Slashdot Mirror
Epic: A Privacy-Focused Web Browser
Rob @CmdrTaco Malda writes
"I've been advising Epic Browser, a startup building a privacy-focused, Chrome-based browser that starts where incognito mode ends. Epic employs a host of tactics designed to make what happens inside your browser stay there, to the tune of a thousand blocks in a typical hour of browsing. They also provide a built-in proxy service. If the corporations and governments are going to watch us, there's no reason to make it any easier for them. Epic has Mac and Windows builds for now. Their site goes into far greater detail about how they block tracking methods most browsers don't."
But 1000 blocks an hour is way short of what Ad-block plus gets with the standard list.
You're basing this on a browser made by one of the companies known to have been cooperating with the NSA every step of the way, including the latest revelations about said companies inserting backdoors into their products?
Sounds like a good idea to me.
Liberty in your lifetime
...closed source browser
I can decript my data, use browsers to erase cookies, but without spoofing IP addresses, the websites know where I am accessing from and when I access the site. If I would then use a major email (instead of my own email server), then the NSA has their hands on my emails and any cloud stuff I save. Everything in the internet needs to be reworked for privacy, not just the browser...
Of course the The United Surveilla^H^H^H^H^H^H^H^H States Government is not going to let that happen.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
I have said for years that Private Browsing in Firefox is what Incognito Mode wants to be when it grows up. Looks like that is about to happen.
I am not your blowing wind, I am the lightning.
Things like this only serve to foster and spread an illusion of security and privacy. It may make life a little harder for the commercial maggots, but the government worms? You're as good as owned already.
If it has not already been compromised, by technology or force of law, it soon will be. Bet on it.
Scruting the inscrutable for over 50 years.
The summary is incorrect. This browser is based on the open source Chromium, not Chrome, a subtle but important difference since Chrome has Google's extra tracking goodness. However, I have to wonder why they didn't start with Firefox, which is truly open source and not connected at all with Google, which has pretty much become the poster child of privacy invasion these days.
Proxy is a nice option, except when you don't know where the Proxy is... Easy to implement a Proxy and have a look at users communications...
Wouldn't using some special snowflake browser like this make you especially vulnerable to fingerprinting?
I'd try it..Linux pls..
that computing in the 21st century would become so exciting?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Sounds a lot like SRWare Iron* to me - that's a long existing Chromium-based fork altered for enhanced privacy.
At a first glance, I cannot make out any advantages of Epic over Iron. Aside from the removal of all user tracking which Chrome brings, they only provide a 1-click-proxy functionality. Which, if I used it, would leave me and my privacy at the mercy of an India based startup. Instead, I'd also rather suggest JAP** which is also long and well established.
So what am I missing that makes Epic Browser worth a Slashdot post?
[1] https://www.srware.net/en/software_srware_iron.php
[2] http://anon.inf.tu-dresden.de/
From their page::
... They get paid for searches they drive but those searches don't have any ads or tracking? Again, where does the money come from?
Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since they’re routed via a secure, encrypted connection over a proxy – so private by design when you use EpicSearch.me that we literally can’t know what you’re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.
So
+++ATH0 NO CARRIER
Closed source? Seems legit.
Epic is useless on a proxied LAN. Under Settings, Advanced Settings, Network, "Change proxy settings..." is disabled and a message indicates "Your network proxy settings are being mangaed by an extension". However, going over to Extensions yields the message, "Epic does not allow extensions for security & privacy reasons".
While blocking cookies or ads are fine, once the data is sent out into the ether its going to be picked up an decrypted, no browser is going to stop that.
If you want privacy on the web, stop using the web.
I haven't thought of anything clever to put here, but then again most of you haven't either.
I just gave Epic a try...
In Proxy settings it says "Your network proxy settings are being managed by an extension."
In Extensions link it says "Epic does not allow extensions for security & privacy reasons e.g. read this (right click and open in a new tab)"
So what extension is managing network proxy settings? I don't trust this browser any more than Chrome.
a software product company founded by Alok Bhardwaj and based in Washington DC
In the "About Us" section of the web site. US-based, so it won't protect your privacy against the spooks (Patriot Act *wink* *wink*). Neverthless, it's nice to see more software made with privacy in mind.
