Epic for iOS and Android are live in the App Store and the Android Play Store. We're EpicBrowser on Twitter and on Facebook. Please feel free to also email our Founder directly with issues or questions: alok at hiddenreflex dot com

#1 2017-03-21 07:55:11


Transparent policies needed; VPN internal/external vulnerabilities.

Transparency needed regarding the free, unlimited, and with no subscription built-in VPN service related both eventual internal and external vulnerabilities.

Hi. Regarding the VPN service, the discrete lack of transparency rise some legitimate concerns not only regarding internal vulnerabilities, technical related, (, but also regarding external vulnerabilities, juridical related.

By offering such a service aimed to enhance privacy and even for free of charge, it rises concerns essentially regarding the privacy, about leakages which indeed do occur behind VPN services (paid or not). Would it be fair enough to require from the Hidden Reflex Company Epic Privacy Browser, which acts also as the VPN service provider, to inform and document transparently once for all, in a clear form its on-line documentation regarding the present lacks?

Currently a growing range of techniques like fingerprinting detection attempts, through Canvas elements, like Canvas font access, audio (via the AudioContext API), WebGL (via the WebGL API), battery (via the Battery API), device enumeration (via the WebRTC API), Gamepad enumeration (via the Gamepad API), WebVR enumeration (via the WebVR API), through calculating Client’s element rectangles, or through clipboard interference, decrease instantaneously the very effectiveness of VPN services.

However for now, protection against those attempts unfortunately requires in web browser a third-party add-on, that may not be worth of trust. The fact that only one add-on of that nature is currently present for download in the add-on collection available, may not be a surprise for the few who were aware of the challenging situation in protecting even using VPN. At least the following internal vulnerabilities related questions seemed pertinent for the present matter.

Does Epic Privacy Browser indeed use for tunneling and data encapsulation the PPTP protocol, which is fundamentally insecure due to using short length encryption keys and password hashes that can be cracked by a skilled individual or the L2TP/IPSec protocol, which has already been tampered successfully by the NSA. In case Epic Privacy Browser uses a more secure protocol, may the traffic remain vulnerable because of the use of insecure ciphers?

Does the VPN service require use of Perfect Forward Secrecy ciphers, so VPN network traffic can not be saved, and subsequently decrypted later if the encryption keys or algorithms have been compromised.

At last, while VPN services usually do protect web traffic, many do not or loosely protect DNS lookups, meaning that user’s browsing history can still be reconstructed from DNS lookups. How does Epic Privacy Browser protect DNS lookups from DNS leakage if it even does?


#2 2017-03-27 23:53:54


Re: Transparent policies needed; VPN internal/external vulnerabilities.

Hi, great post -- we've always been very transparent about what Epic does and doesn't do.

Our encrypted proxy is not a VPN runs over HTTPs and does have PFS.  Btw, PPTP is crack-able, correct.  L2TP / IPSec is highly secure though. 

If Epic's proxy is on, you're safe from DNS leaks...DNS lookups happen on our server in that case.

In terms of fingerprinting, Epic blocks commonly used scripts and techniques such as image canvas data.  In a new update we hope to block some of the newer techniques you've mentioned particularly Audio Context fingerprinting which is important.  Epic does not block all of those techniques though.  The TOR browser does a much more comprehensive job of blocking fingerprinting -- the most important piece of that being blocking plugins (you can do this in Epic as well for maximum privacy or set them to click to play).


Board footer