Brave #40

Closed
opened 9 months ago by poipa · 32 comments
poipa commented 9 months ago

There are a few issues on the page about brave "https://spyware.neocities.org/articles/brave.html"
(At least on GNU/Linux systems, more specifically only tested on Arch and Linux Mint)

"Auto-updates"
This entire section is irrelevant on GNU/Linux systems and only allows updating via the package manager or by recompiling.

"Anti-privacy search engine by default"
Again on GNU/Linux systems this is not true, when you start brave for the first time it will ask you what search engine you want to use, with the preselected being blank, google however is one of the options.

Possible issues:

"Brave's start page contains analytics"

I think it should be mentioned that they (Brave) claim this is done without any logging.

I think it's wrong to classify brave as worse for privacy than Palemoon, which is regarded as "Medium" while Brave is "High" since on every point palemoon is worse.

Especially since Brave is one of the best browsers out of the box, for non techie people, of course using umatrix and blocking the whitelisting of embedded facebook, twitter etc. posts, is better than the default, but it's still better than palemoon from a privacy standpoint out of the box, and brave can be made to be as privacy respecting with some tweaking (Eg. Installing umatrix, and changing some of the settings).

Owner

Thank you for your thoughts. A few things to note though:

The article is outdated. I'm in the process of retesting the browser as of the moment and after I document my findings on SeaMonkey, I'll be rewriting the article on Brave. You may want to see #39 for more details.

Brave as of yesterday seems to make connections to laptop-updates.brave.com && go-updater.brave.com on Debian Buster. These seem to me to be automatic update checks. If they don't automatically update on major Linux distributions, then I think it's a major design flaw worth noting for the developers of Brave to have their browser make these kinds of connections and doesn't excuse the fact that these requests were made to begin with.

As for the default search engine, I'm glad they made it super easy now to switch the default search engine to something besides Google on the first run. This doesn't really change the fact that google is still the default search engine to begin with. An important note is that the default search engine doesn't affect the spyware rating. It's only mentioned to show that the developers may not have the best intentions at heart, which can be a red flag when it comes to software that claims to be privacy driven.

If it's true that brave uses analytics without storing the data collected, it's better than using analytics and storing the data collected. However, the fact that there's data collection in the first place alone would suffice as spyware and what they'd do with the collected data is merely a side note. I'm skeptical though that someone would use analytics and not store the collected data, that seems to me to defeat the purpose of using analytics in the first place.

To understand why the site gives ratings the way it does, you may want to look at https://spyware.neocities.org/guides/faq.html. The reason why Brave browser has High instead of Medium is because you can't fully disable all of the connections Brave makes in the browser settings. I was seriously thinking of and still am thinking of making an exception for Brave and making it Medium instead of High the same way Firefox is High instead of Medium. Even though you can disable all connections Firefox makes, it's very hard to do so and it seems like after every version change you have to revise everything to keep up with the changes. Brave appears to be the opposite case, that although you can't disable everything in the browser, the domains that are used to make those connections are constant and hardly require maintenance.

I fail to see how Pale Moon out of the box is worse than Brave out of the box from a spyware point of view, but I would like to add a quick note about the whitelisting trackers. The fact that Brave whitelists trackers doesn't show Brave being spyware as much as it shows Brave's privacy protections being nothing more than snake oil. When I rewrite the article, I'll be sure to make that note.

I wish you could disable all of the unsolicited connections made by the browser, but as of the moment you can't. It appears though it's on Brave's low priority list to add an option to do so: https://github.com/brave/brave-browser/issues/5576.

baobab added the due date 2021-01-03 9 months ago
Poster

It seems very weird, that if it still sends requests for updates, since I yesterday realised I had version "1.14.xx" installed, and after re-adding the ppa on Linux Mint, and updating it I now have version "1.18.75", and there didn't seem to be any indication in the browser that I was running an outdated version. (In neither the settings or the about page that shows the version, where firefox would tell you if there was a newer version available)

If they do send those requests without actually being update requests (EDIT: At least on the mentioned distros, then they would have no reason to be sent) would seem concerning, could it maybe be updates for addons (extensions)?

and IIRC the analytics are only for the user

Owner

Some of the requests that are being made to go-updater.brave.com are definitely used to update the extensions. However, I'm not entirely sure yet if that explains all of the connections being made to laptop-updates.brave.com && go-updater.brave.com. Even if it were to explain why Brave was spamming connections to laptop-updates.brave.com && go-updater.brave.com, I don't think that changes much on a spyware level. I'll make a note that although connections being made by Brave are the same as if automatic updates were enabled, there seems to be no automatic updates for the browser itself on GNU/Linux. Mainly because self updating extensions is a big upgrade from self updating the browser itself (control-over-your-own-software wise not spyware wise).

As for the analytics, I'm very skeptical about that. If the analytics were just for the user, there would be no need to make requests to begin with. According to https://brave.com/privacy-preserving-product-analytics-p3a, they seem to store this information for several days on their servers. Even if they didn't store any of the information that was collected, it still doesn't really change the fact that Brave makes the requests in the first place.

baobab removed the due date 2021-01-03 9 months ago
baobab added the due date 2021-01-04 9 months ago
Owner

I'll actually rewrite the article on Brave today

Poster

I just tried installing brave-nightly and testing with mitmproxy

it requests as the second thing "https://laptop-updates.brave.com/promo/custom-headers" with a get request.

And the response is (JSON Response)

```json
[
  {
    "cookieNames": [],
    "domains": [
      "coinbase.com",
      "api.coinbase.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "coinbase"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "softonic.com",
      "softonic.cn",
      "softonic.jp",
      "softonic.pl",
      "softonic.com.br"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "softonic"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "marketwatch.com",
      "barrons.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "dowjones"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "townsquareblogs.com",
      "tasteofcountry.com",
      "ultimateclassicrock.com",
      "xxlmag.com",
      "popcrush.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "townsquare"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "cheddar.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "cheddar"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "upbit.com",
      "sg.upbit.com",
      "id.upbit.com",
      "ccx.upbit.com",
      "ccx.upbitit.com",
      "ccxsg.upbit.com",
      "cgate.upbitit.be",
      "ccxid.upbit.com",
      "cgate.upbitit.tv"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "upbit"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "eaff.com",
      "stg.eaff.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "eaff"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "sandbox.uphold.com",
      "api-sandbox.uphold.com",
      "uphold.com",
      "api.uphold.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "uphold"
    }
  },
  {
    "cookieNames": [],
    "domains": [
      "www.grammarly.com",
      "grammarly.com",
      "static.grammarly.com",
      "gnar.grammarly.com"
    ],
    "expiration": 31536000000,
    "headers": {
      "X-Brave-Partner": "grammarly"
    }
  }
]
```

And a few other requests while I did the setup, but after the setup completed and I let it idle it keeps sending post requests to "https://p3a.brave.com/" with one of them being this text "CSZiJMqipSmPEkADLG90aGVyLGxpbnV4LWJjLDEuMjAuNDcsbmlnaHRseSwyMDUzLDIwNTMsbm9uZSwy
AAAAAAAAAAAAAAAAAAAA"

I suspect the first request is to get affiliate links? But what could the p3a.brave.com be? It looks like it's sending a request about every minute, this is without changing anything at all.

And it comes with the brave ads disabled by default but the sponsored new tab images are enabled by default.
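
Added example (not part of the original comment and not Brave's code): decoding the `p3a.brave.com` POST body quoted above to see what a single request carries. Reading the bytes as protobuf wire format is an assumption inferred from the bytes themselves, and the function names are hypothetical.

```python
import base64
import re

# Body of one POST to https://p3a.brave.com/, copied from the comment above.
# The comment shows it wrapped after 80 characters; both pieces are kept as posted.
CAPTURED_BODY = """
CSZiJMqipSmPEkADLG90aGVyLGxpbnV4LWJjLDEuMjAuNDcsbmlnaHRseSwyMDUzLDIwNTMsbm9uZSwy
AAAAAAAAAAAAAAAAAAAA
"""

# Assumption: protobuf wire types 1 and 5 carry fixed-size payloads.
FIXED_SIZES = {1: 8, 5: 4}


def decode_body(body_b64):
    """Remove the line wrapping and base64-decode strictly (no junk allowed)."""
    return base64.b64decode("".join(body_b64.split()), validate=True)


def read_varint(buf, pos):
    """Read one little-endian base-128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 64 bits")


def walk_wire_format(buf):
    """Split buf into (field_number, wire_type, value) without a schema.

    Raises ValueError when the bytes do not parse cleanly to the last byte,
    which is the signal that the protobuf reading does not fit.
    """
    fields = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        else:
            if wire_type == 2:
                size, pos = read_varint(buf, pos)
            elif wire_type in FIXED_SIZES:
                size = FIXED_SIZES[wire_type]
            else:
                raise ValueError(f"unsupported wire type {wire_type}")
            if pos + size > len(buf):
                raise ValueError("field runs past the end of the buffer")
            value = buf[pos:pos + size]
            pos += size
        fields.append((number, wire_type, value))
    return fields


def printable_tokens(blob, min_len=4):
    """Return comma-separated tokens found in printable ASCII runs of blob."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [tok for run in runs for tok in run.decode("ascii").split(",") if tok]


if __name__ == "__main__":
    raw = decode_body(CAPTURED_BODY)
    print(f"{len(raw)} bytes decoded")
    for number, wire_type, value in walk_wire_format(raw):
        if isinstance(value, bytes):
            print(f"field {number} (wire type {wire_type}): {len(value)} bytes")
            print("  hex:   ", value.hex())
            print("  tokens:", printable_tokens(value))
        else:
            print(f"field {number} (wire type {wire_type}): {value}")
```

The readable tokens include a version-like string and the `nightly` channel name, which is consistent with the brave-nightly install described in the comment; the remaining bytes are an opaque 8-byte value and zero padding.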

Owner

The requests made out to the p3a.brave.com domain would be the analytics and the json file you posted looks like it's for the affiliate links.

Owner

The request made out to the variations.brave.com domain looks like it has to do with verifying && updating the promoted ads.

The request made out to safebrowsing.brave.com by the looks of the url has to do with Brave's safebrowsing feature.

There are a few more connections that Brave browser seems to make and I haven't finished going over the connections yet.


Brave is hardly a browser, but a means of which they managed to promote their meme coin by making bad statements and shilling their bad CSS reskin to everyone.

Poster

> Brave is hardly a browser, but a means of which they managed to promote their meme coin by making bad statements and shilling their bad CSS reskin to everyone.

Well, Brave is at least better than both Firefox and Chrome out of the box from nearly all perspectives: privacy, (a bad) built-in ad-blocker, memory usage and speed.

According to my (limited) testing Chrome uses almost double the ram Brave uses.

So if your grandma asked you what browser to install and you weren't there to install the right addons and change the right settings, wouldn't brave be a good choice?

I use it (as my current browser) because it's lighter than most other decent browsers, and because it's a lot faster than anything firefox based I have tried but I don't really care about their shit coin.

I used to use pale moon, but when I added their addon blocklist I switched to Firefox, but recently switched back to brave because Mozilla is a sinking ship.

What good browsers could you recommend then? The only ones I can think of is ungoogled-chromium, Tor Browser and GNU Icecat. Of course there is also the smaller browsers (Qutebrowser, Suckless Surf, Otter browser and most terminal browsers) but they don't have any necessary addons if any.

> HURRRR DURRRR RAM

I can run Firefox (Debian) with 2GB of ram with a rusting hard drive coupled with the sheer power of an old pentium processor from 2007... And you can run webapps that are heavily reliant on Javascript.

And no, it is no better out of the box than Chrome, Brave does jack to prevent fingerprinting as it is literally Chromium rebranded and packaged with a trash ad-blocker that allows trackers, HTTPS everywhere that doesn't do much and Privacy Badger which is going to get killed off soon, in other words just use Firefox with all the stuff turned off and call it a day.
Owner

Please try to act in a professional way. I changed some of your wording to make it more appropriate for a codeberg thread.


and no I would just install Firefox remove some annoying features like Pocket, clean up the interface a little bit, remove useless features like VR or other stuff like web assembly, Install Ublock, remove the telemetry and call it a day.

inb4 inb4 inb4


@RoloRolow You have to be 13 years old to create an account in any website.

Owner

I'm going to lock this thread so only collaborators can comment. If you guys have further questions, I recommend you hop on xmpp to ask.

baobab locked as Too heated and limited conversation to collaborators 9 months ago
Owner

Here is a rough draft of what I'll add to the Brave article:

Brave sends a request to fetch the dictionary for spellchecks.

Brave sends a request that seems like it's used to verify the promoted ads.
After that Brave fetches the list of affiliates through laptop-updates.brave.com

On the first run, Brave fetches five extensions from brave-core-ext.s3.brave.com and tries to install them.

Brave is self updating software. On GNU/Linux distributions it seems that only the extensions are self updating. The domains that are used for both cases would be laptop-updates.brave.com and go-updater.brave.com.

Brave made a connection to https://static1.brave.com, which looks like it's used to fetch plugin information? When I entered the url into the browser to explore, it redirects to google's error 404 page.^1 This seems kind of unsettling to me that one of Brave's domains would do that.
@qorg11 decided to do curl --head static1.brave.com, and I wasn't really pleased with the results. It appears Brave uses Google's gstatic.

Brave has a rewards program. At first glance it looks like the rewards program is an opt in, but the browser makes connections to these domains regardless if you sign up or not:

rewards.brave.com
api.rewards.brave.com
grant.rewards.brave.com

Brave browser uses safebrowsing. It's a feature that tries to protect the user from unsafe websites. However, it sends requests to fetch the information needed.

Brave has a feature called Brave Today, which is similar to Firefox's Pocket. It makes lots of connections without your consent.

^1 https://archive.is/wWgtG

Owner

I'll rewrite the article with this information tomorrow.

baobab removed the due date 2021-01-04 9 months ago
baobab added the enhancement label 9 months ago
Owner

@poipa Personally I use webbrowser/werefox. It's a fork of palemoon without the spyware, windows support/bloat.
https://git.nuegia.net/webbrowser.git

Owner

@poipa There's also netsurf which I have heard good things about, but it can't really do JavaScript.

Librewolf and SecBrowser require further testing.

Owner

@poipa I use NetSurf as my daily browser and it's awesome. I think Werefox is slightly behind in security patches right now, so you may want to just use Pale Moon instead.

Owner

@poipa Here's an in-no-particular-order list of browsers I've come across that I find interesting:

https://github.com/conformal/xombrero
https://www.phoronix.com/scan.php?page=news_item&px=Fiber-Web-Browser-Engines
https://next.atlas.engineer
https://github.com/atlas-engineer/next
https://github.com/lirios/browser
https://minbrowser.github.io/min/
https://gnumdk.github.io/eolie-web/
https://wiki.gnome.org/Apps/Web
https://github.com/Arora/arora
https://browser.yandex.com/desktop/main/
http://conkeror.org/
https://www.uzbl.org/
http://www.dillo.org/
http://www.netsurf-browser.org/
https://binaryoutcast.com/projects/borealis/
http://links.twibright.com/
https://www.paprikaapp.com/ (this one is a joke)
https://github.com/AnErrupTion/Simfast-Browser
https://github.com/libremonde-org/paper-research-privacy-matrix.org
https://wiki.hyperbola.info/doku.php?id=en:project:iceweasel-uxp
https://browser.taokaizen.com/
https://superbird-browser.com/
https://www.brightbrowser.com/

I can't vouch for any of them though, as TMK no testing has been done.
Owner

Due to the fact that @qorg11 doesn't seem to have the ability to comment on locked threads, I'm going to unlock this. Please act in a professional manner.

baobab unlocked this conversation 9 months ago
Owner

@poipa Oh, Midori and GNU IceCat are also well-regarded.

Owner

I'm going to add something like this to my hosts file tomorrow. This should disable any connections made by Brave that were made without the consent of the user.


Anyways, if you get the ip info of static1.brave.com, you'll see that it's not only a redirect to google, but also a cloudflared website.

Owner

That isn't good. Google's gstatic seems to use cloudflare.


well, brave is chainloading man in the middles, ad companies and spyware

Poster

But does it connect to the "Brave" safebrowsing domain if you turned off safe browsing in the settings?

If I block the gstatic domain and/or the Brave updater domains will the extensions update as well?

Poster

> Anyways, if you get the ip info of static1.brave.com, you'll see that it's not only a redirect to google, but also a cloudflared website.

If this is for plugin information wouldn't this be applied to all chromium browsers as well? With the notable exception being ungoogled-chromium (Since this doesn't support the google extension store directly)

(I will assume a best case scenario in the following paragraph)
Could the reason it links to static.brave.com instead of google directly be to act like a proxy? So it would look like it's Brave connecting instead of the user?

I know it's possible to download (and later install) the .crx files from 3. party sites, which will download them from the google extension store, but would it be possible to create an extension store not affiliated with google and with the same 2 buttons to install layout instead of manually downloading the files and then installing them in developer mode?

Owner

If it does apply to all Chromium based browsers, that would mean that at best, Brave browser is no worse than vanilla Chromium spyware-wise. That's not a very good bar to set for browsers. It doesn't apply to all Chromium browsers though, because there are plenty of Chromium based browsers that don't do this.

Blocking gstatic shouldn't prevent the extensions from updating. I'll test that later on tonight after I make a rough draft of the article. I actually don't really know for sure what the gstatic connections are for; they seem to fetch plugin information of some kind. They don't seem to do much else.

The safebrowsing should be able to be disabled via the settings, although I haven't tested it out yet. Based on the fact that Brave uses Google's gstatic, I wouldn't put it past them to use Google's safebrowsing.

If they're using static1.brave.com as a proxy for gstatic, that would arguably be worse than just using gstatic. This is because your requests are being sent to two servers instead of just one.

They don't seem to use Google Chrome's extension store for its bundled extensions. So they already do what you wanted in that regard.

Poster

> If they're using static1.brave.com as a proxy for gstatic, that would arguably be worse than just using gstatic. This is because your requests are being sent to two servers instead of just one.

Again it was pure speculation, but wouldn't it be better that Brave gets the information (and pinky promise not to keep logs) than google which will definitely use it against you?

> They don't seem to use Google Chrome's extension store for its bundled extensions. So they already do what you wanted in that regard.

That's positive, but any connection made to google should be avoided so a 3rd party extension store would be the best alternative I could think of since that's the only current connection to google that can be somewhat excused.

It obviously wouldn't need to have all chrome extensions, but a small store with a strict policy to not spread malware, that could include the essential addons: uMatrix, uBlock Origin, Decentraleyes, IPFS, Sponsorblock, various password manager extensions and some styling extension like stylus and/or Darkreader. That would more than suffice for most people and would allow people on chromium based browsers to completely discard google for getting extensions.

> Blocking gstatic shouldn't prevent the extensions from updating.

But aren't extensions self(/auto)updating? How would the extensions be updated without a connection somehow reaching the extension store? (I might be wrong on this last statement)

Owner

Well the problem is that if Brave is proxying the connections to Google, that means both Brave and Google get the request, which is worse than just Google getting the request.

Technically speaking whether or not a single request is sent to two servers or a hundred servers doesn't impact the fact that the request was made to begin with. So the fact that Brave forwards some of the requests it receives to Google doesn't impact the spyware rating. All it would mean is that Brave misuses the data they collect, which would be a bad business practice that has nothing to do with the browser itself, which, don't get me wrong, is still worth noting.

I have a repository here on Codeberg that I used to use back when Iridium/Chromium was my daily browser: https://codeberg.org/baobab/iridium-tools, but I haven't updated it in a while and I don't think rebasing counts. As a way of installing and updating extensions, I recommend going to the git repository of the extension you want and manually installing or updating it. Note that I haven't used extensions for almost a year now and I don't know of any Chromium extension stores without Google. Things may have changed since then.

I haven't tested my theory yet, but I think Brave uses componentupdater.brave.com, laptop-updates.brave.com, and go-updater.brave.com as a way of updating the Brave extensions. I don't think Brave's gstatic has anything to do with it, I could be wrong though.

baobab referenced this issue from a commit 9 months ago
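
Added example, not part of any comment in this thread: a Python check of whether a hosts file actually sinkholes the hostnames named in the comments above. The sample hosts content is constructed, and the function names are this example's own; it shows that hosts entries match exact names only, so an entry for `brave.com` does not cover its subdomains, and a commented-out line blocks nothing.

```python
import ipaddress

# Hostnames named in the comments of this thread.
THREAD_DOMAINS = [
    "static1.brave.com",
    "componentupdater.brave.com",
    "laptop-updates.brave.com",
    "go-updater.brave.com",
]

# Constructed sample hosts file, not anyone's real configuration.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     static1.brave.com   # inline comment
0.0.0.0     LAPTOP-UPDATES.brave.com go-updater.brave.com
0.0.0.0     brave.com
# 0.0.0.0   componentupdater.brave.com
"""

def parse_hosts(text):
    """Map each lower-cased hostname to the first address seen for it."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def is_sinkholed(addr):
    """True for 0.0.0.0 / :: and loopback addresses."""
    return addr.is_unspecified or addr.is_loopback

def audit(text, domains=THREAD_DOMAINS):
    """Return {domain: True if an exact hosts entry sinkholes it}."""
    table = parse_hosts(text)
    result = {}
    for domain in domains:
        addr = table.get(domain.lower().rstrip("."))
        result[domain] = addr is not None and is_sinkholed(addr)
    return result

if __name__ == "__main__":
    for domain, blocked in audit(SAMPLE_HOSTS).items():
        print(f"{'blocked' if blocked else 'NOT blocked':12} {domain}")
```

To audit a real system, pass the contents of the local hosts file to `audit()` instead of the constructed sample.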
Owner

Since the article on Brave is updated, I'll go ahead and close this issue.

baobab closed this issue 9 months ago