❌ Software Removal | Brave #649
Comments
I agree. Leaking things like fonts and the browser info when there's a small user base is very bad. Tor browser with Tor disabled is a better option. I'd like to hear more opinions. @bbondy could you comment on the fingerprinting issue? |
|
Can't agree more! I don't get why brave is recommended. |
|
There are many misrepresentations in the original post. I'll clarify some of the big ones. In addition to NoScript, HTTPS Everywhere, Ad Block, Tracking protection, Fingerprinting protection, Tor support, Cookie blocking and more, we've spent a significant amount of time and resources in disabling privacy invasive things in Chromium. Please see the documentation here:
That isn't true, we disguise ourselves to look like Google Chrome.
This is a misunderstanding. We block all ads. There are 2 types of ads we disable by default but allow users to turn on if they'd like to:
Both of these are off by default. One would do that if they'd like to have user private ads and can earn BAT if they do. Note that users can also decide to turn on normal ads if they'd like to as well.
We have many fingerprinting measures, you can read about it here: This 90% figure seems like a an arbitrary number that was pulled out of thin air though. Feel free to remove but please do it on the basis of true claims and not misrepresentations. |
|
@bbondy you talk about chromium and privacy which doesn't work. And you don't remove all Google tracking, right?! Also every fork of a browser is more unique then the original base. No matter what you do. The only fork which do it, is Tor browser which isn't only a normal fork. |
Why? |
|
@Shifterovich I said already. Chromium have Google (tracking) stuff included |
|
Why couldn't it be removed? |
|
Network analysis with Fiddler say:
Here is an old list of these URLs (that lacks the telemetry ones). |
|
Related comment. |
|
Just wanted to mention Chromium is not immutable and we do a lot of patching and disabled a lot of things. The disabled things are described above in the link. We run a network audit script on each build as part of our CI to make sure nothing new is calling out to Google that we haven't removed. There are dozens of things that we've removed that call out to Google services, these are easier to spot more recently since network annotator information is available for all services with network code. |
|
@bbondy
Which fails miserably. Again maybe read the whole post? Do you do this intentionally or does Brave have the literally worst developers ever? I said before you stuffed up 10 vectors but leave 490 others open. And from those 490 others you can easily see that someone is using Brave regardless how desperately you try to fake it (look at Braves issue tracker I opened those issues months ago, those got "closed" (some even closed as fixed) but yet I can still abuse most of those vectors in upstream git). And if you know they are using Brave again they are followed more easily than on Chrome since your user base is irrelevant (0.000001% ?)
I did not say you weren't I said Braves purpose is to hijack ads (or do you want to tell me that the BAT thing is just a little joke?). I even specifically said in my last sentence (which you clearly intentionally ignored) that if you can fingerprint users that easily you don' need to inject malware/actually hjiack ads or anything. Your users are so easily fingerprintable that it is irrelevant what they do. If Javascript is enabled they lost regardless what as logn as they use Brave. This cannot be a bug seeing the scope of it meaning it is intentional meaning Brave is just a cash grab for Brendan Eich. If it is a bug then the Brave devs are a terrible joke.
So did you read the document yourself? Or do you even know how fingerprinting works? Because what Brave does only can mean that either Braves devs are incompetent trolls (like you), or that Brendan Eich devised Brave as a cash grab after being butthurt about getting fired at Mozilla And now that Firefox eveloved into a Browser that actually can stop fingerprinting/zombie cookies and tracking in a real way I can see how butthurt Mr. Eich has to be. If Brave didn't advertise itself as private/secure Browser everything would be fine because those are blatant lies. And yes "selling user data" is also by indirectly allowing third parties to track users easier which is exactly what Brave does.