Google is very upfront about what is collected and what they do with it and who they do and do not share what data with. As someone who actually follows this stuff closely and READS agreements and doesn't just rely on Slashdot hype, I am 100% comfortable with everything Google does and what they do with the data, and also with how hard they fight back against governments who want that data. Google doesn't sell your data to ANY third parties, they use it INTERNALLY for their own stuff. As such it is actually VERY private. The data you share with Google is a lot more private than the data you share with your telco or cable company or bank in this respect.
Compare this to Facebook or LinkedIn or even Twitter, who are NOT upfront about what is collected and shared, and who not only share data with governments, but ALSO 3rd party companies at will as part of their business models. As well as your bank, your telco, etc again - all of whom routinely sell client lists including names, addresses, and phone numbers.
Who is the poster child again?
No source code, no verifiable improvement over SRWare Iron, and the company gets paid from...
Epic like most browsers earns a commission on searches we drive. So the more you use Epicâ(TM)s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since theyâ(TM)re routed via a secure, encrypted connection over a proxy â" so private by design when you use EpicSearch.me that we literally canâ(TM)t know what youâ(TM)re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.
by tying in to the industry that is even more hostile to the concept of user privacy than the USGov...
Thanks, but I'll pass.
What will keep a NSL from telling them to give the NSA the key's to their proxy?
Comment removed based on user account deletion
Comment removed based on user account deletion
Chromium obviously is open source already, but they do plan to opensource their additions too.
So this could actually be the good stuff.
You either trust Google with your data, and use their services, or you don't. Same with Facebook, et. al. If you're using this browser, you're trusting this company that they're doing what they say. Maybe you'll peruse the OS code, maybe not. But it's still who and how much you trust. Ultimately, if you want better privacy than what's out there, you need to roll your own browser. Find an open-source project you like, put the features you want in it, take the features you don't want out of it, and go on your merry way.
A privacy-focused browser is fine as far as it goes, but the problem is more with the network transporting data insecurely, and on the server side, where you put your trust into faceless entities that have their own interests at heart, not yours. So I don't see this helping much, if at all.
You see? You see? Your stupid minds! Stupid! Stupid!
Only sort of. Ideally it will make you precisely match everyone else using a browser like this, which is probably more people than have your special snowflake of fonts and plugins and extensions and ...
It will make you stand out, but it won't identify you as uniquely when people look closer.
It is being made by an American company. Rest of the world does not and should not trust you anymore.
NSA: Hey Epic Exec, insert this complied module into your app
Epic Exec: Go fuck yourself NSA. We are all about protecting users here
NSA: I see. I also see that you visited a gay bar in SF last week and Boston the week before. Are you going to tell your wife and children or should we?
Epic Exec: Oh I see you are talking about National Security. Why didn't you say that before? Here at Epic we are loyal Murcans and we will be happy to help anyway we can.
NSA: That's a good bitch. Next time roll over and show your belly faster or else.....
I see nowhere on their site where the source code is available. That's just a scummy move.
Post the source.
Can either of them defeat Panopticlick? I don't see anything on Epic's site about hiding font lists. (And on that point, Epic is a bad name choice since it's vaguely synonymous with the death of objectivity in news reporting.)
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
You can delete them from within your profile. HOWEVER as soon as you update again it reinstalls them.
Rather annoying behavior, but it IS circumventable.
Hadn't noticed that they're now considered 'internal objects' however.
Tried Epic out for myself. Looks nifty, but clearly not polished yet. Biggest issue is that it still leaks all the data from the user-agent and plugins. Disabling the plugins helped, but I had an even more unique user-agent string than normal. Seems like this should be near the top of the list for a privacy browser, but they don't even mention it on their site, at least from a cursory browse. Tested at https://panopticlick.eff.org
-- If it aint broke, fix it till it is. --
presumably, if they're being any serious at all, you'll look to panopticlick like any other dude using the browser(well, lying about screen resolution might cause some problems down the line).
world was created 5 seconds before this post as it is.
Is it based on Chrome or Chromium? Is that not an important distinction to make?
Signature intentionally left blank.
Same here and haven't had a problem with it and unlike this browser its used by millions (coming with Comodo Internet Security with VM mode for secure banking) so you are not gonna stick out like a sore thumb.
The problem with going TOO niche is it would make you stick out all the more, if everyone wears a blue shirt and your shirt is a slightly different hue of blue? probably not gonna be noticed and won't trip any flags, if your shirt is neon orange? You might as well be holding a giant neon sign that says "Look at me, I'm up to something!". Its no different than how guys carrying pot really shouldn't be driving flashy red sports cars but driving some boring blue 4 door instead, you want to go off the radar without attracting attention for doing so.
