browser recommendation: Brave #78
No reviewers
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#78
Loading…
Reference in New Issue
No description provided.
Delete Branch "brave-browser"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Referring to @diracdeltas on Twitter I added the browser Brave as new recommendation.
I used the place, coloring, styles of IceCat which was placed there some time ago.
It's basically a browser that has some features which can be added as addons to other browsers.
Firefox with addons is better imho (due to security issues, audits, community, support, etc).
@Shifterovich as someone who was the author/maintainer of some of those firefox addons (HTTPS Everywhere, Privacy Badger), i can mention a couple ways that brave is different from FF + addons:
navigator.plugins
fingerprinting attack doesn't really work.Firefox is great and has a fantastic user community, but I think it is good to have diversity in browser engines.
BTW Brave is MPL licensed so it's also free software.
@diracdeltas Oh, I didn't know it's chromium-based (didn't look too much into it).
The backend might be nice, but the frontend is the reason why I personally wouldn't use this browser. And frontend matters a lot (it's a browser) too.
👎 This is a bad idea:
https://www.cnet.com/news/ex-mozilla-ceo-try-braves-new-browser-for-a-faster-private-web/
@johnnagro could you elaborate on why you think it's a bad idea? The article has a very high-level description of the process and a lot goes into it to minimize data leakage. The browser never sends a persistent identifier and all requests are proxied through a CDN that has logging disabled so no IP address or header data that could be used for fingerprinting is available. The browser also takes several steps to prevent fingerprinting by unique sets of categories. The total number of categories sent in any request is limited and it will both suppress real signals and insert fake ones to further obfuscate the data. A very small amount of information does leak. When the ad is delivered the advertiser will see your ip address, but they will not have access to cookies or local storage and javascript access will be severely curtailed. The browser history used to generate the segments never leaves the browser in a form that can be read by anyone else. If syncing is enabled it will be stored remotely, but the data will be encrypted by a browser generated key (think 1password). There is a lot more that goes into it and we are trying to make it as private as possible. If you have any ideas to improve it we would love to hear them and if you still have a problem with it then just don't turn it on. Ads are disabled by default.
I forgot to mention that the requests for the current beta version return a placeholder ad, but when it goes live the request will return a collection of "bids" that the browser can choose from. It could pick one from the current response, one from a previous response that hasn't exceeded a time limit or choose not to display anything at all. This allows the browser to request ads asynchronously and independently of the current page
Also note that the privacy-preserving ad feature does not exist yet and will be off-by-default whenever it comes out. Browsers are supposed to act on behalf of users' interests, and we think users should have a choice in if/how they fund content on the web. Our preferred way is to block ads and let people send automated micropayments, but alternatives are (1) block original ads, insert ads that are less intrusive and (2) just show the original ads like other browsers do.
There is also the option to block ads and not send micropayments. We would prefer that people support content providers and our goal is to help support them in a way that is far less invasive than the current system, but we understand that some people just want to block ads so Brave works for them too
Looks like one of the Brave devs is on the thread, bcrypt herself @diracdeltas - I'm open to hear your thoughts/corrections/comments... At the end of the day, Brave seems to make it's money by either targeting advertising OR micro payments (which must produce an audit log?). Perhaps the fashion in which it's done is better than the way the world works today but, help me reconcile how this isn't by definition producing a form of fingerprinting? Should we be concerned that they exist at the behest of people who want to pay them money to serve you ads? Genuinely want to know.
@johnnagro we have gone to great lengths to protect the privacy of our users with both ads and micropayments. Rather than collecting data server-side, the browser keeps track of everything client-side and submits the data through a process based around Anonize (https://eprint.iacr.org/2015/681.pdf). We worked closely with two of the authors (Abi and Rafael) to help ensure that we were not unintentionally leaking data. We also intentionally designed it in a way that doesn't require you to trust us. We don't collect data and promise we won't use it in evil ways, we just don't collect anything that we could use in evil ways in the first place and that can be easily verified because all the code running on the browser is open source. All the server-side code is open source as well, but you don't have to trust us on that because you know exactly what is being sent. If you're looking for some sinister hidden motive you're not going to find it here. Yes, Brave needs to make money and that money comes from a small cut of micropayments and ads. We are all big privacy advocates and we want to be as transparent as possible about everything we do. There is plenty of code and documentation at github.com/brave so you can see for yourself how it works.
@bridiver I am not suggesting you folks have evil intentions. A couple follow up questions?
@johnnagro
We do need to provide reporting data that takes the place of existing tracking pixels. Advertisers may have specific conversion goals or other metrics they want to analyze and that data is reported by the browser asynchronously using anonize. The current reporting system for micropayments is a good place to start because it's live in beta testing right now.
