398046,00.asp

Re:Based on Chromium, not Chrome

[GrBear]

Perhaps they wanted to build off a browser that doesn't crash all the time and has feature creep/bloat.

Re:Based on Chromium, not Chrome

You would think that, but Chromium has a hefty amount of cruft itself. It takes about three times as long for me to build chromium as for me to make a (mrproper'd!) Linux kernel, while Firefox can complete in a little under the kernel build time. I'm not sure what that says about code bloat to you, but it's a metric.

Re:Based on Chromium, not Chrome

[kthreadd]

You can't build on Chrome since Chome is closed source.

Re:Based on Chromium, not Chrome

[larry+bagina]

It's the language, not the code. KHTML/WebKit/Chromium/Blink is c++. Compiling and optimizing, especially when templates are involved, is much more processor and memory intensive.

Re:Based on Chromium, not Chrome

[phoebe]

Firefox isn't truly open source either, you are probably after IceWeasel if you want the Mozilla route.

Re:Based on Chromium, not Chrome

[FunPika]

Wrong, Firefox is open source. IceWeasel exists to allow the Debian developers to backport security fixes to the stable version in the Debian repositories and avoid Mozilla's trademark restrictions on the use of Firefox's logo and name. All of the code that makes up what Mozilla officially considers Firefox is freely licensed.

Re:Based on Chromium, not Chrome

They didn't start with FF because someone already has and they wanted kudos also. At least that would be my guess.

Re:Based on Chromium, not Chrome

[theprop]

Epic's previous incarnation was built on Mozilla. We like many have been unhappy with Mozilla's development and performance. Moreover, even though Mozilla is supposed to support all Mozilla projects, we got zero support from Mozilla...less than what we got from Google engineers/Chromium and believe me that was very little. (Mozilla is supposed to be non-profit but they do get $400+ million a year from Firefox in Google payments so that's their complete focus & FF is very successful and a great product too.) 100s of millions of users have switched to Chrome/Chromium because it continues to outperform other browsers so we also had to finally work with Chromium as well. That's in brief why we developed on Chromium.

Proxy ?

[Jimpqfly]

Proxy is a nice option, except when you don't know where the Proxy is... Easy to implement a Proxy and have a look at users communications...

Re:Proxy ?

[emilv]

Indeed. And accessing using HTTPS isn't even guaranteeing anything in this browser since the proxy service and the browser is provided by the same party, so they can trivially add their own CA and sign certificates for whatever sites they want.

Re:Proxy ?

Indeed, adding their own CA could even be given a rational explanation: They want to save the money it would cost to get a normal CA sign, and moreover connecting to the proxy will still work if you revoke any other CA (if they e.g. signed with Verizon, and you decided to not trust Verizon and remove the Verizon root certificate, connecting with the proxy would fail).

Oblig..

[SuperCharlie]

I'd try it..Linux pls..

Source available?

So we're supposed to trust the company behind this browser, and the security of their web services? Can we at least build it ourselves from source?

Who would have thought...

[StripedCow]

that computing in the 21st century would become so exciting?

Why another?

[mwissel]

Sounds a lot like SRWare Iron* to me - that's a long existing Chromium-based fork altered for enhanced privacy.

At a first glance, I cannot make out any advantages of Epic over Iron. Aside from the removal of all user tracking which Chrome brings, they only provide a 1-click-proxy functionality. Which, if I used it, would leave me and my privacy at the mercy of an India based startup. Instead, I'd also rather suggest JAP** which is also long and well established.

So what am I missing that makes Epic Browser worth a Slashdot post?

[1] https://www.srware.net/en/software_srware_iron.php
[2] http://anon.inf.tu-dresden.de/

Re:Why another?

Or... I wasn't aware that any such browser project existed, and now I know of 3?

This seems exactly like the right topic for a Slashdot post to me...

Re:Why another?

So what am I missing that makes Epic Browser worth a Slashdot post?

The founder of Slashdot sent it in.

Interesting that Washington Post is an investor:

http://epicbrowser.com/about_us.html

Doesn't Cmdr Taco work for the Washington Post?

Re:Why another?

[bill_mcgonigle]

So what am I missing that makes Epic Browser worth a Slashdot post?

EPIC is well-known in the electronic privacy realm and their actions are frequently a Slashdot topic.

Wait, this is the Electronic Privacy and Information Chromium, right? Because market-confusion among names would be pretty confusing.

Re:Why another?

Of course, Slashdot posts are a rare and valuable resource!

Re:Why another?

[Stephen+Gilbert]

Instead, I'd also rather suggest JAP** which is also long and well established.

Yes, with a long-established backdoor for "crime prevention".

Re:Why another?

They both seem like traps. This one doesn't seem to be providing source at all, while Iron's source is provided as a multipart archive on rapidshare for minimal transparency.