Exactly so if you have no clue about the techincal parts then don't talk about it (since you clearly don't know how fingerprinting works). If you do understand it though then stop intentionally spreading lies in order to get much users. Silicon valley workflow (1. Get users, 2. develop product, 3. Monetize Users) is already too late. Go tell that pathetic Mr. Eich. Seriously whoever uses Brave unironically cannot be helped. Google Chrome has more privacy than Brave. |
|
Brave should not only be considered harmful seeing how Brave devs react on security issues it should proactively be considered malware. This isn't the first time I see Brave devs seemingly have no clue about fingerprinting vectors at all. And that is just one part of privacy. Also to debunk your argument of "disguise as Chrome" forever: There are at least multiple vectors that are impossible to stuff up that will always uniquely identify you as Brave no matter what happens. Go try it out. You tell us your devs are so good and you run all those netsniffers during CI and shit but you can't find the vectors that expose Brave as Brave? Either your devs are incompetent or this is an intentional cash grab i.e : BRAVE IS ADWARE |
ciampolo
changed the title
|
Sorry I won't engage with trolling. I was asked for clarification so I responded above, but somehow the later comments went from questions to personal attacks. If there are any other questions and if they can be asked in a nice way, then I'll be happy to re-engage. Have a good thread. Wish you guys the best. |
|
...and that's how discussions fall down. When devs jump into discussions, good old etiquette should remind anyone not to flame against devs that can put valuable comments here. |
|
Yes, please. Even if you don't agree with someone, stay polite! |
|
Since I know that Brave devs are terrible (or are told to act terrible) here a very simple explanation of just couple entropy vectors that will always give you away as Brave no matter how much shit you fake
All of those addons change Chromiums behaviour in a certain way which is fingerprintable (and that in multiple ways which are since years live running in the wild). Ad block itself is an entropy vector that coupled with your tracking protection and your "fingerprinting protection" (which leaks terribly) gives you away as Brave. And all of those things combined again gives away another entropy vector in the behaviour of your adware Browser. I also hope I don't have to explain why using Tor inside Brave is literally the dumbest idea someone can do. If @bbondy or Mr. Eich have any logical explanation why the paid developers of a product that advertises itself as "fingerprint protecting" fail miserably on its sole selling point then I will gladly and publicly excuse myself in front of everyone everywhere. Also you can gladly remind your boss Mr. Eich that Firefox has killed off more than 90% of the FP vectors succesfully and even overdone theirselves by releasing containers which you will not have access to with Chromium. |
|
I will agree that Brave is not a place on this list. Perhaps it should be moved to the section "worth mentioning ", but it is better, of course, to remove altogether. But if it is your sponsor and it gives the livelihood of the site, then it makes sense to make a post about it. |
|
@0ndrey No please. We should remove it without any mentioning it's recommend |
|
I mentioned @bbondy because we have had several discussions about Brave and it would be nice to resolve this matter. I would appreciate useful discussion. Even if Brave devs are terrible, arguments first and accusations later. @ciampolo Can you mention some specific vectors by which Brave can be easily identified as Brave? I'd like to hear what @bbondy can tell us about the technical stuff, but for that to happen we need to discuss technical stuff, not accusations.
(Note that I'm not denying any of your claims @ciampolo, you may be 100% right, I just want to see the actual arguments before drawing conclusions like that.) If there is a way to tell that a browser is Brave, that makes it very easy to fingerprint it, assuming there are more things than the browser name leaked -- but it would be very unlikely if nothing else was leaked. So, if anyone can show a realistically exploitable vector by which Brave can be identified as Brave, we will (likely) remove Brave. Though I'd still like to hear what @bbondy can tell us about that. |
|
Sorry had been busy.
You are correct though what you cannot know is that I made multiple issues on the Brave repo which got closed as "wontfix" or "resolved" while they either were essential to fp protection, or they weren't actually fixed which initially made me aware of the scam going on. Assume I am the host Google, and Mr. Eich is the Brave user visiting google.com.
