TOR through Brave really NOT secure at all

Description of the issue: Browser easily identified even through TOR; very strong fingerprinting vector.
How can this issue be reproduced?

  1. Go to (or any other website with the same functionality) and take note
  2. Go to the said website through TOR embedded in Brave browser
  3. Check Results
  4. Results will be same unless measures taken prior. (Blocking javascript directly etc.)

Expected result: Fingerprints should NOT match, ever.

Fingerprints also match when juggling private tab and non-private tab. My firefox install somehow is able to make the said fingerprint not-match, no idea how. Have multiple open-source plugins installed on Firefox.

Brave Version( check About Brave): 1.58.137

Additional Information: Tested on Manjaro Linux

@Dwelled2461 it seems you may have some wrong expectations on a lot of things. For example, Tor is a proxy to help hide your IP address. That’s all it does.

Fingerprint protection in Brave does its thing and a lot of stuff gets randomized. Some things will remain the same. Like it will always show you’re using Chromium, it will show your timezone, etc. But things like your fonts, screen size, and a lot of other little things will be different each time.

So perhaps let me ask:

  • How are you thinking fingerprint protection is supposed to work?

  • What are you claiming it’s picking up when you say fingerprints match?

1 Like

That thing has at least two backdoors the (((tor foundation))) has refused to fix, even attacking those daring to call out. I wonder why, goy.

Hello. Talking honest, hand to god here, i do not have any expectations on how Brave does any of it’s things; neither do i care whether Brave just has the option for connecting to the TOR network as “a proxy” to “help hide” anybodies IP address, though i have expectations on the implementation that’s in the browser to at least make itself clearly known to any possible high-risk people that using the implementation that’s in the browser might just be you know… Not private? And possibly at least eliminate a few more fingerprinting vectors by default on routed pages so maybe and just maybe it’s a tiny-tiny bit harder to let’s say, distinguish. Also please don’t say “Oh there is a clear warning on the bottom left of the screen when you fire up TOR in Brave!” as that “warning” doesn’t mention that it’ll quite literally just use the network as a proxy and not at all do anything else.

Meh, i can’t say anything on that.

Umm, it is private though. It comes with various levels of protection and capabilities. I’m asking you to provide more details on what you’re claiming isn’t private or how you believe you’re getting fingerprinted?

@Dwelled2461 What I’m explaining is that Brave does indeed have fingerprint protection and randomizes. The big issue is a lot of assumptions made. I’m one of those people that also had the assumptions and had to make inquiries. I thought fingerprint protection would hide things like which web browser I’m using, my operating system, etc.

But then after speaking with some of the security team, they advised that many sites broke when it was hidden. So some of those minor things like OS, timezone, browser, etc aren’t hidden. Those aren’t enough to individually fingerprint anyone either.

They do explain often about the various things they do over at

And they also explain how Brave with Tor works over at

1 Like

Could you try these steps and give back your findings, please?

Checking here, i don’t know whether any of the listed vectors are the cause for the said issue i’ve addressed here but i must add that i believe this might just be seen as severe, as it’d mean that Brave is doing nought of what’s necessary to keep fingerprinting to a minimum on a platform that’s supposed not to have much of any whenever possible.

@Dwelled2461 I have several from where I was tracking at the sites below:

So for example:




I know when you start up Tor in Brave, you get the message below:


When I just went to all it shows is below:

If I visit without Tor, it shows below:

And if I visit while using VPN, it shows below:

And visiting once more with Tor:

What it’s showing is because I’m in the same session. I haven’t exited Brave completely and all. They are trying to say it’s unique based on the IP address and cookies, if you’re allowing the cookies.

IP address gets revealed through your internet provider no matter where you go. Only way to hide that is through proxy or VPN. And even then you have to be mindful about extensions and programs you’re running on your device, as they can “leak” details.

1 Like

Great, Linux only **** then.

^ Not through TOR

^ Through TOR

@Dwelled2461 Also have to ask, which Shields settings are you using? I went with the following:

The above is more aggressive for testing. On normal sites I don’t do aggressive fingerprint because sites tend to break.


Main things I’ll make sure to point out in addition:

  • Tor is just to mask your IP address

  • Private windows only are to delete your History and cookies upon exit. So it’s only “local” privacy, like if you were worried a family member in your home might see what you did online.

  • Fingerprinting can cover a lot of various things. The more extensions we use, additional programs connected to the internet or with our browsers, etc will be more options to leak.

  • Part of what can make the “fingerprinting tests” kind of show different is how Brave will use ephemeral cookies and all. Places might be able to identify us as we visit their sites because we have that temporary storage, but it blocks them from being able to track and identify us across multiple websites.

I’m not using tor on Brave, this is just report.



^ just these

Try with default profile, maybe that’ll change the result.

Also please don’t write like chatgpt in slow-motion, i honestly believe there is no literal need for formality on a report of this sort.

Sorry, also wanted to ask. When you showed the images you did of your tests, were all of those from today?

Like I mentioned earlier, Brave will randomize info. So as you exit Brave, it should randomize a bit. But especially as you visit on a different day. That would be one of the interesting things to perhaps keep an eye out on as well.

Just created a new profile and left it all at default settings. So first, with no Tor or anything:

Then I switched on Tor, it seems to be frozen like below:

So I refreshed and the page changed:

So suddenly it’s not allowing for the live demo and instead is trying to push for the free trial. Also it was trying to get me to accept cookies.

Actually typed the above and then started screwing with things. Was trying to test some various ideas. Hence the delay. Sorry, I lose myself in things sometimes.

All today, in 1 hour at max

Try it a few times, found it for some reason does that until you like refresh the connection some times

Out of curiosity, check to see what it’s like for tomorrow. Well, assuming you actually exit Brave and perhaps even shutdown your computer.

I know as had been stated before, they (Brave/Shields) randomize info per session. So if we keep pulling it up while using, it’s going to stay the same or similar.

And if you saw the three links I shared with you earlier, they provide a lot more details on things that can be looked at. If you keep track over multiple days (as I did), you’ll notice what is and is not randomized.

I’ll restart pc now, maybe latest Linux version broke something as the fingerprint stays the same even after restarting browser, i remember it quite literally randomising every session on amiunique

Well, Brave also changed. They went from wanting it to look as unique as possible each time to having a shift of trying to get everyone to kind of look as similar as possible. Ever since that shift, a lot of people have freaked out. And even then they keep changing stuff to find the balance. I forget where we stand fully in 2023. The last big article they wrote was in 2020, which is

I know I’m still learning, but had at least some from Brave trying to explain things to me a few weeks ago. That’s where I’m trying to answer some things, but not really able to go fully in-depth. Also trying to make sure I’m not going to say anything wrong.

1 Like

Restarting pc and ID still same on

Also what the ****? I’m using a version of brave that doesn’t exist?


What version of brave are you on

Created new profile for test and same result…