Re:Why another?

Dig a little deeper into the context on this. The day after the article about the NSA having back doors into everything under the sun we get a blurb about a new browser that provides "better privacy". One of the main issues with the release of the back door info was that people would loose trust in American/UK businesses and the NSA would loose the work they did persuading/pressuring these organizations into helping them.

So what's an enterprising Intel agency to do? Why come out with a new cover story, of course. If you search on Hidden Reflex (What an interesting, revealing name!) you will come across this article from the Business Standard with tomorrow's date on it: http://newsle.com/article/0/27850288/

Yes private equity! No need to reveal anything then.

Also, this thing comes with 1,500 ready to install sidebar apps? What could possibly be unsecure about that?

Re:Why another?

SRware Iron is a scam. It does nothing. They only hard code settings you could already change.

Re:Why another?

Use SRware Iron if you like, but don't fall for the hype. It's all about exploiting panic grab some bucks -- functionally speaking, Iron is the same as Chromium (not Chrome) except with some privacy-related settings (that are already user-configurable) removed entirely; using chromium and turning those settings off gives you every privacy advantage, without the slimy feeling that comes from reading

...
<mgreenblatt> Iron.. why not propose a patch based on preprocessor
                            defines that disables the sections you dislike without
                            forking the code?
<mgreenblatt> (assuming such a thing doesn't already exist)
<Iron> because a fork will bring a lot of publicity to my person and
              my homepage
<Iron> that means: a lot of money too ;)
<Kmos> rotflol
<Iron> what means rotful?
<mgreenblatt> Iron.. you're a large corporation that can dedicate the
                            time to support a fork of something as complicated as
                            chromium?
<Kmos> Iron: google about it
<Iron> yes there is enough time to support it
<jamessan> heh, you're expecting to make lots of money from making a
                      fork of chromium? that's quite amusing
<Iron> i dont take money for my fork
<Iron> but i have adsense on my page ;)
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;) ...

Yeah -- the dude wants to use deceptive advertising (comparing his product to Chrome, not Chromium) to leverage Google's reputation as evil privacy-violator to make a mint with Google's ad network... and giving people a false sense of better privacy, reduces their incentive to try actual privacy measures like better search engine (ixquick/startpage), TOR, and the various extensions (available for Firefox and Chromium) that block various types of tracking and identifying information leakage.

As I said, keep using it if you like -- there's certainly no evidence it's backdoored or anything. But personally, I find the exploitative nature, and the recklessness regarding the effect of a false sense of safety, to be morally objectionable, and I feel people need to be informed about this to make their own choice.

Re:Why another?

[mwissel]

Thanks for the hint. I didn't know that.

Personally, I don't use Iron - I have vanilla Chromium and rekonq on my machines. But I do recommend Iron from time to time for non tech-savvy people. For them, even after what I read now, it might still be the better choice because they would never fiddle with config values inside Chrome.

Full ACK - what that guy states there leaves a certain aftertaste. Hmpf.

Where does the money come from?

[kullnd]

From their page::

Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since they’re routed via a secure, encrypted connection over a proxy – so private by design when you use EpicSearch.me that we literally can’t know what you’re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.

So ... They get paid for searches they drive but those searches don't have any ads or tracking? Again, where does the money come from?

Re:Where does the money come from?

Ads and search results never include any personalized results or tracking

So, ads yes, tracking no. Or in other words, what search engine ads were like before Google. Something relevant to exactly what you typed in, nothing more.

Or at least that's the claim.

Re:Where does the money come from?

[Mr.+Slippery]

They get paid for searches they drive but those searches don't have any ads or tracking?

Read the text you quoted. There are ads. These ads do not include tracking, they're based only on your search terms and general location.

Re:Where does the money come from?

Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since they’re routed via a secure, encrypted connection over a proxy – so private by design when you use EpicSearch.me that we literally can’t know what you’re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location

If they are being routed via proxy, how do they know/track your location? Sounds fishy.

Re:Where does the money come from?

[theprop]

Search query and rough geographical location. Google & others track you in order to target non-search ads. Search terms (with a rough geographical area) are MORE than enough to target search ads!

One process per tab?

Really, a process?

Could I get fork bombed by visiting a website that opens two new tabs?

Thank you NSA and GCHQ

[jopet]

Closed source? Seems legit.

Re:Thank you NSA and GCHQ

But CmdrTaco says it's good and he works for WaPo now so... ohhhhhhh. Never mind. I'll stick with carrier pidgeons; http://en.wikipedia.org/wiki/IP_over_Avian_Carriers

Re:Thank you NSA and GCHQ

The Washington Post Company, mouthpiece of the United Surveillance of Amerika government, owns the Epic Browser company.

http://epicbrowser.com/about_us.html

This is a no go.

