How secure is Brave, being based off Chromium?


#1

I’m interested in adopting Brave as a primary browser; right now, after Firefox Quantum (which I can’t stand), I started using Pale Moon; however, there are security concerns. So, somebody at Void Linux forums suggested Brave.

My questions are:

  1. Does Brave contact Google automatically and at different periods, like Chromium, without the user’s permission? From research I’ve done, all Chromium-based browsers automatically contact Google.

  2. Are there ways to address, disable or modify webrtc, webgl, prefetch, etc? Basically, are there ways to disable any IP leak possibilities?

  3. Is there a way to step up ad protection? I tried visiting an ad-heavy page in Brave and in Pale Moon with massively different results.

  4. How intertwined is Brave’s code base with Chromium? According to one review I read, Brave suffers from the WebRTC leak problem, since it is based off Chromium.

  5. Can one get rid of the unused search engine options? I have DuckDuckGo selected and do not need or want the other search engines. In Firefox, I was able to completely delete the unused search engines entirely. Is there a way to do this in Brave?

Thank you in advance for your help.


#2

Hi @sd992,

No. Brave is based on Chromium, yes. But it has no Google code (account, sync, etc.) that can phone home. Brave is open source; you can see the code here: github.com/brave

Will cc @suguru for an answer. And Brave has nothing similar to about:config yet, IIRC.

You can add a custom filter. Type about:adblock in the URL bar and navigate to the bottom of the page.

Also cc-ing @suguru

Not at this time. But there’s an open issue to give users the ability to edit/add search engines. So, I think, in the future, yes. :slight_smile:


#3

Hi @sd992, I too would also like to ascertain this further. I think without a shadow of doubt that the team takes security with the utmost precaution, which is why they’re on such programs as HackerOne, though I don’t think they’re on BugCrowd.

They always push the latest Chromium build into the next releases, and you’re probably aware of this already, but to answer one part of your second question, I’m under the understanding that WebRTC is blocked by default with ‘Fingerprint Protection’ on.

Regarding ad protection and tracker, to be quite honest they certainly need to improve upon tracker and ads because I too notice huge differences in blocks compared to uBlock Origin. I’ve mentioned this also before but I wish Brave users don’t greatly demand additional third-party blockers, however coherently, I can understand why they would.

Without going too off topic @sd992 I was wondering if you wouldn’t mind skimming through a topic I created which is in reference to your ‘…Firefox Quantum (which I can’t stand)’ which I’m surprised you would say because I personally noticed a positive difference on Quantum.


#4

Thank you for taking the time to address this; specifically, what I have read is that all Chromium-based browsers contact Google at the beginning due to a DNS setting. I found the reddit conversation that concerns this question.

Edit:
Okay, so I ran an ethernet sniffer to watch traffic as I opened Brave and it contacts Amazon for DNS, not Google. That brings up another question:

Can I change the DNS it uses? I don’t want any connection to Amazon in my browser, and definitely not Google. I have my DNS set on my systems and router, and Brave bypassed those. Specifically, it contacted: 66.70.211.246 DNS Standard Query 0x3d64 A s3.amazonaws.com
52.216.228.211 - this was contacted often during my capture sessions, as a “Hello” and then a ping (or, so it looks like).


#5

Anybody know if I can disable the DNS Brave uses or change it? There’s a reason I set my primary/secondary DNS on my router and desktop: I do not want large corporations watching what I browse and where I go online. Amazon can get all that information by being the primary DNS server. This is certainly not a secure or private way to browse the Internet.


#6

forgive the arrogance or heavy-handedness of my reply, but a browser is for browsing. For me, router-level security/blocking is the most elegant solution.

without outright telling you what to do as far as ad-blocking @Numpty, perhaps going and checking out ab-solution.info might give you some ideas/food for thought. the new amtm script makes it a breeze to set up all sorts of…well, you have options you can choose to exercise other than browser choice to optimize your internet experience to your taste

as far as DNS pings go @sd992, the link above might also give you some ideas/food for thought. (dnsmasq, dnscrypt)

I’ve taken my privacy and security a step farther by running both a VPN server and client on my router so that every client on my network needs credentials (even my mobile devices when I’m away from wifi), and their traffic is encrypted through the WAN-side tunnel, and ads are blocked to reduce traffic everywhere. brave as default browser w/ shields catches whatever ads slip past my router.

I’m simply telling you what works for me with the equipment I bought before learning any of this stuff. Luckily, there are people out there working on this stuff for people who share our privacy/security concerns who are willing to share their methods/techniques for free, but will gladly accept donations. Brave’s monetization vision is quite advanced, but until they’ve achieved a wider adoption, there’s this kind of thing.


#7

@heysoundude

Thanks for the reply. The problem is that the Brave Browser preempts my router & system DNS, and, so far, there doesn’t seem to be a way to change it in the browser itself. The only way I see to get around this is to set up a system proxy through which everything goes through 127.0.0.1 and is forwarded to a VPN; but, even then, the browser would still connect to Amazon, just through the proxy/VPN setup, rather than through my regular ISP. My problem is that it connects to Amazon, period, not how it connects to Amazon. If I have both a router and a system DNS, my software should respect that or, at the least, be configurable to respect my settings. If I had not run Wireshark, I would never have known that Brave connects to Amazon DNS.

I will definitely check out that solution.info site, I don’t think I’ve heard of that before. I appreciate the heads up.


#8

ab-solution.info
The main dev is highly accessible/responsive through his website contact, or here


#9

After seeing this, this morning, I started to track all my DNS queries. I never once saw Brave bypass my DNS settings during my normal browsing. I then disabled my DNS altogether (just set it to point back to 127.0.0.1), purged the DNS cache, and browser cache. If there was any override it would have been very clear.

I did see a lot of calls to s3-1amazonaws.com, but they were not DNS calls, but HTTPS calls. Probably a Telemetry ping back, Brave Payments, and/or Sync system. It did not once override my DNS settings. Which it does this a decent amount.

Which Ethernet sniffer were you using? Depending on the sniffer and how it’s set up and configured, it could easily be something else besides Brave that bypassed the DNS. As well, with the sniffer I was using, the program would get confused at times and label packets as packets from Brave when I knew for certain they were not.


#10

Wireshark; a few replies above, I detailed the exact IP address and the Wireshark line specifying the DNS query.

I ran the new Firefox and it respected my router/system DNS. I haven’t tried any other browser yet, like Pale Moon or Iron.

EDIT: I ran a VPN and it did not connect to Amazon; however, without the VPN, it immediately contacted Amazon for DNS, regardless of my system/router settings.

23 5.339104702 192.168.0.xxx 66.70.211.246 DNS 76 Standard query 0xb8d6 A s3.amazonaws.com

1582 38.712626391 192.168.0.xxx 66.70.211.246 DNS 101 Standard query 0xb2d8 A voidlinuxforum.s3-eu-west-1.amazonaws.com

As you can see from above, Brave used the Amazon-specific DNS to get me to Void Linux forums.

Here’s Firefox:

44 9.884552868 66.70.211.246 192.168.0.xxx DNS 132 Standard query response 0x9c19 ns0.opennic.glue

141 16.890797458 66.70.211.246 192.168.0.xxx DNS 281 Standard query response 0x3ef5 A voidlinux.eu A 148.251.199.115 NS c.dns.gandi.net NS a.dns.gandi.net NS b.dns.gandi.net A 173.246.98.1 AAAA 2604:3400:abca::1 A 213.167.229.1 AAAA 2001:4b98:abcb::1 A 217.70.179.1 AAAA 2604:3400:abcc::1
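
An added example, not part of any post in this thread: a small parser for Wireshark DNS summary lines like the ones pasted above, which separates the address each DNS packet was exchanged with (the resolver) from the name being looked up. The function names and the record-type list are assumptions made for this sketch; the last sample line is shortened from the post.

```python
import re
from collections import defaultdict

# Summary lines copied from the post above (client address was redacted there;
# the final response line is truncated after its first answer).
CAPTURE = """\
23 5.339104702 192.168.0.xxx 66.70.211.246 DNS 76 Standard query 0xb8d6 A s3.amazonaws.com
1582 38.712626391 192.168.0.xxx 66.70.211.246 DNS 101 Standard query 0xb2d8 A voidlinuxforum.s3-eu-west-1.amazonaws.com
44 9.884552868 66.70.211.246 192.168.0.xxx DNS 132 Standard query response 0x9c19 ns0.opennic.glue
141 16.890797458 66.70.211.246 192.168.0.xxx DNS 281 Standard query response 0x3ef5 A voidlinux.eu A 148.251.199.115
"""

# Columns: No., Time, Source, Destination, Protocol, Length, Info
LINE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query (?P<resp>response )?(?P<txid>0x[0-9a-f]+)\s+(?P<rest>.*)$"
)
RR_TYPES = {"A", "AAAA", "NS", "CNAME", "PTR", "MX", "TXT", "SOA", "SRV"}


def parse(line):
    """Return resolver, client and queried name for one summary line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    is_response = bool(m["resp"])
    # The first Info token that is not a record type is the name in question.
    name = next((t for t in m["rest"].split() if t not in RR_TYPES), None)
    return {
        # Queries go *to* the resolver, responses come *from* it.
        "resolver": m["src"] if is_response else m["dst"],
        "client": m["dst"] if is_response else m["src"],
        "is_response": is_response,
        "name": name,
    }


def names_by_resolver(text):
    """Group looked-up names under the resolver address that handled them."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            grouped[rec["resolver"]].add(rec["name"])
    return dict(grouped)


if __name__ == "__main__":
    for resolver, names in names_by_resolver(CAPTURE).items():
        print(resolver, sorted(names))
```

On these four lines every query and response is exchanged with the same address, 66.70.211.246; the Amazon hostnames appear only in the name column of the Brave queries.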


#14

It’s done by Akismet. Maybe it was the address=... that triggered it (or something else). To avoid this happening again, maybe you can wrap it in backtick quotes (`).

Also, this forum uses Discourse, not Disqus. :slight_smile:


#15

I’ll try that dnsmasq.conf, I took a look at that before, but wasn’t sure if blacklisting the DNS queries whether or not it would break Brave, or, would it then default to my system DNS. Guess the only way to find out is to try it and see what happens.

As for Void, do you have a link or citation for that claim? I found his Google+ page and the github for Void, but I couldn’t find anything else, such as what the developer does for work, for whom he works, etc.

I’ll post on Void’s forums, too. Don’t know what response I’ll get, but, again, won’t know until I try.


#16

Apparently your reply wasn’t approved? Did you have a link to support the Google connection to Void Linux’ developer?

Thanks, btw


#18

About the DNS, I posted what was captured above, I can only state what I witnessed. When I visited a website using Brave, a DNS query was sent to Amazon. Without Brave, the DNS query acted as expected.


#20

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.