So while I'll keep an eye on this for the time being I'll stick with Comodo Dragon, it too has increased security and unlike this it is offered with most of Comodo's security products (and since nobody ever unchecks the defaults millions have it) and since it uses the same secure DNS that Comodo uses on their enterprise products you can just blend into the crowd. I wouldn't be surprised if some 3 letter agency has gotten a memo about this thing this very day, /. isn't exactly under the radar ya know.
ACs don't waste your time replying, your posts are never seen by me.
Chromium is at least open source.
Can I opt out of slashvertisements?
It lost me at "Chrome-based"...
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Uhhhh...buying adblock would be as pointless as trying to "buy" Linux, there is already a dozen variations thanks to the source being out there. While I'm not a big fan of FOSS (since i think a lot of their so called "advantages" are built upon false premises) this is one thing they do have an advantage in, in that there really isn't any way to control any one project by buying it. If you are unsure of adblock there is adblock plus, one I think called "super adblock" or something like that, or if you want to go to the trouble you can do like old APK and mess with HOSTS or just run your own recursive DNS like I do, not hard to get blacklists of advertising servers these days.
As far as trusting Firefox? So don't, again not like you don't have options. There is Comodo Icedragon, Seamonkey, IceWeasel and Kmeleon, and those are just sticking with the gecko engine, if you were to add the Chromium engine you would have another half a dozen easy to choose from and then of course there are those that use their own engine like QTWeb (uses QT framework with Webkit from KHTML) or OffByOne. again no need to stick with something you aren't sure of, plenty of choices out there. Frankly if the NSA wants to follow you though they have access to the backbone, all the obfuscation in the world isn't gonna protect you from a MITM attack.
ACs don't waste your time replying, your posts are never seen by me.
If slashdice cared about, well, anything, they would also run a {slashdot}.onion site as well.
Do you even lift?
These aren't the 'roids you're looking for.
One wonders what is the excuse this time that the patches have not been submitted upstream to Chromium?
Then he said, google's customers don't care about privacy and would gladly sell google the rope used to hang them.
http://quotes.liberty-tree.ca/quote/vladimir_lenin_quote_068c
Some drink at the fountain of knowledge. Others just gargle.
Your proxy server sucks. A properly functioning proxy server will cause lag issues with twitch-gaming, but not anything noticeable with web surfing or even streaming videos.
It's actually Chromium based, not Chrome
Chromium is open source:
http://www.chromium.org/
I don't read your sig. Why are you reading mine?
Can any Chromium-based browsers do real ad blocking? That's the main thing keeping me on Firefox these days. Adblock Plus on Firefox can keep embedded ad images and crap from even loading at all, but the last time I checked, Chrome could only hide them from view (you're still wasting your bandwidth and risking your privacy downloading the ad garbage from their domain). Has that changed?
#5 Claims of either privacy or security on either Windows or OS X are bogus. Both operating systems are irreparably compromised by the respective manufacturers, affiliates, and the law enforcement, and so all claims about an app being able to deliver privacy are lies.
Uhhh...Comodo is an Indian company that does enterprise security products, don't know where you got your info from. they have a branch in the USA but more large corps do, that don't make 'em a US company.
I've personally been using them a couple of years now and have yet to see their browsers send a single bit of data I didn't specifically authorize and I do check my logs. If you opt in for their secure DNS then your DNS will naturally go through their servers (the same ones that they use for corporate deployments so its not like your data will be segregated, it'll be in the same pool as thousands of corps) and as far as their certs go? They had a break in, reported it to the public within a day and had the keys revoked upon finding out about the breach. personally I'd rather have a corp that admits when there is a breach, informs me, and then does everything they can to close the breach immediately than to have one that covers it up, but maybe that is just me. Again not like you don't have options and you can always build from source if none of them suit you.
ACs don't waste your time replying, your posts are never seen by me.
It will only make you stand out if it identifies itself as Epic instead of standard Chrome.
How does that help to have no address bar? Just make sure the web server cannot read it. People need to have a way to be sure they actually got to the site they intended to go to.
now we need to go OSS in diesel cars
not just scummy -how can anything closed be trusted to not be full of Ms style backdoors?