Privacy Theatre

Because just as Security Theatre takes well intentioned measures which are ineffective, this product takes well intentioned measures which are ultimately ineffective. It is like building a garage and expecting this will hide your new Ferrari, while doing nothing whatsoever about the CCTV camera on public land across the street pointed right at the garage door... the moment you take it out on the street, the camera owner has a record of it.

Useless on a proxied LAN

[peter.kingsbury]

Epic is useless on a proxied LAN. Under Settings, Advanced Settings, Network, "Change proxy settings..." is disabled and a message indicates "Your network proxy settings are being mangaed by an extension". However, going over to Extensions yields the message, "Epic does not allow extensions for security & privacy reasons".

Cool but

[TheSkepticalOptimist]

While blocking cookies or ads are fine, once the data is sent out into the ether its going to be picked up an decrypted, no browser is going to stop that.

If you want privacy on the web, stop using the web.

Extentions in Epic

[slash.jit]

I just gave Epic a try...

In Proxy settings it says "Your network proxy settings are being managed by an extension."
In Extensions link it says "Epic does not allow extensions for security & privacy reasons e.g. read this (right click and open in a new tab)"

So what extension is managing network proxy settings? I don't trust this browser any more than Chrome.

Nice but there is one problem

[aaaaaaargh!]

a software product company founded by Alok Bhardwaj and based in Washington DC

In the "About Us" section of the web site. US-based, so it won't protect your privacy against the spooks (Patriot Act *wink* *wink*). Neverthless, it's nice to see more software made with privacy in mind.

"Poster child of privacy invasion" hyperbole

[brunes69]

Google is very upfront about what is collected and what they do with it and who they do and do not share what data with. As someone who actually follows this stuff closely and READS agreements and doesn't just rely on Slashdot hype, I am 100% comfortable with everything Google does and what they do with the data, and also with how hard they fight back against governments who want that data. Google doesn't sell your data to ANY third parties, they use it INTERNALLY for their own stuff. As such it is actually VERY private. The data you share with Google is a lot more private than the data you share with your telco or cable company or bank in this respect.

Compare this to Facebook or LinkedIn or even Twitter, who are NOT upfront about what is collected and shared, and who not only share data with governments, but ALSO 3rd party companies at will as part of their business models. As well as your bank, your telco, etc again - all of whom routinely sell client lists including names, addresses, and phone numbers.

Who is the poster child again?

Re:"Poster child of privacy invasion" hyperbole

or even microsoft. a couple years ago, when yahoo and google threatened to pull out of china over censorship, microsoft never blinked and eye.

Microsoft has never made a fuss about collaberating with any and all governments of areas it does business with. When they bought skype the first thing they did was add centralized logging and tracking of all conversations, and allowed access for LE, and the NSA.

Re:"Poster child of privacy invasion" hyperbole

[UdoKeir]

Google is very upfront about what is collected and what they do with it

Except when that collection and disclosure is requested via a national security letter.

Re:"Poster child of privacy invasion" hyperbole

Ok Sergey, back to the Minecraft with you...

Re:"Poster child of privacy invasion" hyperbole

That's why they're suing the US federal government to be able to release the data. As of right now, they're being told that if they release it, they will be prosecuted. The article for those who don't want to Google it.

Re:"Poster child of privacy invasion" hyperbole

That's why they're suing the US federal government to be able to release the data. As of right now, they're being told that if they release it, they will be prosecuted. The article for those who don't want to Google it.

So then are you admitting or ignoring the fact that they've already compromised you?

Re:"Poster child of privacy invasion" hyperbole

I haven't bothered updating chrome for android since they decided that I have to allow the privacy permissions of taking audio, video, or pictures of me at any time from my phone or tablet's camera.

The new android keyboard update has some ridiculous permissions too.

Upfront doesn't change the ridiculousness of it.

Re:"Poster child of privacy invasion" hyperbole

In a way Google does sell it via targeted advertising. Google sells a service based on information about you.

Re:"Poster child of privacy invasion" hyperbole

[hairyfeet]

And if you believe that? I have a bridge you might be interested in. Its already been reported that the NSA has had access to the Google and Yahoo DBs and a security letter trumps any and all subscriber agreements so if you are betting on that to keep your data out of big bro's hands? you are wasting your time dude.

The moral of the story is thus: If a company is in the USA or UK? Give it up, the data is now in the hands of the NSA, it does not matter what the company says, if they are on US soil its NSA's data now.

Re:"Poster child of privacy invasion" hyperbole

[ggraham412]

Compare this to Facebook or LinkedIn or even Twitter, who are NOT upfront about what is collected and shared, and who not only share data with governments, but ALSO 3rd party companies at will as part of their business models. As well as your bank, your telco, etc again - all of whom routinely sell client lists including names, addresses, and phone numbers.

Who is the poster child again?

