I was testing Brave’s capabilities to defend against a malicious attack. The test procedure was divided into 2 halves:
Phase 1: I used 25 phishing & 40 malicious sites; both of these samples were fresh [as of 8th April & 9th April].
Nearly most of these samples were caught by third-party anti-malware engines like ESET, BitDefender, Kaspersky, Avira, QuickHeal, Emsisoft, TrendMicro & the list goes on [verified via VirusTotal]. Brave, on the other side, detected 3 phishing sites & 9/40 sites with malicious payload. Google phishing & malware protection provided by default in Brave was enabled while conducting the analysis.
Phase 2: Downloading malicious payload/script. I temporarily disabled the adblocking module & surfed across a couple of websites with malicious scripts [that Brave missed in the first place]. Most of these injected either adware + trackers & cryptomining scripts. I enabled the adblocking module again but unfortunately the damage had been done; even after the adblocking module was enabled again, the annoying pop-ups & banners followed across different tabs. CPU reached 96%+.
Most of these sites that contained malicious payload were blocked by ESET, Avira, Kaspersky, TrendMicro, BitDefender, QuickHeal, Emsisoft & Sophos.
The issue here is, there isn’t a permanent fix [yet]. Even if I hand over a bunch of sites I used during analysis, Brave shall block them, but tomorrow there will be another bunch of new malicious sites with the same payload, and Brave won’t be able to block these as they shall have a completely new signature & IP. There are hundreds of thousands of new malicious + phishing sites published every day & for a company that provides & grinds for browsing experience, it’s hard to manage a database for such threats, & trust me, protection from Google is practically useless since it has outdated signatures & doesn’t keep up with the threat protection.
So a permanent fix would be integrating a third-party antimalware engine or just using a DNS from an antimalware company that provides cloud protection & routing users’ requests through that DNS to filter out & block malicious sites. There are companies out there that might provide a free security engine for Brave if negotiations are carried out.
It wouldn’t make sense if the company that focuses on raw-burst privacy wouldn’t consider security as one of the main priorities. And by security, here I mean online security, excluding the bugs in browser code. Brave falls back in maintaining an optimal balance between privacy & security. And browsers have used third-party malware engines for better security against phishing & in-browser exploit prevention.
The version I used was the latest release [as of 11th April 2018, 13:00 UTC].
It’s just feedback/opinion/fact from my side.
Expecting a response from the devs on what they think about this.