Building the best browser to surf anonymously

Discussion in 'privacy technology' started by The_PrivaZer_Team, Apr 18, 2014.

  1. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    599
    Location:
    US
    Hello,

    here is the PrivaZer Team.

    Maybe this is the start of something big ! :)

    We intend to develop new software to protect your privacy when surfing the web:
    the best web browser ever, ensuring that you surf and search the web anonymously, blocking online tracking companies, protecting your personal information.

    EDITED: it will be open source

    Many "privacy browsers" and "privacy extensions" already exist, but are you 100% satisfied with them?
    We want to build a unique tool, with all features included and we would need you to build it.

    Do you think there is a need for it?
    Would you like to join?
    What would be the features to include?
     
    Last edited: Apr 19, 2014
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Is it going to be open source? The truly paranoid wouldn't use anything but.

    And without things like https://www.eff.org/https-everywhere and http://noscript.net/ I wouldn't even pretend that my browser is secure- you'd have to at least add support for stuff like this. You have to be serious in making a privacy based browser that isn't just a product- it's important.

    edit

    You also have to ask yourselves, how can you compete with such things as Tails/the Tor browser bundle?

    edit2

    And if you're going to be serious in offering people true privacy, you must work with things/groups that all strive for the same goal- like Tor and EFF.
     
    Last edited: Apr 18, 2014
  3. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    599
    Location:
    US
    Hello Veeshush,

    yes, it will be OPEN SOURCE :)

    Feature list, so far :
    - "https everywhere" or VPN
    - "no script"
    - "Tor" support
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    So how soon is the beta group for this project to be assembled? ;)
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, although I applaud your intentions, if it's just going to be a browser with AddOns etc, no matter how good they "might" be/are, then how else will it differ from others?
     
  6. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    599
    Location:
    US
    @EASTER
    beta group as soon as possible.

    @CloneRanger
    That is a good point and what we want to discuss here with you.
    The goal is to help normal users and paranoids to have an easy-to-use tool offering maximum security coverage.
    Suggestions, comments etc. are welcome.
     
  7. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    I think a portable Chromium-based browser with HTTPSB, homegrown DomElement hiding (similar to yarip) and a proxy selector (similar to Proxy Selector) add-on is a good start.
     
  8. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Oh wow, that's actually really great to hear! I wasn't expecting that. I'd really try to keep it open, I just don't think a closed sourced security/privacy browser would live long.

    I'm guessing you guys will be making a fork of chromium or Gecko based (or other)?

    And what are your plans with plugins such as Adobe Flash, Java and that sort of stuff that's just constantly exploited? Having a strong click to play whitelisting kind of setup would be a must for me. Or even would you exclude plugins like Adobe/Java stuff entirely? For instance some people use a 2 browser approach when web surfing with maybe one browser (like Tor browser bundle, or even just Firefox without plugins) for their "secure" setup, and then use their second browser (like IE) for Flash or Java. Basically, the "secure browser" isn't always what people tend to use for their 24/7 web surfing for a lot of reasons. You know, people want to be secure and private but they also want their sites to work, and then it's the age old "well this is a pain, so I'll just disable this security/privacy feature and hope for the best!". Or like how I could never use something like Tails for a 24/7 system. Where do you meet practical daily use without losing some of the security/privacy features, you know?

    And then obviously it should come with an arsenal of privacy based bookmarks and search engines.
     
  9. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    599
    Location:
    US
    1. Yes a fork of Gecko or Chromium.
    2. It should run on main OSes like Windows, OS X, Linux. Tails is not that convenient for daily use.
    3. We can add a toggle button allowing the user to change his settings between "secure browsing" and "normal browsing"
    4. Privacy search engines available by default.
     
  10. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    My point was more how to go about in offering users privacy/security without making something that's either too tedious or impractical for daily use that it turns users away. I don't mean "stupid proofing" it either, I mean more "practical" for daily use but without also being vulnerable. I mean, that's an age old thing with every security based software made probably, but it is really affecting how people handle their browsers.

    I think back to the Tor extension Torbutton and all of its issues: https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton
    I don't only mean this for Tor, I'm talking about the idea of toggling on/off features.

    That's the real thing to me anyway- how do you make a browser that you'll want to use for daily use without stripping it of features that make it private. I don't know if even toggle is the way to go about it. Maybe even two separate browsers entirely that open, one for "trusted sites" and more lax security and the other for surfing with strict privacy features would make sense. I just think if you were to end this kind of "dual browser" approach that a lot of people use with "this is my secure browser I use for this and this is my daily browser I use for daily stuff" without having your browser fall into either group.

    The only other thing I can think of is heavy use of site whitelisting.

    I don't know, I'm just bouncing ideas around and things people have tried before.
     
    Last edited: Apr 19, 2014
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Yandex browser based on Chrome includes various extensions by default like adblock, flashblock, lastpass manager, WOT and so on. I think that approach is better than creating your own extensions included in the browser, because focusing on too many areas always results in failure. Include PrivaZer somehow. ;)
     
  12. Aeolis

    Aeolis Registered Member

    Joined:
    Apr 10, 2010
    Posts:
    60
    Hello folks,

    Well, I am really pleased to see a reliable and privacy committed company like PrivaZer Team with such a great objective! Yes, it's needed. Yes, I would like to join. Here are my suggestions:

    - Open Source browser;
    - Fully portable. I mean stealth, NO traces are left in Registry and NO traces are left in host PC. The browser must not write to Registry at all and all data must be written to its folder. The only exception would be when the user wants browser integration with the system, but the user should be warned that it will write to Registry in this scenario;
    - Based on Gecko engine;
    - If based on Chromium engine, remove all the privacy violation related stuff from it;
    - Built-in private data secure eraser. With options to clean cache, cookies etc. when required and on browser exit. Secure eraser option would be one-pass, two-pass, DoD method etc.;
    - Compatible with current browser engine extensions;
    - If possible, DNS-spoofing protection by checking addresses against a secure database, with warnings to the user when there is a mismatch;
    - If possible, Ad-Blocker engine with support to block elements based on lists (ABP based, Malware Domains List, MVPS host, hp hosts etc.) and with support to block elements by user input;
    - If possible, script protection like NoScript;
    - If possible, general privacy protection like HTTP Switchboard;
    - If possible, when a web page is closed clean all traces of it like Self-destruction cookies, but erase all traces not only cookies;
    - If possible, multi-language support;

    I hope it helps. If you need help translating it to "pt-BR" - here I am!:thumb:

    Best regards,

    Aeolis
     
  13. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I'd add to that maybe it should only save cache and cookies to ram unless you set it otherwise (like a cookie to a site you login everyday). Then everything would be cleared when you exit, and ram recovery methods are a lot harder than hard disk methods (but there could also be an option to wipe the ram on close). I think even the Tor Browser bundle does this already (minus saving cookies you'd want).
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    :thumbd:
    :thumb:
    :thumb:
     
  15. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I'm not sure if you have influence over these things if you're forking:
    Support the latest TLS standards (TLS 1.2, AES-GCM (and not only the 128 bit versions like FF and Chrome), OCSP stapling, make sure OCSP/CRL isn't just for EV certificates and check all certs in the chain (not just server certificate, also intermediate), certificate pinning.)
    Make use of DEP, ASLR, SEHOP, and anti-ROP techniques.
    Run browser processes with Low or Untrusted integrity.
    Support for DNSSEC verification in the browser.
     
  17. mlauzon

    mlauzon Registered Member

    Joined:
    Aug 9, 2011
    Posts:
    107
    Location:
    Canada
    Why not do something that no browser maker has yet to do, follow the standards by 100%!
     
  18. mlauzon

    mlauzon Registered Member

    Joined:
    Aug 9, 2011
    Posts:
    107
    Location:
    Canada
    What makes your browser better than any of the other security focused browsers that are also based on Chromium, and have been out for much longer..?!
     
  19. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I'm not using the Aviator browser. I mentioned it because I had already been using some
    settings they have incorporated into their browser. The difference being they (WhiteHat Security)
    do it by default whereas I had to manually configure some of these settings into my browser.
    Whatever browser I'm using (tried several) I don't leave them on default settings.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Definitely Gecko based. Open source and highly configurable, leaving geeks the ability to fine tune, tweak and trim everything possible. An Adblocker built in, like Adblock Edge for example. Forget phishing filters, Google "safe browsing" and things of the sort... those present possible privacy abuse. How do I really know what's being sent back to their servers? I disable it in Firefox and in Sandboxie. Maybe add something like WOT or TrafficLight for that purpose. Or a proper DNS service to filter bad sites. And using a privacy friendly meta search engine like Ixquick, that won't compromise their integrity or the safety of their end users by adding "suggested sites" to anyone that shoots them a few bucks.

    I'd like it to be a lot like Firefox "can" be when power tweaked... and then some... having many of the things you must modify in their about:config to make yourself safe/private already that way by default. Like for example "geo.enabled", referrers, etc... It should come out of the box this way because this project is targeted at geeks like us, not the average user.

    Seems obvious, but a Private browsing mode. And also sandboxed tabs like Chrome has. Or at least something like the addon "Private Tab" for Firefox. No plugins... no Java, no Flash... but rather HTML5.

    And VPN/Tor friendly, as you pointed out.

    And I agree with what Aeolis & BoerenkoolMetWorst said. Great advice there. Specifically supporting TLS 1.2 AES 256_GCM.
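
One way to check a Firefox profile against the about:config wishes in the post above, as an added example that is not part of the original thread. Only `geo.enabled` is named in the post; `network.http.sendRefererHeader` and `browser.safebrowsing.malware.enabled` are Firefox preference names picked here to stand for "referrers" and Safe Browsing, and the baseline values and sample file are constructed.

```python
import re

# Baseline reflecting the post's wishes. Only geo.enabled is named there;
# the other two pref names are assumptions chosen for this example.
BASELINE = {
    "geo.enabled": False,
    "network.http.sendRefererHeader": 0,
    "browser.safebrowsing.malware.enabled": False,
}
# Firefox defaults, which apply whenever a pref is absent from the file.
DEFAULTS = {
    "geo.enabled": True,
    "network.http.sendRefererHeader": 2,
    "browser.safebrowsing.malware.enabled": True,
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Parse user_pref("name", value); lines from prefs.js or user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[name] = value  # a later line overrides an earlier one
    return prefs

def audit(text):
    """Return (pref, effective value, 'set' or 'default') for each deviation."""
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in BASELINE.items():
        effective = prefs.get(name, DEFAULTS[name])
        # Compare the type as well, because False == 0 in Python.
        if effective != wanted or type(effective) is not type(wanted):
            findings.append((name, effective, "set" if name in prefs else "default"))
    return findings

# Constructed sample profile: one pref hardened, one left lax, one absent.
SAMPLE = '''// constructed sample, not from a real profile
user_pref("geo.enabled", false);
user_pref("network.http.sendRefererHeader", 2);
user_pref("browser.startup.homepage", "about:blank");
'''
```

A pref reported with `default` was never written to the file, so the browser's shipped value is in effect.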
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I am still using an old version of Opera v12.15, because I don't like the switch to a chrome based engine.

    Definitely no chrome for me.
     
  22. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    just pick up where Opera 12.16 left off.

    and put in an easy to use URL blocker that also allows to import other lists, etc.

    portable, open source, no connections to google, etc.

    would be great
     
  23. Nanoflow

    Nanoflow Registered Member

    Joined:
    Oct 28, 2012
    Posts:
    6
    Location:
    Seattle, WA
    Another question that I would ask is where is the funding for your project coming from (e.g. donation, VCs, or crowd-sourced)?
     
  24. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    599
    Location:
    US
    Hello Nanoflow,

    we will certainly crowdfund it to determine:

    1. if we can reach enough people
    2. if there is a need for such a tool
    And we would like to thank all of you for your suggestions so far...
     
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    As an update to this... I've reassessed my position on this subject as of late. Especially considering Heartbleed, my mistrust of the elliptic curve which I believe is intentionally broken and backdoored. Among other things. I trust more time tested, tried & true cryptography. I think a good place to start is look at places like TOR and (what I feel are) trustworthy VPNs, and see what they're using. Funny how I see none deploying the curve, and elect to use CBC over AEAD GCM. Using good ol' Calomel I see this used (generally) across the board among them:

    Perfect Forward Secrecy [PFS]: YES
    Ciphersuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Key Exchange: DHE [PFS]
    Signature: RSA
    Bulk Cipher: AES 256 bit
    MAC: SHA-256

    Issued to: SHA-256 With RSA @ 2048 bit
    Issued by: SHA-256 With RSA @ 2048 bit (4096 even better "if" it doesn't sacrifice usability too much)

    Most of them are even using AES 128, and SHA-1 instead, but I tossed in what I consider ideal too along with what they all seem to feel is most trustworthy. None of them are using the curve or AEAD GCM. I always see Google sites employing that stuff... and many sites that were compromised by Heartbleed.
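
The field breakdown quoted in the post above (key exchange, signature, bulk cipher, MAC, PFS) can be read off the cipher suite name itself, which also makes it easy to compare the CBC and AES-GCM suites discussed in this thread. The following is an added example, not part of the original thread and not Calomel's code; `parse_suite`, `describe` and the sample list are constructed for illustration, and only TLS 1.2 style names are handled.

```python
# TLS 1.2 names: TLS_<kx>[_<auth>]_WITH_<cipher>[_<bits>][_<mode>]_<hash>
EPHEMERAL_KX = {"DHE", "ECDHE"}          # ephemeral key exchange gives PFS
AEAD_MODES = {"GCM", "CCM", "POLY1305"}  # integrity is built into the mode

def parse_suite(name):
    """Split one suite name into the fields shown in the post."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.2 style suite name: %r" % name)
    kx_auth, bulk = name[len("TLS_"):].split("_WITH_", 1)
    kx, _, auth = kx_auth.partition("_")
    tokens = bulk.split("_")
    digest = tokens.pop()
    mode = tokens.pop() if tokens and tokens[-1] in AEAD_MODES | {"CBC"} else None
    bits = int(tokens.pop()) if tokens and tokens[-1].isdigit() else None
    aead = mode in AEAD_MODES
    if aead:
        mac = "AEAD"  # the trailing hash is only the PRF hash here
    else:
        mac = "SHA-1" if digest == "SHA" else digest.replace("SHA", "SHA-")
    return {
        "key_exchange": kx,
        "signature": auth or kx,  # TLS_RSA_WITH_...: RSA does both jobs
        "bulk_cipher": "_".join(tokens), "bits": bits, "mode": mode,
        "mac": mac, "aead": aead, "pfs": kx in EPHEMERAL_KX,
    }

def describe(name):
    """Render the parsed fields in the layout quoted in the post."""
    s = parse_suite(name)
    bulk = s["bulk_cipher"] + (" %d bit" % s["bits"] if s["bits"] else "")
    return "\n".join([
        "Perfect Forward Secrecy [PFS]: " + ("YES" if s["pfs"] else "NO"),
        "Ciphersuite: " + name,
        "Key Exchange: " + s["key_exchange"] + (" [PFS]" if s["pfs"] else ""),
        "Signature: " + s["signature"],
        "Bulk Cipher: " + bulk,
        "MAC: " + s["mac"],
    ])

# Constructed sample list: the suite from the post plus two for contrast.
SAMPLE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(describe(suite) + "\n")
```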
     