Oh I get it. The problem is everyone EXCEPT Google. Thanks for clearing that up.

Re:"Poster child of privacy invasion" hyperbole

[PRMan]

Google is fighting it better than most and is even trying to make the point (without the NSA's help, because it will expose what other companies are doing (AT&T)), that they only comply with very limited warrants the numbers of which are quite reasonable for actual crime.

Re:"Poster child of privacy invasion" hyperbole

...wow, that's awesome. I never knew I just had to tell you what I was going to for it to become 100% condonable. Next time you get mugged I hope the mugger tells you just before doing so, and then you can eat your words. There's a fine line between trust and idiocy, and you've hit the latter. Unless, of course, you consider what they DON'T tell you to be no problem as well.

Re:"Poster child of privacy invasion" hyperbole

[thoromyr]

Wait, you claim to have actually read Google's revised AUP? And your fine with the "we protect the correlated data so that only those we knowingly give it to (contractors, customers and the government) can have it"? It isn't stated *quite* that succinctly, but it wasn't far removed from it either. I haven't read it since the change and at the time they were revising it without notice (next day to get a quote for someone and the wording had been altered) but I seriously doubt that the gist of it is any different.

Re:"Poster child of privacy invasion" hyperbole

So they say, PR Man. "Trust us" is looking less and less compelling every day.

Re:"Poster child of privacy invasion" hyperbole

[gottabeme]

That's true, but the only solution to those is to not use the Internet at all. Since you're on Slashdot, and not even AC, I'm guessing that's not an option you're considering.

I don't think Google's as not-evil as it used to be, but I'm guessing that they are less evil and more privacy-advocating and -protecting than most corporations, such as...every major ISP.

As much as I'm against mass surveillance, the bottom line hasn't changed in many years: if you need serious privacy, either use strong encryption or use meatspace.

Re:"Poster child of privacy invasion" hyperbole

[mattack2]

Aren't they legally prohibited from doing so? If I'm correct, then are you suggesting they should blatantly break the law, and thus presumably be fined?

I am unconvinced...

[geminidomino]

No source code, no verifiable improvement over SRWare Iron, and the company gets paid from...

Epic like most browsers earns a commission on searches we drive. So the more you use Epicâ(TM)s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since theyâ(TM)re routed via a secure, encrypted connection over a proxy â" so private by design when you use EpicSearch.me that we literally canâ(TM)t know what youâ(TM)re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.

by tying in to the industry that is even more hostile to the concept of user privacy than the USGov...

Thanks, but I'll pass.

I LIKE OUR GREEK GIFT !!

Allow us to bring it inside the gates !! Make haste !!

Their own proxy!

[brillow]

What will keep a NSL from telling them to give the NSA the key's to their proxy?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Epic browser is not epic browser - or used to be

According to Wikipeida Epic ( http://en.wikipedia.org/wiki/Epic_(web_browser) ) is a gecko based browser and does not aim at privacy .. but now it's chromium based privacy browser (both are said to use epicbrowser.com) ? somethings weird.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Open Source?

When, if ever, will the source for Epic be published? And under what license?

Turns out I am wrong ...

[jopet]

Chromium obviously is open source already, but they do plan to opensource their additions too.
So this could actually be the good stuff.

Privacy is based on trust

[mistapotta]

You either trust Google with your data, and use their services, or you don't. Same with Facebook, et. al. If you're using this browser, you're trusting this company that they're doing what they say. Maybe you'll peruse the OS code, maybe not. But it's still who and how much you trust. Ultimately, if you want better privacy than what's out there, you need to roll your own browser. Find an open-source project you like, put the features you want in it, take the features you don't want out of it, and go on your merry way.

Re:Privacy is based on trust

[theprop]

You seem to think building a browser is really easy. And that privacy is really easy. Good luck...we've been working on this for about a year...would love to see your browser, please email it to me! alok at hiddenreflex dot com

Re:Privacy is based on trust

[mistapotta]

I didn't say it was easy. Good privacy is hard. Creating your own robust software is hard. So the options are to become a neo-luddite, or some open-source fascist. Or accept what is out there, for all the benefits and penalties that are out there. It _is_ a matter of trust.

What I did say was if one doesn't like their options, they need to do something about it. Contribute to an open source project. Call out the worst offenders publicly. Support those that do it right.

I'm sorry you saw this as a personal attack on you and your browser.

Fixing the wrong problem

[Junior+J.+Junior+III]

A privacy-focused browser is fine as far as it goes, but the problem is more with the network transporting data insecurely, and on the server side, where you put your trust into faceless entities that have their own interests at heart, not yours. So I don't see this helping much, if at all.

it's a good idea

The problem so far with privacy and no-tracking solutions is that they are usually individual plugins that may require configuration. For the average person, even one with technical know-how, it seems onerous to install these add-ons on all devices and make sure that they are up-to-date or whatever. It will be nice when someone bundles them with sensible defaults alongside a browser as a distro. This is an exaggeration but it's like we are still in the slackware/SLS Linux days and no one has come around with Ubuntu yet

chaff

Instead of blocking, we should just write a browser that is constantly browsing random shit in the background - your session is just sandwiched into a flood of other data. Bonus for filling up the buffers / taps / storage arrays of the listeners with junk. If they want to read what we do, let them choke on it.

