Epic, a privacy browser with a fatal flaw

I ran across this new browser recently, Epic.

Why should I use Epic?

When you use the Epic Privacy Browser, you get privacy in a fast, simple browser! Have a fabulous browsing experience and gain privacy over what you browse and search. Protect your browsing and searches from hundreds of companies and governments.

Awesome, except for one thing: the software is closed source and, worse, is supported by what is essentially a form of advertising.

Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts

Combine this with the fact that it is owned by a private company based in the US (and thus subject to NSLs, National Security Letters, and the like).

Hidden Reflex is a privately-funded software start-up company based in the United States

Sadly, great idea, bad execution. If you want a higher assurance of privacy, you shouldn’t use this; use an open source browser with appropriate security-related plugins: NoScript, RequestPolicy, Adblock Edge (not Adblock Plus, which has been compromised). These are a good start; there are others out there that can help even more.

Sadly, if you are a company that wants to provide a believable amount of privacy, you must do at least the following:

  • Your company cannot be based in the US (Lavabit had to shut down, likely to avoid being forced to put backdoors in its software). I am forced to assume that any organization based in the US is (or can be) similarly compromised.
  • Your company needs to have its software open sourced. You can keep the copyright on the brand, however. (Open sourced software allows for more public review of the code.)
  • Your company needs to not use servers in the US to store your code or installer, and you should publish a hash of your installer so users can verify it has not been tampered with.
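The third point, checking a downloaded installer against a published digest, is the one step a user can perform locally. The following POSIX shell function is an added example for this post, not something Epic or Hidden Reflex ships; the file name, the digest and the test content are constructed for illustration.

```shell
#!/bin/sh
# Verify a downloaded installer against a published SHA-256 digest.
# Usage: verify_installer <file> <expected_sha256_hex>
# Returns 0 when the digest matches, 1 on mismatch, 2 if the file is missing.
# (Added example; the installer name and digest are placeholders, not Epic's.)

sha256_of() {
  # Prefer coreutils sha256sum; fall back to shasum or openssl where absent.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

verify_installer() {
  file=$1
  # Normalise the published digest to lowercase so case differences do not cause false mismatches.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published digest"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Stand-alone usage: ./verify.sh EpicInstaller.dmg <digest copied from the vendor's page>
if [ "${1:-}" ]; then
  verify_installer "$1" "${2:?expected SHA-256 digest required}"
fi
```

A digest only proves the download is the file the vendor intended if the digest itself was fetched over a channel the attacker cannot also alter (a separate HTTPS page, or better, a detached signature over the digest). A hash sitting next to the installer on the same mirror detects corruption, not a mirror that has been tampered with.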

Without those 3 things, you can no longer claim your software has privacy in mind and be believed anymore.

4 thoughts on “Epic, a privacy browser with a fatal flaw”

  1. To be fair, the powers that be have backdoor access to Microsoft, Google, Yahoo and all the other big players so no browser will ever be able to block them. What Epic seems to do is to block all the commercial trackers straight out of the box. For non technical users or people who can’t be bothered slowing down their browsing with a plethora of plug-ins, this is a simple solution that works pretty well.

    1. Firefox (or Iceweasel) are both open source. Their code can be reviewed out of the box. From a security perspective, this gives them a very strong position on privacy, far more than a private system.

  2. Alok, founder from the Epic Privacy Browser Team here. If you’re able to revise this to be more accurate, it’s much appreciated & thanks for the review & feedback!! 100% of our code is auditable. We’ve had many requests for files and code — mostly for help; it seems that most people haven’t audited our code, which is understandable given that it’s tens of millions of lines of code in Chromium. We hope to open source (basically publicly release) all the code very soon — there are a few things delaying that but nothing that has diminished our commitment to open source software and transparency.

    More than that, it’s inaccurate to believe that open source software is in and of itself private or secure. Unfortunately, it’s not. The best example of this is the recent Heartbleed bug in OpenSSL. In our case, the Chromium code base is just enormous and it’s doubtful that it can be audited thoroughly — though it would be great for anyone so inclined to do so or work on this.

    One of the best things one can do is use a tool like Little Snitch on the Mac or Wireshark to make sure there are no aberrant calls going out.

    All development is done in India. As a US citizen who could be subject to a gag order or something else, I cannot on my own alter the code. The company is domiciled in the U.S.

    Installation is highly secure — but good point on adding more user checks to be sure there are no MitM or other attacks.

    We’re a small team of a few people, so unfortunately everything’s not quite done or perfect, but we’re working on it and we’re very glad that hundreds of thousands of people have chosen to browse and search privately with us.