If I, Google, want to specifically know if someone is using Brave i just check for all those addons (which obviously is comparably easy). Imagine how many people on the internet are not running Brave but have the exact same combination of those addons (especially if running supposed Chrome)? I doubt the value goes over 0.00000001% of global internet users. And since Fonts (and other stuff) are still leaked (and remember Brave is for "privacy aware" people) this will uniquely identify anyone that is not running inside a VM (which again would make the purpose of Brave obsolete). Also since I don't use Brave (as I am not mentally challenged) I cannot say which vectors are still leaked currently and which aren't. But, if you want to be "smart", anyone can check for the list and then compare it to the one of your visitors. And since their "fp protection" addon is unique to Brave it instantly gives you away as Brave. And yes I didn't think Brave devs would be that dumb but if you look at the issues I opened months ago on their issue trackers you will see yes they actually are that retarded (example: changing TZ, lang etc. to en-US although Mr. Eich has a French IP). And last thing that bothers me heavily: Mr. Eich, butthurt @bbondy 's boss that got fired off of Mozilla, uses Blink/Webkit. But Webkit can't do shit against zombie cookies. So let's assume Braves FP protection works as well as Firefox (which it never will): Now we are in the situation where you can't fingerprint the user but this leaves another other problem open: The advertising and tracking will still go since the hosts will just first party their shit (which many already do) and everything goes on as if nothing happened (again Firefox blocks this easily with containers). Also I'd really love to know a single reason for you to keep Brave on the list as I asked previously. At the very least even if we assume Brave was not adware and just a (miserabely failed) pet project by a (butthurt) developer and you look away of all flaws of Brave it is nothing more than a reskinned Chrome. And you wouldn't include Chrome/Chromium on your list would you? On such a list you should preemptively remove software than add software. This issue just gives me reason to not trust the list. I hope you understand what I am trying to say. |
|
I mean if I pay you however much @bbondy and/or Eich are paying you and you actually add my malware/adware to your site privacytools.io that is a terrible thing to do. Admittingly if it is enough money I can understand OP's position (though you ave some kind of responsibility). But for Brave, as a commercial software company, this is the most pathetic kind of marketing I have ever seen. Just go write viruses you'd be better off (financially and morally). |
|
Well so I answered your question as to how I can uniquely identify Brave as Brave (which makes me suspicious as to why do you want to know this; even if I'd be lying Brave users can still be at least as easily uniquely identified as Google Chrome users which you clearly are aware of) and you still refuse to answer my question as to why keep Brave on the list despite there being obvious privacy/security flaws. Don't you think this is suspicous? The only logical explanation I have is there is money involved. As I said previously I love being enlightened and I love excusing myself publicly in front of everyone for mistakes I do. Though no one has said anything yet that would make me excuse myself. Why that might be?
As you can see I generally only visit other places. Just this Brave listing outraged me enough to actually post it here. Also I am still waiting for @bbondy to prove any single one of my claims wrong. Which obviously won't happen. |
|
Also just to add @Shifterovich you seem to being aware that Brave leaks information (or at least after this discussion). Can you tell me one good reason why Brave is on the list instead of Ungoogled-Chromium? The latter at least doesn't promises stuff it can't hold nor is it commercially backed. See where I get the "Brave payed you" thing from? If you can prove me wrong please for the love of god do so and tell me why Brave is (still) on this list; I asked this 5 times now but yet haven't gotten a single answer although I answered every single question I got asked here and nobody could/wants (to) hold an argument against my accusations. You should at least admit that this is highly suspicious behaviour. |
|
I am more than sure that DDG is on this list for the same reason as Brave. |
|
Can we get proof about what everyone is arguing, please? Concerning DDG, links to studies or articles? |
|
I'm sure you know how to use search engines and make logical conclusions. Some application developers, for one reason or another, refuse to use DDG in their applications, giving solid arguments: https://www.stoutner.com/new-default-homepage-and-search-engine/ |
|
By the way, I would call the Privacy Browser ideal, unlike the garbage advertised here. |
|
Hi, I used to work at EFF, not directly on panopticlick but tangentially. Full disclosure I now work at Brave. The main point I want to note is that Panopticlick is far from a perfect measure of real-world trackability; it is really measuring "how different are you from other people who visit panopticlick.eff.org". https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode#why-does-panopticlickefforg-or-some-other-site-say-that-i-am-fingerprintable has more info about why Brave could look bad in the panopticlick results. |
|
That is true. Though note that the easiest way to fingerprint someone is via fingerprintjs2, which seems to be good enough to track Brave browsers. Regarding that wiki link you sent,
This is simply false. It says: Your browser fingerprint appears to be unique among the 2,828,212 tested in the past 45 days.
