
#1 Re: Privacy News, Privacy Violations, Privacy Discussions » Epic Review & Suggestions » 2013-10-06 14:40:59

I would highly recommend an option in settings that says something along the lines of "I am currently connected to a VPN" that when enabled, disables the proxy feature altogether. It is extremely frustrating when I need to use Google search and am required to enter in a captcha code to verify that I am not a robot. I find myself having to keep Firefox open at all times just in case Epicsearch cannot handle my query, and I don't feel like having to prove that I'm not a robot.

#2 Re: Epic Privacy Browser - Privacy Features & Privacy Concerns » Epicsearch SSL appears as "BROKEN OR UNTRUSTED" » 2013-10-06 14:07:28

The issue has been resolved. Firefox Beta Channel has finally allowed the Calomel SSL access to more in-depth certificate information. It now recognizes your PFS implementation and gives you a higher score. Your current cipher suite is TLS_ECDHE_RSA_WITH_RC4_128_SHA. My recommendation is to test out TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as a compromise between maximum security and speed.
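The two suite names in the post above can be read field by field. This is an added example, not part of the original post or of Epic's code: a small parser for TLS 1.0-1.2 cipher suite names that reports forward secrecy, cipher, key size and mode. The function names and finding texts are this example's own, and it assumes names that end in a hash field.

```python
FORWARD_SECRET_KX = {"ECDHE", "DHE"}      # ephemeral (EC)DH key exchange
AEAD_MODES = {"GCM", "POLY1305"}

def parse_suite(name):
    """Split TLS_<KX>[_<AUTH>]_WITH_<CIPHER>[_<BITS>][_<MODE>]_<HASH>."""
    head, sep, tail = name.partition("_WITH_")
    kx = head.split("_")[1:]
    body = tail.split("_")
    if not head.startswith("TLS_") or not sep or not kx or len(body) < 2:
        raise ValueError(f"not a TLS 1.0-1.2 cipher suite name: {name!r}")
    middle = body[1:-1]                   # everything between cipher and hash
    mode = next((p for p in middle if p == "CBC" or p in AEAD_MODES), None)
    return {
        "key_exchange": kx[0],
        "auth": kx[-1],                   # same as key_exchange for TLS_RSA_*
        "cipher": body[0],
        "key_bits": next((int(p) for p in middle if p.isdigit()), None),
        "mode": mode or ("stream" if body[0] == "RC4" else "unknown"),
        "hash": body[-1],
    }

def audit(name):
    """Return the parsed suite plus a forward-secrecy flag and findings."""
    s = parse_suite(name)
    s["forward_secret"] = s["key_exchange"] in FORWARD_SECRET_KX
    findings = []
    if not s["forward_secret"]:
        findings.append("no forward secrecy (static key exchange)")
    if s["cipher"] == "RC4":
        findings.append("RC4 is prohibited in TLS by RFC 7465")
    if s["mode"] == "CBC":
        findings.append("CBC suites are MAC-then-encrypt by default; prefer AEAD")
    s["findings"] = findings
    return s

if __name__ == "__main__":
    # The two suites named in the post.
    for suite in ("TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"):
        r = audit(suite)
        print(suite, r["forward_secret"], r["key_bits"], r["findings"])
```

Both suites keep the ECDHE key exchange, so the PFS property the post mentions is unchanged by the switch; only the bulk cipher, key size and mode differ.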

#5 Re: Privacy News, Privacy Violations, Privacy Discussions » Epic Review & Suggestions » 2013-09-20 10:30:24

A feature request for Epicsearch: Please allow us to use search operators in the search engine. Most importantly, quotes and dashes to group and exclude words. Using Epic as my default browser now, keep up the hard work!

#6 Re: Privacy News, Privacy Violations, Privacy Discussions » Epic Review & Suggestions » 2013-09-14 11:33:08

Thanks for the detailed response! I think a few of the problems I was having might be because your website has so much information, I might have overlooked a few things buried in some tabs. Though I have to say that I can't really fault your browser for having so many features that it's hard to make sure I've read everything!

Concerning HTTPS Everywhere: I did not realize that your encrypted data option attempts HTTPS on each web site. Looking at it briefly, I had thought it needed to be turned on each time. I just now found this feature under the Surveillance Protection tab on the web site. Might I suggest changing the settings text to Attempt Secure Connection or something similar to better portray this feature's purpose? You might not want this to toggle off every time the web site is not using HTTPS. A user can just as easily look into the address bar at the lock button to find out if it was able to make a secure connection. Having it toggle to the off position makes me want to toggle it back on thinking that it had been switched off globally.

Also, how does your browser choose which sites to try and enable a secure connection? Instead of attempting on each site, the EFF recommends using a white list so as not to introduce more security vulnerabilities. Maybe you can just grab the white list they use for their extension?

EFF HTTPS Everywhere FAQ wrote:

Q. Why use a whitelist of sites that support HTTPS? Why can't you try to use HTTPS for every last site, and only fall back to HTTP if it isn't available?

A. There are several problems with the idea of trying to automatically detect HTTPS on every site. Firstly, there is no guarantee that sites are going to give the same response via HTTPS that they give via HTTP. As of 2010, LiveJournal is a good example of this problem: compare these HTTP and HTTPS responses. Secondly, we don't think it's possible to test for HTTPS in real time without introducing security vulnerabilities (What should the extension do if the HTTPS connection attempt fails? Falling back to insecure HTTP isn't safe).

Gray Logo & Sidebar: The problem with the grayed out sidebar is that it's almost as if the options are unavailable when they are that light. I think the layout of your search engine is just fine, and there is enough white space separating the sidebar and top search bar so as not to distract from the search results. Also, I think the font and color choice for the epicsearch logo looks great! It would be a shame to keep it hidden like that.

Fingerprinting: It's nice to know that you are looking so hard into it. I do agree that the EFF web site could be a little more clear as to what the numbers actually mean in the real world instead of just looking really scary with all of their big numbers. I wish I could make some suggestions, but all of my attempts at making myself less identifiable have resulted in an annoying user experience. It would be nice to have a subforum or stickied thread in order to have an in-depth discussion concerning this problem. I know that it has made me, along with many other users, feel like no matter what we do, they will always be able to know who we are almost instantly.

A few more suggestions: Have you considered allowing users to connect to a secure DNS server from inside the browser? I know that Comodo offers this option, but I prefer not to use their corporate-controlled services. I believe that some sort of implementation with OpenDNS and DNScrypt would be extremely beneficial, allowing our DNS queries to be encrypted using elliptic-curve cryptography. Since these services are open-source, it might even be feasible to bundle DNScrypt along with Epic Browser to allow a user to change the way DNS is handled for just the browser or alternatively the entire system with a little bit of tweaking.

With the likely possibility of RSA-1024 encryption keys through SSL being compromised by the NSA, do you plan on allowing us to view the encryption key type of our current SSL connection, as well as the ability to try and force a stronger encryption level, similar to what the Calomel SSL Validation extension in Firefox is able to do?

Related to the above, I noticed that your epicsearch.in domain is protected by what is considered a weak RC4 Symmetric Cipher, as well as a weak 128 bit Symmetric Key length. Might you consider upgrading to AES-256 and 256 bits respectively?

Thanks for taking your time with these discussions, I believe that honesty and transparency are the most important factors that informed consumers rely on when deciding who to trust with privacy and security software. You guys are off to a great start!
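The whitelist approach from the EFF FAQ quoted in the post above, as an added example that is not part of the original post and not Epic's or the EFF's code: only hosts listed in a ruleset are rewritten to HTTPS, unlisted hosts are never probed, and a rewritten request that cannot connect is blocked instead of falling back to HTTP. The ruleset is constructed in the HTTPS Everywhere XML style; the `<rulesets>` wrapper, the function names and the `https_reachable` flag are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML style (not from the EFF list).
RULESETS_XML = r"""
<rulesets>
  <ruleset name="Example shop">
    <target host="shop.example" />
    <target host="www.shop.example" />
    <exclusion pattern="^http://(www\.)?shop\.example/legacy/" />
    <rule from="^http://(www\.)?shop\.example/" to="https://www.shop.example/" />
  </ruleset>
</rulesets>
"""

def load_rulesets(xml_text):
    """Index rules by target host so only listed hosts are ever rewritten."""
    by_host = {}
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        # Rulesets use JavaScript-style $1 backreferences; Python wants \g<1>.
        rules = [(re.compile(r.get("from")),
                  re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
                 for r in rs.iter("rule")]
        exclusions = [re.compile(e.get("pattern")) for e in rs.iter("exclusion")]
        for target in rs.iter("target"):
            by_host[target.get("host").lower()] = (rules, exclusions)
    return by_host

def upgrade(url, by_host):
    """Return the HTTPS URL for a listed site, or the URL unchanged."""
    parts = urlsplit(url)
    entry = by_host.get((parts.hostname or "").lower())
    if parts.scheme != "http" or entry is None:
        return url                      # unlisted host: no HTTPS probing at all
    rules, exclusions = entry
    if any(p.search(url) for p in exclusions):
        return url                      # path the site only serves over HTTP
    for pattern, replacement in rules:
        new_url, count = pattern.subn(replacement, url, count=1)
        if count:
            return new_url
    return url

def decide(url, by_host, https_reachable):
    """Example policy: a rewritten request that cannot connect is blocked."""
    target = upgrade(url, by_host)
    if target == url or https_reachable:
        return ("load", target)
    return ("block", target)            # never fall back to plain HTTP

RULES = load_rulesets(RULESETS_XML)
```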

#7 Re: Epic Privacy Browser - Help & Troubleshooting » Epic start page » 2013-09-13 10:04:11

I was wondering that as well. I checked the page's source and found out that it's coded to show no matter what browser you are using.

#8 Privacy News, Privacy Violations, Privacy Discussions » Epic Review & Suggestions » 2013-09-13 09:32:15

twelph
Replies: 16

I began using Epic Browser a week ago after reading an article about it on Slashdot. I spend a small part of each day keeping updated on the latest privacy and encryption news. Needless to say, the revelations of the past few months have made this more of a requirement than a hobby. I almost skipped over the Epic Browser announcement when I saw that it was based on Chromium code, having switched to Firefox primarily due to privacy concerns. Thankfully there were enough details on the website to convince me that the team had spent a significant amount of time securing Chromium in much the same way that I focus on Firefox using extensions and editing the configuration. I've been using it as my main browser since it was installed, and have been impressed with many of the customizations that have been implemented.

Things I Like

  • The amount of changes made. I came into this expecting a few popular Chrome extensions replicated and nothing more. The more I use it, the more apparent it is to me that this is a serious effort from people passionate about security and privacy.

  • Not allowing people to accidentally worsen their security. Making the decision to disable extensions is a tough choice that I believe to be the right one. If you are able to replicate all of the security functions that extensions provide in Firefox, then the browser will be perfect for me. The only thing you might consider in the future is to white-list a few essential applications like LastPass as long as they don't introduce any vulnerabilities.

  • So far, you seem to be making a substantial effort to answer questions in these forums. If you are able to incorporate the promised changes quickly, then this project will evolve nicely.

  • The program seems snappier than default Chrome with privacy extensions installed.

  • The proxy is a great feature, though an option to disable it for those of us behind VPNs might be useful, even if the option is buried somewhere so regular users don't compromise their security.

  • Built-in search engine returns acceptable results.

Things That Need Improvement

  • Forced HTTPS when available. If there is one deal breaker in this browser for me, it is the lack of functionality that HTTPS-Everywhere provides. If you are not already working on this and plan on implementing a similar feature soon, I would strongly suggest allowing HTTPS-Everywhere to be white-listed as an available extension.

  • Having a portable version of your browser that can be installed on a USB drive would be a large step in making the software more secure.

  • Browser Fingerprinting is one of the greatest threats to our privacy even with users using a VPN service. Please work on obtaining a better score at Panopticlick. I understand that it's troublesome and there is not a standard way of fighting this, but making progress in this area is one of the most important things we need right now to maintain our privacy.

  • Remove features like "Sign into Epic through your Google account". This is a step backwards for a browser focused on privacy mode, as is the next point on this list...

  • Turn off "offer to save passwords" as a default option.

  • Begin implementing NoScript features. Since you are changing the code of Chromium and not just making another extension, you are in the best position to offer options that only Firefox was able to allow access to.

  • The web site mentions that on close, Epic clears all of your browsing data. Where is that data stored, on your hard drive? Would it be a better option to store it in RAM? Have you considered overwriting the data with random information instead of just deleting it?

  • On the epicsearch results page, your logo and sidebar look greyed out. This is really distracting.

  • I don't know why your web site says "No Spell-Check." Is spell check a privacy issue somehow? Anyways, it seems to be working fine while typing this up.

Questions

  • What caused you to go from a browser customized for Indians to a privacy focused browser?

  • Since the original Epic was based on Firefox, what led to the decision to switch to Chromium?

  • What is your opinion on the current state of privacy online since all of these new revelations have surfaced recently?

Despite my criticisms, I am extremely impressed with your initial efforts and will be watching this project very closely!

Edit: Got HTTPS-Everywhere installed without a problem, I don't know if that's a good or bad thing.