If you ATTEMPT to get privacy, they will attract their attention towards you. You must have something to hide (which is, of course, yourself).
now we need to go OSS in diesel cars
Screen resolution is the big one for me, since I browse from inside a virtual machine. If the VM isn't full-screen, it has a quite distinctive "screen resolution". A good answer is to lie by using the closest (or perhaps next smaller) frequent size, then making sure you still render acceptably.
Socialism: a lie told by totalitarians and believed by fools.
You fool! You've summoned APK! Do not call up that you cannot put down.
Socialism: a lie told by totalitarians and believed by fools.
The best place to hide is in the crowd. DO NOTHING. Then they won't be interested in you.
now we need to go OSS in diesel cars
Perhaps you know something about browser fingerprinting that I don't...
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
https://epic.org/ is EPIC, the Electronic Privacy Information Center, a stalwart defender of online privacy. EPIC does not appear to have any connection to this browser. This so-called "epic browser" doesn't look like much more than Iron, which was merely a ploy to make money off of ads on the download page. I'm not saying Epic Browser is that same ploy, but the browser doesn't really do anything that Chromium doesn't already do in Incognito mode (most of those 11 potential privacy leaks that epic blocks are Google features not available in Chromium or else can be disabled trivially).
This introduces a potential lag time in security updates (and updates to trackers pulled in from e.g. adblock or noscript) and rides on EPIC's good name. Shame on the developers for naming it so similarly.
Use my userscript to add story images to Slashdot. There's no going back.
Can either of them defeat Panopticlick? I don't see anything on Epic's site about hiding font lists.
It doesn't, either. I just tried installing it.
Your browser fingerprint appears to be unique among the 3,356,831 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 21.68 bits of identifying information.
It's mostly the font list that gives the show away.
Welp. Mark that one as torpedoed. The really aggressive "doesn't require cookies!" tracking/ad services rely on stuff like Panopticlick's tricks, I'm pretty sure.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
1. They will be sued until they are broke.
2. The search engines will be told to blacklist their site.
APK and mess with HOSTS
You fool! Youll awaken him!
Bingo! You nailed it!
There are some other good comments but I like yours.
Turns out "Sign into Epic" ... means NOTHING!!
Because wanna see what happens when you actually click it? (I sacrificed my click for the good of Slashdot!)
Wait for it ...
"Sign in to Epic with your Google Account to save your personalized browser features to the web and access them from Epic on any computer. You'll also be automatically signed in to your favorite Google services."
AND
"Sign in to ******Chrome******
Sign in to get your bookmarks, history, and settings on all your devices. Learn more" (Emphasis mine)
So they didn't even bother finishing their copy and paste of junk??!
Even Bruce Schneier struggled to begin the discussion of what we can do to unroll the big bad security machine. But now I'm really pretty sad that the founder of Slashdot, back when it had chops, presents such a bad browser that they didn't even bake it ... and label it as a "Security Browser"?!
There's the old joke about comp engineers being lazy and preferring pizza and boffo sword fights to actually working (xkcd joke!), but when you guys really get a bit riled and sit down to crunch stuff, there's a few heavy hitters out there. So to see such a ridiculously sloppy item, is just more upsetting because this is THE hot button topic of the age, so if we're gonna try to fix it, these bogus attempts are a mess.
Let's look a little more. ... wait for it ... "Blocked Google Analystics"!
Their main site is https://www.epicsearch.in/
I'm running three browsers here to do all this! (This one while I'm typing)
So if we take their lead site and drop it into vanilla Firefox with Ghostery, Ghostery reports
Whois says: ...
Domain Name:EPICSEARCH.IN
Created On:05-Oct-2011 11:34:48 UTC
Last Updated On:01-Oct-2012 14:02:48 UTC
Expiration Date:05-Oct-2013 11:34:48 UTC
Registrant Name:Alok Bhardwaj
Registrant Organization:Hidden Reflex
So the domain expires ... *next month*??!
I'll stop there because I'm a humanities fella and don't know anything even more telling. But let's try the long shot: Did 'Taco even endorse this for real? Or ... is his name being co-opted for street cred beyond his better judgement!?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Check out SecretAgent (for Firefox). It automatically rotates the user agent string the browser reports through a list of about 50 possibilities. Happens every time you restart the browser. Your browser may be unique today, it may be unique tomorrow, but it won't be identified as the same unique browser both times..