This is also wrong. Changing canvas fingerprint on each request is a boolean value for tracking browsers. Combine that with HTTP_ACCEPT and stuff like that and you can very easily track a specific Brave browser. |
|
@Shifterovich That is my fault and I excuse myself for it still I hope you understand where I come from since issues like this get to my heart. I do not want(ed) to attack you. You have to understand my position though since I opened the issues over at Braves issue tracker months ago and now I see this. Though let me be clear I attack everyone who works at Brave with a burning passion (obviously metaphorically), or at least anyone who is aware of this scam which has to be multiple people (including Mr. Eich, @bbondy and that pink haired "security" guy). Again you can't tell me that paid developers fail so miserably at something so "easy". This is your sole selling point and you fail at it miserably. For the panopticlick test: Now remember that the panopticlick test is one of the worst fingerprinters out there (and ignores lots and lots of entropy values). I (with Firefox under Linux, and some addons that I don't know how they influence the result) get an entropy value of 18.11, though I have resistFingerprinting enabled i.e. I literally just have Tor fingerprint. Admittingly strange though that that gives away ~18 bits of entropy. Also if you want to be on the safe side you don't just remove Brave from the list but you add a disclaimer saying that using Brave is less private then using stock Google Chrome. Let's help destroy this cash grab product that is abusing users wish for privacy in a way that North Korea could only dream of.
Obviously there isn't besides them saying it. I said that among my first posts :) Let me guess the next answer will be "Panopticlick is shit". Yes it is shit which makes it even worse since it can identify you without any problem while not even doing the e.g. size "tricks" I showed in Braves issue tracker (which althoug has been closed is still not actually fixed) or using audio api or fonts or whatever else (Panopticlicks way of getting fonts is dated and can be cheated, but they don't even do that). again @Shifterovich I excuse myself but I hope you understand where I am coming from and why I am so enraged if someone even slightly argues in favour of Brave (or to keep it on a list or sth.). I'd rather trust North Korean government spies than "Brave Software Inc.". |
And now add to the fact the unique addon combination of Brave. As I said in the beginning Brave is easier to fingerprint than a stock Google Chrome and even the Brave employees (indirectly) admit that. |
|
It's important to keep in mind that generally the less trackable your browser is, the more unique it is, thus being ... more trackable (using other vectors). It's important to find the right balance. In a way, Windows 10 with Chrome and US settings is the hardest to track using some vectors, since it's so common, but the easiest to track using other vectors. |
|
I agree with you completely but regardless of all this it should be clear by now that you gain nothing by using Brave over stock Google Chrome. Contrary it makes you worse off privacy wise. Do you agree with this @Shifterovich after seeing the results? For your point: That is the problem I have with resistFingerprinting. Although Germany has the most Firefox users in the western world, I doubt there are many people who actually have resistFingerpinting enabled. That is a huge dilemma that I could not solve yet. The only way to really solve it is to run Firefox inside a Windows 10 VM or sth like that. |
|
Please avoid saying things like
And yes, it's easy to say that Panopticlick is bad. But the claims on Brave's wiki don't make sense. I hope to get answers to my issues with the wiki claims. A project which lies about its features deserves to be mentioned as snake oil, @diracdeltas. While I like the idea of a private Chromium-based browser, I don't like projects that say things which aren't true. |
|
Just to add (because I think I can guess their answers if they even come at all): Panopticlicks way to fingerprint is terribly dated, it only checks for a few vectors and some of those vectors can easily be bypassed and legitemetly faked with couple lines userscripts. Yet Brave still fails this test appearently even worse than Google Chrome which I didn't even know. |
|
Panopticlick uses only fingerprintjs2 for the client-side fingerprinting I think. |
|
@Shifterovich what part isn't true? are you referring to "Panopticlick also compares you against old browsers. For instance, if the plurality of Panopticlick visits were from people using Firefox 3 many years ago, then a person using Firefox 3 could appear as not-very-identifiable even though there are extremely few Firefox 3 users on the web in 2017 (or at least one would hope)."? That was true when I wrote the doc a few years ago. If it's no longer true I'm happy to remove it. |
