Are there any valid privacy or security concerns in this discussion?

https://web.archive.org/web/20210618144519/https://www.ebin.city/~werwolf/posts/brave-is-sh1t/

Replace 1 with i in this link… I couldn’t post without changing it because of the word sh1t

Brave is a Chromium-based browser that comes with a built-in adblocker and a “rewards” program that is supposed to let you earn money. But the relevant part today is that Brave is advertised as a “private browser by default”.

Brave has taken the same false-privacy approach as other companies (yes Apple, I’m looking at you): they use “privacy” for marketing, but in reality they provide a hypocritical service that “blocks tracking” while tracking you and profiting from you.

But Brave is more private than Firefox by default
No, not at all. People who claim this have fallen for Brave’s marketing strategy, which consists of telling lies and making flawed arguments.

I’ll give you numerous facts and counter-arguments that will prevent you from falling for Brave’s lies.

Brave’s built-in adblocker
Block data-grabbing ads and trackers

One of Brave’s biggest selling points is their built-in adblocker. But let me tell you a couple of things about Brave’s adblocker:

Their adblocker is just a fork of uBlock Origin, which isn’t necessarily bad. The problem comes when you realise that it has a hardcoded whitelist. They’re whitelisting trackers from Facebook and Twitter, so they can use scripts in third parties’ websites to track you across the web. This was their response:

Loading a script from an edge-cache does not track a user without third-party cookies or equivalent browser-local storage, which Brave always blocks and always will block. In other words, sending requests and receiving responses without cookies or other means of identifying users does not necessarily create a tracking threat.

This is completely false. They’re blatantly lying to their users. Anyone who knows a bit about how JavaScript works and its capabilities to track you without the need for cookies will laugh after reading that.

Using Facebook’s and Twitter’s scripts is more than enough to track and identify you. Blocking cookies doesn’t help.

I mean, what’s the point of making a “private” browser if Facebook’s scripts (which are everywhere, btw) will track you?

Another problem with their built-in adblocker is that it’s better for extensions to be separated from the core of the browser, since they don’t follow each other’s update cycles. This means that you need to update the entire browser to fix a bug in the adblocker. Stup1d, isn’t it?

Another reason to avoid using Brave is that uBlock Origin works best on Firefox and there isn’t anything that Brave can do about it.

The limitations are Chromium’s fault and Google isn’t going to do anything about it. Brave is dependent on Google and they’ll always be limited by this fact. Since they’re based on Google’s browser and web engine, Google makes the development decisions for 95% of Brave. It’s important to stress the fact that Brave is nothing more than Chromium with another skin and a built-in adblocker with reduced functionality.

Another side effect of using a browser made by Google is that Google will make decisions that benefit its advertising business, like making it impossible to use adblockers on any Chromium-based browser. And of course, this will affect Brave.

Of course, they won’t tell you any of this on their homepage. Part of their marketing strategy consists of making their “privacy shield” look like the best and unrivaled adblocker in the world, when it is just a really limited uBlock Origin with a hardcoded whitelist.

Brave Rewards
Rewards is their shitty program that will replace ads displayed on websites with their own. They claim that you can earn money with it. Well, they aren’t lying to you about this. If earning half a penny a month in exchange for your privacy is okay with you (because of course they’re tracking you with Rewards), then enjoy your money. But remember, Brave’s fee is 30% of your earnings.

If you don’t mind that and you decide to use Rewards, it’s important to say that Rewards uses Uphold, which has an excellent policy /s:

To verify your identity, we collect your name, address, phone, email, and other similar information. We may also require you to provide additional Personal Data for verification purposes, including your date of birth, taxpayer or government identification number, or a copy of your government-issued identification

Uphold uses Veriff to verify your identity by determining whether a selfie you take matches the photo in your government-issued identification. Veriff’s facial recognition technology collects information from your photos that may include biometric data, and when you provide your selfie, you will be asked to agree that Veriff may process biometric data and other data (including special categories of data) from the photos you submit and share it with Uphold. Automated processes may be used to make a verification decision.

Contrary to popular belief, Rewards isn’t opt-in. Don’t believe me? Check it yourself. Brave will recurrently make requests to the following domains, whether you use Rewards or not:

rewards.brave[dot]com
api.rewards.brave[dot]com
grant.rewards.brave[dot]com
The names can be a bit confusing, but these domains aren’t just for updates: they fetch affiliates for Brave Rewards, with pings such as Grammarly, Softonic, Uphold, etc.

So despite explicitly opting out, Brave’s Rewards will still be used to track you.

Brave sends requests to numerous domains
They also make requests to various domains that are believed to be related to the crypto aspect of Rewards. I won’t elaborate here since it’s better explained on this article. Here you have a list with the different domains that Brave sends a request to:

variations.brave[dot]com
laptop-updates.brave[dot]com
static1.brave[dot]com
brave-core-ext.s3.brave[dot]com
There isn’t a way to opt out of sending these requests.

It is also worth mentioning that Brave has built-in telemetry. Brave will make a ton of requests to the domain p3a.brave[dot]com as telemetry. This telemetry can be opted out of, but a lot of people believe their marketing and think that Brave is private out of the box.

Suspicious behavior which installs 5 extensions
brave-core-ext.s3.brave[dot]com fetches 5 extensions and installs them. It is said that this might be a backdoor. But I don’t want to be a conspiracy theorist. I prefer giving you verifiable facts. I’ll limit myself to informing you about suspicious activities.

Brave Today
There is a ton of criticism about Firefox’s Pocket. But Brave has something similar, which is called Brave Today.

It is displayed in every blank tab. This feature sends lots of requests to Brave’s servers. It can’t be disabled.

So your only option would be setting the tabs to blank, but you’ll still have this shady crap enabled. At least on Firefox you can easily disable Pocket.

Brave’s “SafeBrowsing”
This feature is intended to “protect” the user from “unsafe” websites and extensions. However, it seems to have the contrary effect, since it sends requests to fetch the required information. And it wouldn’t be too far-fetched for Brave to use Google’s SafeBrowsing. I’ll elaborate in the next section.

Brave makes requests to Google’s Gstatic
Brave makes requests to static1.brave[dot]com. If you open this in a browser, you’ll find that you are directed to Google’s 404 error page.

Isn’t it weird that one of Brave’s domains redirects to a Google page? Well, curl --head static1.brave[dot]com shows that Brave uses Google’s gstatic, which is btw using Cloudflare.

It’s a concerning issue for a “privacy” oriented browser to connect to Cloudflare’s and Google’s domains, since both of them are telemetry.

But Chromium is more secure than Firefox
Well, you have to understand that security and privacy are different things. Anyway, it is true that Chromium has process isolation. However, Firefox is almost there too. It’s known as Project Fission. You can already enable it in about:config with fission.autostart (on Nightly). Take into account that it’s still under development.

Process isolation is the only advantage in security that chromium has over Firefox right now and it will not help you with privacy. You may even want to enable Fission if you feel like process isolation is a must have.

Auto-updates
Brave will check for updates every time you run it. You can’t turn it off, which means Brave will make this request every time you launch the browser. Brave’s dedication to privacy is truly amazing /s.

Brave shady practices
Okay, we’ve seen how Brave is everything but private. But I’d still like to list some of the shady practices they’ve been caught doing in the past, just in case someone still thinks that using Brave is a good idea.

Brave has been caught inserting affiliate codes
In June 2020, a twitter user (@cryptonator1337) discovered that Brave was automatically injecting referral codes into URLs for cryptocurrency exchange sites.

So if you typed “binance.us” into the URL bar and pressed enter, Brave would take you to “binance.us/?ref=35089877”.

There was a huge scandal when this was noticed. Later, Brave disabled this in the code, in a “sorry we got caught” style.

Uphold
I’ve already shown you how Uphold is everything but privacy respecting. It wouldn’t make any sense for a “privacy friendly” browser to use such a service, unless they didn’t give a fack about privacy and everything was just a marketing strategy…

Incompetence when implementing “privacy features”
Who the fack implements Tor but doesn’t change the DNS? I mean, this is either total incompetence or, even worse, malevolence on the part of Brave’s team.

Anyway, you can read more about this here

Possible scam and theft?
Brave has been accused of scamming people. They’ve been promoting this on their home screen, since they get up to $200 per user who uses their affiliate link. I consider this a scam since they’re making a ton of profit from people who will lose their money. They removed the Reddit post exposing this and the issue on GitHub.

They were also accused of theft with BAT but this isn’t verifiable so I’ll only link the source for you.

Hostility towards forks
You may have seen in the past a fork of Brave which removed telemetry and other shady practices from Brave. It was called Braver.

Well, that project was hit with countless lawsuits by Brave; they were forced to rename the project and finally had to give up out of fear.

So, after all, it seems that being free software, or as they prefer to call it, “open source”, is just another marketing strategy.

They don’t care at all about software freedom, and when someone forks their browser and makes one that doesn’t spy on its users, they will harass them until the fork dies, since people using forks aren’t profitable. They want you to use Brave so they can sell your data, force you to use affiliate links and take a 30% cut of your “rewards”.

Chromium and Google’s monopoly
I think that at this point it’s clear that Brave doesn’t care about users’ privacy, they only care about making money. But there is something that I haven’t talked about. It’s the fact that Brave is supporting Google’s web monopoly.

Why? How? Well, the answer is pretty simple: Brave is just another Chromium skin. So at the end, when using Brave or any other Chromium based browser, you’re giving marketshare to Google and supporting their evil web empire.

The only browser that does not use Google’s web engine (Blink) is Firefox. So if you really want some kind of privacy I’d recommend switching to Firefox or something Firefox-based, like GNU IceCat, since a Google monopoly on the browser market can’t be good for anyone. Even if you love Chromium, it is known that monopolies are extremely harmful.

And as I mentioned before, this is already happening with Google trying to destroy adblockers. What will be next? Forcing every Chromium browser to use FLoC? Making it impossible to disable JavaScript? We don’t know yet, but depending on the development decisions of the biggest data-mining and advertising company (Google) doesn’t seem like a great idea if you want to have some kind of privacy.

Conclusion
You shouldn’t trust Brave at all. The smart move would be switching to hardened Firefox, GNU Icecat, Palemoon or the Tor browser.

If you have any counter-argument, any other info that I could add to the blog post or anything to say about it, you can reach me on the fediverse.
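The post above says “Check it yourself” but gives no procedure. The script below is an added example for this thread (not code from the post and not Brave’s) that does the check from a HAR export of a proxy debugger such as Fiddler or Charles: it lists every host contacted, flags hosts outside an expected set, and flags Rewards endpoints hit while Rewards is disabled. The hostnames in EXPECTED are the ones the post lists; the purpose labels are assumptions used only for grouping, and the HAR entries in SAMPLE_HAR (paths, methods, counts) are constructed so the script runs offline.

```python
"""Summarise which hosts a browser contacts on first run, from a HAR capture.

Added example for the thread; not code from the original post and not Brave's.
EXPECTED holds the hostnames the post lists (purpose labels are assumptions).
SAMPLE_HAR is a constructed HAR 1.2 excerpt: paths, methods and counts are
made up so the script runs offline. Point audit() at a real export to audit
an actual first run.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

EXPECTED = {
    "variations.brave.com": "feature flags",
    "laptop-updates.brave.com": "update check",
    "static1.brave.com": "static assets / proxied endpoint",
    "brave-core-ext.s3.brave.com": "component download",
    "p3a.brave.com": "telemetry (P3A)",
    "rewards.brave.com": "rewards",
    "api.rewards.brave.com": "rewards",
    "grant.rewards.brave.com": "rewards",
}

# Constructed HAR 1.2 excerpt: only log.entries[].request.{method,url} is used.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET",  "url": "https://variations.brave.com/seed"}},
    {"request": {"method": "GET",  "url": "https://laptop-updates.brave.com/usage"}},
    {"request": {"method": "POST", "url": "https://static1.brave.com/proxied"}},
    {"request": {"method": "GET",  "url": "https://brave-core-ext.s3.brave.com/adblock.crx"}},
    {"request": {"method": "POST", "url": "https://p3a.brave.com/"}},
    {"request": {"method": "GET",  "url": "https://api.rewards.brave.com/v1/wallet"}},
    {"request": {"method": "GET",  "url": "https://api.rewards.brave.com/v1/wallet"}},
    {"request": {"method": "GET",  "url": "https://unknown-cdn.example/metrics"}},
]}})


def requests_from_har(har_text):
    """Yield (host, method) for every entry in a HAR document."""
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        yield urlsplit(req["url"]).hostname, req["method"].upper()


def audit(har_text, rewards_enabled=False):
    """Classify the hosts a capture shows being contacted.

    unexpected:            hosts not in EXPECTED; chase these first
    rewards_without_optin: rewards hosts hit while Rewards is off (the
                           behaviour disputed in the thread)
    by_purpose:            request counts per EXPECTED label
    methods:               HTTP methods seen per host; probing with a GET an
                           endpoint that is only ever POSTed will just 404
    """
    counts = Counter()
    methods = defaultdict(set)
    for host, method in requests_from_har(har_text):
        counts[host] += 1
        methods[host].add(method)
    by_purpose = Counter()
    for host, n in counts.items():
        by_purpose[EXPECTED.get(host, "unknown")] += n
    rewards_hosts = sorted(h for h in counts if EXPECTED.get(h) == "rewards")
    return {
        "unexpected": sorted(h for h in counts if h not in EXPECTED),
        "rewards_without_optin": [] if rewards_enabled else rewards_hosts,
        "by_purpose": dict(by_purpose),
        "methods": {h: sorted(m) for h, m in methods.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HAR).items():
        print(f"{key}: {value}")
```

Run it once on a fresh profile with Rewards off and once after opting in; the difference between the two `rewards_without_optin` lists is the evidence either side of this thread would need, and the `methods` map shows why pasting an endpoint into the address bar (a GET) is not a valid probe of something the browser only POSTs to.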


I provided a response to this article years ago on Hacker News. You can find it here: https://news.ycombinator.com/item?id=27552530. I’ll provide the full response below.

Note: The original criticism and the response which follows were both written several years ago. It should be assumed that many details are no longer accurate. Furthermore, I have redacted a couple instances of profanity/prohibited-terms in quoted portions of the original article with █ characters.

“Their adblocker is just a fork of uBlock Origin…”

Claims like this should be supplemented with links to our source code (see https://code.brave.com), if true. I’m not sure what gave the author this impression; Brave’s built-in ad-blocking does use public lists in addition to our own efforts, but that isn’t the same as being a fork of uBlock Origin. That being said, uBO is a fine extension, and you should definitely be using it (if you’re not using Brave).

“They’re whitelisting trackers from Facebook and Twitter, so they can use scripts in third parties’ websites to track you across the web.”

This is also quite misleading. It stems from a claim made back in 2018 about our now-retired “Muon” build of Brave. We had a file which listed third-party scripts which shouldn’t be blocked (so as not to “break the Web”). Among these were particular Facebook and Twitter scripts, because Facebook and Twitter content is embedded all throughout the Web (think of embedded Tweets, posts, videos, etc.). As such, it’s important to permit this content to load, but to prevent it from utilizing any persistent storage (e.g. cookies). Not only were these scripts prevented from accessing storage, Brave also modified or discarded the referrer header on these requests. This wasn’t ever a case of “whitelisting trackers”.

“They’re blatantly lying to their users. Anyone who knows a bit about how JavaScript…”

Responding to a previous explanation for the “whitelist”, the author emphatically claims the engineers at Brave don’t understand how JavaScript works. If I’m not mistaken, the author is responding to Brendan Eich (Brave’s CEO), who happens to also be the creator of JavaScript.

“Another problem with their built-in adblocker is that it’s better for extensions to be separated from the core of the browser, since they don’t follow each other’s update cycles. This means that you need to update the entire browser to fix a bug in the adblocker. ██████, isn’t it?”

Agreed, which is why Brave’s ad-blocking logic is broken out into a distinct component. You can see it enumerated on brave://components, and even request updates from that page as well. It would have been very unwise to require a full browser update just to deliver updates to ad-blocking rules, etc.

Note: By this point, it should be clear to the reader that the author is unqualified to conduct such a review. A cursory review of Brave’s source (both in the archived ‘Muon’ repo and our active code.brave.com endpoint) would have answered many of their questions. A review of Brave’s network activity, such as the one I conducted this year (see https://brave.com/popular-browsers-first-run/), would have addressed many claims to follow.

“It’s important to bring focus to the fact that Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality.”

Wrong, again. Brave is a heavily patched version of Chromium, deviating in many ways (see https://github.com/brave/brave-browser/wiki/Deviations-from-…) from the base project. Again, this would have been quite clear to the author if they compared the network activity of Chrome and Brave (see https://brave.com/popular-browsers-first-run/).

“Rewards is their ██████ program that will replace ads displayed on websites with their own.”

Another easily-disproven claim, showing the author likely has never used Brave. Brave does not replace ads on websites. Brave’s Ad system is opt-in, user-configurable, and displays ad notifications as native system notifications. These appear as prompts on your desktop or screen, outside of the browser itself.

“…they’re tracking you with Rewards…”

Again, where is the network analysis or source code to substantiate this claim? The author doesn’t provide anything, because it’s simply not true. Brave Rewards is designed to preclude tracking. Rather than having user data flow out to remote servers (the way Google Ads and more work today), Brave Rewards keeps the user’s data on their device, and routinely downloads a regional ad catalog. This inverts the traditional digital advertising model. I covered this system in a bit more detail recently in a 5-minute talk on the history of digital advertising, and how Brave is fixing the industry. You can watch that talk at https://www.youtube.com/watch?v=LsrrT502luI.

“…it’s important to say that Rewards uses Uphold…”

The author then takes a jab at KYC, the process of confirming your identity by providing ID and other information. No user of Brave Rewards is required to do this. Users are able to opt-in, participate, earn, and pass along rewards to content creators and publishers. If a user wishes to “cash out,” however, they do have to verify their identity in compliance with relevant laws and regulations. But this is not handled by Brave; we do what we can to stay away from your data. Instead, Uphold (and soon Gemini) handles this process.

“Contrary to popular belief, Rewards isn’t opt in.”

The author here conflates calls to certain endpoints with program participation. They are correct that Brave would make calls at times to our own rewards server, but not because the user has been auto opted-in. Those calls would attempt to locate rewards for the current user, and they would respond with an error or an empty balance, since the user hasn’t opted-in. We’ve been working on cleaning up these types of unnecessary calls; I think this one resulted when the user clicks on the Rewards panel. By default the panel would expand and ask the user if they would like to opt-in. If the user were already opted-in, the panel would expand and attempt to retrieve their balance. The buggy behavior here was the attempt to retrieve a balance in both states. If you ever spot an issue like this, please do let us know. But again, no ad notifications are shown, and no ad catalogs are downloaded until a user opts in.

“…they fetch affiliates for Brave Rewards, with pings such as Grammarly, Softonic, Uphold, etc.”

Another basic mistake from this author. They’re referring to custom headers. These don’t ping anybody. We document the headers on GitHub (see https://github.com/brave/brave-browser/wiki/Custom-Headers), explaining there that these serve as a substitute for a custom user-agent string (which Brave lacks). These don’t identify the user to anybody, make any back-door network calls, or anything. Again, the user is clearly not qualified to discuss these technical topics, and has done little (if any) homework on the matter.

“They also make requests to various domains… There isn’t a way to opt out from sending this requests.”

A few domains are shared, but these again aren’t explored any more deeply. I covered these endpoints in my network analysis (see https://brave.com/popular-browsers-first-run/); many are also covered in the document detailing proxies (see https://github.com/brave/brave-browser/wiki/Deviations-from-…) we have set up with Google services to prevent users from making contact with Google. This is yet another example of where the user could have opened a Web Proxy Debugger like Fiddler or Charles and examined the network activity to understand what’s going on.

“Brave has built-in telemetry. …a lot of people believe in their marketing and think that Brave is private out of the box.”

Telemetry and Privacy aren’t necessarily at odds with one another; it depends on how your telemetry is implemented. We have described our approach in detail on our Blog (see https://brave.com/privacy-preserving-product-analytics-p3a/). We also document the questions and possible answers on GitHub at https://github.com/brave/brave-browser/wiki/P3A.

“Suspicious behavior which installs 5 extensions”

The author is, again, showing their lack of experience and effort in this area. Again, they could have found this information covered in our source code (see https://code.brave.com), in my network analysis (see https://brave.com/popular-browsers-first-run/), or even by inspecting the CRX files themselves in something like Rob Wu’s CRX Viewer (see https://robwu.nl/crxviewer/).

“There is a ton of criticism about Firefox’s Pocket. But Brave has something similar, which is called Brave Today.”

Brave Today is available on the new tab page, but doesn’t actually make any network calls unless you open it up. This was important to us, since we aim to keep Brave as clean and quiet as possible. From a new tab page, you have to scroll down to trigger network activity. But this deferring of requests isn’t all we’ve done to make this system as private as possible. Brave also drops request headers, pads resource bytes, and more. The padding of resource bytes is really neat; no matter which image is being requested from the Brave CDN, its file-size is always the same (meaning no network-connected sleuth can infer your network activity by watching image file sizes). We talk about this system in greater detail on our blog. See Brave’s Private Content Delivery Network (see https://brave.com/brave-private-cdn/).

The author then takes aim at Brave’s “SafeBrowsing”. Brave uses Google’s SafeBrowsing service to protect users from harmful sites and more. Similar services are used by practically all major browsers today (many using SafeBrowsing). What matters most here, again, is implementation. SafeBrowsing has a LookUp API and an Update API. One of these sends data with each request to Google for their judgement. The other routinely downloads a database of potentially harmful URLs and performs the lookup locally, on the user’s device. Brave takes the latter route. And the routine database updates are proxied through Brave’s servers, meaning users aren’t making any direct contact with Google. This was also covered in my network analysis (see https://brave.com/popular-browsers-first-run/) earlier this year. Compare and contrast with something like Opera to see how others perform similar lookups.

“It’s a concerning issue for a “privacy” oriented browser to connect to Cloudflare’s and Google’s domains, since both of them are telemetry.”

The author here is referring to proxied URLs, which were already addressed. They claim these are “telemetry,” which is absurd. Telemetry is about understanding how users and products intersect. To suggest Brave is doing any telemetry here, or assisting Google/Cloudflare with Telemetry, would require the author to provide something substantive. They don’t, however, because they aren’t technically qualified to conduct this type of review in the first place. Also, they note receiving a 404 when attempting to access these endpoints. This is because the user failed to note that these receive POST requests, rather than GET requests. The latter results in a 404.

“Brave will check for updates every time you run it. …Brave’s dedication to privacy is truly amazing /s.”

Yes, and? Software that remains up-to-date typically remains safer and more secure. We’re not about to have our 30+ million users running outdated, vulnerable, and brittle versions of Chromium which have known, published exploits in the wild.

“Brave has been caught inserting affiliate codes…”

Not much of a scandal here. Brave shipped an update which would offer users affiliate-versions of particular URLs. The goal here was to detect pre-search input (no network activity involved), and offer up an affiliate link if one was available. The user could then decide to visit a URL with or without traffic attribution. We blogged about this in “On Partner Referral Codes in Brave Suggested Sites (see https://brave.com/referral-codes-in-suggested-sites/)”. As stated there, the intent was to offer referral options during searches. Our mistake was also matching fully-qualified URLs. Once the issue was found, it was quickly resolved. It’s important to note that traffic attribution is not necessarily malicious, anti-privacy, or a matter of security. The author has been suggesting users switch to Firefox; has the author conducted a search from Firefox? Is the author aware, as revealed in a network analysis (see https://brave.com/popular-browsers-first-run/), that keystrokes are asynchronously fed to Google, and that each request is marked with a Firefox identifier for traffic attribution?

“Who the ████ implements Tor but doesn’t change the DNS?”

Ah, that issue. Again, the user hasn’t done their homework. What they’re referring to here was the recent bug with Brave’s Tor context which would emit a DNS lookup, potentially exposing your traffic to your ISP. Let me be quite clear, that is bad. Really bad. Which is why we fixed it without hesitation. That said, was this an example of Brave not knowing how Tor works? Or how DNS works? Not at all, as the author seems to have left out some important context.

Brave has supported Tor for a long time, and without any DNS lookup issue. So what caused this issue? It was actually Brave’s effort to remain ahead of the industry in terms of security and privacy, believe it or not. In late 2020 we blogged about Fighting CNAME Trickery (see https://brave.com/privacy-updates-6/), and the growing trend of third-party trackers finding ways to plant themselves on first-party domains. To combat this, Brave added a DNS lookup to resolve first-party endpoints and evaluate the endpoint with our block lists and more. This gave Brave the unique ability to identify third-party trackers even when they masquerade as first-party requests. But, we failed to limit this feature only to standard browsing contexts. Having a feature like this makes you one of the most secure and private browsers on the market. Having it in a Tor context, however, means potentially leaking some network activity. This was not a case of Brave failing to understand how Tor or DNS works; this was a case of Brave taking the initiative to do something bold, and stumbling in the process. When you lead, everybody gets to see your mistakes.

“Possible scam and theft?”

Betteridge’s law of headlines is an adage that states: “Any headline that ends in a question mark can be answered by the word no.” One issue the user does bring up here (by link, not explicitly) are a set of changes made to Brave’s UX/UI following feedback from content creators in 2018. We blogged about this in greater detail at https://brave.com/rewards-update/. In summary, our UI/UX was somewhat confusing. We made a few rapid changes, which resulted in a substantially better system. This was, in my opinion, a stellar example of how crucial community feedback is to developing a solid product.

“Hostility towards forks”

More nonsense. Brave has no problem with forks; we do have a problem with those wishing to copy and paste Brave under the name “Braver”. That should be quite obviously a bad-faith gesture. The individual(s) behind this proposed browser (there were at most 2 or 3 people) soon realized how much work goes into developing a browser, and the effort fell apart. But forks of Brave exist today; Dissenter (don’t use this browser! (see https://twitter.com/BraveSampson/status/1350685642846572546)) and PreSearch for iOS being a couple examples.

In summary, if you want a technical review of Brave, don’t get it from randos on the Internet. Look instead to competent engineers, such as the work done by Douglas Leith (see https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf) and others at Trinity College in Dublin. Their abstract is as follows, “We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex.”

Fin.
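The reply above rests on the difference between Safe Browsing’s Lookup API (the URL goes to the server) and its Update API (hash prefixes are held locally and matched on the device). The sketch below is an added example for this thread, neither Brave’s code nor Google’s client library, that implements the local half of the Update-style check: URL to host/path expressions, SHA-256, 4-byte prefix, set membership. The expression rules follow the published Safe Browsing ones in simplified form (no full URL canonicalisation, no IP-literal hosts), and the blocklist entry is constructed. The caveat a practitioner should keep in mind is in `confirm`: a prefix hit is a candidate, not a verdict, and in the real protocol it triggers a full-hash request that carries the matching prefixes (not the URL), which is the request Brave says it proxies.

```python
"""Local hash-prefix lookup in the style of Safe Browsing's Update API.

Added example for the thread; not Brave's code and not Google's client.
Expression rules are the published Safe Browsing ones, simplified (no full
canonicalisation, no IP-literal hosts). The blocklist entry is constructed.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; the common prefix size in real lists


def _dedupe(items):
    return list(dict.fromkeys(items))


def host_suffixes(host):
    """Exact host, then up to four suffixes built from the last five labels,
    never the bare TLD: a.b.c.d.e.f -> [a.b.c.d.e.f, b.c.d.e.f, c.d.e.f, d.e.f, e.f]."""
    labels = host.lower().rstrip(".").split(".")
    tail = labels[-5:]
    suffixes = [".".join(tail[i:]) for i in range(len(tail) - 1)]
    return _dedupe([".".join(labels)] + suffixes)


def path_prefixes(path, query):
    """Exact path with and without query, '/', then each directory prefix
    (trailing slash kept), at most four: /1/2.html?q=1 -> [...?q=1, /1/2.html, /, /1/]."""
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    dirs = ["/"]
    acc = ""
    for comp in path.split("/")[1:-1][:4]:  # directory components only
        acc += "/" + comp
        dirs.append(acc + "/")
    return _dedupe(out + dirs)


def expressions(url):
    """All host/path combinations a list may contain for this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return [h + p for h in host_suffixes(host)
            for p in path_prefixes(parts.path or "/", parts.query)]


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class LocalPrefixList:
    """The on-device half of an Update-API client.

    candidates() needs no network at all. In the real protocol a non-empty
    result is followed by a full-hash request carrying only the matching
    prefixes, never the URL; confirm() stands in for that step with a local
    copy of the full hashes, which is all a test needs.
    """

    def __init__(self, unsafe_expressions):
        self._full = {full_hash(e) for e in unsafe_expressions}
        self.prefixes = {h[:PREFIX_LEN] for h in self._full}

    def candidates(self, url):
        return [e for e in expressions(url)
                if full_hash(e)[:PREFIX_LEN] in self.prefixes]

    def confirm(self, url):
        """True only if a candidate's full hash is listed; a prefix hit alone may be a collision."""
        return any(full_hash(e) in self._full for e in self.candidates(url))


if __name__ == "__main__":
    lst = LocalPrefixList(["malware.example.test/bad/"])  # constructed entry
    for url in ("https://www.malware.example.test/bad/page.html?x=1", "https://example.org/"):
        print(url, lst.candidates(url), lst.confirm(url))
```

The privacy property follows from what leaves the device: for a URL with no prefix hit (the common case) nothing is sent at all, and for a hit only 4-byte prefixes are sent, which cannot be inverted to the URL but do tell the server that one of the expressions sharing that prefix was visited. Whether that request goes to Google directly or through a proxy is the implementation detail the reply points at.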

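The Tor/DNS bug the reply describes is a context error rather than a DNS error: CNAME uncloaking needs a lookup, and a lookup from a Tor window leaks the hostname to the local resolver. The code below is an added example for this thread, not Brave’s implementation, showing the check with the guard that was missing. The resolver is injected and records its queries so a test can prove that a private context issues none; the CNAME table, blocklist and domain names are constructed.

```python
"""CNAME-uncloaking check with a guard for Tor/private contexts.

Added example for the thread; not Brave's implementation. The resolver is
injected (offline) and records its queries; CNAME records, blocklist and
hostnames are constructed for the example.
"""

MAX_CHAIN = 8  # stop following CNAMEs after this many hops (loop guard)

BLOCKLIST = {"tracker.example.net"}  # constructed third-party tracker domain


class RecordingResolver:
    """Offline stand-in for DNS: answers from a static CNAME table and
    records every query so a caller can prove what was (not) resolved."""

    def __init__(self, cname_table):
        self.table = cname_table
        self.queries = []

    def cname(self, name):
        self.queries.append(name)
        return self.table.get(name)


def _domain_matches(name, blocklist):
    """True if name or any parent domain (down to the eTLD+1) is blocklisted."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def classify_request(host, first_party, resolver, private_context=False, blocklist=BLOCKLIST):
    """Return ('block' | 'allow', reason) for a request to host from a page on first_party.

    Third-party hosts are judged by name alone. First-party subdomains are the
    ones a tracker can hide behind, so they are uncloaked via CNAME, except
    in a private (Tor) context, where issuing a local DNS query would itself
    reveal the hostname to the resolver/ISP outside the Tor circuit.
    """
    if _domain_matches(host, blocklist):
        return "block", f"{host} is on the blocklist"
    if host != first_party and not host.endswith("." + first_party):
        return "allow", f"{host} is third-party but not blocklisted"
    if private_context:
        return "allow", f"{host} not uncloaked: DNS lookups are disabled in this context"
    name = host
    for _ in range(MAX_CHAIN):
        target = resolver.cname(name)
        if target is None:
            return "allow", f"{host} resolves without a blocklisted CNAME"
        if _domain_matches(target, blocklist):
            return "block", f"{host} is a CNAME for {target}"
        name = target
    return "allow", f"{host}: CNAME chain longer than {MAX_CHAIN}, not followed"


if __name__ == "__main__":
    table = {"metrics.shop.example": "cdn.tracker.example.net"}  # constructed
    for private in (False, True):
        r = RecordingResolver(table)
        verdict = classify_request("metrics.shop.example", "shop.example", r, private_context=private)
        print(f"private={private}: {verdict}; DNS queries issued: {r.queries}")
```

The trade-off is explicit in the two runs: with the guard, the Tor window loses CNAME uncloaking (the cloaked tracker is allowed), but no query leaves the local resolver; without it, the tracker is blocked at the price of a leaked hostname, which is the bug the reply describes. Routing the lookup through the circuit rather than skipping it is the third option, but that is a resolver change, not a classifier change.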