The browser locally stores information necessary to give each site you visit a "score". That score is used to determine the relative distribution of your payment. The score translates into a probability that any given site will receive a "vote". For each vote the browser randomly selects a site based using the calculated probabilities. For each reporting period (one month) the browser gets 30 votes. 30 independent anonize "surveys" are created to collect those votes. The surveys cannot be connected and anonize allows us to ensure that there is only one vote per browser/survey without knowing which browser/user submitted the vote. What we end up with is essentially an anonymous sample of the data. This allows us to pay both big and small sites without a detailed browsing history. Here is the explanation from Rafeal:
The reporting is done over randomized intervals and a very similar system will be used for ad reporting. You should be able to see a few issues here, one of which is that the submissions can potentially be linked by IP address. We don't log IP address, but you can't verify that so we are taking advantage of other services to hide the IP from ourselves. In the beta we're using a 3rd-party proxy service, but we'd like to split the messages across a variety of different channels which could include Tor, IM, etc..
The other issue is related to ads. When the ad is actually displayed by the browser the creative will come from the advertiser, not us (it would be cost prohibitive to proxy all the creatives). We block cookies, limit javascript, etc... as described above, but the advertiser will still see your IP address. At best this would allow an advertiser to infer a small amount of data based on the targeting criteria of the ad and link that to your IP address. That data could be added to any existing data the agency/advertiser has connected to your IP through other means (online purchases, logins, etc...). IPs are often shared and both IPs and targeting segments have varying lifetimes so the data leakage is minimal. A perfect system in this respect just isn't practical right now, but the current system is much, much worse.
I think everyone understands that "free" content isn't free and we need some way to compensate publishers for their work, but that method shouldn't be the privacy nightmare that it is today. To a large extent we have to make this work within the limitations of the existing ad infrastructure and I think we've done a very good job of doing that while still providing very good privacy. Other ad blocking companies which shall remain nameless take large payments to whitelist ads. The whitelisting criteria focus almost entirely on presentation and are completely silent on the subject of tracking. We think we can do a lot better than that.
@bridiver
TLDR:
I'm not opposed to Brave being listed provided it was done with a more accurate and transparent description of what it is. I don't think perfection should stand in the way of progress - assuming users understand the compromises and choices made for your cause. Keep in mind, some of the readers of these recommendations have much higher stakes involved than just removing annoying ads.
RTFM:
I appreciate that you guys are trying to take a swing at one of the fundamental tensions on the web today (advertising funding it all). You've clearly had to make compromises in order to try out this experiment (fair to say experiment?). I'm not one who believes perfection should stand in the way of progress however, I am big on transparency and personal choice. If you are to be listed, I would think that the description "browser with ad-blocking built in" would be disingenuous (through omission) - it is not in the spirit of what your team is trying to accomplish. Remember, this page is about more than just removing annoying ads. Some of the readers have much higher stakes than that.
At the end of the day, you are white-listing advertisers who serve their creative to your users directly while you take a cut. It is a little greyhat to call out your competitors for doing something similar. You are trying to sandbox that, i get it, but arguably so is chrome, firefox, etc and yet malware ads still seem to compromise them from time to time. Furthermore, to me it sounds like as long as there is a direct connection between the advertiser and the user they can (over time) profile people - despite your efforts to obfuscate that.
Maybe you'll work out all these issues. It sounds like there are a few opportunities for your organization to put your weight behind some important projects like tor or i2p. Just be careful with comments like "we're working on [the next tor]". They are dangerous to the ill-informed and the insincerity of it will piss-off the well-informed very quickly.
A few final points:
As you said it's progress and not perfection. I think micropayments are extremely good from a privacy perspective and will be essentially "perfect" imo when other IP anonymizing services are added to supplement the existing method. Ads are more difficult right now because of the delivery issue, but we are working on an integrated webtorrent client and a few other ideas that could potentially help address it.
Great discussion and good suggestion. Thanks
I am not so sure about
Having 0 plugins means no Flash? That is sacrificing usability.
@Shifterovich we have flash support, but it is click-to-play and @diracdeltas can comment on whether or not that is exposed through navigator.plugins after clicking
Having no Flash may mean losing usability on some sites, but given the vulnerabilities of Flash (1213 CVE's and the increasing number of sites using HTML 5 instead of Flash - if for no other reason than to be usable on IOS - I'm not sure that I'd call it a sacrifice.
@PrivacyCDN Increasing number, but a lot still stick to Flash.
Safari has shipped without Flash installed for quite a while and Chrome is also trying to kill it. Brave doesn't ship with Flash, but you can install it and enable for click-to-play. Click-to-play mitigates some of the issues with Flash, but once you click all bets are off
"Brave doesn't ship with Flash, but you can install it and enable for click-to-play."
Well Chrome does the same apart from the fact that it does ship with Flash - but it's not enabled by default.
@Shifterovich I'm not making any claims about Brave vs Chrome, I'm just clarifying that you can use Flash with Brave
I used it as an example. Not shipping with Flash is sacrificed usability but isn't any more secure than Chrome's approach.