Reasons Not to Use Epic Privacy Browser

in #security • 5 years ago (edited)

Or: Local fool thinks he's good at using computers, attacks innocent browser

Keep in mind that this was written a few weeks ago, so certain things may not apply now—but these issues should be kept in mind.

I've seen some controversy around using Epic Privacy Browser in privacy advocacy circles, so I decided to take a bit of a look into it. I didn't really like what I found. Luckily, much of it can be fixed with one update, so hopefully much of this can be resolved.

I will do my best to be fair and generous to the developers and the program, but I won't take it especially easy on them.


Table of Contents

  1. Epic is Closed Source
  2. Some Analysis
    a. Starting with Windows
    b. Phoning Google on Start
    c. Their "Secure" "VPN"
    d. Fingerprinting
    (d) i. Epic is Outdated
    (d) ii. WOW64
    (d) iii. Reporting Screen Resolution
    (d) iv. Blocking Canvas
    (d) v. Conclusions for Fingerprinting
  3. More Developer Weirdness
    a. DuckDuckNo
    b. Not Releasing Source
  4. Conclusions
  5. Further Reading

Epic is Closed Source

The project is still closed source, despite them saying for years that they intend to provide full source code eventually.

That's not an exaggeration. They've been saying so since at least 2014.

Sorry again, there are a few issues preventing us from releasing all the source, but it's certainly all visible / audit-able. We hope to resolve those issues and release the code soon. Thanks for your support.

The team claims they'd send the files to developers and researchers that want to conduct an audit, but that ends up raising more questions than answers.

That aside, despite their feature list, being "auditable" doesn't really mean anything.

By all means, just about any stupid nerd can fire up Wireshark and analyze Chrome or uTorrent, or sift through their files using various debugging tools. Being "auditable" is just a feature of writing a program. It's not as though a developer has to go out of their way to make sure users can test their programs and pick apart what their programs do.

It's also curious that they still cite vague "issues" and "reasons" for their failure to release their code in full. Such vague answers aren't helpful to anyone that wants to contribute to or audit their program. Alok did tell me that it was due to licensing issues that they've been sorting out with other companies, but that's still hard to take as an answer when going open source has been on the table for half a decade.

Well, at least there's some kind of answer behind it. Moving on...

Some Analysis

Here are a few relatively basic observations about the browser as well as some analysis of its behavior.

This is nowhere near a complete audit, but should at least give readers a few ideas of the odd and bad behaviors that they can expect from the browser.

Installation and Starting with Windows

epic-startup.PNG

Well, that's not a pretty solution to whatever problem they're trying to fix.

What's certainly not pretty about it is that the updater does not quit when you uninstall the browser. You'll have to take this on faith unless you want to test it yourself, but a few days after I've uninstalled the browser, the updater is still running in the background:

epic-updater-in-background.PNG

It also doesn't help that you have no options to customize your installation. When you download the "installer" from their website, the "installer" downloads the actual installer from their website, and then it basically installs in the background. Not terribly different from Chrome.

Here is roughly where the downloader puts the actual installer:

epic-installer-location.PNG

Roughly: C:\Users\(user)\AppData\Local\Epic Privacy Browser\installer\(version)

The mini_installer.exe file will extract as a 7zip file. I used Universal Extractor to extract the program without any issue.

Here are the contents from the extracted mini_installer.exe:

epic-extracted-installer.PNG

This will then extract to:

epic-fully-extracted.PNG

Epic can be run in full from that exe file... So, why install to AppData at all? Why not just put it in a 7zip archive and throw it on the website as-is? Then at least it wouldn't be possible to check on the AppData directory to see if Epic is installed. (See paper in Further Reading.)

Phoning Google on Start

It still connects to Google services on startup, despite their big talk about protecting their users' privacy from corporations and the like.

From ipconfig /displaydns (before closing Epic Browser):

epic-connect-google.jpg

On the bright side, it does clear the DNS cache upon exit. However, that doesn't excuse this behavior.

A little more info from Wireshark:

epic-dns-on-start.PNG

This means, at the very least, Google is likely getting your IP when the browser first starts. It might also help Google tie more information to the user if they end up accessing any Google services, such as anything hosted on Google Hosted Libraries or Google APIs (both of which many websites use). And, since YouTube works in Epic, they're not blocking all traffic to all of Google's services.

I should clarify that this doesn't necessarily mean Google is "tracking" Epic users, but this shouldn't be overlooked.

Their "secure" "VPN"

Another issue is the fact that they're using regular web hosting services from the US for their proxy servers, which they inexplicably call a "VPN" on their front page:

epic-nj-proxy.PNG

Given the US's track record with privacy, and given that DigitalOcean is open for business in the US, it isn't likely that they'll keep your data very private if the government comes knocking.

From the EFF:

The United States currently has no mandatory data retention law. However, if providers of electronic communications [keep] records, the government may [get] the stored data under the Stored Communications Act (SCA), enacted as part of the Electronic Communications Privacy Act in 1986. The SCA also establishes mandatory data preservation, under which providers must preserve stored data for up to 180 days on government request.

Now, privacy from companies doesn't necessarily mean privacy from governments, but the browser can't even seem to handle companies very well.

DigitalOcean seems to take a strong position on user privacy, but that doesn't mean they won't hand over logs for legal investigations. Even putting them aside, Epic Browser's parent company, Hidden Reflex, would likely be forced to comply with legal investigations if a user used their search engine or their proxies in connection with a crime. That's just the law. Unfortunately, that makes it significantly harder to trust any US-based business.

Fingerprinting

Epic seems to handle fingerprinting scripts very well. Panopticlick gave it a good score and none of the fingerprinting pages I viewed were able to tell too much about the browser itself.

Here is Epic's user agent:

epic-user-agent.PNG

While this doesn't necessarily look bad, it is actually quite ugly. There are two main reasons that this is bad: the browser is based on an outdated version of Chromium, and WOW64 wouldn't show up for most Chrome users.

There are various other issues, and we will deal with those after picking apart this user agent.

Just to give non-technical users an idea of what a user agent is: it's a string identifying your web browser and its version, which is given to a server for content negotiation. Put otherwise, Firefox and Chrome might use different styling to show a page correctly, and the user agent tells the server which one is asking.

However, user agents can also be used to track users.

Epic is Outdated

The version I used, the latest version as of writing, was based on Chromium 71.0.3578.98, despite the most up-to-date stable version of Chrome being 72.0.3626.109.

For comparison, here is a newer Chrome user agent:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Note that this also has WOW64 in it; that's coming up in a moment. Market share for this updated version is a little over half a percent on Windows 7 (x64):

up to date chrome Windows 7 market share

The same browser's market share is about 3% for Windows 10 (x64):

up to date chrome Windows 10 market share

Huge thanks to Tech Blog (wh) for the statistics. The exact data I'm using is outdated, but here's what I'm working with.

So, Epic browser is outdated. According to Google, 71.0.3578.98 was released on December 12, 2018. That means it is at least two months behind the official stable Chrome build. The stable Chrome build is updated around once a week. I feel like very few teams would be able to keep up with that type of speed reliably.

And, given that Chrome makes it hard to disable automatic updates (short of breaking them), it isn't hard to guess that many users are probably using a fork of Chromium, like Epic.

While others might note that this is only the case while new versions are worked on, I would argue that it's troublesome that it takes so long to push updates for the browser. In fact, [in one article](https://www.computerworld.com/article/3286605/web-browsers/what-is-the-epic-browser-and-what-makes-it-different.html), the author found Epic was 6 months behind the official Chrome build. That's sure to raise some eyebrows.

This might be fixed if they were to add a plugin or something that automatically detects the newest version of Chrome and spoofs its user agent, but they do not do this.

WOW64

I wasn't sure what WOW64 was until I Googled around for it. WOW64 is an emulator for x86 in 64-bit Windows installations. In other words, it lets 32-bit programs run on 64-bit Windows computers, allowing a lot of older programs to run properly on Windows, and it allows developers to write their programs with older computers in mind.

Well, that doesn't sound like a bad thing, does it?

This is where things get tricky. Google Chrome runs tests on your computer before installing, and those tests tell Google which version of Chrome your computer should use. This means that, normally, it will install 32-bit Chrome for 32-bit Windows and 64-bit Chrome for 64-bit Windows.

In other words, a WOW64 user agent is signalling to any website that will listen that you're using the wrong version of Chrome for your computer. If your computer was made any time after the release of Windows 7 (mid- to late-2009), it's probably showing that you're using the 32-bit version for 64-bit Windows. That's strange, and maybe even noteworthy for webmasters and companies like Google.

You might remember that I gave a WOW64 user agent earlier. That's because I was using a portable app to check its user agent. While that could introduce some unknowns for webmasters and Google, it's also worth keeping in mind that PortableApps releases new versions pretty regularly, and normally encourages users to update.

This might be fixed if the developers released both 32- and 64-bit versions, but they do not do this. It could even be fixed if the dev team took the earlier recommendation to spoof a newer/corrected version of Chrome, but either way, the problem remains.
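To make the last two sections concrete, here is what a server can read out of a Chrome-style user agent. This is an added example, not code from the original post or from Epic: the function names are hypothetical, the reference stable version and the Chrome string are the ones quoted above, and the Epic string is constructed from the Chromium version reported above because the screenshot is not reproduced here.

```javascript
// Added example: traits a website can derive from a Chrome-style user agent.
const REFERENCE_STABLE = "72.0.3626.109"; // stable Chrome version quoted in the article
const ARTICLE_CHROME_UA =
  "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36";
// Constructed sample: same layout, with the Chromium version the article reports for Epic.
const CONSTRUCTED_EPIC_UA =
  "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36";

function parseChromeUA(ua) {
  const platform = /\(([^)]*)\)/.exec(ua);             // first parenthesised group
  const chrome = /Chrome\/(\d+(?:\.\d+){3})/.exec(ua); // four-part version number
  if (!platform || !chrome) return null;
  const tokens = platform[1].split(";").map((t) => t.trim());
  return {
    os: tokens[0],
    // WOW64 = 32-bit browser on 64-bit Windows; Win64 = native 64-bit build
    arch: tokens.includes("WOW64") ? "32-bit on 64-bit Windows"
        : tokens.includes("Win64") ? "64-bit"
        : "unspecified",
    version: chrome[1],
  };
}

// Numeric comparison of dotted versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lists the traits that make this user agent stand out from a current Chrome install.
function distinguishingTraits(ua, stable = REFERENCE_STABLE) {
  const info = parseChromeUA(ua);
  if (!info) return ["not a Chrome-style user agent"];
  const traits = [];
  if (compareVersions(info.version, stable) < 0) {
    traits.push(`Chrome ${info.version} is older than stable ${stable}`);
  }
  if (info.arch === "32-bit on 64-bit Windows") {
    traits.push("WOW64: 32-bit build on 64-bit Windows");
  }
  return traits;
}

console.log(distinguishingTraits(CONSTRUCTED_EPIC_UA));
```

Each trait on its own is shared with other users; a request that carries both at once falls into a much smaller group.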

Reporting Screen Resolution

epic-user-agent.PNG

The strange resolution is because I'm using a virtual machine.

Compare this with how Tor Browser Bundle reports resolution:

tor-user-agent.PNG

Tor doesn't report monitor resolution—instead, it reports the size of the window. It's a much safer way to report the user agent, and they go out of their way to make sure users know that maximizing the window is a bad move in terms of privacy:

tor-maximized.PNG

This could also be fixed by Epic if they took a similar approach.

Blocking Canvas

Another thing they go on about in their key features page is blocking websites from accessing image canvas data.

Epic blocks fingerprinting scripts and functions like image canvas data access to protect you which no browser extension can do.

This is factually incorrect; see Privacy Badger and CanvasBlocker.

Putting that aside, while this all sounds great for privacy, you may need to think again. Most browsers have it enabled out of the box, including Chrome and Firefox. Not sending any data singles you out just as much as, if not more than, just allowing websites to access that data.

For more info, read here.

In short, so few browsers actually completely block this data that you stick out like a sore thumb by doing so. A better solution would be providing a single random fingerprint per session, as detailed in the article linked above.
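Here is a sketch of the "single random fingerprint per session" idea, written as an added example (it is not from the original post, the linked article, or any browser's code). It works on a raw RGBA buffer, the layout `getImageData()` returns, and every name in it is hypothetical; the PRNG is mulberry32, picked for brevity and not cryptographically secure, and the session seed is assumed to be drawn once per session from a proper random source.

```javascript
// Added example: per-session canvas noise on a raw RGBA pixel buffer.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the lowest bit of roughly 1 in 8 colour channels; alpha is left alone.
// The same sessionSeed always gives the same output for the same input, so a
// site sees one stable (but fake) canvas for the whole session.
function perturbPixels(rgba, sessionSeed) {
  const rand = mulberry32(sessionSeed);
  const out = new Uint8ClampedArray(rgba);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 === 3) continue; // skip the alpha channel
    if (rand() < 0.125) out[i] ^= 1;
  }
  return out;
}

// FNV-1a over the bytes, standing in for the hash a fingerprinting script computes.
function fingerprint(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Constructed sample: a 16x16 gradient standing in for a rendered canvas.
function sampleCanvas() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i++) {
    px[i] = i % 4 === 3 ? 255 : (i * 7) % 256;
  }
  return px;
}

// What a fingerprinting script would see for a given session.
function readout(sessionSeed) {
  return fingerprint(perturbPixels(sampleCanvas(), sessionSeed));
}

console.log(readout(1), readout(1), readout(2));
```

Within one session the readout is stable, so pages that legitimately use canvas keep working; across sessions it changes, so it cannot be used to link visits, and unlike an outright block the browser still returns data like everyone else.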

Confirmation that Epic outright blocks canvas data, thanks to BrowserLeaks:

epic-canvas.PNG

Conclusions for Fingerprinting

Taking the first two problems into account, webmasters and companies that watch which version of Chromium is used by Epic can probably tell you're using Epic, even if the user agent is supposed to look like generic Chrome.

Narrowing things down even more by checking monitor resolution can also damage your privacy, especially if your monitor has an unusual or unique resolution. For example, 4:3 (older monitors) and 3:2 (used by newer Microsoft computers) aspect ratios will severely narrow down things for a company that wants to track you, and it could even narrow down what type of computer you're using.

Once you get down to blocking canvas data, it becomes very easy to track you. While this feature might help users avoid sending certain information about their computers to a website, it makes them stick out, making them easily trackable by almost anyone running a website.

Some might think, "Well, I'll just switch proxies," but that just makes it more obvious that they're using Epic Browser specifically. A weird user agent that's blocking canvas data? Coming from different IPs, all around the same time? Okay, they're probably using Epic.

It's almost funny that, in trying to create a browser that disallows companies from tracking its users, they inadvertently made their browser very easy to track. There is some plausible deniability all the way down, but that won't stop companies from being able to draw conclusions about users.

More Developer Weirdness

I don't want to be rude, but the developers have said a few strange things.

DuckDuckNo

One particularly weird thing that Alok himself said is that they do not trust DuckDuckGo as a search provider, and refuse to add it to their browser:

We are unfortunately unable to trust other so-called privacy search engines such as DuckDuckGo and advise you not to as well (so we can't include them as options as it would indicate our recommendation of them which we can not do).

This is before saying you can use Google instead:

You can always with one-click from EpicSearch get to Bing or Google if you need different results.

If the point of Epic browser was to help users retain their privacy, it seems awfully odd that they would implicitly recommend using Google of all things before using DuckDuckGo.

This is despite the fact that DuckDuckGo has a pretty decent privacy policy. They don't use cookies, or store user agents, nor even IP addresses—which is pretty unprecedented when it comes to search engines.

Not Releasing Source

Not to beat a dead horse, however...

We have not been able to release openly all our source code due to certain business reasons (it's taking considerable investment to keep this project going)

I might be able to understand that they want to keep things vague (likely for business reasons), but not disclosing that there are licensing issues, as we've already gone over, is rather odd. If I recall correctly, XBMC for Android didn't support a certain (very common) audio codec for a while due to licensing issues. They were up-front about it and threw a message for it into the app. So, why would the team behind Epic bother with obscuring that?

Conclusions

I've been critical of the browser and the developers behind it, but that's only because they don't really deliver on most of their claims. That doesn't necessarily mean you shouldn't use the browser.

So, should you use Epic Privacy Browser?

The answer is a definitive "maybe." There are a lot of good reasons to avoid it, but there are still good uses for it. A better question to ask is "what do you need it for?"

If you need it to:

  • Avoid any possible tracking or fingerprinting
  • Stop Google from possibly spying on you
  • Gain anonymity from any sort of serious threat (big brother, corporations, etc.)

... Then no, absolutely do not use it—in fact, smack yourself for asking.

If you need it because you want to get around IP bans, for testing/development, to read a few more articles from WSJ per month, or just because you hate ads, then go ahead. If it works with Netflix or something else that's only offered in certain countries, even better.

However, it's not a great browser for privacy or great against tracking. I don't think I would even call it good to stop tracking.

Privacy-oriented users should probably just use the newest version of Ubuntu with the most updated Firefox available.

Either that, or using Windows with Firefox, throwing in an adblocker and a user agent spoofer (spoofing the newest stable Chrome build), which would probably be even smarter. But it's good to keep in mind that no matter what, you're likely going to be tracked.

Maybe, one day, someone will figure out a way to reliably browse around online without being trackable. Until then, there are still better options out there.

Further Reading

People smarter than me, and with better resources than me, have put forward their own analysis of Epic, as well as other privacy-oriented web browsers. Any interested parties should also give them a read.

More on "private" web browsers:

Other resources that might be useful to look at:

  • Hybrid Analysis page for mini-installer.exe - Somebody might be able to make sense of everything presented here and offer an interesting thing or two to note. I personally see little that's interesting other than the installer running a bunch of processes. (It was picked up as malware by a single antivirus, but that's probably not very useful.)