|
@diracdeltas maybe you or @bbondy could also give an explanation as to why your Browser advertises iself with "privacy" while having worse "privacy" than stock Google Chrome? Also the fact that you linked a document while appearently not being aware of the accuracy of its content. Is this a bad troll? @Shifterovich just go remove Brave and add a remark saying that using Brave is worse than using stock Google Chrome. |
|
Edited https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode#why-does-panopticlickefforg-or-some-other-site-say-that-i-am-fingerprintable to clarify that out-of-date bullet point is no longer true. Happy to accept more constructive feedback like this; hope you all agree that we are basically working toward the same thing here (better privacy on the web). |
|
Yes. That as well as the second paragraph I mentioned ( Also:
This didn't work for me, as I mentioned:
Perhaps this changed as well and they now recognize that you are one user, possibly based on your IP? |
|
@Shifterovich thanks for the info, i will re-test and update the doc if i find the same thing as you. @ everyone else: I'm going to cease responding to this discussion because I don't feel like assuming malice on our part (versus just not having enough time to fix all these things as they come up) is productive. (Also I personally do not have strong feelings about whether Brave is listed on privacytools.io) If you have further feedback we welcome it on our issue trackers. |
It has been two years since Brave started (even more), and multiple months since I opened the issues but still they are not fixed. Hell worse the issues have been labeled fixed but they are still exploitable. This is literally malicious intent. You not responding means you just go into the same path as @bbondy meaning probably your boss told you to stop responding. @Shifterovich Tell me your analysis of the situation please because for me this only leaves one possible explanation. it is always the same with Brave developers. You point them at being wrong they "fix" it but then instantly leave the discussion. |
|
Your assumptions of Brave being evil are not helping with them leaving the discussions. If someone said they're rather trust NK govt than me, I'd leave the discussion simply because I have better ways to use my time. I'd prefer a fact-based discussion where no one accuses anyone of anything and we simply suggest issues with Brave and other people (such as Brave devs) respond. |
|
I don't understand your point though. You saw that the only thing @diracdeltas replied to was you requesting to remove something. He didn't reply to your questions though as to whether Brave actually is placebo. Why do you think he did that? Same for @bbondy . He took out what he could reply to in my op and just straight up ignored the rest of it. I mean how much more proof do you need? And the NK thing comes because this is a psyops marketing scheme. There is no reason to suggest it is not. Brave has been aroudn since 2015 and still is where it was 3 years ago with its fp protection (in a practical sense). Don't you think something's going wrong here? Think yourself Brave Software is a commercial entity that has a specific "privacy" engineer (that pink haired guy). But a company that has someone for that position fails exactly at this point? This isn't coincidence is it? And then Brave/Eich teaming up with multiple advertisers. We got far you yourself said it is snake oil but now again backed out what is wrong here I really don't get it. Do you think I am a competitor to Brave or why do you want to listen to @bbondy or @diracdeltas after you yourself seeing how terrible Brave is. |
Updating documentation is good, though I'd appreciate if @diracdeltas gave her own explanation rather than linking the wiki, since that could address my concerns. Though again please don't accuse people of random shit if you want them to talk to you. |
This reverts commit e06a193. We, the maintainers of Brave, do not have the necessary bandwidth to respond to all complaints and/or trolling about Brave as a result of it being listed on privacytools.io. Fix https://github.com/privacytoolsIO/privacytools.io/issues/649
|
So now @diracdeltas deletes my comments without reading them. See @Shifterovich this is damage control what they are doing. They saw you talking about snake oil and now got scared. What do? Yes remove it ourselves so we don't have to add the disclaimer that Brave is worse than Google Chrome. |
|
I deleted your comment. And I will address it. #657 will not contain any flame. |
