In fact, it should have the ability, like Firefox + NoScript, to block all scripts on a customized, as-needed basis.
A JavaScript exploit was used on websites to discover the IP addresses of users at the other end of the Tor network, so technically it can also be used on malicious or grey sites while using the proxy (which, I must warn, is not an excuse for illegal behaviour, as the NJ-based Epic proxy could be nailed or monitored for their records).
JavaScript is used to "sniff" browser plug-ins etc. for vulnerabilities by the Blackhole Exploit Kit.
I like the idea behind the Epic Browser, but I don't like Chrome (nor trust Google), nor how the onus is all on the browser programmers' ability to keep Flash and JavaScript secure.
I'd rather have the easy on/off option of not running scripts until I trust the site; less surface area of attack potential.
Browser-wise, despite the huge funds thrown at Chrome and WebKit, it still hasn't been all that reliably secure either.
Users being able to tailor active scripts according to their needs and recent security issues is a better option in browsers than Chrome's "we will take care of it all" measures.
Chrome from Google is a protection racket; what happens if they put in a backdoor? Why not use open-source Firefox instead?
I also think the NSA/PRISM-blocking angle should be dropped; they have access to everything, including what's going in and out of the ISPs, so there is no hiding from them.
Well, at least it's going to assist against marketeers and profilers.
Last edited by NobodysBusiness (2013-09-15 17:52:30)
Great points & post - thanks!
Turn off JavaScript. In Epic's settings page, under Privacy, you can turn off JavaScript and add exceptions. Not quite NoScript... but you can turn off JS. Totally understand your decision to turn scripts on/off on a site-by-site basis; let us know if you'd like something more functional like NoScript integrated into Epic and we can consider it.
NSA/PRISM. We can't give up on privacy; privacy, we feel, is essential to freedom. You're right, though, that day by day it's looking more and more difficult as news of backdoors and such emerges. We feel that using open-source, proven crypto is critical to at least making decryption and surveillance quite difficult; we would like to see more sites use PFS HTTPS connections the way epicsearch does. It's a very good idea to use a VPN you trust; our partner Spotflux, though with US-based servers, offers a free VPN, for example.
Chromium is open source. We used to use Mozilla but didn't get any support from them and, like many, weren't happy with its development in the past few years. Chromium's security, with each tab as a process, is to our knowledge quite good; I don't believe it's been hacked in a serious way except via plugins, but correct me if I'm wrong. In terms of backdoors, we don't think that Mozilla is any more or less vulnerable than Chromium. Google makes tens of billions of dollars a year from advertising; they want to track you to make more ad money (and know everything about you and control your life (!!)). Mozilla gets ~$400 million per year from Google for Firefox search and at least was under IRS investigation in the US; it's no small sum either, and they also would be subject to government influence as a US-based company and non-profit. It's important we all keep close eyes on both Mozilla and Chromium and make sure the code is what it is supposed to be.
Turn off JavaScript. In Epic's settings page, under Privacy, you can turn off JavaScript and add exceptions. Not quite NoScript... but you can turn off JS. Totally understand your decision to turn scripts on/off on a site-by-site basis; let us know if you'd like something more functional like NoScript integrated into Epic and we can consider it.
Most definitely!
I found Epic's controls for JavaScript and plugins where you said, but they are deeply buried and all 8 are turned ON by default. Not good as a default setting, because it assumes that all 8 are secure, whereas one has to assume there are new, unknown vulnerabilities, and you have your users surfing the net with 8 extra potential avenues of attack instead of just one, the browser itself (which can't be helped, obviously, but the others can be).
Understandably the updating of the Epic plugin should be on by default (so that leaves 7 to lock down, plus JavaScript), and it should check the status of the other plugins despite them being off and also update them or advise accordingly.
The default setting for the remaining 7 plugins + JavaScript should be "Click to Play", and JavaScript currently has no option to be Click to Play. Sure, there is a way to turn JavaScript off and add exceptions, but the fact is that method is a hassle, heading deep into preferences to add the exceptions. Surfing is random; one needs to have their guard up all the time (no scripts) and then, once they trust the site, only allow it to run scripts as needed (example: a master Click to Play button on the toolbar), possibly an "add this site as an exception?" prompt or another method to easily whitelist it. But of course sites can be compromised at any time.
With NoScript, all scripts are OFF as one surfs the web, and if the user has a need to enable scripts, then clicking the Temporary Allow All button allows the scripts that are enabled in the browser preferences to run. And if there is Click to Play, it only allows the plugins one wants to run on the page to run, not all the hidden stuff.
It's not perfect, of course; if the user whitelists the site or gives consent, then all bets are off, but it's a lot better than surfing all sites with one's balls hanging out to be smacked.
Firefox, of course, has been updated with better Click to Play (the "Activate all plug-ins" window) to mitigate Flash sites.
Now I understand that making JavaScript and other plug-ins Click to Play by default is going to break a lot of websites, but the reason people use this browser is for privacy, which also entails security, so some sacrifice of convenience is in order; however, the hassle factor can be mitigated if done cleverly.
Perhaps a "Reload with Scripts on" button on the toolbar?
I've been running NoScript for years; I can count two instances that I know of where it protected me, where compromised plugins (Java and Flash) got others nailed. JavaScript being blocked by default also stops those tricky windows that look like one needs to do something and it's a trojan install.
SO YES, you can most certainly do users and the web in general a great help in this area, especially now that it's known that JavaScript can be used to get a user's IP around the proxy and god knows what else.
...would like to see more sites use PFS https connections the way epicsearch does
Agreed, just read up on elliptic curve, ephemeral Diffie-Hellman, signed by an RSA key
("Perfect Forward Secrecy can block the NSA from secure web pages" - Computerworld)
Hello all,
I would like to second this request. A simple way to temporarily or permanently add an exception to JavaScript blocking would be wonderful. If it can become as complex as NoScript, even better; but a simpler implementation would already be very good!
Keep up the good work !
I agree too.
NoScript is really the best add-on to have. After that, probably HTTPS Everywhere.
I'd like to add that part of the functionality of NoScript means we don't have to "go into settings" and change, add or subtract whatever it takes for each page to work and view or not view as we want; going into settings every time we visit a new page or an old one, when the default JS is off, can become a hassle.
Last edited by Zatris (2013-09-17 11:46:31)
"Red Warrior needs food badly!"
PFS -- ahh, thanks for reading our comments and reading the research!! We hope many more sites implement PFS. For example, Facebook's key is so weak (and just one key, unlike in PFS) that it's very likely already broken by the NSA, and all past data anyone's ever sent to FB is probably stored by them and decrypted. And any-length key in practical use today will likely get broken soon because of quantum computers and such, so PFS is really important.
HTTPS Everywhere -- yes, it's incorporated into Epic; we have modified their list a bit for sites not working (need to send them our changes), but that support is there.
NoScript functionality -- great thoughts, and very, very true that for ultimate security and privacy it's a great tool. Also, you've all exactly guessed why we allowed Flash and JS: without them, or even at click-to-play, most users get confused and the internet gets broken. Apple is so big they can say they don't support Flash on iOS and the whole web accommodates them, but unfortunately Flash is still essential for the desktop (hopefully HTML5 will keep growing!). If you would like this, please let us know... we're definitely exploring supporting this!
Of course Epic needs something like NoScript AND RequestPolicy (https://www.requestpolicy.com/).
Do you really think that a browser for everyday use can do without any JS?
Even worse is that switching off JS forces users to allow all JS on a page.
The answer has already been given as a built-in feature of Chromium:
chrome://settings/content
Disable JS globally, allow exceptions otherwise. No extension needed. As a matter of fact, I have all settings on that page disabled.
And the settings are not buried deep at all. On the contrary, if you need to re-enable settings per site, click the small icon to the left of the URL in the omnibox and enable them there.
Rockman -- great points, I should have made them before.
Yes, the built-in JS-control support in Chromium / Epic's settings is quite robust -- disabling JS for all sites is simple via Settings / Advanced options / Privacy / Content settings.
You're exactly right about clicking on the little icon to the left of the URL in the address bar to enable JS again for any website.
We'd like to see the ability to import/export whitelists/blacklists, but for blocking JS with only a few exceptions, adjusting the settings works great for now!
1: Epic is not secure enough out of the box for newbies. Therefore I recommend the following:
A: Do not hide the advanced settings behind a link; it's slightly deceptive, like you're trying to hide things.
B: The most vital privacy settings are hidden yet again behind another link. Better to put all the options on one page.
C: Default settings for Privacy> Content Settings should be:
a: Keep local data only until I quit my browser (not 'Allow local data to be set')
A privacy browser is exactly that: nothing should remain when it's closed, and data should be saved only if a user chooses to change that setting, with the warning that they are undermining the privacy feature. In fact the Epic files should be encrypted to defeat SSD wear levelling.
Perhaps have a window appear before closing to ask whether to clear all user data (default Yes), with the option to turn it off (re-enable in settings). The whole object is to generate trust that Epic is indeed interested in maintaining a user's privacy. The word-of-mouth advertising will certainly follow, like it does for CCleaner.
The object is not to defeat the NSA here, just to make sure Grandma doesn't see Junior's wild bondage fetishes, or a PC tech later blackmailing the guy whose computer he just fixed.
b: Block third-party cookies and site data (check on)
c: JavaScript off by default (with an always-on option) and a "Trust this site to run scripts" button on the toolbar.
Why? Because JavaScript is seriously malicious shit. It's too much capability. It can track the mouse pointer, create fake popup windows, sniff the history, lock the damn browser up tighter than shit. Epic IS susceptible to the FBI MoneyPak browser lock. Seriously guys, why can JavaScript be allowed to lock up your browser like that?
With JavaScript turned off by default as a user surfs, their machine is more private and secure. Then, if the user wishes, they can whitelist certain sites and the ones in their bookmarks.
d: Plugins should be Click to Play by default.
Flash's security is out of your control, as perhaps is that of a lot of other plug-ins as well. Plugins should NOT be on all the time, only when necessary; being on all the time is how machines get pwned. If one comes to a Flash site and they trust it, that's what the "Trust this site to run scripts" button on the toolbar is for. Give the control to the user; don't automatically assume plugins are secure, which it has been proven repeatedly that they are not.
e: Pop-ups off by default (you got that one right!). But why don't you have pop-unders licked yet? The "Trust this site to run scripts" button would work to reduce them because of JavaScript being off most of the time.
Epic users are focused on privacy, therefore they should not be used as lab rats for unproven technology like JavaScript and other plugins.
f: Track physical location (ask) seems right enough.
But somewhere you should warn/instruct users, if they give a site permission for their location, how frigging accurate it is and how it's acquired via Google's Street View vehicles mapping people's WiFi locations etc. to within a few feet. If they don't want their WiFi being used, advise them to add "_nomap" to the end of their SSID.
Again, develop trust that you're in the users' camp.
2: Squid proxy server
You're using Squid as a proxy server.
Squid can use SquidGuard, so it would certainly be much appreciated to enable the CP blacklist from Squidblacklist.org. It's only $5 USD a month.
Word can get around that your browser is safer for legal adult content without getting ambushed.
In the Settings, an option to block all adult sites based upon the full blacklist should also be available, with a password lock. Perhaps other blacklists as required (i.e. military, hack sites, warez etc.).
3: Also, being able to lock the browser from downloads with the password would be nice.
In fact, being able to lock the Settings with a password, combined with the above, would make for an ideal children's/kiosk-type browser.
4: Bad eyesight:
You've got web page zoom, which is great, but the browser UI type size and button sizes are not scalable. It's likely a tall order, but being able to scale those up would make it ideal for older users and those with eyesight issues.
Epic is certainly a nice privacy browser; there are a few more adjustments that can make it worthwhile for daily use.
Thanks for providing it and hope to see some more paranoid level improvements soon!
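The defaults requested in the post above (JS off with per-site exceptions, plugins click-to-play, session-only local data, third-party cookies blocked, pop-ups blocked, location on ask), and the global-off-plus-exceptions approach Rockman describes for chrome://settings/content, can be expressed as one Chromium managed-policy file. This is an added example, not from the thread or from Epic; it assumes the browser reads Chromium's policy JSON from a directory you pass in (stock Chromium on Linux uses /etc/chromium/policies/managed) and that the build still carries the plugin click-to-play policy; the whitelisted site patterns are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Epic's code): write a Chromium managed-policy file that
# applies the hardened content-setting defaults discussed in the thread.
# $1 is the policy directory; for stock Chromium on Linux that is
# /etc/chromium/policies/managed (needs root). Assumed, not taken from the thread.
write_hardened_policy() {
    dir="$1"
    mkdir -p "$dir"
    # Policy values (Chromium policy list):
    #   DefaultJavaScriptSetting   1 = allow, 2 = block (global default)
    #   JavaScriptAllowedForUrls   per-site exceptions; "[*.]host" matches subdomains
    #   DefaultPluginsSetting      1 = allow, 2 = block, 3 = click to play
    #   DefaultCookiesSetting      1 = allow, 2 = block, 4 = keep for session only
    #   BlockThirdPartyCookies     true = block third-party cookies and site data
    #   DefaultPopupsSetting       1 = allow, 2 = block
    #   DefaultGeolocationSetting  1 = allow, 2 = block, 3 = ask
    # The two URL patterns below are constructed placeholders.
    cat > "$dir/hardened_defaults.json" <<'EOF'
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "[*.]example.com",
    "https://trusted.example.org"
  ],
  "DefaultPluginsSetting": 3,
  "DefaultCookiesSetting": 4,
  "BlockThirdPartyCookies": true,
  "DefaultPopupsSetting": 2,
  "DefaultGeolocationSetting": 3
}
EOF
    printf '%s\n' "$dir/hardened_defaults.json"
}

# Read back one integer/boolean policy value from a written file, so the
# deployment can be checked before the browser is restarted.
policy_value() {
    sed -n "s/^ *\"$2\": *\([^,]*\),*\$/\1/p" "$1"
}

if [ -n "${1:-}" ]; then
    f=$(write_hardened_policy "$1")
    echo "wrote $f (JavaScript default = $(policy_value "$f" DefaultJavaScriptSetting))"
fi
```

Managed policies override the matching entries under the browser's content settings page, and Chromium shows them as locked there, which is one way to keep a hardened default from being undone by a stray click.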
BananaRepublic -- wow, great thoughts!!!
First key thought I'd have to share (unfortunately) is that we've already tested the browser you propose!! A browser with a more hard-core approach, with JS/Flash click-to-play... when we tested that browser, unfortunately no one used it very much and people got confused as to why so many websites weren't working. At this point on the desktop, the internet really gets "broken" without JS and Flash. Though you're right, it's much more secure/private when both are turned off.
We shouldn't hide advanced options and should make it easy to toggle some of the key privacy settings -- as of now we've defaulted to the Chromium layout/organization... but good thought to re-arrange some of that.
Local data gets deleted on-close but we should still change that setting -- great catch.
Thanks for the Squid blacklist recommendation -- interesting. We do need to set up a service to stop malicious websites, so that could be quite helpful, thanks! (Right now we aren't using other services as they generally involve sending all your browsing through their servers.)
Interesting recommendation too regarding a master password -- we will be supporting some password manager addons soon.
Unfortunately the UI buttons can't be scaled easily -- we actually have spent a fair amount of time trying to change the size of some of the UI buttons and such and weren't able to do it in a consistent way (grrr! nothing in Chromium is simple even though it seems like it should be...).
Thanks for your support & the great thoughts again -- do keep them coming!
I agree with the OP. I really liked my Firefox, ABP, NoScript, Ghostery combo before the switch. Using NoScript showed me a lot about JS usage on sites, and one of the features I really appreciated about it was how easy it was to selectively enable JS. Sometimes you're on a site that pulls JS from many sources, and you only trust one or two enough to enable them. This falls outside of the current use-case, which is basically an all-or-nothing gamble. If NoScript-like capability is added to Epic, I'd really appreciate the above feature.
The good ideas in this thread are still waiting to be implemented!
Whenever I do a new install or reset Epic, I have to go through all the preferences to get a workably "private" environment.
As to JavaScript, I do disable it globally, then selectively allow it for single pages/domains. Here, obviously, the problem remains that I cannot select within that allowed page which scripts to allow, and which not to allow. But this is a central point about privacy issues like tracking!
Note that Epic supports extensions, so there's a lot of flexibility now in terms of JS management, including tools built into Epic's Ad Blocker.