Feedback: Is security a joke with Brave?


#1

Today, I downloaded Brave to check out the Tor integration and went through the settings dance, because no browser today, of which I am aware, respects privacy out of the box. I was disappointed to find some privacy nightmares in there.

Pocket integration: wow. If you’re not aware of Pocket, it’s something. I had a back and forth discussion with a PR member on this for a while and came away even more concerned. If you have questions, I suggest asking them, but don’t expect to get more than canned answers and propaganda. Otherwise, they were professional and polite.

DuckDuckGo: I’ve never received an answer, from DDG or otherwise, about why on earth people would trust this company for security. Their main offices are in the US and are, as such, required to comply with US law. Imagine a scenario where the US government, in the form of an alphabet agency, required them to turn on logs and provide tracking information. Is that a far-fetched scenario?

Extensions: Passwords and torrent viewer sum up those. Out of all the possible extensions available to help protect privacy, why those? See https://www.darknet.org.uk/2017/03/lastpass-chrome-extension-leaking-passwords/

Anybody that uses browser extensions to manage passwords is asking for trouble.

I was pleasantly surprised to find a way to disable WebRTC, thank you! That’s a step in the right direction. Now, if we had a way to minutely configure Brave like we do Firefox, I would switch in a heartbeat. As it is, though, I don’t know if Brave forbids pings, beacons, webgl, and a whole host of privacy-destroying browser technology.

Thank you for all the hard work. It seems that I will still have to pass on Brave as a daily driver; however, I’ll keep watching it to see if it will truly stand up for privacy. Oh, and almost forgot, Discourse doesn’t exactly protect privacy, either:

https://www.discourse.org/privacy


#2

Hi @sd992 I think it’s widely understood that Brave first and foremost is a browser company but not created with the prospect of being just another browser company. The original founders and everybody (though I can’t speak for everyone) who has joined them and users who continuously use the browser appreciate their principle and notion as to why it was created.

In regards to the extensions/integrations, I think the handful that are currently available were included out of necessity temporarily, soon you’ll have many other carefully selected options to choose from and as for DDG, they have supported and contributed to open-source solutions greatly including critical security software and are trusted unlike many other similar services to never log personal information, tracking, IPs and other identifiable information and fundamentally encrypt data. On the other hand, Brave does allow other search engines, perhaps you may like StartPage.

One more thing in regards to privacy, I once emailed one of them regarding how integrating one security solution would be detrimental providing evidence and reports about negligence and he’d removed it from the list of future extensions to be added. Furthermore he once said,

‘Nothing has been particularly decided on what will not be implemented, it’s really just a function of priority vs user signal & time/resources available.

In enabling a particular extension, there is some checking to make sure it doesn’t compromise user security or privacy.’

So I think we can trust the team to make the righteous decision in not including a particular extension if it is detrimental to users or they don’t stick to their principles on security and privacy.

In relation to the browser, naturally you’d expect quite a few faults with a new browser and you could argue that it is no longer new anymore but we should appreciate the fact that they have recently made a decision to remove a critical part of the browser in favour of something more efficient, which without argument many of us would concur that it should have been set in the beginnings of its development.

So they’re in the process now and have been for some period of deprecating their fork Muon which plays a huge part now in the front-end of Brave for a more efficient and reliable Chromium outlook to do away with plenty of concerns such as the ones you present and many more that Muon brings and probably will continue to bring if they don’t migrate.
Hopefully and I’m sure it’s more likely because of this decision they could put more of their efforts in actually competing with the other top 3 major browsers and I honestly believe that they could and will.

Here’s a couple of links to keep you up-to-date of their latest development timeline before and just after v1.0 which believe it or not is sooner than you think.

Current milestone concerning current issue - https://github.com/brave/browser-laptop/milestones

If you’re still interested in looking into this, I created another similar topic in the following link including a Soundcloud link. Follow the description about which parts to stick to and I’m sure you’ll appreciate their efforts even though it doesn’t directly pertain to Brave - Is Mozilla’s new Quantum engine not an option anymore?


#3

And which browser do you use that it is more secure?

Do you use a Chromium-based browser? Well, any Chrome-based browser (with Brave as an exception) phones Google servers. If you use Opera it will be worse, since people have mentioned how it even phones to China servers besides Google servers.
Firefox? The ones that make the telemetry opt-out, so many computers are giving information because they only installed it and started using it without reading that?
Waterfox? Well, still a Firefox fork without the telemetry thing, but they partnered with Ecosia, the ones that garbage talk about “saving earth” and “planting trees” which is a complete lie, and do you know who gave money to Ecosia? Microsoft.

So which search engine do you use? It’s not like you have to use DuckDuckGo, I mean, the default is Google and you change to whatever you want. In the end, you use a search engine, they will have some of your information. Do you really think the US is the problem here? The whole world doesn’t care about you and your privacy, any government anywhere in the world is against you as a citizen. They try to get and suck and leech on your money and privacy and life and anything because that’s how politicians and governments are regardless of the ideology they profess and the promises they make.

Also as I understand the extensions you see integrated on Brave aren’t really integrated but more like a temporary workaround until Brave brings full support for Chrome extensions but without the code that calls Google servers and gives information to Google. So as long as Brave doesn’t phone Google servers as they promise when they bring all Chrome extensions, then everything would be better than other browsers.
But I am sure people will end up installing extensions that will not be good for them, or extensions that will break privacy and share too much information, how can you control what people do? Bringing support for most extensions would be easier and better than waiting 80 years for the Brave team to implement extensions in Brave.

But you gotta question: can you really trust anyone? How can you even trust the Brave team? I try, and that’s what I am using it. But what if they show the same “garbage” that other Silicon Valley companies have shown? Where can we go? I am still using and liking Brave. And I think it has a better privacy future for people (I hope) than any other browser.


#4

As far as I know Pocket or password managers are not enabled by default. It is the user’s choice if needed.
DDG is AFAIK best in terms of respecting privacy among the search engines available. It does not store our searches. I guess. So no need of giving details to others. DDG also provides the Privacy Essentials add-on, which takes care of trackers.

But other than Brave I use Firefox + uBlock Origin + HTTPS Everywhere + Privacy Badger + Decentraleyes + Cookie AutoDelete.

But yes. You are right. It is still maturing. Waiting for v 1.0.
Thanks
Nellai


#5

Thank you all for the response.

I have to use (unfortunately) Firefox. The great thing about Firefox is that I can disable all the anti-privacy junk through about:config. It takes about an hour to go through and undo the settings, but it’s worth it. Also, I use a minimum number of extensions:

  • uBlock Origin
  • Decentraleyes
  • Privacy Badger
  • HTTPS Everywhere
  • Popup Blocker Ultimate

After that I use settings from user.js, developed by pyllyukko, which I enter manually. Most people would not believe how much these browsers actually do to track us, and it seems that Brave is right there with them; of course, the developers label it “convenience”, but the fact remains that the amount of data they can, and do, collect is scary.

I found that Brave contacted Amazon servers instead of Google, and for me, that’s a problem. I posted that information late last year and never got a satisfactory answer about default DNS settings and why it was contacting Amazon. I posted my Wireshark results in that discussion.

@Numpty Thank you for the links, I will definitely look into them.

@nellaiseemai For me, many of the settings were enabled by default, I had to explicitly disable them. I should have taken screen shots, but I didn’t think about it then, I was just shocked that I had to do that. My search engine is:

https://eu.startpage.com

I’ve emailed people at startpage and have gotten replies within days, sometimes the same day and once from the CEO when I was asking questions about security, funding mechanisms, etc. I have never, not even once, received an email back from DDG. And, I asked them the same questions.

For Brave to be my daily driver, I would need a way to verify that all the crap technology is actually disabled (webgl, webrtc, beacons, pings, telemetry, etc). I can do that in Firefox through about:config. And, I understand that I am trusting that they’re not hiding anything, but I can verify the frequency and amount of information sent through ethernet sniffing, if not the content. Right now, I just have to trust the Brave/Chromium base, and so far, I cannot, though I am hopeful.

Maybe I will try to contact a developer and see what they plan and if it works for my idea of privacy, like I did with search engines and other software (I’ve contacted Mozilla about Firefox several times over the years). Thinking about it, DDG is the only company from whom I’ve not received an answer… I hope the Brave developers are not like that…
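
The check described in the post above (confirming in a Firefox profile that WebRTC, WebGL, beacons, pings and telemetry are switched off) can be scripted against the profile's `user.js` or `prefs.js`. This is an added example, not part of the thread and not any poster's file; the expected-value table and the sample profile text are constructed assumptions.

```javascript
// Expected values for a hardened profile (an assumption for this example,
// covering only the features named in the thread).
const EXPECTED = {
  "media.peerconnection.enabled": false, // WebRTC
  "webgl.disabled": true,                // WebGL
  "beacon.enabled": false,               // navigator.sendBeacon
  "browser.send_pings": false,           // <a ping> hyperlink auditing
  "toolkit.telemetry.enabled": false,    // telemetry
};

// Parse user_pref("name", value); lines into a Map.
// Handles booleans, integers and strings; ignores // and /* */ comments.
// Limitation: a "/*" inside a string value is treated as a comment start.
function parseUserPrefs(text) {
  const prefs = new Map();
  const withoutBlocks = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of withoutBlocks.split(/\r?\n/)) {
    if (/^\s*\/\//.test(line)) continue;   // commented-out pref: not applied
    const m = re.exec(line);
    if (!m) continue;
    prefs.set(m[1], JSON.parse(m[2]));      // a later line overrides an earlier one
  }
  return prefs;
}

// Compare parsed prefs with the expected table and report every deviation.
// "unset" means the file does not pin the pref, so the browser default applies.
function auditPrefs(text, expected = EXPECTED) {
  const prefs = parseUserPrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    if (!prefs.has(name)) {
      findings.push({ name, status: "unset", want });
    } else if (prefs.get(name) !== want) {
      findings.push({ name, status: "mismatch", want, got: prefs.get(name) });
    }
  }
  return findings;
}

// Constructed sample input (not taken from any real profile).
const SAMPLE_USER_JS = `
// hardening attempt
user_pref("media.peerconnection.enabled", false);
user_pref("webgl.disabled", false);
/* user_pref("beacon.enabled", false); */
user_pref("browser.send_pings", true);
user_pref("browser.send_pings", false);
// user_pref("toolkit.telemetry.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
`;

for (const finding of auditPrefs(SAMPLE_USER_JS)) {
  console.log(`${finding.status.padEnd(8)} ${finding.name} (want ${finding.want})`);
}
```

A clean audit only shows what the file requests; the traffic capture mentioned in the post is still what confirms what the browser actually sends.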


#6

It would be really interesting if you don’t mind sharing what are the things you normally change on Firefox from the about:config page.
I would like to do that as well if possible.

Probably it is not the correct forum to talk about that. But since Brave is a browser which focuses on privacy I guess the developers won’t mind.

AFA Brave is concerned,
To me the addons which are enabled by default are PDF viewer and Torrent viewer. I disable Torrent viewer myself. Plus WebRTC I enable Disable non-proxied UDP. I also disable “show top site suggestions”, “send anonymous feed back”, “hardware acceleration”. “strict site isolation” is not mature enough to enable.

Thanks
Nellai


#7

@nellaiseemai Absolutely, I’ll put together something here today and post what I have. I believe Brave could/would benefit from at least studying if not implementing some of the security issues solved by Firefox’s about:config changeability.


#8

Well my situation was like I was deciding which browser to install, I use(d) Edge Browser (because to be honest, the only way to try to have some privacy is by not being on internet) but Facebook wasn’t working so I couldn’t comment on live streams, so I thought I would find a 2nd browser while it was fixed.
Thought about Vivaldi, Opera and then saw it was pretty much the same as using Chrome with a different skin, then I thought about Firefox and Waterfox but I don’t even like Mozilla and never liked how slower it is compared to other browsers and how Flash doesn’t even work well on it. Then I remembered about Brave, which I installed when it pretty much came out years ago, and I remembered about Brendan Eich and how/why Brendan Eich left Mozilla, so that was my reason to install it and not others, a political reason lol.

I still like Brave, but I have had many problems playing videos and accessing some websites because adblock seems to block a lot of things, more than it should and we don’t have much control over what it does or not.

I hope Brave can deliver what they promise but still give all the features we need, I hope they even let us add our own adblock filter lists or something. I don’t know if they will do it, but I guess we can say that it’s still a beta product and maybe when it hits 1.0 we will have a complete (almost) bug free experience and we’ll all be happy, so I am giving the benefit of the doubt.

But I have seen more and more reports of brave privacy and what it may send and where, Amazon sounds awful to me, I wonder why it does that. But I have been dubious about this browser as well since couple days.

I might go back to Edge, in the end, even if I dislike Microsoft and what they stand for, it’s what works for me most of the time. It’s not like any browser will give a crap about our privacy, and what can we do? Unless we disconnect from the internet we won’t gain any privacy ever. And if I can’t stand Microsoft (and I was using Bing and Edge), I can’t stand way less Google or Mozilla. So I wish Brave would be different and more transparent but as I have seen on many talks, that doesn’t seem to be the case. But let’s wait and see.

I guess I will try startpage, I would rather support something better than DDG only because I don’t use Bing anymore.


#9

Vivaldi and Opera are based on Chromium which is open-sourced. But still Vivaldi and Opera are proprietary. I like Vivaldi the most among all the Chromium-based browsers (Opera, Yandex, Epic, Comodo Dragon etc).
Firefox Quantum is really responsive to me. It is as fast or even faster than Chrome.

But of course I understand browser usage is personal decision.

Thanks
Nellai


#10

Even though we have little privacy when we go on the net, it doesn’t have to be that way. Do you close your blinds when you change your clothes? Do you lock your house door and/or car door? Do you not want the public to see your medical records? There are strong arguments for increased privacy and security.

Your data are more valuable than you, perhaps, know. What they can reveal about you as a person can be intimate and fairly accurate. Bob the Accountant who lives in Dakar has absolutely no right to my information; although that individual is fictional (maybe?), it illustrates the point that these people who intrude upon your very being are just that: people, with all the good and bad that implies. Historically, governments and large corporations have NOT been a trustworthy vehicle to house your information. And, because of that, we should fight every last breath we have against such intrusion.

I’m starting to lose hope on Brave. For months, I was excited, but with no real answers to security questions, it seems as if this is just another money-making scheme to make a few more jet/house/kids’ college tuition/mistress-lover payments. I posted earlier today where Brave had the beacon and ping set up to where they find every device that’s connected to your network. Still no answer on that one :confused:


#11

First off, thanks to everybody - I appreciate all the hints and info posted here!

TIA - just so you know that Nellai isn’t the only one interested in this.

Privacy concerns were my main reasons to try Brave and, well, I feel that it has some way to go yet… but I keep my hopes up.
I have been using Palemoon until some trouble with the NoScript add-on arose. I’ve rather turned to Waterfox instead but I can’t say that Waterfox is now my main browser. Haven’t tried Firefox Quantum yet - my trust in the Mozilla Corporation is rather low these days…

Vivaldi… I kicked it from my system when I noticed that it phoned home every day, even when I didn’t use it, which means that a part of it runs in the background of a Windows system. That’s a big no-no for me.

Opera… I wasn’t aware that new Opera contacts servers in China, wtf :frowning: (I’m not using it, I still have old Opera 12 and use that for certain purposes.)

It’s somewhat configurable in theory, at least you can switch on or off different lists and add your own rules, but…

Yes, that’s my major problem with Brave in general as it is now: Little control over what it does.

Since several browsers were mentioned, what about Chromium itself?

Something crazy, but worth mentioning to see an extreme solution: Cyberdragon is the most privacy-aware web browser I know of, to the point that it’s quite inconvenient to use - it doesn’t remember anything at all, no passwords, no cookies, no sessions - the problem is browser-fingerprinting because it’s so rarely used.

+1

+10
It seems to be always a trade between convenience and giving away info that you’d rather not but I find myself moving more and more into the direction of inconvenience & higher privacy than in the other direction.

(Link to your post about that inserted into the quote by me.) That looks just crazy, I can’t imagine any (benevolent) purpose behind such a thing.


#12

I’m still waiting for an “open bookmarks” icon next to the home, reload page and add bookmark icons. A year has gone and still we don’t have it. All other browsers have an open bookmarks icon that opens an overlay window you can scroll with all your bookmarks. All of them except Brave. I don’t understand the logic behind it since they already have that overlay bookmarks window if you activate the menu top left. The text “bookmarks” will have that function. Why not translate it to a small icon so we can turn off the menu and the ugly bookmark icons that clutter the whole top?

Security/privacy is also at the top of my list. I know you can’t trust anything and Tor I haven’t even used because wasn’t that made by the US govt? So how do I know I’m private/safe while using it? What I’m going to do is getting one of the best VPNs out there. The only company that has their own hardware in a bomb bunker in a mountain underground. No logs, no USB connected, no drives or nothing. They even have a court fund set aside from the money they get so that IF a customer is being targeted then they will do everything they can to fight that with you. So far that has never happened and they have been in business for many years. Thanks though for your post. It’s getting more and more important that we have privacy since the west is turning more and more authoritarian, and free speech is being trampled on among other things.


#13

Yeah and there are asteroids out there. I mean what is Brave doing about that?


#14

see https://www.darknet.org.uk/2017/03/lastpass-chrome-extension-leaking-passwords/

So an extension had a bug that was found and fixed 16 months ago and it still upsets you today?
Sounds like you need to put your computer in the microwave oven and turn it on high.


#15

It actually took a couple of days, but I put together a user.js that I normally do by hand in about:config. Here’s the file, like anything, please take a look and use what works for you.

@nellaiseemai

I apologize it took a little longer than I thought, but hopefully there are some good things you can use there.


#16

@sd992

Wow!

Thank you very much! You deserve virtual :beer: for sure! Or two: :beers:


#17

Alright.
1.

If privacy & security is the only concern, I don’t see why a user would look for anything except Tor. Just disable all scripts using either NoScript or About:config & you’re fine to go.

Why is this response so satisfying :

Also, did anyone try the open source searx.me search engine?

I’m 18 y/o and so far, I haven’t seen a single piece of software or automated service that doesn’t have security loop holes or bugs.

Relying on a VPN company rather than Tor. So you’re telling me, you would avoid an open source material that the top activists, hacktivists & cyber journalists use, just to rely on a service that is provided by a completely third party company and their assets you don’t really know how they operate or who they are secretly in ties with & who can access their servers through which your traffic is going or what kind of encryption mechanism they use or how often they change the keys and you really do believe a VPN company, let’s say worth $10 million, will stand to defend a single user against an agency that is backed by a government of whole nation. Looks like you haven’t been active in this cyberspace thoroughly because well-known VPN companies THAT CLEARLY CLAIMED TO HAVE “A STRICT NO LOG POLICY” (ON THE WEBSITE AS WELL AS IN THE PRIVACY POLICIES IN BOLD LETTERS) HELPED NATIONAL AGENCIES TO TRACK DOWN INDIVIDUAL CRIMINAL SUSPECTS. Trust me @Numpty knows about this just as much as I do about such cases of VPNs. We both had a nice & long back&forth conversation about this topic. No offense mate, but VPN over Tor, not a smart move.

This guy needs an Oscar :heart:

Opera is a privacy nightmare. Hands down.
Yandex, operated in Russia and “We Cooperate With Any Legal Agencies To Avoid Frauds”. Do I need to say anymore?
Browsers like UC & CM are nowhere to be mentioned in a thread related to privacy. I guess we all know how those companies work.
I tried using a browser called dooble when I was about 13. Didn’t really like it. Thought it was complicated back then. At least for me.
Remaining are Google Chrome, Firefox, Chromium, Brave and minors like Comodo Icedragon or Comodo Dragon or Avant or proprietary browsers that come packed with Antivirus. Let’s eliminate the minor ones since the chances are, less people use such browsers & hence less chance of discovering hidden vulnerability. Back to main browsers, we got Good ol’ Google’s Chrome. Since this thread is about privacy, let’s eliminate Chrome. Next comes Firefox. Now if what I believe is true then Firefox is HIGHLY Customisable with respect to better privacy, hardening security & to be easy on resources. Just like @sd992 said, open the about:config & begin the magic. I’ve been using Firefox for a long time & I do agree with what @Emi had to say about Mozilla but a little bit of tweaking & you’re ready to run with a highly secure & private browser. Moreover, extensions like NoScript, Privacy Badger & uBlock Origin + “Always Use Private Browsing” enabling does the trick of making the browsing experience smooth & sluggish free. Again. That was my personal view, just an opinion.

I differentiated Privacy & Security into 2 different sections in this thread. You might wanna have a look. You won’t regret it :slight_smile: :

Coming back to Brave. Users need to understand that Brave is a relatively new browser made from the guys with a specific vision. Bugs and a little inconvenience is expected since not all the features that users expect are available as Brave barely has about 100 employees (including Devs I believe). Chrome Firefox Opera have been in this game for years. So can’t really fight on that. Speaking of security, yes, Brave does lack some stuff like better malware & phishing protection. A well built exploit can be executed & chances are, Chrome would block it & Brave wouldn’t just because it lacks capabilities to detect & neutralise malicious payload like Chrome or Firefox or Opera do. That’s definitely an issue but I’m sure Devs would sooner or later find a solution about this because I trust them & I have a lot of hopes with the Brave Devs. And
Yes. Extensions are major threats. Which is why Brave has minimal amount of extensions that have cleared a numerous amount of tests that an extension has to go through to make it to the Brave store. These include verification of their privacy policy. But the chances of exploiting the extension to deliver malicious payload still remains.


#18

Brave doesn’t state that they will do anything about asteroids; however, they DO state that they are in the browser business. Not only are they in the browser business, they purport to be in the secure browser business.

Strawman argument aside, people like me are helping Brave; I could just move on and continue to use an inferior product (i.e., Firefox), but, I have hope that Brave can straighten their act out and provide some concrete privacy/security enhancements in their browser.


#19

Sounds to me like the fat lady has sung? :rofl:


#20

Alright. First of all, People who recommended Opera as a “Privacy Focused Browser” should really surf the internet a little bit.