
#1 2014-09-14 08:46:28

zinneken
Guest

new Epic Browser user privacy and security concerns

I don't like all the UDP ports Epic requires to open for its asynchronous DNS to work. I want to disable that feature so that only the DNS from my OS are used. I consider it a security issue for all those UDP ports to be open, and also a privacy issue for the asynchronous DNS to query DNS servers I have no knowledge or control of.

So, how does one disable asynchronous DNS in Epic Browser?

I also would like to know why Epic requests access to very weird hostnames, like:
*.keiabmukvf
*.ouimcmhhab
*.aiskcxpyjr

And what does Epic need to send to or retrieve from *.clients2.google.com ?

Thanks!

Offline

#2 2014-09-15 10:35:56

zinneken
Guest

Re: new Epic Browser user privacy and security concerns

I spent some time trying out more of this browser. Here is what I found:

The FAQ says:
How does Epic protect my privacy?
Epic does several things to protect your privacy. Epic by default removes all Google services from Chromium so that your browsing does not go through Google’s servers.

Yet Epic connects to client2 from google * even before accessing any web site, and by standard, Epic wants to connect to Google IPv6 DNS as soon as it opens. Why not allow people to choose to use their preferred DNS or OS DNS? Why does Epic need to connect to Google?

I contacted Epic about DNS, because when I refuse the Google DNS, sometimes Epic behaves as if it goes for asynchronous DNS, trying a plethora of UDP ports. They say by default asynchronous DNS is off; in my experience it is not always off, but I haven’t been able to reproduce reliably when it switches itself on without asking you. I say asynchronous DNS is sometimes on as I sometimes see in my firewall a plethora of UDP ports popping up from Epic, and my guess is it is only asynchronous DNS that would do such a variety of UDP port opening in Epic?

Also, the Epic store/extensions will not function properly, in fact won’t open most of the time, when refusing connections to … google.

Looks like Chrome and thus Google home phoning is still very much in Epic’s DNA.


In the forums there is a post requesting the addition of other search engines, posted in October 2013. The Epic admin says they’re working on a bug fix “in the next 2 weeks”, yet almost a year later, startpage, ixquick and duckduckgo are not yet allowed. Kind of long to get a bug fixed that unlocks a feature people request ...

Why does Epic only allow for its own search? I think it is fair to say Epic wants to know your searches and therefore disallows other search engines?


I immediately disabled the Epic proxy. I have my own VPN and in terms of privacy, who says Epic does not silently collect data through its proxy? I mean, their FAQ says no Google, but there is plenty of Google. So when they say there is no data collection, who says there is none? They need to be making money somehow…

Even with the proxy off, the Epic browser likes to “phone home” to * epicbrowser * for no apparent reason, sometimes even before accessing any web site. I think there is no reason for Epic to do that unless it collects something?


Not accepting chrome extensions is a not so bad thing, kind of protecting people against themselves when it comes to privacy of extensions. But this seems not so exclusive given the epic store has some extensions. You can only get extensions from the epic store and not download them directly from their developer web site.

While adblockplus is great and integrated as standard, I would wish to add ghostery and h*t*t*p*severywhere. Why are they not in the extensions store of Epic, and why would I not be able to install them directly from their respective developer web sites?


My conclusion: Epic Browser is a novel initiative to help people in browsing the net a little more privately than just completely open. Its developer took the time to respond to email and reply about some of the above issues (I didn’t raise all of them by email). Epic is however not as transparent and honest (FAQ and claims vs reality seen on network) as I would wish.

Sadly I won’t be using it as long as these issues are not resolved:
- choice of search engine
- choice of DNS, or at least respect OS DNS and never have asynchronous DNS
- no phoning to epicbrowser or forcing its domain for certain services
- no phoning to google or forcing its domain for certain services
- adding possibility for ghostery/h*t*t*p*severywhere, without needing to go through any store.

Until then, firefox and derivatives allow for these functions which involve privacy, so that’s where my browsing will be.

P.S. Since the forum doesn't allow for more than one link in a post and the network connections mentioned are seen as links, I used * in some cases so they wouldn't look like links.

Offline

#3 2014-09-15 13:52:31

sai
Guest

Re: new Epic Browser user privacy and security concerns

Hi Zinneken,

Thank you for such a detailed analysis. We do not make calls to Google or any service; here is the first topic (http://forum.epicbrowser.com/viewtopic.php?id=20), after which we have blocked several Google URLs. That one URL possibly would not have been figured out. But thanks for those weird URLs as well. We will block them soon.

The possibility of UDP usage is because of the QUIC protocol being integrated into Chromium, but by default it is disabled. In this case, probably go to chrome://net-internals/#quic and see if it is enabled, or go to chrome://flags and set the default values to disabled and see how it works; thereby you can have the choice of OS DNS. If this does not work, please report again, and we will work on fixing this.

Also FYI, we do not log any calls on our proxy servers. 

Also, the Epic store was only opened because of users' requests, so that we check these extensions' privacy and then allow them on our store (http://forum.epicbrowser.com/viewtopic.php?id=33).

Offline

#4 2014-09-15 14:17:05

sai
Guest

Re: new Epic Browser user privacy and security concerns

Here is the list of URLs that we have blocked:
clients3.google.com
www.gstatic.com
tools.google.com
tools.l.google.com
chrome.google.com
js.revsci.net
pixel.quantserve.com
sb.scorecardresearch.com
odb.outbrain.com
icompass.insightexpressai.com
ssl.gstatic.com

Also, HTTPS Everywhere is already integrated into Epic.
Please do report if you come across any other URLs like this again.

Offline
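
Added example, not part of any post in this thread and not Epic's code: a Python check that compares hostnames seen in a firewall or DNS log against the blocklist posted in #4, matching on whole labels so subdomains are covered. The function names, the ten-letter pattern (taken from the shape of the three names in post #1) and the `dl.tools.google.com` sample are assumptions of this example.

```python
import re

# Blocklist exactly as posted in reply #4 of this thread.
BLOCKED = {
    "clients3.google.com", "www.gstatic.com", "tools.google.com",
    "tools.l.google.com", "chrome.google.com", "js.revsci.net",
    "pixel.quantserve.com", "sb.scorecardresearch.com", "odb.outbrain.com",
    "icompass.insightexpressai.com", "ssl.gstatic.com",
}

# Single label of ten lowercase letters, the shape of the names in post #1.
# The fixed length is an assumption drawn from those three samples.
RANDOM_LABEL = re.compile(r"^[a-z]{10}$")


def normalize(host):
    """Lower-case, trim whitespace and trailing dot, drop a leading '*.'."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def is_blocked(host, blocklist=BLOCKED):
    """True if host equals a blocklist entry or is a subdomain of one.

    Suffixes are compared label by label, so 'evilchrome.google.com' does
    not match 'chrome.google.com' while 'a.chrome.google.com' does.
    """
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify(host):
    """Return 'blocked', 'random-single-label' or 'unlisted' for a hostname."""
    name = normalize(host)
    if is_blocked(name):
        return "blocked"
    if RANDOM_LABEL.match(name):
        return "random-single-label"
    return "unlisted"


def audit(observed):
    """Map each observed hostname to its class, preserving input order."""
    return {host: classify(host) for host in observed}


if __name__ == "__main__":
    # Constructed sample: names from posts #1 and #4 plus one made-up subdomain.
    sample = ["*.keiabmukvf", "*.clients2.google.com", "ssl.gstatic.com",
              "dl.tools.google.com", "clients3.google.com."]
    for host, verdict in audit(sample).items():
        print(f"{host:28} {verdict}")
```

Run against the names in this thread, the host reported in post #1 under `clients2.google.com` comes back as `unlisted`, because the list in #4 contains `clients3.google.com` but no `clients2` entry.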

#5 2014-09-16 15:28:28

sathi
Administrator

Re: new Epic Browser user privacy and security concerns

Hi Zinneken,

The weird URLs which you have mentioned are calls to network bios. Mostly these are requests to device drives and printers.

Please check into http://www.techrepublic.com/article/how … lly-works/

http://www.chromium.org/developers/desi … refetching

You can traceroute these URLs. These URLs are not reachable from the outside world.

We released an update to block client2.google.com.

Please do report to us if you have any issues with Epic.

Offline

#6 2014-09-17 07:43:34

gimpy
Guest

Re: new Epic Browser user privacy and security concerns

You can use different search engines with Epic, use the startpage boxes and type the url of the search engines in them. I use duckduck and ixquick sometimes but I like Epicsearch.

Last edited by gimpy (2014-09-17 10:58:59)

Offline

#7 2018-10-01 09:03:49

yolager
Guest

Re: new Epic Browser user privacy and security concerns

Thank you

Offline