Where is the source code???

just asking...

Epic fail

[Taantric]

It is being made by an American company. Rest of the world does not and should not trust you anymore.

NSA: Hey Epic Exec, insert this complied module into your app
Epic Exec: Go fuck yourself NSA. We are all about protecting users here
NSA: I see. I also see that you visited a gay bar in SF last week and Boston the week before. Are you going to tell your wife and children or should we?
Epic Exec: Oh I see you are talking about National Security. Why didn't you say that before? Here at Epic we are loyal Murcans and we will be happy to help anyway we can.
NSA: That's a good bitch. Next time roll over and show your belly faster or else.....

Re:Epic fail

my wife and kids know i'm gay that's why they married me.

Re:Epic fail

No country in the world is trustworthy.

fool me once

[stewsters]

Post the source.

Re:fool me once

[theprop]

Coming soon!! Write us if you want the whole source, any files, anything now!! Sorry for the delay -- we're a small team and want to release it in an organized way, just have been too busy in getting the product out and Chromium has a LOT of files!!!

What if NSA cash is sent to Adblock?

The problem here is NSA/CIA has loads of cash ($52 billion for covert ops FFS), Adblock is probably a tiny operation that could be bought for $50k/year. No court order required to do that and since NSA keeps everything secret claiming 'National Security' no court would ever know if they'd bought off Adblock to help them track people. Even if they used it for domestic spying, they're trying to shut down whistleblowers and have their own staff under close surveillance now to try to prevent it.

I also wonder about Firefox. It has certificates that I do not trust as standard with no way of deleting them. Why would I trust Verisign at this point? I'd have to be a bleeding idiot to think they aren't in the NSA payroll, they're owned by Symantec FFS. Likewise Visa we already know hands over their transaction data. Yet Firefox has Visa as a valid root certificate! They have likely NSA conspirators on the root certificate list FFS!!

I have my doubts even about Open source browsers, that said, Epic is welcome, but I'll still be treating it as suspect.

Re:What if NSA cash is sent to Adblock?

[hairyfeet]

Uhhhh...buying adblock would be as pointless as trying to "buy" Linux, there is already a dozen variations thanks to the source being out there. While I'm not a big fan of FOSS (since i think a lot of their so called "advantages" are built upon false premises) this is one thing they do have an advantage in, in that there really isn't any way to control any one project by buying it. If you are unsure of adblock there is adblock plus, one I think called "super adblock" or something like that, or if you want to go to the trouble you can do like old APK and mess with HOSTS or just run your own recursive DNS like I do, not hard to get blacklists of advertising servers these days.

As far as trusting Firefox? So don't, again not like you don't have options. There is Comodo Icedragon, Seamonkey, IceWeasel and Kmeleon, and those are just sticking with the gecko engine, if you were to add the Chromium engine you would have another half a dozen easy to choose from and then of course there are those that use their own engine like QTWeb (uses QT framework with Webkit from KHTML) or OffByOne. again no need to stick with something you aren't sure of, plenty of choices out there. Frankly if the NSA wants to follow you though they have access to the backbone, all the obfuscation in the world isn't gonna protect you from a MITM attack.

Re:What if NSA cash is sent to Adblock?

"As far as trusting Firefox? So don't, again not like you don't have options. There is Comodo Icedragon, Seamonkey, IceWeasel and Kmeleon, and those are just sticking with the gecko engine, "

Thanks for the info, but 'Comodo' is one of my suspect cert providers so Icedragon is a no-no. When I dug into Comodo it was some Turkish expat that went to the UK (red flag 1) then the US (red flag 2) provided a free email cert (flag 3, nothing is really free), and wanted far more info than I think is needed to verify an email address (red flag 4).

But I'll dig through the others.

Re:What if NSA cash is sent to Adblock?

[hairyfeet]

Uhhh...Comodo is an Indian company that does enterprise security products, don't know where you got your info from. they have a branch in the USA but more large corps do, that don't make 'em a US company.

I've personally been using them a couple of years now and have yet to see their browsers send a single bit of data I didn't specifically authorize and I do check my logs. If you opt in for their secure DNS then your DNS will naturally go through their servers (the same ones that they use for corporate deployments so its not like your data will be segregated, it'll be in the same pool as thousands of corps) and as far as their certs go? They had a break in, reported it to the public within a day and had the keys revoked upon finding out about the breach. personally I'd rather have a corp that admits when there is a breach, informs me, and then does everything they can to close the breach immediately than to have one that covers it up, but maybe that is just me. Again not like you don't have options and you can always build from source if none of them suit you.

