Feedback: Is security a joke with Brave?


#1

Today, I downloaded Brave to check out the Tor integration and went through the settings dance, because no browser today, of which I am aware, respects privacy out of the box. I was disappointed to find some privacy nightmares in there.

Pocket integration: wow. If you’re not aware of Pocket, it’s something. I had a back and forth discussion with a PR member on this for a while and came away even more concerned. If you have questions, I suggest asking them, but don’t expect to get more than canned answers and propaganda. Otherwise, they were professional and polite.

DuckDuckGo: I’ve never received an answer, from DDG or otherwise, about why on earth people would trust this company for security. Their main offices are in the US and are, as such, required to comply with US law. Imagine a scenario where the US government, in the form of an alphabet agency, required them to turn on logs and provide tracking information. Is that a far-fetched scenario?

Extensions: Passwords and torrent viewer sum up those. Out of all the possible extensions available to help protect privacy, why those? See https://www.darknet.org.uk/2017/03/lastpass-chrome-extension-leaking-passwords/

Anybody that uses browser extensions to manage passwords is asking for trouble.

I was pleasantly surprised to find a way to disable WebRTC, thank you! That’s a step in the right direction. Now, if we had a way to minutely configure Brave like we do Firefox, I would switch in a heartbeat. As it is, though, I don’t know if Brave forbids pings, beacons, webgl, and a whole host of privacy-destroying browser technology.

Thank you for all the hard work. It seems that I will still have to pass on Brave as a daily driver; however, I’ll keep watching it to see if it will truly stand up for privacy. Oh, and almost forgot, Discourse doesn’t exactly protect privacy, either:

https://www.discourse.org/privacy


#2

Hi @sd992 I think it’s widely understood that Brave first and foremost is a browser company, but not created with the prospect of being just another browser company; the original founders and everybody (though I can’t speak for everyone) who has joined them, and users who continuously use the browser, appreciate their principle and notion as to why it was created.

In regard to the extensions/integrations, I think the handful that are currently available were included out of necessity temporarily, soon you’ll have many other carefully selected options to choose from and as for DDG, they have supported and contributed to open-source solutions greatly including critical security software and are trusted unlike many other similar services to never log personal information, tracking, IPs and other identifiable information and fundamentally encrypt data. On the other hand, Brave does allow other search engines, perhaps you may like StartPage.

One more thing in regard to privacy: I once emailed one of them regarding how integrating one security solution would be detrimental, providing evidence and reports about negligence, and he removed it from the list of future extensions to be added. Furthermore he once said,

‘Nothing has been particularly decided on what will not be implemented, it’s really just a function of priority vs user signal & time/resources available.

In enabling a particular extension, there is some checking to make sure it doesn’t compromise user security or privacy.’

So I think we can trust the team to make the righteous decision in not including a particular extension if it is detrimental to users or they don’t stick to their principles on security and privacy.

In relation to the browser, naturally you’d expect quite a few faults with a new browser, and you could argue that it is no longer new anymore, but I wish you’d appreciate the fact that they have recently made a decision to remove a critical part of the browser in favour of something more efficient, which without argument many of us would concur should have been set in the beginnings of its development.

So they’re in the process now, and have been for some period, of deprecating their fork Muon, which plays a huge part now in the front-end of Brave, for a more efficient and reliable Chromium outlook to do away with plenty of concerns such as the ones you present and many more that Muon brings and probably will continue to bring if they don’t migrate.
Hopefully, and I’m sure it’s more likely because of this decision, they could put more of their efforts in actually competing with the other top 3 major browsers, and I honestly believe that they could and will.

Here’s a couple of links to keep you up to date on their latest development timeline before and just after v1.0, which believe it or not is sooner than you think.

Current milestone concerning current issue - https://github.com/brave/browser-laptop/milestones

If you’re still interested in looking into this, I created another similar topic in the following link including a Soundcloud link. Follow the description about which parts to stick to and I’m sure you’ll appreciate their efforts even though it doesn’t directly pertain to Brave - Is Mozilla’s new Quantum engine not an option anymore?


#3

And which browser do you use that it is more secure?

Do you use a Chromium-based browser? Well, any Chrome-based browser (with Brave as an exception) phones Google servers; if you use Opera it will be worse, since people have mentioned how it even phones China servers besides Google servers.
Firefox? The ones that make the telemetry opt-out, so many computers are giving information because they only installed it and started using it without reading that?
Waterfox? Well, still a Firefox fork without the telemetry thing, but they partnered with Ecosia, the ones that garbage talk about “saving earth” and “planting trees” which is a complete lie, and do you know who gave money to Ecosia? Microsoft.

So which search engine do you use? It’s not like you have to use DuckDuckGo, I mean, the default is Google and you change to whatever you want. In the end, you use a search engine, they will have some of your information. Do you really think the US is the problem here? The whole world doesn’t care about you and your privacy, any government anywhere in the world is against you as a citizen. They try to get and suck and leech on your money and privacy and life and anything because that’s how politicians and governments are regardless of the ideology they profess and the promises they make.

Also, as I understand, the extensions you see integrated in Brave aren’t really integrated but more like a temporary workaround until Brave brings full support for Chrome extensions but without the code that calls Google servers and gives information to Google. So as long as Brave doesn’t phone Google servers, as they promise, when they bring all Chrome extensions, then everything would be better than other browsers.
But I am sure people will end up installing extensions that will not be good for them, or extensions that will break privacy and share too much information. How can you control what people do? Bringing support for most extensions would be easier and better than waiting 80 years for the Brave team to implement extensions in Brave.

But you gotta question: can you really trust anyone? How can you even trust the Brave team? I try, and that’s why I am using it. But what if they show the same “garbage” that other Silicon Valley companies have shown? Where can we go? I am still using and liking Brave. And I think it has a better privacy future for people (I hope) than any other browser.


#4

As far as I know Pocket or password managers are not enabled by default. It is the user’s choice if needed.
DDG is AFAIK best in terms of respecting privacy among the search engines available. It does not store our searches. I guess. So no need of giving details to others. DDG also provides the Privacy Essentials addon which takes care of trackers.

But other than Brave I use Firefox + uBlock Origin + HTTPS Everywhere + Privacy Badger + Decentraleyes + Cookie AutoDelete.

But yes. You are right. It is still maturing. Waiting for v 1.0.
Thanks
Nellai


#5

Thank you all for the response.

I have to use (unfortunately) Firefox. The great thing about Firefox is that I can disable all the anti-privacy junk through about:config. It takes about an hour to go through and undo the settings, but it’s worth it. Also, I use a minimum number of extensions:

  • uBlock Origin
  • Decentraleyes
  • Privacy Badger
  • HTTPS Everywhere
  • Popup Blocker Ultimate

After that I use settings from the user.js developed by pyllyukko, which I enter manually. Most people would not believe how much these browsers actually do to track us, and it seems that Brave is right there with them; of course, the developers label it “convenience”, but the fact remains that the amount of data they can, and do, collect is scary.

I found that Brave contacted Amazon servers instead of Google, and for me, that’s a problem. I posted that information late last year and never got a satisfactory answer about default DNS settings and why it was contacting Amazon. I posted my Wireshark results in that discussion.

@Numpty Thank you for the links, I will definitely look into them.

@nellaiseemai For me, many of the settings were enabled by default, I had to explicitly disable them. I should have taken screenshots, but I didn’t think about it then, I was just shocked that I had to do that. My search engine is:

https://eu.startpage.com

I’ve emailed people at startpage and have gotten replies within days, sometimes the same day and once from the CEO when I was asking questions about security, funding mechanisms, etc. I have never, not even once, received an email back from DDG. And, I asked them the same questions.

For Brave to be my daily driver, I would need a way to verify that all the crap technology is actually disabled (webgl, webrtc, beacons, pings, telemetry, etc). I can do that in Firefox through about:config. And, I understand that I am trusting that they’re not hiding anything, but I can verify the frequency and amount of information sent through ethernet sniffing, if not the content. Right now, I just have to trust the Brave/Chromium base, and so far, I cannot, though I am hopeful.

Maybe I will try to contact a developer and see what they plan and if it works for my idea of privacy, like I did with search engines and other software (I’ve contacted Mozilla about Firefox several times over the years). Thinking about it, DDG is the only company from whom I’ve not received an answer… I hope the Brave developers are not like that…
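
The verification post #5 asks for, sketched for the Firefox side as an added example (not code from the thread or from pyllyukko's user.js): it audits a user.js or prefs.js file for the five features named above. The preference names are real Firefox prefs; the function names and the sample file contents are constructed for illustration.

```javascript
// Real Firefox preference names mapped to the value that disables the feature.
const EXPECTED = {
  "media.peerconnection.enabled": false, // WebRTC
  "webgl.disabled": true,                // WebGL
  "beacon.enabled": false,               // navigator.sendBeacon
  "browser.send_pings": false,           // <a ping> hyperlink auditing
  "toolkit.telemetry.enabled": false,    // telemetry
};

// Parse user_pref("name", value); lines. Commented-out lines do not match,
// and a later line overrides an earlier one, as when Firefox reads the file.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    let value;
    try { value = JSON.parse(m[2]); } catch { value = m[2]; }
    prefs[m[1]] = value;
  }
  return prefs;
}

// One finding per expected pref: "ok", "mismatch", or "unset".
function audit(text) {
  const prefs = parsePrefs(text);
  return Object.entries(EXPECTED).map(([name, want]) => {
    if (!(name in prefs)) return { name, status: "unset" };
    const status = prefs[name] === want ? "ok" : "mismatch";
    return { name, status, got: prefs[name] };
  });
}

// Constructed sample file, not taken from any real profile.
const SAMPLE = `
// privacy overrides
user_pref("media.peerconnection.enabled", false);
user_pref("webgl.disabled", true);
user_pref("beacon.enabled", true);
// user_pref("browser.send_pings", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("beacon.enabled", false);
user_pref("webgl.disabled", false);
`;

for (const f of audit(SAMPLE)) console.log(f.status.padEnd(9), f.name);
```

A pref reported as unset falls back to the browser default, so the file alone does not prove the feature is off; about:config shows the effective value.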


#6

It would be really interesting if you don’t mind sharing what are the things you normally change on Firefox from the about:config page.
I would like to do that as well if possible.

Probably it is not the correct forum to talk about that. But since Brave is a browser which focuses on privacy I guess the developers won’t mind.

AFA Brave is concerned,
To me the addons which are enabled by default are PDF viewer and Torrent viewer. I disable Torrent viewer myself. Plus, for WebRTC I enable “Disable non-proxied UDP”. I also disable “show top site suggestions”, “send anonymous feedback”, “hardware acceleration”. “strict site isolation” is not mature enough to enable.

Thanks
Nellai