Brave-browser Alternatives

Posts

• DuckDuckGo browser disappoints heavily in privacy test [German, translation in comments, Kuketz Blog]
  reddit.com/r/privacytoolsIO | 2021-06-23

  oh I did not know that, I was curious and had a look. I found this issue describing whitelisting some FB domains, which I would agree is more malicious.

• Underwhelming or working incorrectly?
  reddit.com/r/BATProject | 2021-06-22

  Make sure you're using the latest version of Brave v1.26.67 https://github.com/brave/brave-browser/releases/tag/v1.26.67

• Announcement: Brave Search beta now available in Brave! The first independent privacy search/browser alternative to big tech.
  reddit.com/r/BATProject | 2021-06-22

  Suggestion to have Brave Search Engine pop up at the main homepage link from: https://brave.com/

• I feel as tho this needs to be reposted again due to our privacy being infringed upon . But please feel free to add in anything or ideas to add further privacy options. Another thing i was going to get a new phone soon what would i have to do to implement this. Thinking of a note 10 ultra
  reddit.com/r/Monero | 2021-06-22

  Github issue in which they discussed the introduction of this whitelist: link

• Release Channel 1.26.67
  reddit.com/r/brave_browser | 2021-06-22

  Brave Github repository

• Website not verified for 2 months... but it is? Please help
  reddit.com/r/BATProjectCreators | 2021-06-20

  May be related to this: https://github.com/brave/brave-browser/issues/14330

• If you want some reassurance about crypto's validity while the markets are down, be sure to check out /r/buttcoin
  reddit.com/r/CryptoCurrency | 2021-06-20

  One user suggested that Unstoppable Domains is a sketchy centralized service that's closed source, and that Brave integrating the protocol is meaningless because Brave's code is closed source. He literally couldn't be bothered to google brave browser github or unstoppable domains github and click on the FIRST LINK. When I presented him with these links their response: claiming that the code isn't going to be audited, as though Brave has nobody watching what they do. The guy had written multiple pages long posts on a special subreddit he created just to shit on crypto about Unstoppable Domains, and wasn't even aware that the resolution happened by looking up the info on the Ethereum chain. He also insulted me throughout the entire conversation.

• Defend against font fingerprinting
  reddit.com/r/brave_browser | 2021-06-19

  This issue is tracked by Brave here and here. It looks like it's a low priority, but ScriptSafe might help; "prevent system fonts from being enumerated through elements."

• Firefox alternatives
  reddit.com/r/privacytoolsIO | 2021-06-19

  How so? The github looks complete

• How to history supposed to be synced with Sync v2?
  reddit.com/r/brave_browser | 2021-06-19

  It took me a while to find the bug report in Brave's Github area but History Sync does NOT sync all of your history. It only syncs typed in URLS not URLS that you click on per https://github.com/brave/brave-browser/issues/11196#issuecomment-784454316

• White flash when loading web pages
  reddit.com/r/brave_browser | 2021-06-18

  #16078

• Brave, the false sensation of privacy | BlackGNU
  reddit.com/r/browsers | 2021-06-18

  The fact that he double-post and his second post is deleted after that he delete his first post. https://github.com/brave/brave-browser/issues/8793#issuecomment-601936610

• Brave, the False Sensation of Privacy
  news.ycombinator.com | 2021-06-18

  Breaking this response up into a few comments:

  "Their adblocker is just a fork of uBlock Origin…"

  Claims like this should be supplemented with links to our source code (see https://code.brave.com), if true. I'm not sure what gave the author this impression; Brave's built-in ad-blocking does use public lists in addition to our own efforts, but that isn't the same as being a fork of uBlock Origin. That being said, uBO is a fine extension, and you should definitely be using it (if you're not using Brave).

  "They’re whitelisting trackers from Facebook and Twitter, so they can use scripts in third parties' websites to track you across the web."

  This is also quite misleading. It stems from a claim made back in 2018 about our now-retired "Muon" build of Brave. We had a file which listed third-party scripts which shouldn't be blocked (so as not to "break the Web"). Among these were particular Facebook and Twitter scripts, because Facebook and Twitter content is embedded all throughout the Web (think of embedded Tweets, posts, videos, etc.). As such, it's important to permit this content to load, but to prevent it from utilizing any persistent storage (e.g. cookies). Not only were these scripts prevented to accessing storage, Brave also modified or discarded the referrer header on these request. This wasn't ever a case of "whitelisting trackers".

  "They’re blatantly lying to their users. Anyone who knows a bit about how JavaScript…"

  Responding to a previous explanation for the "whitelist", the author emphatically claims the engineers at Brave don't understand how JavaScript works. If I'm not mistaken, the author is responding to Brendan Eich (Brave's CEO), who happens to also be *the creator of JavaScript*.

  "Another problem with their built-in adblocker is that it’s better for extensions to be separated from the core of the browser, since they don’t follow each other’s update cycles. This means that you need to update the entire browser to fix a bug in the adblocker. Stupid, isn’t it?"

  Agreed, which is why Brave's ad-blocking logic is broken out into a distinct component. You can see it enumerated on brave://components, and even request updates from that page as well. It would have been very unwise to require a full browser update just to deliver updates to ad-blocking rules, etc.

  > Note: By this point, it should be clear to the reader that the author is unqualified to conduct such a review. A cursory review of Brave's source (bold in the archived 'Muon' repo and our active code.brave.com endpoint) would have answered many of their questions. A review of Brave's network activity, such as the one I conducted this year (see https://brave.com/popular-browsers-first-run/), would have addressed many claims to follow.

  "It’s important to bring focus to the fact that Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality."