Re:What if NSA cash is sent to Adblock?

[lgw]

You fool! You've summoned APK! Do not call up that you cannot put down.

Re:What if NSA cash is sent to Adblock?

[LordLimecat]

APK and mess with HOSTS

You fool! Youll awaken him!

Re:What if NSA cash is sent to Adblock?

Why don't you disprove apk here then http://yro.slashdot.org/comments.pl?sid=4176879&cid=44775791 ? Is it because you're unable to since he only spoke truth? Absolutely.

Actually...

You can delete them from within your profile. HOWEVER as soon as you update again it reinstalls them.

Rather annoying behavior, but it IS circumventable.

Hadn't noticed that they're now considered 'internal objects' however.

No user-agent masking and uncommon choice

[gowmc]

Tried Epic out for myself. Looks nifty, but clearly not polished yet. Biggest issue is that it still leaks all the data from the user-agent and plugins. Disabling the plugins helped, but I had an even more unique user-agent string than normal. Seems like this should be near the top of the list for a privacy browser, but they don't even mention it on their site, at least from a cursory browse. Tested at https://panopticlick.eff.org

Pointless

HAHA! Yeah, Good luck there. With the NSA having cracked every conceiveable protected system on the internet, you really think someone will come up with something uncrackable or secure? HA!

Which is it?

[Reliable+Windmill]

Is it based on Chrome or Chromium? Is that not an important distinction to make?

No source?

[GodWasAnAlien]

Chromium is at least open source.

Can I opt out of slashvertisements?

Cmdr Taco should find another job

This Epic Browser only has the appearance of privacy, without it being actually safe. In that sense, it is s more harmful than using a regular browser. With a FF or Chrome or Chromium or Opera or ...., people will at least consciously take steps to ensure some privacy even if they don't succeed.

Is this some NSA trojan or what ?

Re:Cmdr Taco should find another job

[Skapare]

If you ATTEMPT to get privacy, they will attract their attention towards you. You must have something to hide (which is, of course, yourself).

No trouble @ all, Hairyfeet: How/Why?

"or if you want to go to the trouble you can do like old APK and mess with HOSTS" - by hairyfeet (841228) on Friday September 06, 2013 @12:30PM (#44775941)

Per my subject-line above: Well - you know -> http://yro.slashdot.org/comments.pl?sid=4176879&cid=44775791

* :)

(It's no hassle, since I've FULLY "AutoMagically" automated it, courtesy of "yours truly" via code in the link above + data, & a dozen++ sources in the security community for more blocking data!)

APK

P.S.=> "Onward & Upward"... apk

Sergey Brin pounds shoe on table

[goombah99]

Then he said, google's customers don't care about privacy and would gladly sell google the rope used to hang them.

http://quotes.liberty-tree.ca/quote/vladimir_lenin_quote_068c

There is no privacy on the internet or anywhere

[stevez67]

The whole privacy paranoia only serves to employ people who feed the paranoia while deriving an income from the paranoia.

Re:There is no privacy on the internet or anywhere

[Skapare]

The best place to hide is in the crowd. DO NOTHING. Then they won't be interested in you.

Re:There is no privacy on the internet or anywhere

[gdy]

Until they are and then they'll have all the information on you.

Real ad blocking?

[JDG1980]

Can any Chromium-based browsers do real ad blocking? That's the main thing keeping me on Firefox these days. Adblock Plus on Firefox can keep embedded ad images and crap from even loading at all, but the last time I checked, Chrome could only hide them from view (you're still wasting your bandwidth and risking your privacy downloading the ad garbage from their domain). Has that changed?

Re:Real ad blocking?

Chromium has had the ability for a long time now (since version 17 I think?) via the 'webRequest' API. All of the ad-blockers for Chromium seem to use this.

There is also the 'declarativeWebRequest' API, which does the same sort of thing with a different (supposedly faster) implementation behind the scenes, but nobody seems to use it (I assume that there must be some kind of limitation that makes it unsuitable as a drop-in replacement for 'webRequest').

Neither of the APIs can block navigation requests.

There's the 'URLBlacklist' policy as well, which does block navigation requests, but it only allows for a limited (1000 I believe, though it only takes a one-line change to up that limit) number of URLs, and it doesn't block resource requests (though that is a recent change, so perhaps the responsible patch could still reversed as-is).

Note that the pre-rendering/network prediction stuff seems to override any extension-based blocking, so unless you disable that, you'll still get blocked resources downloading in the background (I assume the browser extracts the URLs from the pages and downloads them directly into the cache without asking the request APIs first), even though the pages won't be able to access them.

