Can Brave see my sync data like bookmarks, history, open tabs, etc since the sync data is only client-side encrypted and not end-to-end encrypted?
They can’t:
We use the built-in custom passphrase feature from Chromium sync and encrypt everything client-side. Instead of letting the user pick a passphrase, which may be weak, we force the passphrase to be the BIP39 encoding of the sync seed. The rest of the encryption is handled by Chromium as follows:
- BIP39 phrase is key-stretched using scrypt(N = 2^13, r = 8, p = 11). New clients need the scrypt salt in order to derive the key.
- Then the stretched key is used directly as an AES128-CTR-HMAC encryption key.
https://github.com/brave/sync/wiki (old wiki but design is the same):
Brave Sync is a new way to automatically sync browsing data (bookmarks, preferences, history) between devices running the Brave browser. It uses client-side encryption such that no one’s servers cannot read your data, since they do not have access to the encryption keys. (Not even Brave’s servers can read your data!) Brave Sync is not designed for data backup; that is, if you delete Brave browser from all your devices and don’t have a backup of your sync encryption key, you will not be able to decrypt old browsing data.
What gets encrypted
In components/sync/protocol/sync.proto, each SyncEntity contains EntitySpecifics which is the actual data of each data type. For example, That is the field that will get encrypted and can only be seen by the client.
What sync server is able to see
Other essential fields used for communication and sync conflict resolution will remain plaintext, like device name and type, opaque IDs for synced items and their parents, item version, creation time, etc.
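The derivation and encryption flow described in the answer above, as an added Node.js example that is not part of the original post and is not Brave or Chromium code. It uses the scrypt parameters quoted in the post; the split of a 32-byte scrypt output into a 16-byte AES key and a 16-byte HMAC key, the use of HMAC-SHA256, the blob layout, the entity field names, the phrase and the salt are assumptions or constructed values.

```javascript
// Added example, not Chromium's implementation. Constructed inputs throughout.
const nodeCrypto = require("crypto");

// scrypt parameters as stated in the post: N = 2^13, r = 8, p = 11.
const SCRYPT = { N: 2 ** 13, r: 8, p: 11, maxmem: 64 * 1024 * 1024 };
// Constructed placeholder phrase (a public BIP39 test mnemonic, never a real seed).
const PHRASE = "abandon abandon abandon abandon abandon abandon " +
               "abandon abandon abandon abandon abandon about";

// Stretch the phrase; ASSUMED split: first 16 bytes AES-128 key, last 16 bytes MAC key.
function deriveKeys(phrase, salt) {
  const k = nodeCrypto.scryptSync(phrase.normalize("NFKD"), salt, 32, SCRYPT);
  return { encKey: k.subarray(0, 16), macKey: k.subarray(16) };
}

function macOf(keys, iv, ct) {
  return nodeCrypto.createHmac("sha256", keys.macKey).update(iv).update(ct).digest();
}

// Encrypt-then-MAC: AES-128-CTR over the plaintext, HMAC over iv || ciphertext.
function seal(keys, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv("aes-128-ctr", keys.encKey, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: macOf(keys, iv, ct) };
}

// Check the tag in constant time before decrypting; null means wrong key or tampering.
function unseal(keys, blob) {
  if (!nodeCrypto.timingSafeEqual(macOf(keys, blob.iv, blob.ct), blob.tag)) return null;
  const d = nodeCrypto.createDecipheriv("aes-128-ctr", keys.encKey, blob.iv);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
}

function demo() {
  const salt = Buffer.from("constructed-salt-0001");
  const deviceA = deriveKeys(PHRASE, salt);
  const specifics = seal(deviceA, JSON.stringify({ url: "https://example.com/", title: "Example" }));
  // Hypothetical entity: IDs and version stay plaintext, specifics are ciphertext.
  const entity = { id: "opaque-item-id-1", parentId: "opaque-parent-id-0", version: 7,
                   specifics: specifics.ct.toString("hex") };
  const deviceB = deriveKeys(PHRASE, salt);                      // same phrase, same salt
  const noSalt = deriveKeys(PHRASE, Buffer.from("other-salt"));  // phrase without the salt
  return { serverView: JSON.stringify(entity),
           deviceB: unseal(deviceB, specifics),
           wrongSalt: unseal(noSalt, specifics) };
}
```

`demo()` returns what the server would store, what a second device with the phrase and salt recovers, and `null` for a client that has the phrase but a different salt.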