Epic: A Privacy-Focused Web Browser
Rob @CmdrTaco Malda writes
"I've been advising Epic Browser, a startup building a privacy-focused, Chrome-based browser that starts where incognito mode ends. Epic employs a host of tactics designed to make what happens inside your browser stay there, to the tune of a thousand blocks in a typical hour of browsing. They also provide a built-in proxy service. If the corporations and governments are going to watch us, there's no reason to make it any easier for them. Epic has Mac and Windows builds for now. Their site goes into far greater detail about how they block tracking methods most browsers don't."
Maybe I'm an excessive user (Score:5, Interesting)
But 1000 blocks an hour is way short of what Ad-block plus gets with the standard list.
Re: (Score:2)
But 1000 blocks an hour is way short of what Ad-block plus gets with the standard list.
Ok, now it makes sense. I'd originally read that as 1000 BUCKS an hour in the summary and was trying to figure out what the hell they meant!
Re: (Score:2)
APK and mess with HOSTS
You fool! You'll awaken him!
Comment removed (Score:4, Informative)
Re: (Score:2)
You fool! You've summoned APK! Do not call up that you cannot put down.
Chrome? (Score:4, Insightful)
You're basing this on a browser made by one of the companies known to have been cooperating with the NSA every step of the way, including the latest revelations [theguardian.com] about said companies inserting backdoors into their products?
Sounds like a good idea to me.
Re:Chrome? (Score:5, Informative)
Based off Chromium, not Chrome. The first is open source.
Re: (Score:2)
Which, in my experience, means it's the same thing but less polished and stable.
My first experience with Chromium was running it on a fresh install of Ubuntu, and getting the window *STUCK* on my mouse pointer when I tried to drag it around. No matter what keys or clicks, it wouldn't stop following the mouse. Even after restarting X, it wouldn't go away.
Ended up having to reboot, then when it happened a second time, uninstall Chromium.
Re: (Score:3)
and every line of every library it uses?
This is pretty important. Use the Fedora build of Chromium if you care about this. Tom "spot" Callaway has been fighting this battle for years - rebuilding Chromium with dependencies on system libraries, rather than private, stashed, local copies of libraries as it's wont to do.
Since we now know that the spooks pressure companies to put back doors into their products, if that happened with Chrome/Chromium, the smart place to do that would be, not in the main produc
Re: (Score:2)
Ready to wet your pants? Think about this:
How do you know that Intel and AMD haven't included back doors in their processors that elevate a running thread to ring 0? (or -1?)
Re: (Score:2)
How do you know that Intel and AMD haven't included back doors in their processors that elevate a running thread to ring 0? (or -1?)
Why shouldn't they? :D
I mean, one of those corporations is named "INTEL", come on
Re: (Score:2)
Hell, the aliens have been inserting nanobots to pwn all of our electronics since they first gave us the tech to fabricate microprocessors!!
Re: (Score:2)
so concerned about privacy = doesn't care about keeping up to date with web technology?
"You whippersnappers with your javascript and your canvas! HTML 4.1 was fine for me, and we didn't use javascript back in my day! It was considered bad practice even!"
Comment removed (Score:4, Interesting)
Re: (Score:2)
Linux kernel code is constantly vetted, and well, by a huge userbase.
There are few enough kernel experts, though. Do you think for a moment that the NSA doesn't have a set of 0-days for the Linux kernel? That they didn't put some of them there? That they haven't had someone making (mostly) good and useful contributions for 10+ years? The Linux kernel isn't small.
I'd perhaps trust BSD in this regard. The codebase is a lot smaller. SecureBSD has been intensively audited, with several engineers going line-by-line through the kernel. The US government's obvious dislike of
Re: (Score:2)
...You mean OpenBSD? Do you not know what you're talking about, or was that just a brain cramp? :p
Re: (Score:2)
I've been good at brain-cramp on /. today!
Re: (Score:2)
More on this [slashdot.org]. I remember back when SELinux came out, some people were speculating that the bugs they did find were actually inserted there intentionally by the NSA. Sounded paranoid back in 2000, but who knows now?
By "SecureBSD," did you mean this [draenor.org]?
Re: (Score:2)
"Linux kernel code is constantly vetted, and well, by a huge userbase. And it works very well for the kernel."
Really? This is exactly the same "reasoning" that gets us:
- who needs AV? I don't run it and I've never been compromised
- you don't need to patch Windows, I have an unpatched WinXP box directly on the Internet and it has never been compromised
- you don't need to patch linux, I have an unpatched linux box directly on the Internet and it has never been compromised
All of these b
Re: (Score:2)
IIRC the Linux kernel had a pretty big issue a few years back when they discovered a bug that was believed to have been maliciously inserted into the kernel several years prior.
Re: (Score:3)
Yeah, look. Pat yourself on the back for being 'up-to-date' all you want but you are missing the point. You cannot have privacy and an ecmascript based substitute for the web, they are mutually exclusive. No matter what else you tighten up on the browser end, if your browser is required to trust the server it will be compromised in short order. This is not a matter of old vs new it's a matter of fundamental logic.
Re:Chrome? (Score:4, Interesting)
There's no browser company that doesn't have backdoors, including Mozilla. Whether willingly or not, well - only IE does it willingly.
What do you think encryption research from FIPS 140 is for? Gov't has been given the keys to OS-level encryption for over 8 years, now.
What about on the "Web" itself... (Score:2)
Of course the United Surveilla^H^H^H^H^H^H^H^H States Government is not going to let that happen.
Re: (Score:2)
That is what proxies are for, and things like tor.
Literally spoofing an IP will not work since if it does not match your network segment your provider is not going to route that traffic.
Comment removed (Score:5, Interesting)
Re: (Score:2)
Uhhhh...it's already been reported that NSA is running several Tor exit nodes to collect the data, you DO know this, right?
You don't have to be an exit node to run Tor. You don't even have to run as a relay, though if you can, that helps everybody's speed.
Re: (Score:2)
At this point, using a VPN is kind of a must if we want to have even a bit of privacy. I've been doing my homework starting with things like TorrentFreak's Guide To VPN Services That Take Anonymity Seriously, 2013 Edition [torrentfreak.com] and the informational comments left on that article, and hopefully this month I'll finally have figured out which to go with.
Private Browsing (Score:2)
I have said for years that Private Browsing in Firefox is what Incognito Mode wants to be when it grows up. Looks like that is about to happen.
Re: (Score:3, Informative)
I was kinda curious what he meant, myself, so I checked out this old-ish paper.
http://crypto.stanford.edu/~dabo/pubs/papers/privatebrowsing.pdf [stanford.edu]
I don't know if things have changed much, but their fairly thorough review seems to indicate firefox and chrome are pretty similar.
Looking at their table, one possible area of concern they listed (that Chrome might no longer have a problem with) is zoom level.
That could give information to a site that it is the same person, if they cared, although, that seems to be a
Fail (Score:3)
Things like this only serve to foster and spread an illusion of security and privacy. It may make life a little harder for the commercial maggots, but the government worms? You're as good as owned already.
If it has not already been compromised, by technology or force of law, it soon will be. Bet on it.
Based on Chromium, not Chrome (Score:5, Interesting)
Re: (Score:3)
I haven't looked at it in some years, but I suspect that, being a younger project, Chromium's codebase is a lot cleaner and easier to work with than Firefox's.
NB: It's in the nature of code to build up cruft. This isn't intended as an endorsement or insult to either group's coding or design styles and abilities.
"Poster child of privacy invasion" hyperbole (Score:5, Insightful)
Google is very upfront about what is collected and what they do with it and who they do and do not share what data with. As someone who actually follows this stuff closely and READS agreements and doesn't just rely on Slashdot hype, I am 100% comfortable with everything Google does and what they do with the data, and also with how hard they fight back against governments who want that data. Google doesn't sell your data to ANY third parties, they use it INTERNALLY for their own stuff. As such it is actually VERY private. The data you share with Google is a lot more private than the data you share with your telco or cable company or bank in this respect.
Compare this to Facebook or LinkedIn or even Twitter, who are NOT upfront about what is collected and shared, and who not only share data with governments, but ALSO 3rd party companies at will as part of their business models. As well as your bank, your telco, etc again - all of whom routinely sell client lists including names, addresses, and phone numbers.
Who is the poster child again?
Re: (Score:2)
Google is very upfront about what is collected and what they do with it
Except when that collection and disclosure is requested via a national security letter.
Re: (Score:2)
That's true, but the only solution to those is to not use the Internet at all. Since you're on Slashdot, and not even AC, I'm guessing that's not an option you're considering.
I don't think Google's as not-evil as it used to be, but I'm guessing that they are less evil and more privacy-advocating and -protecting than most corporations, such as...every major ISP.
As much as I'm against mass surveillance, the bottom line hasn't changed in many years: if you need serious privacy, either use strong encryption or
Re: (Score:2)
Aren't they legally prohibited from doing so? If I'm correct, then are you suggesting they should blatantly break the law, and thus presumably be fined?
Sergey Brin pounds shoe on table (Score:2)
Then he said, google's customers don't care about privacy and would gladly sell google the rope used to hang them.
http://quotes.liberty-tree.ca/quote/vladimir_lenin_quote_068c [liberty-tree.ca]
Re: (Score:2)
Compare this to Facebook or LinkedIn or even Twitter, who are NOT upfront about what is collected and shared, and who not only share data with governments, but ALSO 3rd party companies at will as part of their business models. As well as your bank, your telco, etc again - all of whom routinely sell client lists including names, addresses, and phone numbers.
Who is the poster child again?
Oh I get it. The problem is everyone EXCEPT Google. Thanks for clearing that up.
Re: (Score:2)
Wait, you claim to have actually read Google's revised AUP? And you're fine with the "we protect the correlated data so that only those we knowingly give it to (contractors, customers and the government) can have it"? It isn't stated *quite* that succinctly, but it wasn't far removed from it either. I haven't read it since the change and at the time they were revising it without notice (next day to get a quote for someone and the wording had been altered) but I seriously doubt that the gist of it is any diffe
Re: (Score:2)
You can't build on Chrome since Chrome is closed source.
Re:Based on Chromium, not Chrome (Score:5, Informative)
Proxy ? (Score:3, Interesting)
Re: (Score:3, Informative)
Indeed. And accessing using HTTPS isn't even guaranteeing anything in this browser since the proxy service and the browser are provided by the same party, so they can trivially add their own CA and sign certificates for whatever sites they want.
Oblig.. (Score:3)
Who would have thought... (Score:4, Insightful)
that computing in the 21st century would become so exciting?
Why another? (Score:5, Interesting)
Sounds a lot like SRWare Iron* to me - that's a long existing Chromium-based fork altered for enhanced privacy.
At a first glance, I cannot make out any advantages of Epic over Iron. Aside from the removal of all user tracking which Chrome brings, they only provide a 1-click-proxy functionality. Which, if I used it, would leave me and my privacy at the mercy of an India based startup. Instead, I'd also rather suggest JAP** which is also long and well established.
So what am I missing that makes Epic Browser worth a Slashdot post?
[1] https://www.srware.net/en/software_srware_iron.php [srware.net]
[2] http://anon.inf.tu-dresden.de/ [tu-dresden.de]
Re: (Score:2)
So what am I missing that makes Epic Browser worth a Slashdot post?
EPIC is well-known in the electronic privacy realm and their actions are frequently a Slashdot topic.
Wait, this is the Electronic Privacy and Information Chromium, right? Because market-confusion among names would be pretty confusing.
Where does the money come from? (Score:4, Interesting)
Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since they’re routed via a secure, encrypted connection over a proxy – so private by design when you use EpicSearch.me that we literally can’t know what you’re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.
So
Re:Where does the money come from? (Score:4, Informative)
Ads and search results never include any personalized results or tracking
So, ads yes, tracking no. Or in other words, what search engine ads were like before Google. Something relevant to exactly what you typed in, nothing more.
Or at least that's the claim.
Re: (Score:2)
Read the text you quoted. There are ads. These ads do not include tracking, they're based only on your search terms and general location.
Thank you NSA and GCHQ (Score:3, Informative)
Closed source? Seems legit.
Turns out I am wrong ... (Score:3)
Chromium obviously is open source already, but they do plan to opensource their additions too.
So this could actually be the good stuff.
Cool but (Score:3)
While blocking cookies or ads is fine, once the data is sent out into the ether it's going to be picked up and decrypted, no browser is going to stop that.
If you want privacy on the web, stop using the web.
Nice but there is one problem (Score:2)
a software product company founded by Alok Bhardwaj and based in Washington DC
In the "About Us" section of the web site. US-based, so it won't protect your privacy against the spooks (Patriot Act *wink* *wink*). Nevertheless, it's nice to see more software made with privacy in mind.
I am unconvinced... (Score:3)
No source code, no verifiable improvement over SRWare Iron, and the company gets paid from...
Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts : - ) And best of all your searches always remain exceptionally private since they’re routed via a secure, encrypted connection over a proxy – so private by design when you use EpicSearch.me that we literally can’t know what you’re searching for nor anyone else. Ads and search results never include any personalized results or tracking of any sort and are only based on your search term and general geographical location.
by tying in to the industry that is even more hostile to the concept of user privacy than the USGov...
Thanks, but I'll pass.
Their own proxy! (Score:2)
What will keep an NSL from telling them to give the NSA the keys to their proxy?
Comment removed (Score:5, Interesting)
Re:What does sign into Epic mean? (Score:2)
Bingo! You nailed it!
There are some other good comments but I like yours.
Turns out "Sign into Epic" ... means NOTHING!!
Because wanna see what happens when you actually click it? (I sacrificed my click for the good of Slashdot!)
Wait for it ...
"Sign in to Epic with your Google Account to save your personalized browser features to the web and access them from Epic on any computer. You'll also be automatically signed in to your favorite Google services."
AND
"Sign in to ******Chrome******
Sign in to get your bookm
Fixing the wrong problem (Score:2)
Epic fail (Score:4, Funny)
It is being made by an American company. Rest of the world does not and should not trust you anymore.
NSA: Hey Epic Exec, insert this compiled module into your app
Epic Exec: Go fuck yourself NSA. We are all about protecting users here
NSA: I see. I also see that you visited a gay bar in SF last week and Boston the week before. Are you going to tell your wife and children or should we?
Epic Exec: Oh I see you are talking about National Security. Why didn't you say that before? Here at Epic we are loyal Murcans and we will be happy to help any way we can.
NSA: That's a good bitch. Next time roll over and show your belly faster or else.....
fool me once (Score:3)
No source? (Score:2)
Chromium is at least open source.
Can I opt out of slashvertisements?
Real ad blocking? (Score:2)
Can any Chromium-based browsers do real ad blocking? That's the main thing keeping me on Firefox these days. Adblock Plus on Firefox can keep embedded ad images and crap from even loading at all, but the last time I checked, Chrome could only hide them from view (you're still wasting your bandwidth and risking your privacy downloading the ad garbage from their domain). Has that changed?
No address bar? (Score:2)
How does that help to have no address bar? Just make sure the web server cannot read it. People need to have a way to be sure they actually got to the site they intended to go to.
This is *not* EPIC (Score:4, Insightful)
https://epic.org/ [epic.org] is EPIC, the Electronic Privacy Information Center, a stalwart defender of online privacy. EPIC does not appear to have any connection to this browser. This so-called "epic browser" doesn't look like much more than Iron [wikipedia.org], which was merely a ploy [wikipedia.org] to make money off of ads on the download page. I'm not saying Epic Browser is that same ploy, but the browser doesn't really do anything that Chromium doesn't already do in Incognito mode (most of those 11 potential privacy leaks that epic blocks [epicbrowser.com] are Google features not available in Chromium or else can be disabled trivially).
This introduces a potential lag time in security updates (and updates to trackers pulled in from e.g. adblock or noscript) and rides on EPIC's good name. Shame on the developers for naming it so similarly.
It will last until one of two things happen... (Score:2)
2. The search engines will be told to blacklist their site.
Their privacy features ... (Score:2)
... at least their top 11 are just annoying chrome functions disabled. So use firefox (disable some annoying functions as well) and be happy.
Re: Interesting (Score:5, Interesting)
Wouldn't using some special snowflake browser like this make you especially vulnerable to fingerprinting?
Re: (Score:2)
It will only make you stand out if it identifies itself as Epic instead of standard Chrome.
Re: (Score:2)
Check out SecretAgent (for Firefox). It automatically rotates the user agent string the browser reports through a list of about 50 possibilities. Happens every time you restart the browser. Your browser may be unique today, it may be unique tomorrow, but it won't be identified as the same unique browser both times.
Actually, SecretAgent [dephormation.org.uk] seems to rotate with every page load. And not just the user agent, but some other headers, too. I find it works best if you edit the list of possibilities to remove the ones that often display screwy (few websites are optimized for Mosaic anymore).
Re: (Score:3)
Rotating on each request is a bad idea. Your IP remains valid for 12-24 hours, so the website can assume that two requests from the same IP are the same user. When the fingerprint is rotating, they have a good criterion: You're the only one with the paranoia plugin.
Better rotate it on browser start. New session, new identity.
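The trade-off argued in the comments above, as an added example that is not part of any poster's comment and is not SecretAgent's code: it builds the request log a site would see from one IP under each rotation policy and measures how often the user agent changes between consecutive requests. The user-agent labels, the documentation-range IP addresses and the function names are constructed for illustration.

```javascript
// Constructed pool of placeholder user-agent labels (not real browser strings).
const UA_POOL = ["UA-alpha", "UA-bravo", "UA-charlie", "UA-delta"];

// Requests one client sends, as seen by the server.
// policy: "per-request" rotates on every page load,
//         "per-session" rotates on browser start,
//         "fixed" is an ordinary browser that never rotates.
function clientLog(ip, policy, sessions, requestsPerSession) {
  const log = [];
  let requestNo = 0;
  for (let s = 0; s < sessions; s++) {
    for (let r = 0; r < requestsPerSession; r++, requestNo++) {
      const pick = policy === "per-request" ? requestNo
                 : policy === "per-session" ? s
                 : 0;
      log.push({ ip, ua: UA_POOL[pick % UA_POOL.length] });
    }
  }
  return log;
}

// Server-side view: per IP, count distinct user agents and the fraction of
// consecutive request pairs where the user agent changed.
function switchStats(log) {
  const byIp = new Map();
  for (const { ip, ua } of log) {
    const st = byIp.get(ip) ||
      { requests: 0, switches: 0, agents: new Set(), last: null };
    if (st.last !== null && st.last !== ua) st.switches++;
    st.requests++;
    st.agents.add(ua);
    st.last = ua;
    byIp.set(ip, st);
  }
  const out = {};
  for (const [ip, st] of byIp) {
    out[ip] = {
      requests: st.requests,
      distinctAgents: st.agents.size,
      switchRate: st.requests > 1 ? st.switches / (st.requests - 1) : 0,
    };
  }
  return out;
}

// Constructed log: three clients, two browser sessions of five requests each.
const SAMPLE_LOG = [
  ...clientLog("192.0.2.10", "fixed", 2, 5),
  ...clientLog("192.0.2.20", "per-session", 2, 5),
  ...clientLog("192.0.2.30", "per-request", 2, 5),
];

console.log(switchStats(SAMPLE_LOG));
```

With per-request rotation every consecutive pair of requests from the IP disagrees, a pattern the fixed browser never produces; per-session rotation changes once at the session boundary.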
Re:Interesting (Score:5, Informative)
I see nowhere on their site where the source code is available. That's just a scummy move.
Re: (Score:3)
It lost me at "Chrome-based"...
Re: (Score:3)
It's actually Chromium based, not Chrome
Chromium is open source:
http://www.chromium.org/ [chromium.org]
Re:Interesting - Epic is open source, founder (Score:2)
Re:Interesting (Score:5, Interesting)
Re: (Score:2)
presumably, if they're being any serious at all, you'll look to panopticlick like any other dude using the browser(well, lying about screen resolution might cause some problems down the line).
Re: (Score:2)
Screen resolution is the big one for me, since I browse from inside a virtual machine. If the VM isn't full-screen, it has a quite distinctive "screen resolution". A good answer is to lie by using the closest (or perhaps next smaller) frequent size, then making sure you still render acceptably.
Re: (Score:2)
Can either of them defeat Panopticlick [eff.org]? I don't see anything on Epic's site about hiding font lists.
It doesn't, either. I just tried installing it.
Your browser fingerprint appears to be unique among the 3,356,831 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 21.68 bits of identifying information.
It's mostly the font list that gives the show away.
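How a "bits of identifying information" figure like the one quoted above can be derived, as an added example that is not part of the comment and is not Panopticlick's code: a trait shared by `shared` of `total` browsers carries log2(total / shared) bits, so a fingerprint that is unique among 3,356,831 samples carries log2(3,356,831), about 21.68 bits. The sample population, attribute names and function names are constructed for illustration.

```javascript
// Self-information (surprisal) of a trait shared by `shared` of `total` browsers.
function surprisalBits(shared, total) {
  if (shared <= 0 || shared > total) {
    throw new RangeError("need 0 < shared <= total");
  }
  return Math.log2(total / shared);
}

// Constructed sample population (not Panopticlick data).
const FONTS_COMMON = "Arial,Calibri,Times New Roman";
const FONTS_OFFICE = "Arial,Calibri,Cambria,Times New Roman";
const POPULATION = [
  { userAgent: "browser-A", screen: "1920x1080", fonts: FONTS_COMMON },
  { userAgent: "browser-A", screen: "1920x1080", fonts: FONTS_COMMON },
  { userAgent: "browser-A", screen: "1366x768",  fonts: FONTS_COMMON },
  { userAgent: "browser-A", screen: "1366x768",  fonts: FONTS_OFFICE },
  { userAgent: "browser-B", screen: "1920x1080", fonts: "Arial,Helvetica" },
  { userAgent: "browser-B", screen: "1366x768",  fonts: FONTS_COMMON },
  // Target: common browser and screen, but an unusual set of installed fonts.
  { userAgent: "browser-A", screen: "1920x1080",
    fonts: "Arial,Calibri,Comic Neue,Fira Code,Times New Roman" },
  { userAgent: "browser-B", screen: "1920x1080", fonts: FONTS_OFFICE },
];

const ATTRIBUTES = ["userAgent", "screen", "fonts"];

// For one browser: bits leaked by each attribute on its own, plus the size of
// the anonymity set (browsers matching on every attribute) and its bits.
// The target must itself be a member of the population.
function analyze(population, target, attributes = ATTRIBUTES) {
  const total = population.length;
  const perAttribute = {};
  for (const attr of attributes) {
    const shared = population.filter((b) => b[attr] === target[attr]).length;
    perAttribute[attr] = { shared, bits: surprisalBits(shared, total) };
  }
  const anonymitySet = population.filter((b) =>
    attributes.every((a) => b[a] === target[a])).length;
  return {
    perAttribute,
    anonymitySet,
    bits: surprisalBits(anonymitySet, total),
  };
}

const report = analyze(POPULATION, POPULATION[6]);
console.log(report);
// The figure quoted in the comment, for a fingerprint unique in the sample:
console.log(surprisalBits(1, 3356831).toFixed(2));
```

In the constructed sample the user agent and screen size each contribute under one bit, while the font list alone accounts for all three bits that make the target unique.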
Re:Interesting - Founder Comment on Panopticlick (Score:2)
Comment removed (Score:4, Interesting)
Re: (Score:3, Insightful)
If slashdice cared about, well, anything, they would also run a {slashdot}.onion site as well.
Re: (Score:2)
If you ATTEMPT to get privacy, they will attract their attention towards you. You must have something to hide (which is, of course, yourself).
Re: (Score:2)
The best place to hide is in the crowd. DO NOTHING. Then they won't be interested in you.