Anyway, Chromium does indeed support proper ad-blocking. The element hiding, at least in ABP, is still pretty unreliable, though (you can see blocked elements briefly when pages load, and sometimes they stay visible for some bizarre reason).

Re:AdBlock's short of this

Can you just please die in a fire already? Nobody in his right mind would install an app written by you.

Re:AdBlock's short of this

Why don't you prove what he says is wrong then? You can't, obviously.

OffByOne browser leaves NO footprint

The Off By One Browser is an oldie but goodie that I use all the time as a supplemental browser, especially if I don't trust a particular site. It cannot execute scripts of any sort, it caches everything completely to RAM, and is even small enough to fit on a floppy. Relocate the ob1.ini it creates from the Windows folder to the OffByOne folder, write-protect the HPSW.CKI cookies file (or disable them altogether), and your footprint is pretty much non-existent. It is quite fast and useful on sites where I am mostly interested in reading articles or random surfing. You don't even have to install this; you can run it right off a USB stick if you prefer.

Obviously this isn't going to load YouTube videos or do anything remotely fancy, so it isn't going to complete with the mainstream browsers, but it is a nice browser to have on the side. *posts with it now*

Re:Feedback

[melikamp]

#5 Claims of either privacy or security on either Windows or OS X are bogus. Both operating systems are irreparably compromised by the respective manufacturers, affiliates, and the law enforcement, and so all claims about an app being able to deliver privacy are lies.

Privacy?

The first thing they asked me for was my email address.

No address bar?

[Skapare]

How does that help to have no address bar? Just make sure the web server cannot read it. People need to have a way to be sure they actually got to the site they intended to go to.

This is *not* EPIC

[Khopesh]

https://epic.org/ is EPIC, the Electronic Privacy Information Center, a stalwart defender of online privacy. EPIC does not appear to have any connection to this browser. This so-called "epic browser" doesn't look like much more than Iron, which was merely a ploy to make money off of ads on the download page. I'm not saying Epic Browser is that same ploy, but the browser doesn't really do anything that Chromium doesn't already do in Incognito mode (most of those 11 potential privacy leaks that epic blocks are Google features not available in Chromium or else can be disabled trivially).

This introduces a potential lag time in security updates (and updates to trackers pulled in from e.g. adblock or noscript) and rides on EPIC's good name. Shame on the developers for naming it so similarly.

Re:This is *not* EPIC

[theprop]

The Epic Browser has been around for 3+ years and has hundreds of thousands of users -- probably more people than have even heard of epic.org. Epic's previous incarnation wasn't completely focused on privacy hence we're promoting it now as the Epic Browser by Hidden Reflex. We had to keep the Epic name for various reasons. I can't speak for Iron, but I don't think it's correct to say they simply wanted to make ads from the download page.

Re:Feedback

Shut up GNUtard.

It will last until one of two things happen...

[WeeBit]

1. They will be sued until they are broke.
2. The search engines will be told to blacklist their site.

Re:What does sign into Epic mean?

[TaoPhoenix]

Bingo! You nailed it!

There are some other good comments but I like yours.

Turns out "Sign into Epic" ... means NOTHING!!

Because wanna see what happens when you actually click it? (I sacrificed my click for the good of Slashdot!)

Wait for it ...

"Sign in to Epic with your Google Account to save your personalized browser features to the web and access them from Epic on any computer. You'll also be automatically signed in to your favorite Google services."
AND
"Sign in to ******Chrome******
Sign in to get your bookmarks, history, and settings on all your devices. Learn more" (Emphasis mine)

So they didn't even bother finishing their copy and paste of junk??!

Even Bruce Schneier struggled to begin the discussion of what we can do to unroll the big bad security machine. But now I'm really pretty sad that the founder of Slashdot, back when it had chops, presents such a bad browser that they didn't even bake it ... and label it as a "Security Browser"?!

There's the old joke about comp engineers being lazy and preferring pizza and boffo sword fights to actually working (xkcd joke!), but when you guys really get a bit riled and sit down to crunch stuff, there's a few heavy hitters out there. So to see such a ridiculously sloppy item, is just more upsetting because this is THE hot button topic of the age, so if we're gonna try to fix it, these bogus attempts are a mess.

Let's look a little more.
Their main site is https://www.epicsearch.in/
I'm running three browsers here to do all this! (This one while I'm typing)
So if we take their lead site and drop it into vanilla Firefox with Ghostery, Ghostery reports ... wait for it ... "Blocked Google Analystics"!

Whois says:
Domain Name:EPICSEARCH.IN
Created On:05-Oct-2011 11:34:48 UTC
Last Updated On:01-Oct-2012 14:02:48 UTC
Expiration Date:05-Oct-2013 11:34:48 UTC ...
Registrant Name:Alok Bhardwaj
Registrant Organization:Hidden Reflex

So the domain expires ... *next month*??!