Check out SecretAgent (for Firefox). It automatically rotates the user agent string the browser reports through a list of about 50 possibilities. Happens every time you restart the browser. Your browser may be unique today, it may be unique tomorrow, but it won't be identified as the same unique browser both times..
Actually, SecretAgent seems to rotate with every page load. And not just the user agent, but some other headers, too. I find it works best if you edit the list of possibilities to remove the ones that often display screwy (few websites are optimized for Mosaic anymore).
Epic blocks loads of fingerprinting scripts which is quite effective in terms of general surveillance that goes on. To otherwise make your browser is un-fingerprintable is very hard to solve unless you block Flash which effectively "breaks the internet". It's no more/less fingeprint-able by the way than any other browser -- and in general you're much safer since we block the known companies that do use fingerprinting. If you're Edward Snowden and you're being targeted, well that's a different story!
Epic is open source code. Sorry, we're a very small team and Chromium is a HUGE code base and we've made tons of code changes all over the place. We've been working very hard to get to this release, and haven't had a chance to release our code in an organized way. Anyone who wants to know any changes or see any code is more than welcome to e-mail me anytime -- alok@hiddenreflex dot com . Sorry for the delay again,
We've been Epic for awhile now (had a previous incarnation:-). It's difficult to hide font lists from Flash, and disabling flash effectively "breaks the internet". We block many fingerprinting scripts though -- and are working on methods that would make your browser un-fingerprintable but it's very difficult (that's why no one has done it!). With your support, I'm sure we can do it but it's not going to happen overnight (or again someone would have done it already!).
Please let us know any Chromium backdoors!!! We have found MANY privacy leaks in default chrome/chromium and closed them...but if you find any backdoors, any privacy leaks we may have missed, let us know! Thanks -- alok, epic browser team , alok at hiddenreflex dot com
An understandable trepidation. Alas, I can't exactly mod you up. Good luck!
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
Sorry -- great catch! Somehow the Sync wasn't removed in the release version. Will remove it in an update very soon. Thanks! We don't have our sync service at this point so it was meant to be removed. Chromium is designed to be somewhat easily brand-able such that changing the name once changes it in many places -- removing the need for a lot of cut&paste (though quite a bit is still necessary actually). Will try to see why google analytics is being pinged -- it did used to run on our search page but has been long removed -- will investigate, thanks! Our domains auto-renew every year. Nothing to worry about!
Thanks, we can allow #1 and will work to add such links though that install process is good for many users with slower connections who'd like to quickly start a background installation process. #4 should have been removed -- will be removed soon though later we would like to offer a privacy-friendly sync service. #3 any code you want to see, just write us, Epic is open source but we just haven't had a chance to release all code in an organized way, chromium is huge. #2 will try to alert the user in-product with more details on the proxy, thanks!
I would say not unless it blocks Javascript. Just using Firefox with NoScript reduces my fingerprint to 14 bits apparently. Enable JS and it becomes uniquely ID'able in the panopticlick DB.
The "backdoors" leak from Snowden shows how money and threats corrupt even large corporations to speak nothing of small VPN companies. I wouldn't be surprised to learn one day that popular VPN providers were incentivised/coerced by CIA/NSA and such into deploying backdoors. After all, very few people can remain honest when a promise of tens of millions of dollars is dangled with one hand while threats are dangled with the other. To be sure, this might not be possible with all VPN providers in all countries, but the reach of CIA is very long, and combined with the local govt's own secret service...
rotating on each request is a bad idea. Your ip remains valid for 12-24 hours, so the website can assume that two requests from the same ip are the same user. When the fingerprint is rotating, they have a good criteria: You're the only one with the paranoia plugin.
Better rotate it on browser start. New session, new identity.
... at least their top 11 are just annying chrome functions disabled. So use firefox (disable some annoying functions as well) and be happy.
Has anyone done a complete code audit of the Chromium source, as has been mentioned above as having been done on other pieces of open source software?
Liberty in your lifetime
wrong way to look. You have to look at whether the crypto used is already compromised. It's not even a question of chromium as much as a question of what encryption methods you're using.
If they're NSA approved or FIPS approved, you have no security. That includes the executable's method of encryption, as well.
Anything using AES or triple-DES is guaranteed to be compromised at this point.
Until they are and then they'll have all the information on you.