Open discussion: Brave: the good, the bad and the ugly

For everyone curious and learning about Brave. This is a little feedback from what I’ve been learning about Brave.

The good

  1. It looks like it has nice engineering regarding privacy (source1, source2)
  2. Fingerprint randomization
  3. The integration of an adblocker written in Rust right in the core of Brave outperforms any other browser (even Chrome and its Chromium-based friends) regarding page load speed and memory consumption. This February 2020 benchmark shows just that
  4. Wayback Machine integration
  5. Private window with Tor integrated
  6. Disruptive approach to how web ads are monetized with BAT
  7. Great effort at un-Googling Chromium
  8. (and many others)

The bad

  9. No clear SLA, advisories or policies regarding security vulnerabilities
    EDIT: changelogs will include security fixes in the future
    EDIT2: more clarifications here and here

  10. Some studies/news seem to be biased. For example, the study that finds Brave to be the most private browser tends to question how Brave chooses relevant ads and is still private:

A truly stunning level of corruption in this reporting – Chrome gets brutally firewalled and they call it “out of the box”. Brave happily builds a local database that gets transmitted when it updates its advert repository and that just gets graciously ignored. They never even look for stealthy transmissions a la curl either.

EDIT: it looks like this comment is a false claim

  11. No sync support for a long time. It looks like the team doesn’t have enough resources to make such an important feature happen quickly

The ugly

  12. Another step towards a monopoly of Chromium-based web browsers

  13. Despite all the privacy implementations it was removed from privacytools.io
    EDIT: explanation here

  14. Brave is also funded by a member of the Facebook Board of Directors who also heads Palantir Technologies, a private American software company that specializes in big data analytics, which contradicts everything that Brave says it is defending source

  15. Brave rewards can’t be used by private individuals:

You may not access or use our Services if
(a) you are using our Services for personal, family or household purposes
(in BAT terms of service)

EDIT: this is also a false claim. source

Hope this article doesn’t contain too many false claims.
Happy browsing.

P.S. I love the images of the new page :slight_smile:

4 Likes

I have a feeling there will be more bad and ugly than good. IMO

2 Likes

No. 15 sucks. Why the corporate bias? What is the motivation for something that is likely to drive people away regardless of the vagueness of the terminology?

What clown dreamed this one up?

2 Likes

Edited first post with new information debunking points 10 and 15

2 Likes

Thanks,

https://old.reddit.com/r/brave_browser/comments/ffcix2/-/fk2zuuc/ includes:

  • a link to the Internet Archive blog post by Mark Graham
  • off-topic links to comparable extensions for Firefox, one of which is developed by the Internet Archive and Mark Graham.

1 Like

I noticed Brave is offering me to use Google Translate and Google’s push notifications in their browser, which I don’t understand. Brave is talking about privacy, beating Google, etc, so it doesn’t really make sense?

1 Like

Not integral to the browser, it’s an extension:

For in-page translation of entire pages (without opening a separate tab): you’ll probably find that Google’s extension sometimes, or often, succeeds where alternative methods fail.

Alternatives

An extension from NewTranx Information Technology. For Firefox:

– and for Chromium-based browsers:

Unfortunately, the product in the Chrome Web Store fails to install with both Google Chrome and Brave Browser. There’s an alternative version (probably inferior) at http://www.newtranx.com/Home/Index/index/id/8.html?l=en-us but this, too, cannot be installed.

Also

2 Likes

re: security policy, this is linked on brave.com and various other places: https://hackerone.com/brave. could you amend your claim that there’s no security policy or suggest how it could be clearer?

4 Likes

Thank you @yan . The HackerOne initiative is awesome. Didn’t know about that. I saw that people are engaging on that platform, but the reports didn’t result in any advisory?

And you never see any mention of the security fixes in the release notes either?

If Brave is affected by a vulnerability, according to the public release notes or GitHub I can’t know if I was affected and if it is fixed in a newer release.

3 Likes

With the browser itself as the starting point, I thought first of About Brave:

No mention there, so I followed the direction from that page to help – where (unless I’m missing something) seeking security does not find what’s required. So maybe add something with a suitable title that can be found in the help centre.

1 Like

There’s much to like/love about PTIO however, with respect to all concerned:

There are signs of unconscious bias and occasional prejudice – maybe not overt at https://forum.privacytools.io/ or in GitHub, but I have seen enough elsewhere for me to believe that their decision-making processes might be not entirely respectable.

Suspicions, bias and prejudice are, to some degree, human nature (my own bias: Firefox and Waterfox). However: where such things have an unacceptably negative effect – e.g. on a decision to de-list, or mis-portraying something as a sell-out – it becomes reasonable to point the finger of suspicion back at the individuals, or groups, who passed judgment.

Distrust breeds distrust. Suspicion breeds suspicion. There is, I believe, a filter bubble of sorts at PTIO.


Off-topic from Brave Browser, for a moment, consider this:

it’s a shame that this company which has done such good work for users is being dragged through the mud.

– I wholeheartedly agree; the treatment of Startpage.com was, and is, somewhat shameful.

Nearly everything that followed the comment about shame was entirely off-topic from the de-listing – and flagged as off-topic – but none of the OT commentary has been hidden (as can be done, quickly and easily, with Discourse).

A suspicious person might claim that it’s easier to have off-topic, deflective commentary than to address shameful behaviour.

Refocusing on Brave. Echoed from https://old.reddit.com/r/privacytoolsIO/comments/f83jvd/brave_browser/fimc2um/, with added emphasis:

the Brave guys requested directly to the PTIO team remove Brave from the website.

True, but that was explicitly in response to complaints and/or trolling about Brave as a result of it being listed on privacytools.io. Neither a mid-point in the big picture, nor the entire picture, and the pull request was closed, not merged.

A more relevant point of reference might be https://github.com/privacytoolsIO/privacytools.io/pull/1169#issue-308265812 (merged).

Looking back, AFAICT the addition was in response to a 2016 tweet from Yan Zhu (Chief Information Security Officer), who helped to build HTTPS Everywhere.

At a glance: Brave responded positively to both pull requests.

2 Likes

thanks for the suggestion! i asked our release team going forward to make sure security issues get into the changelogs. for now, you can see fixed security issues by going to https://github.com/search?o=desc&q=org%3Abrave+label%3Asecurity&s=created&state=closed&type=Issues.

4 Likes

re: privacytools.io, we actually requested ourselves be removed because we couldn’t support the large volumes of complaints/questions that resulted from us getting listed. you can see this thread: https://github.com/privacytoolsIO/privacytools.io/pull/657

4 Likes

Perhaps my comment about Google Translate wasn’t fully clear.
What I meant to say: the Google Translate extension sends all input to Google (duh). This input is being used by Google in more ways than just translating it, we all know that. So, this is a privacy concern. I think it is not fair that Brave is offering to install the Google Translate plugin, because users will easily download it, while there are plenty of privacy-friendly alternatives.

1 Like

What are the privacy-friendly alternatives?

1 Like

A few days ago a cross reference was created from Google Translate and Translate this page … does Translate this page work for you?

About security, here’s an example of why it is not transparent and why there isn’t any kind of SLA or KPIs for security releases.

Brave just released V1.5.113 a few hours ago. Changelog is the following:

Release Notes V1.5.113

  • Upgraded Chromium to 80.0.3987.149. (#8728)

Chromium 80.0.3987.149 was released two days ago (!!) and the changelog is the following:

  • [1051748] High CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri on 2020-02-13
  • [1031142] High CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2019-12-05
  • [1031670] High CVE-2020-6425: Insufficient policy enforcement in extensions. Reported by Sergei Glazunov of Google Project Zero on 2019-12-06
  • [1052647] High CVE-2020-6426: Inappropriate implementation in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-02-16
  • [1055788] High CVE-2020-6427: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-02-25
  • [1057593] High CVE-2020-6428: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
  • [1057627] High CVE-2020-6429: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-02
  • [1059349] High CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie Silvanovich of Google Project Zero on 2020-03-06
  • [1059686] High CVE-2020-6449: Use after free in audio. Reported by Man Yue Mo of Semmle Security Research Team on 2020-03-09

Two full days (looks a little too much) to release such high-impact security fixes (should it be released in a maximum of 24 hours? 48? is there any metric?), plus no reference to any security fixes in the official changelog.

Unless I google it, by just reading the Brave changelog I have no idea of the fixes (or whether I was exposed and, in case I’m waiting for a fix for a known vulnerability, whether it was deployed).
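The gap described above is exactly the kind of mapping a defender ends up doing by hand: which CVEs from the upstream Chromium stable post does a given Brave release inherit as fixed? This added example (not code from the thread or from Brave) parses the Chromium security-note line format quoted above and checks it against the Brave changelog line; the sample lines are constructed from the ones quoted in this post, and the `min_severity` filter is an assumed convenience.

```python
import re

# Constructed sample input: three of the Chromium 80.0.3987.149 security
# lines quoted in this thread (same layout as the real stable-channel post).
CHROMIUM_NOTES = """\
[1051748] High CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri on 2020-02-13
[1031142] High CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov of Google Project Zero on 2019-12-05
[1059349] High CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie Silvanovich of Google Project Zero on 2020-03-06
"""

# Constructed sample input: the Brave release-note line quoted in the thread.
BRAVE_CHANGELOG = "Upgraded Chromium to 80.0.3987.149. (#8728)"

# One Chromium security line: [bug] Severity CVE: summary. Reported by X on YYYY-MM-DD
NOTE_RE = re.compile(
    r"\[(?P<bug>\d+)\]\s+(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d+):\s+(?P<summary>.+?)\.\s+Reported by\s+"
    r"(?P<reporter>.+?)\s+on\s+(?P<reported>\d{4}-\d{2}-\d{2})$"
)

def parse_chromium_notes(text):
    """Return one dict per recognised security line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = NOTE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def version_tuple(v):
    """'80.0.3987.149' -> (80, 0, 3987, 149) so builds compare numerically."""
    return tuple(int(p) for p in v.split("."))

def bundled_chromium(changelog_line):
    """Extract the Chromium version a Brave release note says it upgraded to."""
    m = re.search(r"Chromium to (\d+(?:\.\d+){3})", changelog_line)
    return m.group(1) if m else None

def fixed_cves(brave_changelog, patched_version, notes, min_severity="High"):
    """CVEs at or above min_severity that this Brave build inherits as fixed;
    empty if the bundled Chromium is older than the patched version."""
    rank = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
    bundled = bundled_chromium(brave_changelog)
    if bundled is None or version_tuple(bundled) < version_tuple(patched_version):
        return []
    return [r["cve"] for r in parse_chromium_notes(notes)
            if rank[r["severity"]] >= rank[min_severity]]
```

Feeding it the full Chromium stable post and the Brave release notes for a given version answers the "was my build exposed, and is it fixed" question that the changelog alone does not.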

@daiquiri,
We have a wiki on our Github that goes over what we do to Chromium before anything gets pushed into Brave (WIP): https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)

2 Likes

2 days is actually quite short in the browser release time scale. Chromium does major upgrades every 6 weeks and clients only check for updates about once a day IIRC. In fact according to https://www.w3counter.com/globalstats.php most Chrome users are still on Chrome 79 even though 80 is out. Furthermore, Chromium security issues are kept under embargo for 14 weeks after landing according to https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#TOC-Can-you-please-un-hide-old-security-bugs-. So even in the worst case scenario, a security issue is not generally exploitable for 8 weeks after the fix is released. Brave will always update to the latest Chromium in less than 8 weeks - usually we update within a few days.

5 Likes

thank you for the clarification @yan and @Mattches . Updated original post with your two posts also