I'll stop there because I'm a humanities fella and don't know anything even more telling. But let's try the long shot: Did 'Taco even endorse this for real? Or ... is his name being co-opted for street cred beyond his better judgement!?

You want privacy?

Umm... TAILS much?
https://tails.boum.org/

Re:Feedback

#3 - Must have source and repeatable build process. Trust doesn't work, it is the enemy of security. Transparency works, it is the friend of security.

See ken's Reflections on Trusting Trust, which demonstrates how to set up a very nice repeatable build process producing a security-critical application (the unix 'login' binary) from source.

"Source and repeatable build process" != transparency. When the NSA owns your OS (kernel, system libraries, compiler and all), repeatable build process isn't nearly enough...

I am Epic Founder -- fingerprinting

[theprop]

Epic blocks loads of fingerprinting scripts which is quite effective in terms of general surveillance that goes on. To otherwise make your browser is un-fingerprintable is very hard to solve unless you block Flash which effectively "breaks the internet". It's no more/less fingeprint-able by the way than any other browser -- and in general you're much safer since we block the known companies that do use fingerprinting. If you're Edward Snowden and you're being targeted, well that's a different story!

Re:Interesting - Epic is open source, founder

[theprop]

Epic is open source code. Sorry, we're a very small team and Chromium is a HUGE code base and we've made tons of code changes all over the place. We've been working very hard to get to this release, and haven't had a chance to release our code in an organized way. Anyone who wants to know any changes or see any code is more than welcome to e-mail me anytime -- alok@hiddenreflex dot com . Sorry for the delay again,

Re:Interesting - Founder Comment on Panopticlick

[theprop]

We've been Epic for awhile now (had a previous incarnation:-). It's difficult to hide font lists from Flash, and disabling flash effectively "breaks the internet". We block many fingerprinting scripts though -- and are working on methods that would make your browser un-fingerprintable but it's very difficult (that's why no one has done it!). With your support, I'm sure we can do it but it's not going to happen overnight (or again someone would have done it already!).

Re:Chrome? - Epic Founder Question

[theprop]

Please let us know any Chromium backdoors!!! We have found MANY privacy leaks in default chrome/chromium and closed them...but if you find any backdoors, any privacy leaks we may have missed, let us know! Thanks -- alok, epic browser team , alok at hiddenreflex dot com

Re:Interesting - Founder Comment on Panopticlick

[Samantha+Wright]

An understandable trepidation. Alas, I can't exactly mod you up. Good luck!

Re:What does sign into Epic mean?

[theprop]

Sorry -- great catch! Somehow the Sync wasn't removed in the release version. Will remove it in an update very soon. Thanks! We don't have our sync service at this point so it was meant to be removed. Chromium is designed to be somewhat easily brand-able such that changing the name once changes it in many places -- removing the need for a lot of cut&paste (though quite a bit is still necessary actually). Will try to see why google analytics is being pinged -- it did used to run on our search page but has been long removed -- will investigate, thanks! Our domains auto-renew every year. Nothing to worry about!

Re:Feedback

[theprop]

Thanks, we can allow #1 and will work to add such links though that install process is good for many users with slower connections who'd like to quickly start a background installation process. #4 should have been removed -- will be removed soon though later we would like to offer a privacy-friendly sync service. #3 any code you want to see, just write us, Epic is open source but we just haven't had a chance to release all code in an organized way, chromium is huge. #2 will try to alert the user in-product with more details on the proxy, thanks!

Re:AdBlock's short of this

says the cowardly little loser who trolls as anonymous coward.

Their privacy features ...

[allo]

... at least their top 11 are just annying chrome functions disabled. So use firefox (disable some annoying functions as well) and be happy.

Re:Chrome? - Epic Founder Question

[J'raxis]

Has anyone done a complete code audit of the Chromium source, as has been mentioned above as having been done on other pieces of open source software?

APK knock ya out again? Yes

With a challenge to you troll, here http://yro.slashdot.org/comments.pl?sid=4176879&cid=44789325 ? Yes he did. You're reduced to mere trollery instead of disproving what apk says on custom hosts value to end users of them. You can't manage getting the best of apk via facts, and you run (which is all your trolling behaviour illustrates to us).

Where's the source? What 'advice' is Rob giving?

If it's based on open source software, where's the source for this derivative software? How can we trust it?

And what 'advice' is Rob giving them? How to get ad placement on slashdot?

Re:Chrome? - Epic Founder Question

[poetmatt]

wrong way to look. You have to look at whether the crypto used is already compromised. It's not even a question of chromium as much as a question of what encryption methods you're using.

If they're NSA approved or FIPS approved, you have no security. That includes the executable's method of encryption, as well.

Anything using AES or triple-DES is guaranteed to be compromised at this point.