  Wrong, again. Brave is a heavily patched version of Chromium, deviating in many ways (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) from the base project. Again, this would have been quite clear to the author if they compared the network activity of Chrome and Brave (see https://brave.com/popular-browsers-first-run/).

  "Rewards is their shitty program that will replace ads displayed on websites with their own."

  Another easily-disproven claim, showing the author likely has never used Brave. Brave *does not replace ads on websites*. Brave's Ad system is opt-in, user-configurable, and displays ad notifications as native system notifications. These appear as prompts on your desktop or screen, outside of the browser itself.

  "…they’re tracking you with Rewards…"

  Again, where is the network analysis or source code to substantiate this claim? The author doesn't provide anything, because it's simply not true. Brave Rewards is designed to preclude tracking. Rather than having user data flow out to remote servers (the way Google Ads and more work today), Brave Rewards keeps the user's data on their device, and routinely downloads a regional ad catalog. This inverts the traditional digital advertising model. I covered this system in a bit more detail recently in a 5-minute talk on the history of digital advertising, and how Brave is fixing the industry. You can watch that talk at https://www.youtube.com/watch?v=LsrrT502luI.

  Continued below...

  news.ycombinator.com | 2021-06-18

  "…it’s important to say that Rewards uses Uphold…"

  The author then takes a jab at KYC, the process of confirming your identity by providing ID and other information. No user of Brave Rewards is required to do this. Users are able to opt-in, participate, earn, and pass along rewards to content creators and publishers. If a user wishes to "cash out," however, they do have to verify their identity in compliance with relevant laws and regulations. But this is not handled by Brave; we do what we can to stay away from your data. Instead, Uphold (and soon Gemini) handles this process.

  "Contrary to popular belief, Rewards isn’t opt in."

  The author here conflates calls to certain endpoints with program participation. They are correct that Brave would make calls at times to our own rewards server, but not because the user has been auto opted-in. Those calls would attempt to locate rewards for the current user, and they would respond with an error or an empty balance, since the user hasn't opted-in. We've been working on cleaning up these types of unnecessary calls; I think this one resulted when the user clicks on the Rewards panel. By default the panel would expand and ask the user if they would like to opt-in. If the user were already opted-in, the panel would expand and attempt to retrieve their balance. The buggy behavior here was the attempt to retrieve a balance in both states. If you ever spot an issue like this, please do let us know But again, no ad notifications are shown, and no ad catalogs are downloaded until a user opts in.

  "…they fetch affiliates for Brave Rewards, with pings such as Grammarly, Softonic, Uphold, etc."

  Another basic mistake from this author. They're referring to custom headers. These don't ping anybody. We document the headers on GitHub (see https://github.com/brave/brave-browser/wiki/Custom-Headers), explaining there that these serve as a substitute for a custom user-agent string (which Brave lacks). These don't identify the user to anybody, make any bad-door network calls, or anything. Again, the user is clearly not qualified to discuss these technical topics, and has done little (if any) homework on the matter.

  "They also make requests to various domains… There isn’t a way to opt out from sending this requests."

  A few domains are shared, but these again aren't explored any more deeply. I covered these endpoints in my network analysis (see https://brave.com/popular-browsers-first-run/); many are also covered in the document detailing proxies (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) we have setup with Google services to prevent users from making contact with Google. This is yet another example of where the user could have opened a Web Proxy Debugger like Fiddler or Charles and examined the network activity to understand what's going on.

  "Brave has built-in telemetry. …a lot of people believe in their marketing and think that Brave is private out of the box."

  Telemetry and Privacy aren't necessarily at odds with one another; it depends on how your telemetry is implemented. We have detailed our approach in detail on our Blog (see https://brave.com/privacy-preserving-product-analytics-p3a/). We also document the questions and possible answers on GitHub at https://github.com/brave/brave-browser/wiki/P3A.

  "Suspicious behavior which installs 5 extensions"

  The author is, again, showing their lack of experience and effort in this area. Again, they could have found this information covered in our source code (see https://code.brave.com), in my network analysis (see https://brave.com/popular-browsers-first-run/), or even by inspecting the CRX files themselves in something like Rob Wu's CRX Viewer (see https://robwu.nl/crxviewer/).

  "There is a ton of criticism about Firefox’s Pocket. But Brave has something similar, which is called Brave Today."

  Brave Today is available on the new tab page, but doesn't actually make any network calls unless you open it up. This was important to us, since we aim to keep Brave as clean and quiet as possible. From a new tab page, you have to scroll down to trigger network activity. But this deferring of request isn't all we've done to make this system as private as possible. Brave also drops request headers, pads resource bytes, and more. The padding of resource bytes is really neat; no matter which image is being requested from the Brave CDN, its file-size is always the same (meaning no network-connected sleuth can infer your network activity by watching image file sizes). We talk about this system in greater detail on our blog. See Brave's Private Content Delivery Network (see https://brave.com/brave-private-cdn/).

  The author then takes aim at Brave’s “SafeBrowsing”. Brave uses Google's SafeBrowsing service to protect users from harmful sites and more. Similar services are used by practically all major browsers today (many using SafeBrowsing). What matters most here, again, is implementation. SafeBrowsing has a LookUp API and an Update API. One of these sends data with each request to Google for their judgement. The other routinely downloads a database of potentially harmful URLs and performs the lookup locally, on the user's device. Brave takes the latter route. And the routine database updates are proxied through Brave server's, meaning users aren't making any direct contact with Google. This was also covered in my network analysis (see https://brave.com/popular-browsers-first-run/) earlier this year. Compare and contrast with something like Opera to see how others perform similar lookups.

  Continued below...

• BAT not syncing to Uphold between two different computers?
  reddit.com/r/brave_browser | 2021-06-17