1 (edited by twelph 2013-09-13 10:00:23)

Topic: Epic Review & Suggestions

I began using Epic Browser a week ago after reading an article about it on Slashdot. I spend a small part of each day keeping updated on the latest privacy and encryption news. Needless to say, the revelations of the past few months have made this more of a requirement than a hobby. I almost skipped over the Epic Browser announcement when I saw that it was based on Chromium code, having switched to Firefox primarily due to privacy concerns. Thankfully there were enough details on the website to convince me that the team had spent a significant amount of time securing Chromium in much the same way that I focus on Firefox using extensions and editing the configuration. I've been using it as my main browser since it was installed, and have been impressed with many of the customizations that have been implemented.

Things I Like

  • The amount of changes made. I came into this expecting a few popular Chrome extensions replicated and nothing more. The more I use it, the more apparent it is to me that this is a serious effort from people passionate about security and privacy.

  • Not allowing people to accidentally worsen their security. Making the decision to disable extensions is a tough choice that I believe to be the right one. If you are able to replicate all of the security functions that extensions provide in Firefox, then the browser will be perfect for me. The only thing you might consider in the future is to white-list a few essential applications like Lastpass as long as they don't introduce any vulnerabilities.

  • So far, you seem to be making a substantial effort to answer questions in these forums. If you are able to incorporate the promised changes quickly, then this project will evolve nicely.

  • The program seems snappier than default Chrome with privacy extensions installed.

  • The proxy is a great feature, though an option to disable it for those of us behind VPNs might be useful, even if the option is buried somewhere so regular users don't compromise their security.

  • Built-in search engine returns acceptable results.

Things That Need Improvement

  • Forced HTTPS when available. If there is one deal breaker in this browser for me, it is the lack of functionality that HTTPS-Everywhere provides. If you are not already working on this and plan on implementing a similar feature soon, I would strongly suggest allowing HTTPS-Everywhere to be white-listed as an available extension.

  • Having a portable version of your browser that can be installed on a USB drive would be a large step in making the software more secure.

  • Browser Fingerprinting is one of the greatest threats to our privacy even with users using a VPN service. Please work on obtaining a better score at Panopticlick. I understand that it's troublesome and there is not a standard way of fighting this, but making progress in this area is one of the most important things we need right now to maintain our privacy.

  • Remove features like "Sign into Epic through your Google account". This is a step backwards for a browser focused on privacy mode, as is the next point on this list...

  • Turn off "offer to save passwords" as a default option.

  • Begin implementing NoScript features. Since you are changing the code of Chromium and not just making another extension, you are in the best position to offer options that only Firefox was able to allow access to.

  • The web site mentions that on close, Epic clears all of your browsing data. Where is that data stored, on your hard drive? Would it be a better option to store it in ram? Have you considered overwriting the data with random information instead of just deleting it?

  • On the epicsearch results page, your logo and sidebar look greyed out. This is really distracting.

  • I don't know why your web site says "No Spell-Check." Is spell check a privacy issue somehow? Anyways, it seems to be working fine while typing this up.

Questions

  • What caused you to go from a browser customized for Indians to a privacy focused browser?

  • Since the original Epic was based on Firefox, what led to the decision to switch to Chromium?

  • What is your opinion on the current state of privacy online since all of these new revelations have surfaced recently?

Despite my criticisms, I am extremely impressed with your initial efforts and will be watching this project very closely!

Edit: Got HTTPS-Everywhere installed without a problem, I don't know if that's a good or bad thing.

Re: Epic Review & Suggestions

Thanks so much for the great feedback!! Thanks so much for the kind words & your support!! And also for letting us know what you don't like & what we can do better!

On the Things You Like - super! Thanks for pointing out that we remove options that could possibly make Epic non-private... that is, you're right, one of our principles, though we hadn't articulated it as such to others before. Allowing extensions is the most vocal suggestion we're receiving... so we're working to address that soon!

I'll go through the Things You Don't Like -- please let us know if this solves some of the issues as relevant.

HTTPS Everywhere -- Not sure if I understood your comment: did you mean you want to be able to turn this off on a per-site basis? In Epic you can do that via the umbrella button. So for a site, click on the top-right umbrella button, turn the Encrypted setting off, then reload it as http://

Sign In - accident, will be removed soon, nice catch!

Portable Version - we'll have something ready-made coming soon we hope! Good thought!

Spell-Check - sorry, confusion here! There are two spell-check options for Chromium, one local and one that accesses Google servers. The former is on, the latter off. We need to make this clearer!

Not Saving Passwords - we've gone back & forth on its default option. I personally side with you, but many other users found it very useful. We want to make it one-click global off at least in the future.

Clearing Data - yes, deleted from the hard drive. Good point to move it to RAM... tricky in Chromium's design; we looked into it at one point, I know?!

Grey Logo - actually we thought that, as grey, it would be less distracting. We'll work on this!

Fingerprinting - we actually have worked a lot on this and could "improve" our Panopticlick score literally overnight. The problem is that from our vantage point, it wouldn't actually thwart any fingerprinters! We're blocking tons of fingerprinting scripts right now - so you have protection in Epic. That being said, we do want to make fingerprinting effectively impossible, but it's hard! Panopticlick is overall great but technically misleading in many ways - actually, if you're 1 in 3 million you could be extremely safe IF your data is not stable. Fingerprinting depends on two things: uniqueness + stability... so even if you're quite unique, if you're not stable, you're hard to track. But more than that, there are many more ways to fingerprint you beyond JavaScript and even Flash - we want to do something more comprehensive here before we make any claims (beyond blocking known fingerprinters' scripts). We need to have a separate thread & discussion on this - as a community we need to work on this!!

Mozilla/Chromium. Mozilla didn't support us at all, to be honest (though they are very open/online, to their credit, & easy to work with), and we and others feel they've fallen behind Chromium as the best browser base. For example, it was a Firefox issue that let Tor users recently get hacked. We wish Mozilla the best and are very happy there are alternatives, though - competition is extremely important - they also have $1 billion in the bank thanks to Google (for Firefox), so we hope that enables them to do amazing things in the future.

Privacy. We actually have been working on this for about 12 months - thanks so much for recognizing the work & thought that has gone into the new Epic! We all felt that the invasion of our privacy online was insane, that privacy was important and that it was a core browser problem that should be addressed by a niche browser. BUT we of course had no idea that privacy would become such an explosive issue!! We also had no idea privacy would be soooo hard (Chromium is also difficult to work with)!!
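The "uniqueness + stability" point in the reply above, as an added example that is not Epic's code and not from the original thread. It computes how many bits of identifying information a "1 in N" Panopticlick score represents, hashes a constructed set of browser attributes the way a tracker would, and shows that perturbing one high-entropy attribute per session defeats linking even though every individual fingerprint stays unique. The attribute names, values and the FNV-1a digest are this example's own choices; the per-session token is derived from a seed only so the run is reproducible (a real implementation would use a CSPRNG).

```javascript
// Added example, not Epic's code. All attribute names and values are constructed.

// Identifying information, in bits, carried by being "1 in N" visitors.
function surprisalBits(oneInN) {
  return Math.log2(oneInN);
}

// 32-bit FNV-1a hash: a stand-in for whatever digest a tracker stores.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonical fingerprint over a set of browser attributes. Keys are sorted so
// that attribute order cannot change the digest.
function fingerprint(attrs) {
  const canon = Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canon);
}

// A tracker links two visits when their fingerprints are identical.
function sameVisitor(attrsA, attrsB) {
  return fingerprint(attrsA) === fingerprint(attrsB);
}

// Defence that attacks stability rather than uniqueness: perturb one
// high-entropy attribute (here the canvas digest) with a per-session token.
// The token is derived from a session seed only so the example is reproducible;
// a real implementation would draw it from a CSPRNG.
function withSessionNoise(attrs, sessionSeed) {
  const token = fnv1a("canvas-noise:" + sessionSeed);
  return { ...attrs, canvas: attrs.canvas + ":" + token };
}

// Constructed baseline attributes for one browser install.
const BASELINE = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1) Chrome/29.0",
  screen: "1920x1080x24",
  timezone: "-330",
  plugins: "Shockwave Flash 11.8;PDF Viewer",
  canvas: "b3a9f1c2",
};

// Two visits from the unmodified browser hash identically (trackable);
// two visits with per-session noise do not, although each is still unique.
function demo() {
  return {
    bitsFor1In3M: surprisalBits(3000000),
    stableLinks: sameVisitor(BASELINE, { ...BASELINE }),
    noisyLinks: sameVisitor(withSessionNoise(BASELINE, 1), withSessionNoise(BASELINE, 2)),
  };
}
```

Usage: `demo()` returns about 21.5 bits for the 1-in-3-million figure, `stableLinks: true` and `noisyLinks: false`. The caveat from the reply still applies: this only breaks trackers that rely on the perturbed attribute, and only for one session at a time.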

3 (edited by twelph 2013-09-14 11:59:13)

Re: Epic Review & Suggestions

Thanks for the detailed response! I think a few of the problems I was having might be because your website has so much information, I might have overlooked a few things buried in some tabs. Though I have to say that I can't really fault your browser for having so many features that it's hard to make sure I've read everything!

Concerning HTTPS Everywhere: I did not realize that your encrypted data option attempts HTTPS on each web site. Looking at it briefly, I had thought it needed to be turned on each time. I just now found this feature under the Surveillance Protection tab on the web site. Might I suggest changing the settings text to Attempt Secure Connection or something similar to better portray this feature's purpose? You might not want this to toggle off every time the web site is not using HTTPS. A user can just as easily look into the address bar at the lock button to find out if it was able to make a secure connection. Having it toggle to the off position makes me want to toggle it back on thinking that it had been switched off globally.

Also, how does your browser choose which sites to try and enable a secure connection? Instead of attempting on each site, the EFF recommends using a white list so as not to introduce more security vulnerabilities. Maybe you can just grab the white list they use for their extension?

EFF HTTPS Everywhere FAQ wrote:

Q. Why use a whitelist of sites that support HTTPS? Why can't you try to use HTTPS for every last site, and only fall back to HTTP if it isn't available?

A. There are several problems with the idea of trying to automatically detect HTTPS on every site. Firstly, there is no guarantee that sites are going to give the same response via HTTPS that they give via HTTP. As of 2010, LiveJournal is a good example of this problem: compare these HTTP and HTTPS responses. Secondly, we don't think it's possible to test for HTTPS in real time without introducing security vulnerabilities (What should the extension do if the HTTPS connection attempt fails? Falling back to insecure HTTP isn't safe).

Gray Logo & Sidebar: The problem with the grayed out sidebar is that it's almost as if the options are unavailable when they are that light. I think the layout of your search engine is just fine, and there is enough white space separating the sidebar and top search bar so as not to distract from the search results. Also, I think the font and color choice for the epicsearch logo looks great! It would be a shame to keep it hidden like that.

Fingerprinting: It's nice to know that you are looking so hard into it. I do agree that the EFF web site could be a little more clear as to what the numbers actually mean in the real world instead of just looking really scary with all of their big numbers. I wish I could make some suggestions, but all of my attempts at making myself less identifiable have resulted in an annoying user experience. It would be nice to have a subforum or stickied thread in order to have an in-depth discussion concerning this problem. I know that it has made me, along with many other users, feel that no matter what we do, they will always be able to know who we are almost instantly.

A few more suggestions: Have you considered allowing users to connect to a secure DNS server from inside the browser? I know that Comodo offers this option, but I prefer not to use their corporate-controlled services. I believe that some sort of implementation with OpenDNS and DNSCrypt would be extremely beneficial, allowing our DNS queries to be encrypted using elliptic-curve cryptography. Since these services are open-source, it might even be feasible to bundle DNSCrypt along with Epic Browser to allow a user to change the way DNS is handled for just the browser or alternatively the entire system with a little bit of tweaking.

With the likely possibility of RSA-1024 encryption keys through SSL being compromised by the NSA, do you plan on allowing us to view the encryption key type of our current SSL connection? As well as the ability to try and force a stronger encryption level, similar to what the Calomel SSL Validation extension in Firefox is able to do.

Related to the above, I noticed that your epicsearch.in domain is protected by what is considered a weak RC4 Symmetric Cipher, as well as a weak 128 bit Symmetric Key length. Might you consider upgrading to AES-256 and 256 bits respectively?

Thanks for taking your time with these discussions, I believe that honesty and transparency are the most important factors that informed consumers rely on when deciding who to trust with privacy and security software. You guys are off to a great start!
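The whitelist approach from the EFF FAQ quoted in the post above, as an added example that is neither Epic's nor the EFF's code. It applies rewrite rules only to hosts on a whitelist, honours per-ruleset exclusions, and never guesses; beside it is the probe-and-fall-back approach the FAQ argues against, with the network probe modelled as a callback so the downgrade an on-path attacker can force is visible offline. The rulesets, hosts and the `probe` callback are constructed for illustration; the target/exclusion/rule shape is loosely modelled on HTTPS Everywhere's rulesets but is not their format.

```javascript
// Added example, not Epic's or the EFF's code. Rulesets below are constructed.

const RULESETS = [
  {
    name: "Example.com",
    targets: ["example.com", "*.example.com"],
    // Paths that break over HTTPS stay on HTTP, as a real ruleset would note.
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Wikipedia",
    targets: ["*.wikipedia.org"],
    exclusions: [],
    rules: [{ from: /^http:\/\/([a-z]+)\.wikipedia\.org\//, to: "https://$1.wikipedia.org/" }],
  },
];

// "*.example.com" matches any subdomain but not the bare apex.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

function findRuleset(host) {
  return RULESETS.find(rs => rs.targets.some(p => hostMatches(p, host))) || null;
}

// Whitelist upgrade: returns the rewritten URL, or the input unchanged when no
// ruleset applies. There is no speculative HTTPS attempt, so there is no
// failure path that an attacker can steer back to plaintext.
function upgradeUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return urlString; }
  if (url.protocol !== "http:") return urlString;
  const rs = findRuleset(url.hostname);
  if (!rs) return urlString;
  if (rs.exclusions.some(re => re.test(urlString))) return urlString;
  for (const rule of rs.rules) {
    if (rule.from.test(urlString)) return urlString.replace(rule.from, rule.to);
  }
  return urlString;
}

// The approach the FAQ rejects: probe HTTPS and fall back to HTTP on failure.
// `probe(host)` stands in for a live connection attempt; an on-path attacker
// who blocks port 443 makes it return false and silently downgrades the user.
function naiveUpgrade(urlString, probe) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") return urlString;
  return probe(url.hostname) ? urlString.replace(/^http:/, "https:") : urlString;
}
```

Usage: `upgradeUrl("http://www.example.com/a")` yields the HTTPS URL, `upgradeUrl("http://unknown.test/")` leaves an unlisted host alone, and `naiveUpgrade("http://bank.test/login", () => false)` shows the downgrade: the caller cannot tell a blocked probe from a site that genuinely has no HTTPS.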

Re: Epic Review & Suggestions

Alok, you rock! I really like Epic, and have made it my default browser, with global proxy enabled.

FWIW, here's a list of 5 privacy extensions from a Chromium-based browser for your consideration:

Disconnect    5.7.1    \jeoacafpbcihiomhlakheieifhpjdfeo\5.7.1_0

G Disconnect    1.6.6    \kglfocodeikakacbeoajjhnplhlaoook\1.6.6_0

Referer Control    0.47    \hnkcfpcejkafcihlgbojoidoihckciin\0.47_0

Tab Cookies    1.0.5    \iahecghojagkcoehfhfknajofkokndjm\1.0.5_0

Window Name Eraser    2    \gabihlffdejcbdmbceagmnnnlopcfmob\2_0

Hope this helps!

Re: Epic Review & Suggestions

@twelph, @jsheehan - thanks as always for super thoughts & for your support!!  here are some of our thoughts below. 

HTTPS - sorry I was unclear, we're based on https everywhere and use a whitelist we've modified a bit (removed sites that didn't work, added a few - we need to send them our changes actually). 

EpicSearch HTTPS - it actually uses PFS, so it's quite strong even if the bit-length seems lower (let me know & I can explain more).

Gray Color design - thanks for more thoughts, makes sense, getting them to our designer.   

Fingerprinting - you're right, we need a big thread just on this

Secure DNS - nice thought, interesting... we'd love to incorporate private DNS services in time. Right now we're not sure about how private Comodo or OpenDNS are.

In regards to Extension Suggestions - thanks & some thoughts: 

Disconnect - we like what they do but we already have tracker/ad blocking built into Epic.  Also I believe they use web services.

Referer Control - we actually will be improving our referer blocking list in the next few weeks. Right now we block it at search engines, as we know firms are capturing your searches. Would you like to control this more yourself?

Tab Cookies - interesting.  we had thought of something like this especially for google...BUT at the end of the day we found users like staying logged in for the session & when you close Epic all cookies/data is gone.

Window Name Eraser - Interesting, great find.  It was a few months ago we discussed this - I forget right now what we had decided on this, what kind of a threat it was and what we did, will get back to you on this.   

Please let us know what you think!!!
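The exchange above about epicsearch.in's cipher (a weak 128-bit RC4 suite versus "it's PFS so quite strong") mixes two independent properties, so here is an added example, not Epic's code, that pulls them apart: a classifier for OpenSSL-style cipher suite names that reports the key-exchange mode (forward secrecy or not) separately from the symmetric cipher and its key length. The suite names used below are real OpenSSL names; the grading policy (what counts as "broken", "no-pfs" or "ok") is this example's own and is stated in the code. Two points it makes concrete: PFS does not rescue RC4, whose keystream biases are a cipher-level problem, and AES-256 with static RSA key exchange still lets anyone who later obtains the server's RSA private key decrypt recorded sessions. The RSA-1024 concern raised earlier in the thread is about the certificate's key, which is not visible in the suite name at all.

```javascript
// Added example, not Epic's code: classify an OpenSSL-style cipher suite name.
// Grading policy is this example's own assumption, not a standard.

const ORDER = { ok: 0, "no-pfs": 1, broken: 2 };

function assessSuite(name) {
  const tokens = name.toUpperCase().split("-");
  const kx = tokens[0];
  const pfs = kx === "ECDHE" || kx === "DHE";            // ephemeral (EC)DH
  // OpenSSL omits the key exchange when it is static RSA (e.g. "AES256-SHA").
  const keyExchange = pfs || kx === "ECDH" || kx === "DH" ? kx : "RSA";

  let cipher = "unknown";
  let keyBits = 0;
  const warnings = [];

  for (const tok of tokens) {
    const aes = /^AES(\d+)$/.exec(tok);
    if (aes) { cipher = "AES"; keyBits = Number(aes[1]); }
    else if (tok === "RC4") { cipher = "RC4"; keyBits = 128; }
    else if (tok === "DES" && tokens.includes("CBC3")) { cipher = "3DES"; keyBits = 112; }
    else if (tok === "DES") { cipher = "DES"; keyBits = 56; }
  }
  if (tokens.includes("EXP")) { keyBits = 40; warnings.push("broken: export-grade key length"); }

  if (cipher === "RC4") warnings.push("broken: RC4 keystream biases leak plaintext regardless of key length");
  if (cipher === "DES") warnings.push("broken: 56-bit DES is brute-forceable");
  if (tokens.includes("MD5")) warnings.push("broken: MD5-based MAC");
  if (cipher === "3DES") warnings.push("legacy: 3DES gives ~112-bit security with a 64-bit block");
  if (!pfs) warnings.push("no PFS: a later compromise of the server's RSA key decrypts recorded sessions");

  const grade = warnings.some(w => w.startsWith("broken")) ? "broken" : pfs ? "ok" : "no-pfs";
  return { keyExchange, pfs, cipher, keyBits, warnings, grade };
}

// Rank by grade first and key length second, so that a 128-bit PFS suite
// beats both a 256-bit static-RSA suite and a 128-bit PFS RC4 suite.
function pickStrongest(names) {
  return [...names].sort((x, y) => {
    const ax = assessSuite(x), ay = assessSuite(y);
    return ORDER[ax.grade] - ORDER[ay.grade] || ay.keyBits - ax.keyBits;
  })[0];
}
```

Usage: `assessSuite("ECDHE-RSA-RC4-SHA")` reports `pfs: true` but `grade: "broken"`, `assessSuite("AES256-SHA")` reports 256 key bits but `grade: "no-pfs"`, and `pickStrongest` over those two plus `ECDHE-RSA-AES128-GCM-SHA256` returns the latter. To see which suite a live server negotiated, `openssl s_client -connect host:443` prints the suite name in the same format.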

Re: Epic Review & Suggestions

You guys are really responsive - thanks!

On Referer Control - if you'll be improving your blocking list soon, that would be enough for me. It would save people a lot of time messing with settings and so forth.

When signing in to Gmail, I notice there are a couple of ads on the login page that Epic doesn't block. There's an app for that:

Webmail Ad Blocker    3.2.1 cbhfdchmklhpcngcgjmpdbjakdggkkjp\3.2.1_0

This removes the ads and sponsored links and squeezes out the empty space left behind by other ad blockers to give you more room to write your message :)

Re: Epic Review & Suggestions

jsheehan wrote:

You guys are really responsive - thanks!

On Referer Control - if you'll be improving your blocking list soon, that would be enough for me. It would save people a lot of time messing with settings and so forth.

When signing in to Gmail, I notice there are a couple of ads on the login page that Epic doesn't block. There's an app for that:

Webmail Ad Blocker    3.2.1 cbhfdchmklhpcngcgjmpdbjakdggkkjp\3.2.1_0

This removes the ads and sponsored links and squeezes out the empty space left behind by other ad blockers to give you more room to write your message :)

There are several add-ons that will work. Adblock Edge is one that I use.

"Red Warrior needs food badly!"

Re: Epic Review & Suggestions

@Zatris -

Yes, "there are several add-ons that will work. Adblock Edge is one that I use."

But those are Firefox extensions, and Epic is now a Chromium-based browser, with its own adblocking mechanism which works quite well, even with Gmail, except for the sign in page with a couple of ads. Webmail Ad Blocker is a chrome extension which takes care of that.

Re: Epic Review & Suggestions

Thanks for clearing up the difference. I don't see the problem you described (with 4 browsers side-by-side) in my EPB.

"Red Warrior needs food badly!"

Re: Epic Review & Suggestions

Thanks for the thoughts & recommendations as always & the friendly discussion.

Referer List Expanded -- yes coming soon!

Gmail ads -- are the ads you mean for android & ios apps / ads for gmail-related stuff from google on the login page ?  or were they ads on gmail pages?  did the new update happen to review them?  thanks for the addon recommendation - will check it out too.

Re: Epic Review & Suggestions

I don't see the ads on the Google Search page or any other Google page, just on the first Gmail page where you enter your Username and password. I can't seem to get a screenshot, but here's a text-only copy of what I see with EPB:
__________________________________________________________________________________________________

Google New to Gmail? CREATE AN ACCOUNT
Sign in

Username

Password

   Stay signed in
Can't access your account?
Gmail
Experience the ease and simplicity of Gmail, everywhere you go.
   
About Gmail - email from Google
Video chat with a friend, or give someone a ring all from your inbox. See more reasons to switch or check out our newest features.

Bring Gmail to work with Google Apps
Get the Gmail you love with custom email, calendar, video meetings & more for your business. Learn more

© 2013 Google Gmail for Work Terms & Privacy Help   
________________________________________________________________________________________________

Webmail Ad Blocker blocks 3 images shown on EPB, and much of the above text.

On the other hand, the images take time to load, so if you click quickly on Sign in (as I've been doing with EPB) you won't see them at all....

Re: Epic Review & Suggestions

A feature request for Epicsearch: Please allow us to use search operators in the search engine. Most importantly, quotes and dashes to group and exclude words. Using Epic as my default browser now, keep up the hard work!

Re: Epic Review & Suggestions

Thanks!!  Great suggestions regarding more search functionality - if you have a list of functions you'd like, please let us know.

Re: Epic Review & Suggestions

I would highly recommend an option in settings that says something along the lines of "I am currently connected to a VPN" that when enabled, disables the proxy feature altogether. It is extremely frustrating when I need to use Google search and am required to enter in a captcha code to verify that I am not a robot. I find myself having to keep Firefox open at all times just in case Epicsearch can not handle my query, and I don't feel like having to prove that I'm not a robot.

Re: Epic Review & Suggestions

Good thought - we have hard-wired the proxy for Google for safety purposes, but some option out is useful.

We'd like to also avoid so many captchas from Google...we're working on that.

Re: Epic Review & Suggestions

https://productforums.google.com/forum/ … PYNXRA1ahk

I have posted the requests to the Google Chrome forum and they disagreed.
I believe making another version and removing those features from that version is an easy job.