I agree with you assuming the browser is already fingerprintable via other methods. However if we are talking about fingerprinting solely using canvas, then I believe this statement is true: " For instance, if Brave browser randomized canvas fingerprints on every page request, then it would be impossible for a site to track a specific Brave user across requests using canvas fingerprinting." [EDIT: i see what you mean about this being a binary flag; but it still seems to me that "this is the same user but their canvas keeps changing" versus "these are two different users" is not distinguishable from each other, unless you have other ways of tracking available to you.] The intent of the statement was to point out that repeated instances of panopticlick seeing the same value would lead to it calculating a lower entropy for that value. This disincentives developers from using randomization versus a globally-constant value when spoofing canvas fingerprint. (It has come up in discussions with Tor browser too.) Anyway you are completely fair in pointing out that we haven't been prioritizing looking at our panopticlick results and keeping the doc up to date. I will do some more testing today and open issues as needed. |
|
@diracdeltas Now my question how comes that a Browser whose sole selling point is "privacy" fails at it although it has been in developement for more than 2 years? It is like me saying "I have developed application X that can do functionality Y". Then after 3 years developing people realize that it still can't do functionality Y. Please elaborate why. I said before if you prove me wrong I will gladly excuse myself. |
Does Panopticlick just sum the amount of bits of the fields which it considers unique due to reaching a certain threshold of uncommonness, or does it look at the combination of your specific values? |
|
I'm locking this thread, it's full of nonsense. Let's continue in #657. Though note that I will remove anything but technical information from that thread. We've had enough of threads full of spam. |
ghost
locked as too heated and limited conversation to collaborators
|
Closing as a duplicate of #161. |
Description
I saw the other issue but that I didn't have any technical reasoning so I wanted to make a distinct issue. If you think this is wrong then please merge it.
The reason I see people initially added Brave to the list is because of Brave advertising itself as having "fingerprinting protection". The tracking protection is irrelevant since umatrix/ublock are way more mature and feature rich than Braves own one (which is pretty emberassing since those are simple webextensions made by a private person). Also quick remainder that Firefox has working protection against fingerprinting, tracking and zombie cookies which are toggled by just setting flags to true.
If you actually run fingerprinting/zombie scripts on Brave you will realize that it's easier to fingerprint than a stock Google Chrome. This is due to Brave having no relevant amount user base in combiniation with leaking lots of information (fonts, content Size, window decoration size, JS timings, JS audio api, and many more) which (appearently intentionally) does not get fixed (or the devs are incompetent, you decide).
I think people here seem to forget that Brave's purpose is to hijack ads, not to protect you.
Also Brave is a Chromium fork which already should exclude it from the list. A chromium based Browser cannot offer protection against fingerprinting/zombie cookies etc.. Just look at the Tor explanation. And if you don't want to protect against those kind of stuff you can just use Chromium itself. Or even Vivaldi since that one actually has useful features compared to Brave. Vivaldi doesn't try to hijack ads, nor does it advertise itself with blatant lies like Brave does. Also it is EU based, again contrary to Brave. Though obviously neither Brave nor Vivaldi should be on this list.
Honestly you'd be better of using stock Google Chrome (yes Chrome, not Chromium) before you use Brave since Chrome has a much larger user base and does not attempt to provide "fingerprinting protection" while still leaking 90% of fp vectors as Brave does. It heavily undermines the credibility of privacytools in my opinion.
I'd really like to hear techincal reasoning to include Brave, a browser that increases entropy and as thus does the opposite of providing "privacy" on such a privacy-focused list instead of saying "it advertises itself as having fingerprinting protection". Tbh I think the actual objective of Brave is to gain users, fool them into thinking it actually protects them and then sell all the data to the advertisers. You don't need to build in any backdoor into the browser if you can fingerprint them that easily.
The text was updated successfully, but these errors were encountered: