Brave, the false sensation of privacy(ebin.city)
ebin.city
Brave, the false sensation of privacy
http://ebin.city/%7Ewerwolf/posts/brave-is-shit/
498 comments
There are more lies in that article. This one for example is so often repeated but untrue:
> Rewards is their shitty program that will replace ads displayed on websites with their own.
Brave doesn't replace ads with their own. Brave ads are displayed as desktop pop-ups. They can also be easily disabled (which, surprise, the author doesn't mention because of his bias). And the idea behind Brave ads is to give you tokens which are then distributed to the content creators you engaged with. This is the default setting. Their idea is not to shovel you with ads or offer you "get rich with crypto" schemes. Idea is to block ads but still provide revenue to the content, based on how many users engage with that content.
When I see people saying "Brave replaces ads with their own" I have to wonder if they have tried using Brave themselves before writing these critique articles.
> Rewards is their shitty program that will replace ads displayed on websites with their own.
Brave doesn't replace ads with their own. Brave ads are displayed as desktop pop-ups. They can also be easily disabled (which, surprise, the author doesn't mention because of his bias). And the idea behind Brave ads is to give you tokens which are then distributed to the content creators you engaged with. This is the default setting. Their idea is not to shovel you with ads or offer you "get rich with crypto" schemes. Idea is to block ads but still provide revenue to the content, based on how many users engage with that content.
When I see people saying "Brave replaces ads with their own" I have to wonder if they have tried using Brave themselves before writing these critique articles.
I still don't really get how brave is supposed to work:
You watch significantly fewer ads than before, these ads are then supplied to whoever you yourself engage with. That seems like watching these fewer ads directly on the site, just with a few hoops in between.
The difference is that now you watch fewer ads in total, and you have the Brave-browser as an inbetween, which also somehow has to survive. This means that you get potentially even less money, since less ads are watched and the ones that are watched are more diluted (even if brave currently doesn't take a cut at the moment: At some point they have to pay their developers, too).
Also, why do they pay out in BAT? (other than the fact that they cooperate with "uphold" a crypto-exchange and that they also really really want to jump on the crypto-bandwagon)
Somehow there has to be money going into the system that supports its own existance. If brave had something like a subsciption service or other way to get additional funds into the Network, then it might be more understandable, but even then: Why should I support someone by using BATs instead of paypaling/patreoning/whatever-elseing him the money directly?
You watch significantly fewer ads than before, these ads are then supplied to whoever you yourself engage with. That seems like watching these fewer ads directly on the site, just with a few hoops in between.
The difference is that now you watch fewer ads in total, and you have the Brave-browser as an inbetween, which also somehow has to survive. This means that you get potentially even less money, since less ads are watched and the ones that are watched are more diluted (even if brave currently doesn't take a cut at the moment: At some point they have to pay their developers, too).
Also, why do they pay out in BAT? (other than the fact that they cooperate with "uphold" a crypto-exchange and that they also really really want to jump on the crypto-bandwagon)
Somehow there has to be money going into the system that supports its own existance. If brave had something like a subsciption service or other way to get additional funds into the Network, then it might be more understandable, but even then: Why should I support someone by using BATs instead of paypaling/patreoning/whatever-elseing him the money directly?
I recently did a 5 minute video on the history of digital advertising, with an introduction to Brave's model: https://youtu.be/LsrrT502luI.
Per https://brave.com/rewards and https://creators.brave.com, users opt-in to Brave Rewards and begin participating with privacy-preserving Ads. Each ad nets you, the user, 70% of the associated revenue.
Rewards come in the form of BAT, which moves more easily and comes with considerably less friction. The blockchain enables users to effortlessly and anonymously participate. This also means that everybody with attention (and not necessarily disposable income) can support the content they love online.
As for paying out in BAT, creators can choose to have BAT auto-converted into Bitcoin, US Dollars, etc. Users can also have their rewards converted into another type of asset or currency via Uphold too. BAT is simply a utility token, whose utility is currently best demonstrated within the Brave ecosystem.
To your last point, the "money going in" comes from advertisers. They pay in fiat currencies, or via BAT. If they pay us in dollars, we purchase BAT as needed from the market. Users can also self-fund their wallet, if they have disposable income.
Per https://brave.com/rewards and https://creators.brave.com, users opt-in to Brave Rewards and begin participating with privacy-preserving Ads. Each ad nets you, the user, 70% of the associated revenue.
Rewards come in the form of BAT, which moves more easily and comes with considerably less friction. The blockchain enables users to effortlessly and anonymously participate. This also means that everybody with attention (and not necessarily disposable income) can support the content they love online.
As for paying out in BAT, creators can choose to have BAT auto-converted into Bitcoin, US Dollars, etc. Users can also have their rewards converted into another type of asset or currency via Uphold too. BAT is simply a utility token, whose utility is currently best demonstrated within the Brave ecosystem.
To your last point, the "money going in" comes from advertisers. They pay in fiat currencies, or via BAT. If they pay us in dollars, we purchase BAT as needed from the market. Users can also self-fund their wallet, if they have disposable income.
I understand that money goes in through the advertisers: But how is that money sufficient to maintain the current websites?
You watch fewer ads than before, which means (if the ads pay the same) that each website gets on average (i.e. if the split is the same as before) less money. As you describe it, only 70% of the ad-revenue actually reaches the user, meaning even if you watch the same amount of ads, websites get 30% less money, and that ignores that many people just opt-out of ads. (BTW do you know where that 30% go to?)
> The blockchain enables users to effortlessly and anonymously participate.
That actually makes sense. But if you want to get money out of BAT, don't you have to pay a transaction fee? And if you don't, then how does Uphold make any money to pay their developers?
For me it seems that there's money vanishing at every point and very little or nothing to replace it.
Also, wouldn't brave have a quasi-monopoly on ads in this configuration? Even if brave is an honorable company (and I have no reason to doubt that), it makes me uneasy to know that we are breeding another potential "too-big-to-fail" giant like Facebook/Amazon/Google.
Edit:
Rereading your comment again and noticing the "users can distributed bought BAT directly" part: Then the monetization system makes a little more sense. Do you have stats on how much people are paying in? Is the ultimate goal to get rid of ads entirely or at least shift over to a "pay for what you use" model? In that case I can understand that. (though the monopoly on website monetization part still makes me kind of uneasy)
You watch fewer ads than before, which means (if the ads pay the same) that each website gets on average (i.e. if the split is the same as before) less money. As you describe it, only 70% of the ad-revenue actually reaches the user, meaning even if you watch the same amount of ads, websites get 30% less money, and that ignores that many people just opt-out of ads. (BTW do you know where that 30% go to?)
> The blockchain enables users to effortlessly and anonymously participate.
That actually makes sense. But if you want to get money out of BAT, don't you have to pay a transaction fee? And if you don't, then how does Uphold make any money to pay their developers?
For me it seems that there's money vanishing at every point and very little or nothing to replace it.
Also, wouldn't brave have a quasi-monopoly on ads in this configuration? Even if brave is an honorable company (and I have no reason to doubt that), it makes me uneasy to know that we are breeding another potential "too-big-to-fail" giant like Facebook/Amazon/Google.
Edit:
Rereading your comment again and noticing the "users can distributed bought BAT directly" part: Then the monetization system makes a little more sense. Do you have stats on how much people are paying in? Is the ultimate goal to get rid of ads entirely or at least shift over to a "pay for what you use" model? In that case I can understand that. (though the monopoly on website monetization part still makes me kind of uneasy)
I think you're conflating the user with the publisher here; the user received 0% of the ad revenue in the past. With Brave, the user receives 70% of the ad revenue (the other 30% goes to Brave, which builds and maintains this apparatus).
You're correct that publishers lose revenue when ads are blocked on their sites, but not blocking ads means users are at an increased risk of being abused by malicious third-party actors. This is one of the main issues with ad and content blockers: they keep users safer, but they take revenue from content creators.
Brave is working on a model that reduces fraud, increases rewards for content creators, and rewards users for their attention. This won't be built overnight, let alone over a few short years. That said, we are making tremendous progress, now settling over 8-figures each month for verified content creators.
As Brave matures and develops, more options will become available for users and content creators to earn more.
As for transaction fees when converting BAT, you are correct. There are often transaction fees involved. But those often depend on how much you're moving around, if you're buying or selling, etc. Uphold and Gemini (our other partner in this space) may also differ between each other.
You're right about heavily centralization around Brave too. This is why we're working on THEMIS (https://brave.com/themis/), a protocol for decentralizing the Brave Ads ecosystem. We recently wrapped-up an effort in that space and blogged about progress: https://brave.com/themis-rfcc-wrap-up/.
We don't have stats to share on how many Brave users are self-funding their wallets vs earning with Rewards. That said, the latter category is naturally going to be much, much larger. It is also not an either-or thing either; many people opt-in to Brave Ads and also buy BAT to supplement their attention-based earnings.
I don't think the goal is to get rid of ads entirely, but rather to yield power to the user. Not everybody has disposable income, and therefore many people would prefer to opt-in to privacy-respecting ads, earn rewards for their attention, and support the Web by those means. For those who wish to self-fund, that is possible. They don't need to opt-in to Brave Ads either.
You're correct that publishers lose revenue when ads are blocked on their sites, but not blocking ads means users are at an increased risk of being abused by malicious third-party actors. This is one of the main issues with ad and content blockers: they keep users safer, but they take revenue from content creators.
Brave is working on a model that reduces fraud, increases rewards for content creators, and rewards users for their attention. This won't be built overnight, let alone over a few short years. That said, we are making tremendous progress, now settling over 8-figures each month for verified content creators.
As Brave matures and develops, more options will become available for users and content creators to earn more.
As for transaction fees when converting BAT, you are correct. There are often transaction fees involved. But those often depend on how much you're moving around, if you're buying or selling, etc. Uphold and Gemini (our other partner in this space) may also differ between each other.
You're right about heavily centralization around Brave too. This is why we're working on THEMIS (https://brave.com/themis/), a protocol for decentralizing the Brave Ads ecosystem. We recently wrapped-up an effort in that space and blogged about progress: https://brave.com/themis-rfcc-wrap-up/.
We don't have stats to share on how many Brave users are self-funding their wallets vs earning with Rewards. That said, the latter category is naturally going to be much, much larger. It is also not an either-or thing either; many people opt-in to Brave Ads and also buy BAT to supplement their attention-based earnings.
I don't think the goal is to get rid of ads entirely, but rather to yield power to the user. Not everybody has disposable income, and therefore many people would prefer to opt-in to privacy-respecting ads, earn rewards for their attention, and support the Web by those means. For those who wish to self-fund, that is possible. They don't need to opt-in to Brave Ads either.
Even if a site made significant effort to have "non-malicious ads" I don't think brave would not block them with and put in their own.
I.e Brave is bootstrapping on manipulation of the intent of the publisher.
A cleaner aproch may be to approach publishers offer them a "better way" and decuple it from the browser marketing privacy / reduced ad load.
Likewise standards bodies, NGOs and Gov agencies need to protect users in the web and app ecosystems making it a more level in respecting user privacy / reduced harm. To control publisher / advertising / user relationship in a fair way.
But we live in a time of fast pace asymmetrical software mediated warfair and a few eggs are going to be cracked along the way in to trying to build something better.
I.e Brave is bootstrapping on manipulation of the intent of the publisher.
A cleaner aproch may be to approach publishers offer them a "better way" and decuple it from the browser marketing privacy / reduced ad load.
Likewise standards bodies, NGOs and Gov agencies need to protect users in the web and app ecosystems making it a more level in respecting user privacy / reduced harm. To control publisher / advertising / user relationship in a fair way.
But we live in a time of fast pace asymmetrical software mediated warfair and a few eggs are going to be cracked along the way in to trying to build something better.
Brave does not touch first-party ads; you can do all of the first-party advertising you like. Unfortunately, whether the third-party ads are malicious or not is not up to the publisher. The publisher is simply asked to add a bit of JavaScript to their page, and that's it.
Brave doesn't inject ads onto webpages; so there is no scenario where you (as a publisher) would have our ads displayed on your page (unless you, yourself displayed them).
Please see this 5-minute overview of the problems facing digital ads, and Brave's proposed model: https://youtu.be/LsrrT502luI
Brave doesn't inject ads onto webpages; so there is no scenario where you (as a publisher) would have our ads displayed on your page (unless you, yourself displayed them).
Please see this 5-minute overview of the problems facing digital ads, and Brave's proposed model: https://youtu.be/LsrrT502luI
Nice video, but it almost completely misses the point:
Even if all ads on all websites were made in a privacy-respecting way, people would still use adblockers.
This is because people simply hate ads in their browser. It is because they make browsing experience miserable. They add bloat. They distract from the content. They add cognitive overhead. They slow down browsing. They are literally unwanted guests in our browsers.
So Brave’s model replaces one set of ads with another, basically achieving nothing to mitigate the problem itself - very existance of ads in the first place. What makes Brave’s ad model worse is that it offers people a monetary incentive for doing an activity (watch ads) that we know they are trying to avoid (by using a browser with an ad-blocker). So the very premise of this setup seems to be that people hate ads just because they are not privacy-respecting. But reality is that people normally simply do not want to be exposed to ads.
(btw the only ad based business model that would align all incentives is one in which users would be paying to see the ads)
Even if all ads on all websites were made in a privacy-respecting way, people would still use adblockers.
This is because people simply hate ads in their browser. It is because they make browsing experience miserable. They add bloat. They distract from the content. They add cognitive overhead. They slow down browsing. They are literally unwanted guests in our browsers.
So Brave’s model replaces one set of ads with another, basically achieving nothing to mitigate the problem itself - very existance of ads in the first place. What makes Brave’s ad model worse is that it offers people a monetary incentive for doing an activity (watch ads) that we know they are trying to avoid (by using a browser with an ad-blocker). So the very premise of this setup seems to be that people hate ads just because they are not privacy-respecting. But reality is that people normally simply do not want to be exposed to ads.
(btw the only ad based business model that would align all incentives is one in which users would be paying to see the ads)
Different people want different things; many people install ad-blockers because they don't like ads, period. Others install them because they aren't comfortable with the security and privacy risk. Quite a few people are conflicted when it comes to blocking ads, knowing that it cuts off the funding for content creators. Brave is for everybody; no ads by default, and privacy-respecting ads for those who would like to support content creators on the Web.
The argument is akin to saying you are working for a company that sells cigarette quitting kits but also sells cigarettes because "different people want different things".
And the content creator argument has long been debunked as smoke screen planted by companies in the ad business (and Brave qualifies as one), because monetizing any content through ads is the least efficient way to monetize creative work. What this model actually does though is incentivizes the creation of large quantities of low quality content.
And the content creator argument has long been debunked as smoke screen planted by companies in the ad business (and Brave qualifies as one), because monetizing any content through ads is the least efficient way to monetize creative work. What this model actually does though is incentivizes the creation of large quantities of low quality content.
This step in the chain of progress may require people to adapt to the idea of making less money in exchange for a healthier web.
if user buy BAT directly than distribute to the content creator, the story sounds similar to likecoin
I started using it. Found it fast. I get many 4 ads a day. They don't appear on the website they appear near the button to the side. Really small ad, just text. It is so out of the way.
The model for profit is around the bat coins gaining popularity. The payouts are extremely low for everyone.
The model for profit is around the bat coins gaining popularity. The payouts are extremely low for everyone.
> The model for profit is around the bat coins gaining popularity
Incorrect. Their revenue is in USD, and their payout is calculated using the revenue in USD. The price of the token does not affect them in any way.
Their model from profit is unbelievably simple. They are an ad network that uses the browser as a distribution vehicle. More people using the browser, more advertisers will be buying ad space, more revenue for them.
They do have a published roadmap about offering more services in the crypto-space (built-in web3 wallet with direct connection with crypto exchanges, use of NFTs to access features and services on different websites, etc) which are very interesting and it might even become a bigger play than the existing ad network. At the end of the day however, they can have a solid and sustainable business just with the ad distribution network.
Incorrect. Their revenue is in USD, and their payout is calculated using the revenue in USD. The price of the token does not affect them in any way.
Their model from profit is unbelievably simple. They are an ad network that uses the browser as a distribution vehicle. More people using the browser, more advertisers will be buying ad space, more revenue for them.
They do have a published roadmap about offering more services in the crypto-space (built-in web3 wallet with direct connection with crypto exchanges, use of NFTs to access features and services on different websites, etc) which are very interesting and it might even become a bigger play than the existing ad network. At the end of the day however, they can have a solid and sustainable business just with the ad distribution network.
I think the idea is this:
- Most people won't paypal/patreon/send money directly
- The current system uses ads as a shorthand for attention. If you're able to get attention you get more ad traction and more money.
- Ads suck and are a corrupting influence on everything, if there was a way to directly award attention without ads that would be better.
- Brave replaces ads by tracking attention directly and attempting to reward it directly with BATs. These is done instead of cash because (I'm not really sure why) - I suspect because it's easier to manage and easier to split into tiny amounts.
- Flattr from the late 2000s (2007?) was similar, but with cash (Flattr = Flat Rate) the idea being you'd put in $XX/month and it'd distribute it depending on what pages you viewed. It was created by some of the Pirate Bay founders iirc. It never got much traction.
The issues I have with these services:
- Ads are bad, but the attention economy is the underlying problem. Removing ads is good, but still incentivizing attention for $$ isn't great.
- In the case of 'privacy' Brave has now inserted themselves as the tracker of all attention, this is very high risk and not a lot better than the ad companies. Sure you don't see ads but a lot of the bad slot machine incentives around content remain.
- I don't want to necessarily pay everyone based on what I view, what if what captures my attention is crap? What if I'm reading something for context, but don't support it?
---
I get what they're trying to do, reward people without ads and without making users pay - but I'd rather the ad model just die and if some businesses can't survive without it we probably don't need them. I recognize this isn't super realistic because companies compete on a global stage.
A business truly operating in the interest of users would make a browser that had ad blocking built in without tracking - and worked on subverting ads full time (what users actually want). This includes real privacy by not being a new middle man tracking attention. Apple is the closest to doing stuff like this with their new onion router VPN, making it easy to block tracking from apps in the store, etc.
Brave pretends its interest is privacy and browser users, but it feels like a rationalization to me. Brave's core business is attention tracking and taking a cut of that, if not now - when they have more power. Its user's attention is what they monetize - those incentives don't lead some place good.
- Most people won't paypal/patreon/send money directly
- The current system uses ads as a shorthand for attention. If you're able to get attention you get more ad traction and more money.
- Ads suck and are a corrupting influence on everything, if there was a way to directly award attention without ads that would be better.
- Brave replaces ads by tracking attention directly and attempting to reward it directly with BATs. These is done instead of cash because (I'm not really sure why) - I suspect because it's easier to manage and easier to split into tiny amounts.
- Flattr from the late 2000s (2007?) was similar, but with cash (Flattr = Flat Rate) the idea being you'd put in $XX/month and it'd distribute it depending on what pages you viewed. It was created by some of the Pirate Bay founders iirc. It never got much traction.
The issues I have with these services:
- Ads are bad, but the attention economy is the underlying problem. Removing ads is good, but still incentivizing attention for $$ isn't great.
- In the case of 'privacy' Brave has now inserted themselves as the tracker of all attention, this is very high risk and not a lot better than the ad companies. Sure you don't see ads but a lot of the bad slot machine incentives around content remain.
- I don't want to necessarily pay everyone based on what I view, what if what captures my attention is crap? What if I'm reading something for context, but don't support it?
---
I get what they're trying to do, reward people without ads and without making users pay - but I'd rather the ad model just die and if some businesses can't survive without it we probably don't need them. I recognize this isn't super realistic because companies compete on a global stage.
A business truly operating in the interest of users would make a browser that had ad blocking built in without tracking - and worked on subverting ads full time (what users actually want). This includes real privacy by not being a new middle man tracking attention. Apple is the closest to doing stuff like this with their new onion router VPN, making it easy to block tracking from apps in the store, etc.
Brave pretends its interest is privacy and browser users, but it feels like a rationalization to me. Brave's core business is attention tracking and taking a cut of that, if not now - when they have more power. Its user's attention is what they monetize - those incentives don't lead some place good.
You seem to have missed a critical point: The “attention tracking” Brave does stays completely on device.
The browser is sent a list of ads, and the browser decides which ads to serve based on its metrics. Brave doesn’t see this data and the user can choose to participate or not.
There are no easy answers, but this is an interesting model and a reasonable compromise for many.
The browser is sent a list of ads, and the browser decides which ads to serve based on its metrics. Brave doesn’t see this data and the user can choose to participate or not.
There are no easy answers, but this is an interesting model and a reasonable compromise for many.
> That seems like watching these fewer ads directly on the site,
The ads from Brave are completely separate from the website. They are presented as an OS notification pop-up.
> Somehow there has to be money going into the system that supports its own existance.
Yes, of course. Their revenue coming from the advertisers that get to place ads on their notifications. They only pay to the users a share of this revenue. If for some reason they stop getting advertisers, they will stop paying the users. Simple as that.
> This means that you get potentially even less money.
This is making the very bad assumption that they have a fixed revenue. As their user base grows, more advertisers will be interested in placing ads on their network and their revenue will increase.
> Also, why do they pay out in BAT?
Primarily, because it simplifies the logistics and allows them to escape the regulatory hurdles of having to become licensed money transmitters, and lets them outsource all of that crap to the crypto exchanges. A second-order but also important effect is that it attract users who want to speculate on the token.
> Why should I support someone by using BATs instead of paypaling/patreoning/whatever-elseing him the money directly?
Whynotboth.jpg?
Patreon is not bad, but they are not in a business that can fight surveillance capitalism. Patreon does not have a way to block Facebook from tracking my browsing. Brave does. Patreon does not block the Youtube ads from the people that you want to support. Brave does.
The ads from Brave are completely separate from the website. They are presented as an OS notification pop-up.
> Somehow there has to be money going into the system that supports its own existance.
Yes, of course. Their revenue coming from the advertisers that get to place ads on their notifications. They only pay to the users a share of this revenue. If for some reason they stop getting advertisers, they will stop paying the users. Simple as that.
> This means that you get potentially even less money.
This is making the very bad assumption that they have a fixed revenue. As their user base grows, more advertisers will be interested in placing ads on their network and their revenue will increase.
> Also, why do they pay out in BAT?
Primarily, because it simplifies the logistics and allows them to escape the regulatory hurdles of having to become licensed money transmitters, and lets them outsource all of that crap to the crypto exchanges. A second-order but also important effect is that it attract users who want to speculate on the token.
> Why should I support someone by using BATs instead of paypaling/patreoning/whatever-elseing him the money directly?
Whynotboth.jpg?
Patreon is not bad, but they are not in a business that can fight surveillance capitalism. Patreon does not have a way to block Facebook from tracking my browsing. Brave does. Patreon does not block the Youtube ads from the people that you want to support. Brave does.
To play devil advocate.
On one side, Brave come with an adblocker that will remove any ads from the website you're visiting. On the other, they provide their own ads through the reward program.
So it can be seen as "replacing website ads by its own".
I approve that line of reasoning, but I think that what the author meant.
On one side, Brave come with an adblocker that will remove any ads from the website you're visiting. On the other, they provide their own ads through the reward program.
So it can be seen as "replacing website ads by its own".
I approve that line of reasoning, but I think that what the author meant.
To play the devil's devil's advocate :)
Brave allows you to do whatever you want. You can see publisher ads without Brave ads. You can see Brave ads without publishers ads. You can see both. Or you can disable both.
Since individual users can achieve any configuration of ads they like, to me it seems that some people are only unhappy with this because they want to push their moral stances on everyone else. Like, for example, stating that the ability to block publisher ads while enabling Brave ads is immoral and shouldn't be allowed.
Brave allows you to do whatever you want. You can see publisher ads without Brave ads. You can see Brave ads without publishers ads. You can see both. Or you can disable both.
Since individual users can achieve any configuration of ads they like, to me it seems that some people are only unhappy with this because they want to push their moral stances on everyone else. Like, for example, stating that the ability to block publisher ads while enabling Brave ads is immoral and shouldn't be allowed.
The idea that the experience is equivalent as a result of substitution is incorrect, though, and the author's original heavy implication that Brave's substitution is malicious and selfishly designed does not hold up.
Brave basically aligns advertising incentives to match with viewer incentives. A Google served ad is not the same thing as a Brave served ad from the perspective of a viewer, because Brave ads are optional and some of their value accrues to the viewer.
Is the alignment perfect? No. But I do view it as a substantially better starting point than the currently centralizing, adversarial model that currently exists.
Brave basically aligns advertising incentives to match with viewer incentives. A Google served ad is not the same thing as a Brave served ad from the perspective of a viewer, because Brave ads are optional and some of their value accrues to the viewer.
Is the alignment perfect? No. But I do view it as a substantially better starting point than the currently centralizing, adversarial model that currently exists.
Edit: I don't approve that line of reasoning, but I think that what the author meant.
You can disable seeing ads in settings though. if you choose to see ads however, the website doesn't get anything, you get crypto from it.
In Brave, by default, when a user opts-in and earns rewards from Brave Ads, Brave will enable the user to tip verified sites and content creators (even making automatic, pro-rata contributions possible). This is currently how content creators benefit (indirectly) from Brave Ads. Their users earn rewards, and forward them along. We're currently settling more than 8-figures each month to website owners and more. See creators.brave.com for more information. Further options will come in the future as well.
I'd prefer it if I could contribute cash monthly, and let the browser distribute the funds based on my browsing.
The notion of getting paid to view a separate stream of ads seems bizarre. It's the 'Ad Buddy' model, but with crypto.
The notion of getting paid to view a separate stream of ads seems bizarre. It's the 'Ad Buddy' model, but with crypto.
You can do that today with Brave. Brave Rewards enables users to self-fund, and contribute automatically to the sites they visit, proportional to the time spent on those sites. See https://brave.com/rewards and https://creators.brave.com for more information. The beautiful thing about Brave Ads, however, is that everybody can support the content they love. Even if they don't have the ability to self-fund; they can convert attention into substantive support for content creators.
Okay, but, how do I give them actual money, instead of BAT? Will you redeem BAT for dollars?
Within the Brave ecosystem, BAT is the unit of account for attention and support. Those who receive BAT, however, do not have to hold BAT. We offer creators and publishers the option of automatically converting their received tokens from BAT into various other types of assets and/or currencies. Many keep the BAT, others auto-convert to Bitcoin, and a large portion auto-convert to their regional currency (USD, CAD, etc.).
Possibly what you're looking for, though less browser-dependent: https://coil.com/
I think people are misremembering or misunderstanding a recent controversy where Brave was adding their own affiliate links to the user's browsing session without the user's knowledge or consent: https://www.coindesk.com/brave-browsers-affiliate-link-contr...
I don't think this is it because the article has a separate section about affiliate link controversy.
These points had been true at some point though... Also, brave is constantly astroturfing, so you should always take whatever you read online with a grain of salt.
I used brave's android browser a long time ago as well (at that time these claims were true - but they didn't replace the ads on all pages). I cannot speak about whats the current situation however, as I'm not up to date on the topic.
I used brave's android browser a long time ago as well (at that time these claims were true - but they didn't replace the ads on all pages). I cannot speak about whats the current situation however, as I'm not up to date on the topic.
The long term play might be that, but they would probably never get the market share to exploit it fully
> If earning half a penny in a month is okay for you, in exchange of your privacy, because of course, they’re tracking you with Rewards, then enjoy your money.
Lie. Brave doesn't track you. Your ad data never leave your machine (a bit like your bookmarks). The ad engine works privately on your computer and not on Brave server.
Lie. Brave doesn't track you. Your ad data never leave your machine (a bit like your bookmarks). The ad engine works privately on your computer and not on Brave server.
If it's fetching ads, it has to 100% be sending some data to someone, who is likely able to correlate it and track you. It doesn't take much.
A regional catalog is downloaded routinely. The only "data" going out is your region (e.g. the United States). This returns a protobuf catalog of ads for your region. Your device privately studies this catalog for relevant entries. When an ad is shown, it's presented as a native notification on the OS. This means the user sees a title (text), and a body (text). Screenshots of these notifications are on https://brave.com/rewards. I also covered this model in brief detail recently https://youtu.be/LsrrT502luI (skip to about 3:22 if you like).
> The only "data" going out is your region (e.g. the United States).
Every request Brave makes "home" will transfer private data like IP address of the user and browser fingerprint, regardless of the payload. Can you clarify what is done with this data?
Also if it is true what says in the article that some requests "home" can not be disabled, why is that the case?
Every request Brave makes "home" will transfer private data like IP address of the user and browser fingerprint, regardless of the payload. Can you clarify what is done with this data?
Also if it is true what says in the article that some requests "home" can not be disabled, why is that the case?
What browser fingerprint are you seeing in your research? I don't believe Leith et al found any such issue in their review at https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf, nor did I in https://brave.com/popular-browsers-first-run/.
I'm happy to discuss any requests you like; we also document all of this to the best of our ability on GitHub as well (https://github.com/brave/brave-browser/wiki).
As for disabling requests, this is a valid petition. Our goal is to have no extra requests when and where possible. We've worked hard to keep them to a minimal. There are some requests (e.g. product update requests) that we've been hesitant to make more easily blockable, since this could potentially leave large swaths of Brave users disconnected, and increasingly vulnerable.
I'm happy to discuss any requests you like; we also document all of this to the best of our ability on GitHub as well (https://github.com/brave/brave-browser/wiki).
As for disabling requests, this is a valid petition. Our goal is to have no extra requests when and where possible. We've worked hard to keep them to a minimal. There are some requests (e.g. product update requests) that we've been hesitant to make more easily blockable, since this could potentially leave large swaths of Brave users disconnected, and increasingly vulnerable.
Thanks for the attempt to clarify. My question was, what do you do with the IP address of the user that you get through these “phone-home” requests and I think it is left unanswered?
> We've worked hard to keep them to a minimal.
How is 80 requests minimal? (source: your own above-mentioned article). It seems to me that 0 requests would be minimal.
What is preventing Brave from being a zero-telemetry browser by default?
> We've worked hard to keep them to a minimal.
How is 80 requests minimal? (source: your own above-mentioned article). It seems to me that 0 requests would be minimal.
What is preventing Brave from being a zero-telemetry browser by default?
We drop the IP address. When needed, we'll convert it to a regional identifier (e.g. United States) so that we can have a count of how many users are in the US, UK, etc.
I'm not sure where you saw 80 request; my network analysis post (https://brave.com/popular-browsers-first-run/) shows Brave issuing 70 requests over a 10-minute period. Compare with Chrome (91 requests), Firefox (2,799 requests), Edge (367 requests), and Opera (106 requests).
0 requests is not realistic, IMHO. When you launch a browser you want to make sure the user has a fresh local DB of known-malicious URLs (so you don't have to pipe each request through a look-up service, like Opera does) for client-side checking. You also want to make sure the client has an updated list of blocking rules for other types of content. There's quite a bit of setup needed when you launch a web browser.
Zero telemetry is unwise, assuming you want to build a product that works for a diverse set of users, devices, and environments. The main issue here is not whether you collect telemetry, but [how] you do so, and what that looks like. Brave is careful to preclude abuse from the design phase; see https://www.brave.com/p3a for more on how we handle Privacy-Preserving Product Analytics.
I'm not sure where you saw 80 request; my network analysis post (https://brave.com/popular-browsers-first-run/) shows Brave issuing 70 requests over a 10-minute period. Compare with Chrome (91 requests), Firefox (2,799 requests), Edge (367 requests), and Opera (106 requests).
0 requests is not realistic, IMHO. When you launch a browser you want to make sure the user has a fresh local DB of known-malicious URLs (so you don't have to pipe each request through a look-up service, like Opera does) for client-side checking. You also want to make sure the client has an updated list of blocking rules for other types of content. There's quite a bit of setup needed when you launch a web browser.
Zero telemetry is unwise, assuming you want to build a product that works for a diverse set of users, devices, and environments. The main issue here is not whether you collect telemetry, but [how] you do so, and what that looks like. Brave is careful to preclude abuse from the design phase; see https://www.brave.com/p3a for more on how we handle Privacy-Preserving Product Analytics.
>0 requests is not realistic, IMHO. When you launch a browser you want to make sure the user has a fresh local DB of known-malicious URLs (so you don't have to pipe each request through a look-up service, like Opera does) for client-side checking. You also want to make sure the client has an updated list of blocking rules for other types of content. There's quite a bit of setup needed when you launch a web browser.
It is quite realistic and possible. Both examples you gave can be opt-in. Perhaps I do not want my browser to arbitrarly show a malicious URL warning. Updating content blocker can and should be opt-in as well. Maybe particular rule set work well for my setup and I do not want the update to break it.And maybe I just do not want the browser to send requests home.
And even if both of these are enabled these should be just two requests - what is going on in the remaining 68? It just looks like a very high number even if it is smallest among other test browsers (which doesn't make Brave good, just makes every tested browser broken in this regard).
>Zero telemetry is unwise, assuming you want to build a product that works for a diverse set of users, devices, and environments.
This is based on what? You should really provide an argument when making a bold claim like this.Zero telemetry should be the corner-stone of any privacy respecting product. Only zero telemetry ensures and guarantees that user privacy will be 100% respected. Everything else, even sending just one unwanted request "home" or anywhere else, can and should raise valid questions about what is done with the data including IP address since this will be closed source even in an open-source browser like Brave.
A browser which doesn't update security features upon install, startup, and on a regular interval, is an unsafe browser. Such an application might be okay for a power-user who understands the risks, but not for a popular browser built for all types of users.
Telemetry is crucial to understanding how your product is used, as well as understanding what works and what doesn't. You cannot have one-on-one conversations with 30M+ users, which is how you learn, develop, and improve.
Brave needed to find privacy-respecting ways to achieve similar "conversational" insights. That's what we've done with Privacy-Preserving Product Analytics (https://www.brave.com/p3a/). P3A doesn't collect any user data, operates on a set of published "questions", and uses vague, range-based "answers". We also split up the requests to avoid developing a "fingerprint" from the answers.
Telemetry is crucial to understanding how your product is used, as well as understanding what works and what doesn't. You cannot have one-on-one conversations with 30M+ users, which is how you learn, develop, and improve.
Brave needed to find privacy-respecting ways to achieve similar "conversational" insights. That's what we've done with Privacy-Preserving Product Analytics (https://www.brave.com/p3a/). P3A doesn't collect any user data, operates on a set of published "questions", and uses vague, range-based "answers". We also split up the requests to avoid developing a "fingerprint" from the answers.
The browser should be a secure app to begin with, without making any automatic external requests (if anything, theses can make it less secure). Almost every other application behaves in this way.
Besides, malicious URLs directory and content blocking hardly qualify as 'security’ features.
Telemetry can be useful, and totally feel free to have as much of it as you want, as long as users opt-in into it. You seem to be making a lot of choices on the behalf of the user, when your default setup has whopping 70 requests “home".
There is a way to achieve everything you want, and for a privacy respecting product (or one claiming to be one) these choices absolutely need to be users' and not yours (by the very definition of the term privacy)
Besides, malicious URLs directory and content blocking hardly qualify as 'security’ features.
Telemetry can be useful, and totally feel free to have as much of it as you want, as long as users opt-in into it. You seem to be making a lot of choices on the behalf of the user, when your default setup has whopping 70 requests “home".
There is a way to achieve everything you want, and for a privacy respecting product (or one claiming to be one) these choices absolutely need to be users' and not yours (by the very definition of the term privacy)
The browser is secure "to begin with" because it is designed to adapt to the moving threat landscape of the Web. Attackers aren't static; we don't want to their targets to be static either. A browser that doesn't adapt rapidly, dies.
> private data like IP address of the user and browser fingerprint
Presumably it would send the same data whenever it checks for software updates too.
I can't think of a threat model where downloading updates and downloading ads are different in terms of user privacy (except, of course, that a malicious update can do far more harm).
Presumably it would send the same data whenever it checks for software updates too.
I can't think of a threat model where downloading updates and downloading ads are different in terms of user privacy (except, of course, that a malicious update can do far more harm).
How does it report the ad was viewed?
When the notification pops on screen, you are granted the rewards. If your OS is not able to show the notification (due to Focus Assist, DND, or some other reason) then you are not rewarded (a future update to Brave will let users control visibility from within the browser entirely).
I believe the question was about the mechanism by which you viewing the ad is reported to Brave, not how the ad display was implemented. (A weird interpretation of "reported".)
Our Rewards server distributes virtual tokens to the instance of Brave (which has an associated Payment ID). These tokens can be exchanged when ad notifications have been viewed, and when other ad-related events occur. The tokens aren't tied to any user information.
Not to nitpick, but you still didn’t answer the question. I don’t think anyone is confused over the concept “view ad -> get token”. The parent comment was wondering how you determine an ad was viewed.
Apologies, I thought I did address that. Here's a deep-link to the process of "confirmation," which means a user has viewed an ad: https://github.com/brave/brave-browser/wiki/Security-and-pri....
NP, I appreciate the follow up, thanks!
and how do they prevent users from faking ad views to accumulate bat?
The entire ad catalog is sent on your machine and some ad engine running inside the browser decides which ads to show you. It's funny seeing all these folks nitpicking at Brave but who are fine using Google or Microsoft every day
Do you have to download the chosen ad or is it already on your system? If you selectively downloaded ads, your ip address could give you away and you get a floc like situation
The ad catalog for your region is downloaded; it comes with click-through URLs, titles, body text, and some other information. There is no connection made beyond this to retrieve any other ad-related data. You can see what your own regional catalog contains by visiting https://sampson.codes/brave/ads/my_region/.
Thanks for clarifying!
I don't really care about brave either way, it's just dubious that the ads are somehow untrackable when you apparently get credit for seeing them some how?
We use zero-knowledge proofs and blinded tokens to track when an ad has been viewed by a user. But there is no user data involved here. The magic of cryptography is that you can prove you viewed the ad without telling us anything about you
Do you have any reading material about how you achieved this?
I can't really see how zero-knowledge proofs could solve this. There is no cryptographic way to prove that software executing on a clients machine triggered a notification. Especially on Linux where an open source notification manager could be modified to reject it.
I can't really see how zero-knowledge proofs could solve this. There is no cryptographic way to prove that software executing on a clients machine triggered a notification. Especially on Linux where an open source notification manager could be modified to reject it.
Assuming you have gone through this [0] and it did(n't) click for you.
I'm equally not so convinced on this anonymous ad system they claim to have built. The browser claims to generate an adID based on your history but encrypt this info to the advertiser. Maybe someone who has actually interacted with the ad platform can provide more insight on what information is exposed.
Zero-knowledge advertising sounds practically like an oxymoron to me, but hey they claim to have made it work.
[0] https://brave.com/themis/
I'm equally not so convinced on this anonymous ad system they claim to have built. The browser claims to generate an adID based on your history but encrypt this info to the advertiser. Maybe someone who has actually interacted with the ad platform can provide more insight on what information is exposed.
Zero-knowledge advertising sounds practically like an oxymoron to me, but hey they claim to have made it work.
[0] https://brave.com/themis/
Certainly! Check out the resource detailing our Ad Confirmation process at https://github.com/brave/brave-browser/wiki/Security-and-pri... (it's a little old, but should be helpful). We leverage the Privacy Pass approach too, so reading https://www.petsymposium.org/2018/files/papers/issue3/popets... will also help understand our process. I hope this helps!
Perhaps I am misunderstanding what you sent, but isn't this just a way for the user to report that they viewed an add, not prove that they viewed it?
The cryptographic proofs are baked-into the confirmation and reporting process.
A sufficiently-capable attacker could conceivably trick the browser into thinking a native OS ad-notification was displayed, we do rely on the OS to inform us at this point (though preview versions of Brave do not have this dependency), but we have considered this as well.
The main threat here would be an attacker who attempts to automate the confirmation process, and potentially duplicate it across various VMs or OS instances. Fortunately, we've considered this too. For reasons I hope are obvious, I can't go into greater detail here.
A sufficiently-capable attacker could conceivably trick the browser into thinking a native OS ad-notification was displayed, we do rely on the OS to inform us at this point (though preview versions of Brave do not have this dependency), but we have considered this as well.
The main threat here would be an attacker who attempts to automate the confirmation process, and potentially duplicate it across various VMs or OS instances. Fortunately, we've considered this too. For reasons I hope are obvious, I can't go into greater detail here.
Ah, I hadn't noticed you declaring your financial interest before and was wondering if you were a Brave employee.
You misunderstand. The sensitive data here is your browsing history (and all that it infers). Brave never sees that.
But yes, when you view an ad, that gets recorded somewhere (so that you can get rewards, and the advertiser can be billed).
You decide if you’re comfortable with this or not. The feature is easily turned on or off.
But yes, when you view an ad, that gets recorded somewhere (so that you can get rewards, and the advertiser can be billed).
You decide if you’re comfortable with this or not. The feature is easily turned on or off.
The Epic Privacy Browser Team is integrating uBlock into Epic in their next update and didn't find a significant degradation in performance from any Chrome limitations, nor a significant performance improvement in Brave's implementation.
Epic's mobile browsers were built on Brave/Chromium, but now that Brave has endpoint and other dependencies as mentioned it doesn't explain, it isn't possible to continue to build on them or even test them since Brave features don't work in outsider builds.
Epic's mobile browsers were built on Brave/Chromium, but now that Brave has endpoint and other dependencies as mentioned it doesn't explain, it isn't possible to continue to build on them or even test them since Brave features don't work in outsider builds.
> HTML filtering is the ability to filter the response body of HTML documents before it is parsed by the browser.
> For example, this allows the removal of specific tags in HTML documents before they are parsed and executed by the browser, something not possible in a reliable manner in other browsers. This feature requires the webRequest.filterResponseData() API, currently only available in Firefox.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b... I'm going to trust Gorhill on this one. If a significant feature _does not exist_ in Epic then the only way that it couldn't hurt performance is if it was somehow useless. I suspect the Epic people (accidentally?) didn't measure that aspect.
> For example, this allows the removal of specific tags in HTML documents before they are parsed and executed by the browser, something not possible in a reliable manner in other browsers. This feature requires the webRequest.filterResponseData() API, currently only available in Firefox.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b... I'm going to trust Gorhill on this one. If a significant feature _does not exist_ in Epic then the only way that it couldn't hurt performance is if it was somehow useless. I suspect the Epic people (accidentally?) didn't measure that aspect.
"…now that Brave has endpoint and other dependencies as mentioned it doesn't explain…"
What unexplained endpoints/dependencies does Brave have? I believe I demonstrated otherwise (with links to external resources) here: https://news.ycombinator.com/item?id=27552530.
What unexplained endpoints/dependencies does Brave have? I believe I demonstrated otherwise (with links to external resources) here: https://news.ycombinator.com/item?id=27552530.
Why not just use Ungoogled-Chromium?
It doesn't seem to include an automatic updater.
Simply use a package manager.
[insert link to infamous HN Dropbox comment here]
This is the second reference to that in this thread. It's getting pretty old and I don't even think it's relevant
Yeah just download it over FTP bro!
Use GNU GUIX to manage it. It's been packaged for quite a while now
Third party untrusted binaries last I checked
You can build it yourself, but even with a midrange desktop it'll take you at least an hour to build. A laptop would probably take 2-3 at least.
Are you going to read the source to confirm nothing malicious was added?
There's around 4.9k lines of python code and 15.9k lines of patches. That doesn't seem that hard to scrutinize. From a threat model point of view you should be more worried about supply chain attacks from all the third party programs/libraries you have installed on your computer.
You can pull trusted binaries from OpenBuildService now.
I switched because Google removed the ability to log in and sync settings, history, password, etc. (I realize that in this case I'm directly giving Google my data) but it was a super nice feature.
Brave's Sync v2 works decently well.
Brave's Sync v2 works decently well.
I tried this a year ago. Had some trouble first downloading this (afaik the project only provided sources, not binaries, so you had to trust some random guy's website to download the .exe), then it randomly crashed within 5 minutes every time I launched it, then I deleted it.
I am curious why doesn’t Brave block Google ads on its standard (default) ad-blocker settings?
Does integrating it into the browser have any performance benefits over using an extension?
Brave ad blocker is written in Rust and browser extensions in JavaScript, so it should be faster
Not only faster, but we aren't beholden to the APIs offered by Google and others. Manifest v3 threatened the existence of popular content-blockers like uBlock Origin. Since we are the browser, we aren't so limited. A recent example of how we are able to do more was with the introduction of CNAME blocking, which allowed us to identify when a third-party tracker had managed to be requested from a first-party URL: https://brave.com/privacy-updates-6/.
Hey, thanks. One of my favorite computers is a Surface 3 running a Cherry Trail CPU. I tried Brave out and it's noticeably snappier on the old hardware than Firefox or Chrome.
uBlock Origin is using Web Assembly now for certain critical code. Anyway performance differences between the two have always been negligible and often fluctuating.
I find Brave Rewards very egregious. You get lots of BAT and the marketing copy hypes it up immensely without mentioning, anywhere, that you need to provide your SSN and Driver's License to a third-party (Uphold) if you actually, you know, want to cash out.
This seems particularly irritating because, let's say you set your browser to show you the max amount of ads for a while. You saved up for a few months, decided you had enough, tried to cash out only to discover that slap in your face that they never mentioned. Of course this benefits them, but the fact that the browser puts you in the situation of giving up your privacy to receive money is ridiculous for a "privacy" browser.
This seems particularly irritating because, let's say you set your browser to show you the max amount of ads for a while. You saved up for a few months, decided you had enough, tried to cash out only to discover that slap in your face that they never mentioned. Of course this benefits them, but the fact that the browser puts you in the situation of giving up your privacy to receive money is ridiculous for a "privacy" browser.
To add to this, Brave appears to force you to use Uphold in order to "verify" your wallet. So this is absolutely Brave hiding your coins from you until you dox yourself with a third-party.
It's entirely possible to trade bat for many other coins on exchanges without KYC, but Brave forces you to be unable to do that (regardless of your local laws it seems?)
This is something Brave could easily fix by just exposing an API to allow you to do what you want with your BAT instead of forcing you to use a third party KYC service.
It's entirely possible to trade bat for many other coins on exchanges without KYC, but Brave forces you to be unable to do that (regardless of your local laws it seems?)
This is something Brave could easily fix by just exposing an API to allow you to do what you want with your BAT instead of forcing you to use a third party KYC service.
This is true. When you "receive" BAT in your browser, your browser is not a wallet. You can't send it to any address of your choice, or move it to an exchange that doesn't require KYC like Uniswap. The only place you can send that BAT you "received" is "verified creators" in the Brave ecosystem. It's much more like an IOU BAT than real BAT.
If you want to get real BAT that you could send to any address, send to Uniswap, or cash out, you must create an account on Uphold and complete full KYC before you can withdraw. That's when, invisibly, the IOU BAT becomes functional, cryptocurrency-like BAT.
It's like there are 2 BATs in reality despite the marketing. FakeBAT and RealBAT. FakeBAT only works within Brave's approved creators and is what you receive in your browser, and you can convert it to RealBAT which is on Ethereum and ERC20 compliant but only if you do KYC.
If you want to get real BAT that you could send to any address, send to Uniswap, or cash out, you must create an account on Uphold and complete full KYC before you can withdraw. That's when, invisibly, the IOU BAT becomes functional, cryptocurrency-like BAT.
It's like there are 2 BATs in reality despite the marketing. FakeBAT and RealBAT. FakeBAT only works within Brave's approved creators and is what you receive in your browser, and you can convert it to RealBAT which is on Ethereum and ERC20 compliant but only if you do KYC.
An addendum to my statement above: This also means, implicitly, BAT is not a private token. All BAT ultimately comes from people who completed KYC. This means that ultimately, if the government wanted to hunt down where someone's BAT came from, it's really easy when you've KYC'd the entire ecosystem.
And, you might be OK with that for what it is, and might not want money laundering. Fine, but don't advertise it to me as an extension of a privacy browser. This is perhaps the least private cryptocurrency ever outside of USDC.
And, you might be OK with that for what it is, and might not want money laundering. Fine, but don't advertise it to me as an extension of a privacy browser. This is perhaps the least private cryptocurrency ever outside of USDC.
Isn't this for legal reasons? I'm pretty sure my crypto exchange couldn't give less of a crap about my ID but due to anti-money laundering laws every exchange I've used has had to ask me for it.
This is the law; it's not Brave's design. Our design enables you to opt-in, earn, and give to content creators without having to provide any information. The law, however, requires and compels Brave to add KYC into the mix when you wish to self-fund or cash out. Anti-money laundering is not something we can or would circumvent.
Seems like a pretty important piece of information to share with potential users up front though, for something marketing itself with a privacy focus.
No, because KYC is not mandatory to use rewards and anonymously contribute to your favorite sites and channels. Only if you want to add funds or take out some or all of your revshare is it required. It's not required by default, which is why it should not be advertised as if mandatory. HTH
>KYC is not mandatory... except when you want to add or take out funds.
This is Brave's own cryptocurrency that they use to sell their privacy-based browser. It's an important distinction.
This is Brave's own cryptocurrency that they use to sell their privacy-based browser. It's an important distinction.
Lol. This is like Tesla saying regulations prevent them from releasing full self driving. Don't advertise something you can't deliver.
We deliver exactly what we advertise; users can enjoy the default ad-free experience, or opt-in, earn, and support content creators across the Web. Nowhere in our marketing or elsewhere do we suggest you can anonymously receive cash from companies like Amazon, Twitch, Walmart, etc.
You don't have the ability to offer private money collection and your advertising should reflect that.
He just said they don't advertise the ability to offer private money collection. Are you claiming they do? If not, then it would seem their advertising already correctly reflects this fact.
They claim to be a privacy focused browser that can pay users via cryptocurrency. Yet there is no point to pay via cryptocurrency when there is no privacy for receiving it.
As I understood it, they claim to be a privacy focused browser that distributes some sort of currency-like tokens to users, which the users can then distribute to websites they want to reward, or optionally pay out as cryptocurrency to recipients that may (or may not?) be identical with the users themselves.
That this optional payout requires identification seems to be A) a legal requirement, and B) an implementation detail of second-rank importance in the grand scheme of things.
Feels far-fetched to get one's knickers in a bunch over stuff like that not being at the forefront of their marketing.
That this optional payout requires identification seems to be A) a legal requirement, and B) an implementation detail of second-rank importance in the grand scheme of things.
Feels far-fetched to get one's knickers in a bunch over stuff like that not being at the forefront of their marketing.
Knickers to you may be outer garments to others. This browser has made a habit of asking users to interpret their actions "the right" way.
Look, maybe this is a good idea, and it is the future of getting people to pay for stuff like news or software. If so then they need someone who understands that vision and can project it with confidence. Right now I have no idea who runs Brave or what person I would look to for understanding their goals. For such an innovative concept you really do need a visible delivery vehicle with whom people can relate.
Look, maybe this is a good idea, and it is the future of getting people to pay for stuff like news or software. If so then they need someone who understands that vision and can project it with confidence. Right now I have no idea who runs Brave or what person I would look to for understanding their goals. For such an innovative concept you really do need a visible delivery vehicle with whom people can relate.
You could still the user of this during onboarding, or before the start seeing any BAT ads.
[deleted]
This is false. it is not a law. KYC is required for 3k+ and only in select countries. Brave is international.
So... I dunno... Just ignore the whole BAT/Rewards nonsense? I use none of that shit, though I do use Brave for a (very) few things that require a Chrome-like browser (i.e. Won't work in Firefox with my battery of plugins). I don't regard it primarily as a high-privacy tool (FF is better at that, though far from perfect) but it's better than using Chrome on non-Goog sites.
Ah, the world has become a strange place. I currently use no less than 5 different browsers for different contexts, but mainly Chrome for Goog properties on the seldom occasion I have to go there, FF for almost everything else. Then the corner cases...
Ah, the world has become a strange place. I currently use no less than 5 different browsers for different contexts, but mainly Chrome for Goog properties on the seldom occasion I have to go there, FF for almost everything else. Then the corner cases...
Isn’t this only an issue if you actually want to cash out your $2 or whatever. The bigger benefit of Brave is that you can contribute money to websites or content creators that your prefer. This is like the “old” internet where ads didn’t care what content they were shown next to, giving much more freedom of expression on the net. Say YouTube thought your video joking about COVID meant they thought you deserved to demonetize your whole channel, we’ll now brave donations still allows you to make some sort of ad profit. That actually ads up for people from pennies from millions of people together. Cashing out for a few dollars a year is not really the intent of the system.
You can’t cash $2. There’s a 25 BAT minimum
I have been testing Brave for some time and i have not received lot of BAT since using it, i can summarize in few words but Brave are so cheap on paying BAT at the cost of giving you ads. For privacy better stick with Firefox or LibreWolf and earn crypto somewhere else.
Web ads are in general incredibly cheap per impression, so while I don’t know (nor particularly care to find out) where Brave’s ad prices come from, it’s not necessarily surprising or nefarious for them to be low.
How does KYC benefit them? Seems like (if legally allowed) they would want to reduce the friction as much as possible.
It's a shame how Brave Inc. has fumbled the execution of this concept. It's a great idea in principle: users earn currency for their attention (watching ads) or by outright purchasing it and avoiding ads, they get to choose which services they want to support and with how much, publishers get paid without slimy advertisers and GDPR headaches, while still keeping advertising in the loop but in a much more indirect and controllable way. It's brilliant. It would eventually allow getting rid of advertisers from the loop entirely with novel ways of earning currency.
Of course this is a pipe dream with the modern ad-powered web. Why would tech giants have a desire to make changes that would affect their main revenue stream? Advertisers wouldn't be thrilled either.
Still, I think it's the best idea that actually has some merit of working at scale to change how the web is monetized today. And we need more of those. Just maybe not executed by Brave Inc.
Of course this is a pipe dream with the modern ad-powered web. Why would tech giants have a desire to make changes that would affect their main revenue stream? Advertisers wouldn't be thrilled either.
Still, I think it's the best idea that actually has some merit of working at scale to change how the web is monetized today. And we need more of those. Just maybe not executed by Brave Inc.
Isn't cashing out the tokens as a user sort of pointless anyway? I'm an impoverished student and Brave gives me a way to tip my favorite Youtubers at no cost to myself. They can decide for themselves if they want to sign up and cash out. I think that's really the main intent of the BAT system, nothing deceptive about it. If I wanted to earn trivial amounts of money anonymously, there are plenty of ways to do that.
> you need to provide your SSN and Driver's License to a third-party (Uphold) if you actually, you know, want to cash out.
This is the government's fault not Brave's. There are laws that enforce the requirements. We do not have the freedom to move value or money around freely any more.
This is the government's fault not Brave's. There are laws that enforce the requirements. We do not have the freedom to move value or money around freely any more.
And I completely understand that. But Brave is still guilty of not mentioning on their product page that for all the privacy things they do, Brave Rewards isn't private, and also has a conflict of interest incentivizing them to not tell people about it.
It's Brave's fault if they only give you access to your BAT coins after signing up with Uphold. There should be no reason they hide access to your coins until you use a third party service to dox yourself.
Brave may not be implementing the dox'ing, but they appear to be requiring you to use someone else's implementation which is absolutely their fault.
Brave may not be implementing the dox'ing, but they appear to be requiring you to use someone else's implementation which is absolutely their fault.
I am guessing that the parent comment has it right. This is admittedly outside my area of expertise, but I would assume that the system they have for managing BATs is subject to the US's Know Your Customer laws, which require financial institutions (including crypto exchanges) to, well, know their customer. Personally.
They have to figure all that out before they give you access to your account. Which means, yeah, there may well be a good reason for them to require you personally identify yourself before giving you access to the tokens: if they didn't, they'd risk getting into serious trouble with the authorities.
They didn't technically need to contract that stuff out to a third-party company, of course. But, from a practical perspective, they did. They're a small browser company and financial regulation compliance would be a huge and burdensome departure from their core skill set. I don't think they could have afforded to do it themselves.
They have to figure all that out before they give you access to your account. Which means, yeah, there may well be a good reason for them to require you personally identify yourself before giving you access to the tokens: if they didn't, they'd risk getting into serious trouble with the authorities.
They didn't technically need to contract that stuff out to a third-party company, of course. But, from a practical perspective, they did. They're a small browser company and financial regulation compliance would be a huge and burdensome departure from their core skill set. I don't think they could have afforded to do it themselves.
And that's all right and good, I'm actually OK with this being the requirement for a system like this if a browser that rewards you with crypto is available.
What I'm not OK with is that Brave isn't upfront about this.
What I'm not OK with is that Brave isn't upfront about this.
Indeed. It's weird to see an organization whose entire sales pitch is, "Trust us, we're trustworthy," that persists in acting unnecessarily skeezy at seemingly every turn. Like, you half expect their next blog post to be, "We've been trying to reach you about your car's warranty..."
kyc laws only applies to exchanges that allow cashing out. I don't understand why kyc would be required here. The browser user should be the miner getting a reward as a private key. They should be able to move it to any exchange (this is where kyc is required) or trade privately.
Why they chose to implement the design in this way is not what I would expect.
Why they chose to implement the design in this way is not what I would expect.
> kyc laws only applies to exchanges that allow cashing out. I don't understand why kyc would be required here.
Because cashing out is kind of the entire point of BAT?
If creators couldn't redeem their BATs for actual spendable currency, they wouldn't really be any different from a Facebook Like button that people have to pay to click.
Because cashing out is kind of the entire point of BAT?
If creators couldn't redeem their BATs for actual spendable currency, they wouldn't really be any different from a Facebook Like button that people have to pay to click.
People sell their redditor accounts frequently for their digital tokens (upvotes) - reddit does not require people to use KYC.
Yes, I understand there is an implicit difference here, but this just shows how dumb KYC laws are to begin with as they can be easily bypassed by criminals and serve only to dox the law abiding citizens.
I, as a pro-social, well behaving, net positive contributor to society - have to trust everyone I do business with with my personal information. It's honestly absurd, if I were a criminal I would bypass this with great ease, yet because I want to behave legally I put myself at risk for identity theft frequently just to be able to do business with other people who also likely don't want to be responsible for securing my private information.
Yes, I understand there is an implicit difference here, but this just shows how dumb KYC laws are to begin with as they can be easily bypassed by criminals and serve only to dox the law abiding citizens.
I, as a pro-social, well behaving, net positive contributor to society - have to trust everyone I do business with with my personal information. It's honestly absurd, if I were a criminal I would bypass this with great ease, yet because I want to behave legally I put myself at risk for identity theft frequently just to be able to do business with other people who also likely don't want to be responsible for securing my private information.
You are also forgetting that another option is coming soon. Most of the userbase hates uphold, and they are adding Gemini soon, which should be much better.
[deleted]
KYC, AML, CYA, IANAL
KYC stands for "Know Your Customer" and it's a reference to laws that require businesses to have a clue who they're doing business with. It's not a legitimate response to the concern here. The concern is failure to provide adequate information about the consequences of your actions up front. They're going to benefit from the ads, and they won't necessarily have to pay for that benefit, because they didn't adequately obtain informed consent before they began by informing you that you need to pony up PII to a third party.
AML is probably Anti-Money Laundering. It again has nothing to do with informed consent. It is possible to prevent money from being laundered by telling a person up front, before they agree to sign up, that they have to give their private information to a third party.
CYA is probably "Cover Your Arse". Again, it's not a legitimate concern for the same reason as above.
IANAL is obviously not a response to the original concern but merely intended to reduce the risk of the reply. But there's no legal issues being raised. The issue is purely whether or not a business who praises their privacy credentials should clearly let their customers know that, if they choose to engage in business with them, their private information will need to be shared with a business who they may not trust.
If OP's story is true, Brave is not above engaging in distrust for dollars. That's the lesson to be learnt here. Brave doesn't care about your privacy. They just hope that by marketing privacy, they can get a few customers. And they will and apparently do engage in shady practices that compromise your privacy. No acronym can justify that, other than something that stands for "Businesses need to be responsible for their actions, not just their profits".
AML is probably Anti-Money Laundering. It again has nothing to do with informed consent. It is possible to prevent money from being laundered by telling a person up front, before they agree to sign up, that they have to give their private information to a third party.
CYA is probably "Cover Your Arse". Again, it's not a legitimate concern for the same reason as above.
IANAL is obviously not a response to the original concern but merely intended to reduce the risk of the reply. But there's no legal issues being raised. The issue is purely whether or not a business who praises their privacy credentials should clearly let their customers know that, if they choose to engage in business with them, their private information will need to be shared with a business who they may not trust.
If OP's story is true, Brave is not above engaging in distrust for dollars. That's the lesson to be learnt here. Brave doesn't care about your privacy. They just hope that by marketing privacy, they can get a few customers. And they will and apparently do engage in shady practices that compromise your privacy. No acronym can justify that, other than something that stands for "Businesses need to be responsible for their actions, not just their profits".
It was just a funny comment. They absolutely let you know in the docs on and the site and in every interview the CEO does that it is a requirement to complete KYC to receive the funds. I don't know what to say, it's all there, in the docs. In the FAQ: https://support.brave.com/hc/en-us/articles/360032158891-Wha...
I think your anger is misplaced - you should be angry at government who requires Brave (and eBay, and Etsy, and any company that is paying out money to people) to require this. If this wasn’t legally required they (and every other company) wouldn’t do it.
That, at least, does have a reason. Uphold is an online exchange and crypto wallet more popular in Europe but very similar to Coinbase. The government doesn't want money laundering and other financial crimes, and you might disagree with KYC but at least there's some argument there.
I don't like that Brave doesn't say, on their Brave Rewards page, warning: You will need to give up your privacy to cash out. If that's OK with you, great; if not, don't set your browser to show ads for months before you try cashing out or you'll get a nasty surprise.
From Brave's perspective, there's also a conflict of interest here. Remember, when an advertiser spends BAT to show an ad, 30% goes to Brave and 70% to the ad receiver. Brave has every incentive to get that 30%, don't they? If that means you were fooled into leaving your browser showing ads thinking you could cash out without losing your privacy, they benefit. And that's why it really smells fishy that they don't mention it on their product page.
I don't like that Brave doesn't say, on their Brave Rewards page, warning: You will need to give up your privacy to cash out. If that's OK with you, great; if not, don't set your browser to show ads for months before you try cashing out or you'll get a nasty surprise.
From Brave's perspective, there's also a conflict of interest here. Remember, when an advertiser spends BAT to show an ad, 30% goes to Brave and 70% to the ad receiver. Brave has every incentive to get that 30%, don't they? If that means you were fooled into leaving your browser showing ads thinking you could cash out without losing your privacy, they benefit. And that's why it really smells fishy that they don't mention it on their product page.
[deleted]
I guess some users don't ever cash out and just use the rewards to fund the content they consume.
Sites like eBay would require user identity verification whether or not the government required it. Can you imagine the scale of fraud on eBay if users were allowed to set up anonymous accounts and accept irreversible currency transactions to anonymous sellers? It would be a scammer’s dream come true.
I wouldn’t have any interest in using such marketplaces.
As for Brave: Whether or not KYC or other regulations explain their behavior, any cryptocurrency rewards program has an inherent incentive to make it as difficult as possible to cash out. People who cash out almost always sell their coins, putting downward pressure on the price. If they can use dark patterns to reduce the number of people selling coins, the coin price stays higher.
The ideal cryptocurrency rewards program (for the crypto, not the users) would give people coins but almost force them to hold those coins and make it as difficult as possible to sell. This simultaneously hypes the coin by spreading awareness and removes downward price pressure by making it difficult to sell. This almost always means the company or founders have a lot of the coin that they plan to sell off as it becomes popular.
Virtually everything that comes attached with arbitrary crypto tokens or rewards is a scam to make the founders wealthy while the users chase pennies.
I wouldn’t have any interest in using such marketplaces.
As for Brave: Whether or not KYC or other regulations explain their behavior, any cryptocurrency rewards program has an inherent incentive to make it as difficult as possible to cash out. People who cash out almost always sell their coins, putting downward pressure on the price. If they can use dark patterns to reduce the number of people selling coins, the coin price stays higher.
The ideal cryptocurrency rewards program (for the crypto, not the users) would give people coins but almost force them to hold those coins and make it as difficult as possible to sell. This simultaneously hypes the coin by spreading awareness and removes downward price pressure by making it difficult to sell. This almost always means the company or founders have a lot of the coin that they plan to sell off as it becomes popular.
Virtually everything that comes attached with arbitrary crypto tokens or rewards is a scam to make the founders wealthy while the users chase pennies.
Using this dark pattern is probably necessary, as it is the only robust way to protect them from being click-frauded.
You can earn only small rewards by watching ads in a single browser, so there is a big incentive to run as many automated brave instances as possible. Then send it all to one wallet and cash out.
But one would need to complete KYC for each instance. You can't move the tokens without it, so it can't be scaled up.
Brave, Inc has no requirement to be located in the US that does require these laws, hardly the fault of the government they are choosing to be incorporated under that Brave chooses that particular geographical position, especially since the US probably has some of the worst examples in recent history for disregarding the privacy of citizens and non-citizens alike.
I'm pretty sure the US government is notorious for enforcing its financial laws well beyond its borders.
Is there a reason why brave has to do it but services like bing rewards doesn't? Also, AFAIK paypal allows you to do small transfers without verifying anything.
Not sure why you are downvoted.
I guess users could also send the tokens elsewhere to try and find an exchange that doesnt care about money laundering laws - but governments get quite involved in crypto.
Or is transfering tokens not possible?
I guess users could also send the tokens elsewhere to try and find an exchange that doesnt care about money laundering laws - but governments get quite involved in crypto.
Or is transfering tokens not possible?
Not with Brave, it is not. All of your tokens go into Uphold, and you must go through full KYC (providing your Driver's License and SSN), before you can move them to any other wallet. And no, the tokens your browser says you have, they aren't actually yours or transferrable until your KYC Verification is complete. The amount of tokens in your account before you complete Uphold verification is more of an IOU BAT until you create an account and get the actual BAT.
This is what is also egregious. Yes, BAT is decentralized when you move it around in wallets, but as far as the browser is concerned, all BAT you earn from receiving ads is actually quite centralized.
This is what is also egregious. Yes, BAT is decentralized when you move it around in wallets, but as far as the browser is concerned, all BAT you earn from receiving ads is actually quite centralized.
Thanks for clarifying - that indeed should have a big red warning sign for anyone signing up trying to collect BAT via Brave.
Let's presume this were true - that the Government was also at fault (I don't agree) - why does that excuse Brave's behavior?
If I go look at any other service which requires that kind of information, it's always right up front. Want a Robinhood account? Great, you have to provide the info when you open an acocunt.
If I go look at any other service which requires that kind of information, it's always right up front. Want a Robinhood account? Great, you have to provide the info when you open an acocunt.
I use brave and rewards but have never cashed out so didn’t provide any KYC info.
I just donate BAT to sites.
Brave does “request info up front” for users who want to use the wallet. Requesting it from users who won’t need it is a waste of time.
All Robinhood users perform financial transactions, very few Brave users do.
I just donate BAT to sites.
Brave does “request info up front” for users who want to use the wallet. Requesting it from users who won’t need it is a waste of time.
All Robinhood users perform financial transactions, very few Brave users do.
Is the lack of other options to send micropayments to sites the reason you do this? If there was a way to one click send micropayments to sites from a browser that did not require you to watch ads, but you send your own money, would you do it?
Honestly it’s because I’ve never had enough tokens to qualify for the minimum. So I just leave stuff in my wallet and transfer every once in a while.
I would prefer a wallet that I have control over, but I kind of ignore the BAT stuff and just use it because it’s a clean browser that’s easier for me than managing adblocker plug-ins. The tokens are just a bonus.
I would prefer a wallet that I have control over, but I kind of ignore the BAT stuff and just use it because it’s a clean browser that’s easier for me than managing adblocker plug-ins. The tokens are just a bonus.
I always find it odd that we worry so much about how much our browsers are tracking us, but almost nothing about what our ISPs are doing. Every time I've looked into it, it seems much worse. As far as I can tell, ISPs are legally allowed to sell your browsing history to third parties: https://arstechnica.com/tech-policy/2017/03/for-sale-your-pr...
ISPs can see a lot, but it does have limits. As long as we're using SSL (and I suppose, assuming it hasn't been cracked), the ISP really only knows what domains I'm visiting. So they might know that I'm going to WebMD, but they don't necessarily know that I'm reading up on treatment options for nose fungus. They also don't necessarily know exactly which member of my household is going to that website, nor can they link it up with any browsing I do from the coffee shop.
Browser-based tracking, on the other hand, can see just about everything, because it's looking at the state of the data after it's been decrypted. And it can, with a reasonable degree of confidence, individually identify people, even when more than one person shares an internet connection, and even when one person uses more than one device or connects to the Internet from more than one location. The higher fidelity of that signal does imply that it's a greater privacy threat.
Browser-based tracking, on the other hand, can see just about everything, because it's looking at the state of the data after it's been decrypted. And it can, with a reasonable degree of confidence, individually identify people, even when more than one person shares an internet connection, and even when one person uses more than one device or connects to the Internet from more than one location. The higher fidelity of that signal does imply that it's a greater privacy threat.
do we need randomized dom nodes ?
No.
I guess I'd have to hear more details to know exactly what you're thinking, but my first instinct is to say that doing something like that would break CSS and accessibility without actually offering any significant impediment to tracking.
I guess there are feasible attacks if the ISP is sufficiently motivated. They can't read the data transmitted, but they know how many bytes is in it, and with a cross reference on page sizes in the domain you're on, they might be able to narrow it down considerably.(maybe even to 1 possible page)
A more far-fetched attack is a sort of timing attack: if you first visit arstechnica.com and then shortly afterwards visit Amazon.com, one could look for links to Amazon on arstechnica and from there have a decent guess what product you viewed on Amazon. This becomes a lot more feasible when paired with the first attack mentioned above.
A more far-fetched attack is a sort of timing attack: if you first visit arstechnica.com and then shortly afterwards visit Amazon.com, one could look for links to Amazon on arstechnica and from there have a decent guess what product you viewed on Amazon. This becomes a lot more feasible when paired with the first attack mentioned above.
These are all smart thoughts but you’ve clearly never worked for or with an ISP. As business entities in general they don’t have that kind of technical sophistication. They are more on the level of “we have to hire these vendor consultant groups to install VMs for us” than “we build a crawler so that we can use domain plus byte count to drink-anonymize visited pages.”
It doesn’t matter that most of them might not be that capable. They just hoard this data and sell it to the people with the means and resources.
It's not that easy to hoard when you have less than one competent engineer in the company and have to contract out to some vendor to build the data lake where they can hoard it.
Hoarding itself is beyond the sophistication of most service providers in the present day.
Hoarding itself is beyond the sophistication of most service providers in the present day.
BT (a UK ISP) were up to hijinks in 2008 - "BT and Phorm: how an online privacy scandal unfolded"
https://www.telegraph.co.uk/technology/news/8438461/BT-and-P...
https://www.telegraph.co.uk/technology/news/8438461/BT-and-P...
Yes. The problem for them is that times have changed.
[deleted]
ISPs do not know as much as Google/FB thanks to SSL, but they know a lot more than you'd think by analyzing connection metadata.
Also many ISPs are also carriers, which makes things worse.
Source: worked for telecos, have seen a lot of shady stuff myself.
Also many ISPs are also carriers, which makes things worse.
Source: worked for telecos, have seen a lot of shady stuff myself.
ISPs have perfect knowledge of your IP, so if they can get even basic traffic logs from _anything else_ can reconstruct your browsing history more accurately than any other third-party. Since you are probably visiting your ISP's site regularly to pay your bill, there are also a lot of possibilities for them to regularly associate third-party cookies with your login. They also have the highest-quality ambient location data (outside of explicit app permissions) to link with all of that.
ISPs didn't even want to log IP data until 70+ year old people forced them to collect that info. Sorry for the rant against older gents, but this is the current reality.
Now they might think differently because there is a market for info. Thank you government...
Now they might think differently because there is a market for info. Thank you government...
Oh not to mention, this might soon change as eSNI/ECH is adopted! Then the only information being leaked would be the IP address of the server. And with widespread use of CDNs nowadays would make the information collected pretty useless.
Ofcourse that is if your DNS queries are not leaking everything. (which they are! Use DNS-over-HTTPs guys!)
I only know enough about networking to be dangerous but I am convinced Comcast is doing shady shit with my modem when I change the DNS settings to use non-Comcast servers. Every once in a while I’ll attempt to use Wireshark to try to make sense of what’s happening but I’m pretty clueless and don’t really know what I’m looking at/for.
If anyone knows any good resources to learn about the ISP nuts and bolts that make internet magic happen between my modem and everyone else’s servers I would be most appreciative.
If anyone knows any good resources to learn about the ISP nuts and bolts that make internet magic happen between my modem and everyone else’s servers I would be most appreciative.
I found The UNIX and Linux System Administration Handbook (5th Edition), chapters about networking and DNS very instructive, and they list a ton of additional references if you want to dig deeper.
>I am convinced Comcast is doing shady shit with my modem when I change the DNS settings to use non-Comcast servers
Well that's vague. What are the symptoms? How would comcast even know that you changed DNS settings? It's possible to infer that from DNS queries to their servers dropping off and traffic to 1.1.1.1 or 8.8.4.4 increasing, but I doubt comcast is competent enough to build that sort of detection system.
Well that's vague. What are the symptoms? How would comcast even know that you changed DNS settings? It's possible to infer that from DNS queries to their servers dropping off and traffic to 1.1.1.1 or 8.8.4.4 increasing, but I doubt comcast is competent enough to build that sort of detection system.
On my home network I just run a transparent proxy and direct all outbound traffic bound to port 53 to my local dns server, it’s not hard.
Interestingly enough, this is almost exactly how ISPs do it when they really want to get your attention. A couple years ago I forgot to update an expired credit card that I used to pay my spectrum cable bill. One morning every DNS request resolved to their "your account is about to be closed due to nonpayment" page. As I also use my own DNS sever I was surprised by this, and sure enough everything going out of my network on 53 was being grabbed up by their CGNAT and sent to their DNS server.
I just block all outbound port 53 traffic, any device or app that doesn't honor my DHCP-provided DNS resolver can suck it.
Looking at you, Chromecast that tries 8.8.8.8 40 times an hour even though you know perfectly damn well that 10.10.10.1 is working
Looking at you, Chromecast that tries 8.8.8.8 40 times an hour even though you know perfectly damn well that 10.10.10.1 is working
The DNS provided by many ISPs is not to be trusted, as per this thread, so how else can your Chromecast act to find a trustworthy DNS?
And with newer decides that use DoH, you can no longer prevent devices from contacting their own DNS provider without totally firewalling them (or perhaps using some IP blacklist or whitelist, if available?)
https://en.wikipedia.org/wiki/DNS_over_HTTPS
And with newer decides that use DoH, you can no longer prevent devices from contacting their own DNS provider without totally firewalling them (or perhaps using some IP blacklist or whitelist, if available?)
https://en.wikipedia.org/wiki/DNS_over_HTTPS
When I said blocking all outbound 53 I meant no exceptions, my local forwarder already uses DoH to an outside resolver.
Everything that I don't have complete visibility into the network stack of goes on a VLAN that does not forward traffic to the internet, it advertises a proxy via WPAD and DHCP option 252. I have a whitelist of hostnames that each device is allowed to make CONNECT requests to, so far there is only one.
If it's not a plain unencrypted HTTP request to my proxy, or a CONNECT request involving a server/device pair I've decided to trust, it's not going anywhere.
This breaks a lot of things that I would just as soon rather do without. I can't change my universal remote hub settings from the vendor portal, boo-hoo. I can't view my cameras from the hardened VLAN or from the internet (unless I VPN in first since the only copy of the recordings is on my local NAS)... good.
Everything that I don't have complete visibility into the network stack of goes on a VLAN that does not forward traffic to the internet, it advertises a proxy via WPAD and DHCP option 252. I have a whitelist of hostnames that each device is allowed to make CONNECT requests to, so far there is only one.
If it's not a plain unencrypted HTTP request to my proxy, or a CONNECT request involving a server/device pair I've decided to trust, it's not going anywhere.
This breaks a lot of things that I would just as soon rather do without. I can't change my universal remote hub settings from the vendor portal, boo-hoo. I can't view my cameras from the hardened VLAN or from the internet (unless I VPN in first since the only copy of the recordings is on my local NAS)... good.
I should think they just detect traffic from your IP address on port 53 to any IP address that's not one of their nameservers.
I agree with you that comcast is incompetent, but everything becomes cheaper and easier over time and network hardware/software products that perform "deep" packet inspection at line rate as well as provide analytics on that returned data are now trivial and pretty much table stakes for Cisco, Juniper, Palo Alto et al.
Specifically for detecting if a user is not using their DNS, yes you could correlate a user's http requests (unless you are using ESNI the requested domain is in plaintext by design) with traffic logs on their DNS server and observe that there was no DNS request to the ISP DNS server before a request was made, I don't think that would be necessary. Most users use the ISP default DNS - that's your baseline. If most customers hit your DNS X times per Mb of web traffic, then someone using a custom DNS is going to stand out like a sore thumb.
Again, 100% agree that ISPs are not very technically competent (to put it mildly), but as time marches on the ability to both capture and more importantly analyze and report on that data is becoming cheaper and easier. ISPs want to get value from (sell) your data and vendors want to sell ISPs subscriptions to analytics and other platforms that bring them reoccurring revenue. Data from customer DNS is one of the most valuable sources of information an ISP has and I would be surprised if there was not at least an attempt to know how many customers did not use it.
Specifically for detecting if a user is not using their DNS, yes you could correlate a user's http requests (unless you are using ESNI the requested domain is in plaintext by design) with traffic logs on their DNS server and observe that there was no DNS request to the ISP DNS server before a request was made, I don't think that would be necessary. Most users use the ISP default DNS - that's your baseline. If most customers hit your DNS X times per Mb of web traffic, then someone using a custom DNS is going to stand out like a sore thumb.
Again, 100% agree that ISPs are not very technically competent (to put it mildly), but as time marches on the ability to both capture and more importantly analyze and report on that data is becoming cheaper and easier. ISPs want to get value from (sell) your data and vendors want to sell ISPs subscriptions to analytics and other platforms that bring them reoccurring revenue. Data from customer DNS is one of the most valuable sources of information an ISP has and I would be surprised if there was not at least an attempt to know how many customers did not use it.
Sorry, I didn't get into details because I wasn't intending to ask HN to troubleshoot for me. But, since you asked...
I have an "XFi Gateway" combination modem/router provided by Comcast (perhaps my first mistake) so the DNS settings are restricted and cannot be changed. I have the Comcast modem/router set to bridge mode and connected my own router where I can control the DNS settings.
My understanding is the DNS settings closer to the client control. So in addition to having set my router to Cloudflare's DNS I also set my devices as well. One day, maybe a year ago or so, I'm on HN and I click an archive.is link, read the article, and go to the discussion thread only to see several comments about how archive.is is blocked by Cloudflare DNS. I checked the DNS settings on my MacBook and router and I was indeed using Cloudflare DNS but for some reason I was able to access the "blocked" address.
So I went to the terminal, cleared the cache, and checked nslookup archive.is and it responded correctly. Then I checked a nonsense DNS server: nslookup archive.is 5.9.3.7 or something and it still responded correctly. I tried the same with different websites and got the same result. So I searched "see my DNS server" or something and found a few websites but they all showed Cloudflare. Very odd.
When I logged in with my VPN, Mullvad, and changed the DNS settings on the router and my laptop to Mullvad's and repeated the experiment it finally returned NXDOMAIN. Then I disconnected from the VPN but left Mullvad's DNS settings, repeated the experiment again with the same results - even when I was using a totally bogus DNS server it was returning the correct IP address.
That's when I installed Wireshark and, lo and behold, I could see the requests that should have been going to 1.1.1.1 or 5.9.3.7 going to 75.75.75.75. Comcast.
A call to Comcast was, as expected, a complete waste of time. First they told me it was using their DNS settings because of "their firewall" and then they told me that if I used their built-in router rather than mine + bridge mode I wouldn't have the issue at all.
Messing around in Wireshark I eventually determined the issue had something to do with one specific port that was making the requests (I can't recall how but I think because I could see Mullvad VPN was using a different port for DNS?) so I fiddled around and forced (or maybe redirected?) my router to use that port too and that finally worked in avoiding the Comcast servers. But, knowing just enough to be dangerous and not entirely sure what I was doing, I didn't keep the forced port and decided I'd have to get my own modem and use my VPN in the meantime.
Before I had gotten around to buying a new modem (this was somewhat early in the pandemic) I saw a post on HN about NextDNS and decided I'd see if I ran into the same issue. I didn't, as far as I could tell at least. When I run Wireshark now (I still use NextDNS) I don't see any contact with 75.75.75.75 or 75.75.76.76. I think this is because NextDNS uses DoH? But who knows.
Like I said, I only know enough to be dangerous so perhaps I just had something configured in an odd way that made the Comcast servers step in as a fail-safe and there's a totally innocent explanation. But based on my experience as a Comcast customer I don't really think they're deserving of the benefit of the doubt so I've definitely got a bit of a tin foil hat when it comes to them secretly messing around with my traffic through the leased modem.
I have an "XFi Gateway" combination modem/router provided by Comcast (perhaps my first mistake) so the DNS settings are restricted and cannot be changed. I have the Comcast modem/router set to bridge mode and connected my own router where I can control the DNS settings.
My understanding is the DNS settings closer to the client control. So in addition to having set my router to Cloudflare's DNS I also set my devices as well. One day, maybe a year ago or so, I'm on HN and I click an archive.is link, read the article, and go to the discussion thread only to see several comments about how archive.is is blocked by Cloudflare DNS. I checked the DNS settings on my MacBook and router and I was indeed using Cloudflare DNS but for some reason I was able to access the "blocked" address.
So I went to the terminal, cleared the cache, and checked nslookup archive.is and it responded correctly. Then I checked a nonsense DNS server: nslookup archive.is 5.9.3.7 or something and it still responded correctly. I tried the same with different websites and got the same result. So I searched "see my DNS server" or something and found a few websites but they all showed Cloudflare. Very odd.
When I logged in with my VPN, Mullvad, and changed the DNS settings on the router and my laptop to Mullvad's and repeated the experiment it finally returned NXDOMAIN. Then I disconnected from the VPN but left Mullvad's DNS settings, repeated the experiment again with the same results - even when I was using a totally bogus DNS server it was returning the correct IP address.
That's when I installed Wireshark and, lo and behold, I could see the requests that should have been going to 1.1.1.1 or 5.9.3.7 going to 75.75.75.75. Comcast.
A call to Comcast was, as expected, a complete waste of time. First they told me it was using their DNS settings because of "their firewall" and then they told me that if I used their built-in router rather than mine + bridge mode I wouldn't have the issue at all.
Messing around in Wireshark I eventually determined the issue had something to do with one specific port that was making the requests (I can't recall how but I think because I could see Mullvad VPN was using a different port for DNS?) so I fiddled around and forced (or maybe redirected?) my router to use that port too and that finally worked in avoiding the Comcast servers. But, knowing just enough to be dangerous and not entirely sure what I was doing, I didn't keep the forced port and decided I'd have to get my own modem and use my VPN in the meantime.
Before I had gotten around to buying a new modem (this was somewhat early in the pandemic) I saw a post on HN about NextDNS and decided I'd see if I ran into the same issue. I didn't, as far as I could tell at least. When I run Wireshark now (I still use NextDNS) I don't see any contact with 75.75.75.75 or 75.75.76.76. I think this is because NextDNS uses DoH? But who knows.
Like I said, I only know enough to be dangerous so perhaps I just had something configured in an odd way that made the Comcast servers step in as a fail-safe and there's a totally innocent explanation. But based on my experience as a Comcast customer I don't really think they're deserving of the benefit of the doubt so I've definitely got a bit of a tin foil hat when it comes to them secretly messing around with my traffic through the leased modem.
Comcast isn't doing anything to your DNS. They're the largest ISP in the country, there'd be a huge uproar if they were doing something like that. There are plenty of experts who are subscribers who'd be able to figure out exactly what's going on.
There's already a huge uproar around Comcast. But Comcast isn't losing any customers, because they have monopolies.
Yeah, uproar around prices and speeds and stuff like that. Nothing like screwing with third-party DNS requests.
Actually, I have heard that claim more than once, about various providers (up to, and including, “when I changed my DNS settings and the traffic slowed down, the tech got me to change them back, and the traffic sped up”).
It's less common, I think, because more people know how to check their speed than change their DNS.
It's less common, I think, because more people know how to check their speed than change their DNS.
The only way I can think of that working is if the provider is intercepting DNS requests for popular speed tests to redirect to an internally-hosted version that would be faster. Otherwise, I can't think of any realistic way DNS settings can affect actual throughput.
So, suppose I'm Huge Video Streaming Corp X, and I get a DNS request asking me for the address of my servers. Well I have over a thousand servers around the globe, which one do you need? Any of them would work, but you likely want the fast nearby one, right? So I can try to guess based on the IP address the query came from...
I know the best answer for a Comcast DNS server in New York is the server I physically installed in a New York Comcast rack, but when a public DNS server asks me from Paris, maybe I suggest a London server, 'cos that's pretty close to Paris, shame that New York isn't.
EDNS Client Subnet is a feature that lets a DNS server say OK, I'm asking on behalf of somebody from 10.20.30/24 and so my system can do the same trick with ECS. But doing this unwinds most of the privacy benefit of using a public service, so several famous public DNS servers explicitly do not use ECS.
Obviously the cheap bulk host used for some Single Serving site like "Is pizza rat mayor of New York yet?" isn't affected, that is only one server and it is wherever it is, but somebody like Netflix absolutely is affected by this because they have their machines close to the customers to deliver better performance and if they don't know where the customer is that inteferes.
QUIC has an optional feature called Connection Migration to help improve this, the remote server is like "Um, now that you're connected to www.example.com here in Glasgow, Scotland, I notice your IP address is from Tokyo, Japan, and this is just a suggestion, but maybe talk to my identical twin also named www.example.com in Tokyo, Japan for better performance? Here is the IP address to try"
I know the best answer for a Comcast DNS server in New York is the server I physically installed in a New York Comcast rack, but when a public DNS server asks me from Paris, maybe I suggest a London server, 'cos that's pretty close to Paris, shame that New York isn't.
EDNS Client Subnet is a feature that lets a DNS server say OK, I'm asking on behalf of somebody from 10.20.30/24 and so my system can do the same trick with ECS. But doing this unwinds most of the privacy benefit of using a public service, so several famous public DNS servers explicitly do not use ECS.
Obviously the cheap bulk host used for some Single Serving site like "Is pizza rat mayor of New York yet?" isn't affected, that is only one server and it is wherever it is, but somebody like Netflix absolutely is affected by this because they have their machines close to the customers to deliver better performance and if they don't know where the customer is that inteferes.
QUIC has an optional feature called Connection Migration to help improve this, the remote server is like "Um, now that you're connected to www.example.com here in Glasgow, Scotland, I notice your IP address is from Tokyo, Japan, and this is just a suggestion, but maybe talk to my identical twin also named www.example.com in Tokyo, Japan for better performance? Here is the IP address to try"
That's not what I meant by "actual throughput." The fact that a download is slower from a server halfway around the world versus one in the same datacenter where my ISP has a peering agreement near me isn't because my connection slows down when I'm hitting the far away server.
This explanation makes a lot of sense. It also has a slight feeling of Hanlon's Razor, although there isn't necessarily incompetence involved (unless you count the technology's inability to find the absolute fastest/closest server [for whatever reason] as incompetence).
If the ISP is checking for DNS lookup of speed test websites, then allocating higher bandwidth to the connection for a brief period of time?
Or, somehow more cynically, the ISP makes money from selling the data collected from DNS, so punishes people who use a different DNS provider. (DNS is plaintext-by-default, so I don't quite see how this would work, but it's possible.)
Or perhaps the system uses DNS lookups as a proxy for “is a human browsing the web”; if there aren't enough, it's clearly some kind of automated computer program that doesn't deserve internet access.
Or, somehow more cynically, the ISP makes money from selling the data collected from DNS, so punishes people who use a different DNS provider. (DNS is plaintext-by-default, so I don't quite see how this would work, but it's possible.)
Or perhaps the system uses DNS lookups as a proxy for “is a human browsing the web”; if there aren't enough, it's clearly some kind of automated computer program that doesn't deserve internet access.
Your first example would be dead simple to detect and take advantage of to get those boosted speeds all the time. Your other two examples are a bit wild.
The first example is a real-life example. The other two are speculative, because I've heard a case where it wasn't the first example.
"Come on, what are you worried about? I'm sure it's fine, somebody must have inspected it."
I find Comcast’s fuckery to be limited to their business practices. Their actual IP network seems to be very solid.
100% agreed. And I've been a Comcast customer long enough to have seen the days when that certainly wasn't the case. They've made some pretty big mistakes in the past, but they seem to have learned their lesson.
Weren't they the ones who pioneered DNS hijacking of unknown domains to serve their own recommendations and ads?
No, that was VeriSign back in 2003: https://www.icann.org/en/announcements/details/advisory-conc...
Ah, OK. I didn't realize verisign did that too. Comcast followed not long after...
https://arstechnica.com/tech-policy/2009/08/comcasts-dns-red...
https://arstechnica.com/tech-policy/2009/08/comcasts-dns-red...
Comcast used to do a lot of messed up stuff. As I mentioned in a comment somewhere close to here, I've been a customer long enough to have seen those bad days and how they've managed to change since those days.
Have they really though? They still do DNS hijacking and bandwidth caps and speed boost for a few seconds only and automatic price increases and worthless bundles and such, don't they? They were so bad they had to rename to Xfilthy or something but their practices didn't really change as far as I can tell. What are some examples of things they've improved?
That's aside from all the political shenanigans they pull, trying to kill municipal broadband and net neutrality. There's scarcely a more evil ISP.
I switched away from Comcast as quickly as I could, and never had trouble with either smaller cable companies or fiber providers.
That's aside from all the political shenanigans they pull, trying to kill municipal broadband and net neutrality. There's scarcely a more evil ISP.
I switched away from Comcast as quickly as I could, and never had trouble with either smaller cable companies or fiber providers.
That couldn't be more wrong. They literally published an IETF draft standard on how they do it.
https://datatracker.ietf.org/doc/html/draft-livingood-dns-re...
https://datatracker.ietf.org/doc/html/draft-livingood-dns-re...
That draft is referring to the operation of their own DNS servers, not messing with third-party DNS.
"... except in reasonable and justifiable cases where a user has been placed into a so-called "walled garden" for reasons of abuse, security compromise, account non-payment, new service activation, etc."
Their own words
Their own words
What's your issue with that? In that scenario, the user doesn't even have Internet access. If they didn't force the DNS to specific servers, the user would only see that their service isn't working with no indication as to what's going on. It's clearly not something they do with normal, functional users and I never said that they didn't have the capability to do it.
That was a pretty rapid shift from "Comcast isn't doing anything to your DNS" to "So what if they are? There are times when they should!"
Yeah, wow I guess I should have included the caveat "Comcast isn't doing anything to your DNS... except when you literally don't have Internet access and couldn't reach a third-party DNS server anyway"
If you wanted to be honest you could have said "I have literally no idea what Comcast is doing with DNS, but I will attempt rationalizing everything they do as I am gradually informed of it"
[deleted]
The recommendation of _The UNIX and Linux System Administration Handbook_ is a good one.
As far as Comcast, I'm stuck with them, too. At least in my experience, they don't monkey with DNS - I run and use my own DNS servers, and have never seen interference.
They do run deep packet inspection, and if they detect you, for instance, torrenting commercial media, they'll inject scary messages in port 80 traffic. Given that nearly all web traffic is encrypted now, the main effect of this is to break things like automated `apt-get update`s.
One thing you can do to detect transparent DNS hijacking is to ask a nonexistent server a question. Something like `dig @13.14.15.16 news.ycombinator.com` should not give you an answer. If it does, someone's spying on and/or gaslighting you.
As far as Comcast, I'm stuck with them, too. At least in my experience, they don't monkey with DNS - I run and use my own DNS servers, and have never seen interference.
They do run deep packet inspection, and if they detect you, for instance, torrenting commercial media, they'll inject scary messages in port 80 traffic. Given that nearly all web traffic is encrypted now, the main effect of this is to break things like automated `apt-get update`s.
One thing you can do to detect transparent DNS hijacking is to ask a nonexistent server a question. Something like `dig @13.14.15.16 news.ycombinator.com` should not give you an answer. If it does, someone's spying on and/or gaslighting you.
Curious: how can they detect whether you're torrenting commercial media if you've enabled Bittorrent protocol encryption? Surely all they can see then is the outer (envelope) of the packets...?
This is a bit of a misconception. Copyright holders have always gone after seeders based on people connecting to swarms, tracker info, and crawling DHT. There’s no reason to use DPI when the list of uploaders is just given out by trackers and DHT for free. See: https://www.usenix.org/legacy/event/woot10/tech/full_papers/...
You're right that is how it generally operates, but in the case of Comcast I think this meme doesn't want to die because in the late 00s Comcast really did do DPI to interfere with torrents: https://www.techdirt.com/articles/20071029/020756.shtml
Fairly googleable with "Comcast sandvine". Afaik they haven't done anything like that for years, though.
Fairly googleable with "Comcast sandvine". Afaik they haven't done anything like that for years, though.
Bittorrent trackers by design have a list of all IPs in the swarm and give to anyone who asks (that's how peers coordinate).
I'm getting this second hand, but I've heard that some isps will redirect dns traffic to their servers based on it going to port 53.
I don't always find it odd, but when I do I find it odd that we worry so much about applications when the entire cell telephony networking layer is completely and unpatchably hacked.
Because you can work around that pretty easily with authenticating encryption. Even if the networking layer weren’t hacked, you should assume it was.
I have a feeling that you mean "easily" in the same sense the infamous Dropbox demo comment did.
EDIT: I wasn't thinking, OP is completely right. Sorry for the snark.
EDIT: I wasn't thinking, OP is completely right. Sorry for the snark.
You can just use whatsapp or whatever. The phone network with SIP/SS7 etc. is hopeless, but you don't have to use it, and most people I know prefer other forms of communication anyway.
Ah right, sorry understood. You're completely right...I wasn't thinking in terms of IP-based services.
I mean more like not just the data transfer layer, but the whole cell telephony baseband firmware enables privileged access to your phone. This can be the entry vector for multiple exploits that go way below the application layer. E2E encrypt is meaningless at this level.
>but the whole cell telephony baseband firmware enables privileged access to your phone
This is very outdated, at least for a significant number of smartphones (including all iPhones, but not limited just to those). Apple and IIRC other manufacturers long since isolated the baseband, treating it simply as a standard USB or PCIe peripheral (and in the latter case using an IOMMU with it amongst other things). It has zero special access to anything on the rest of the phone which in the smart phone era is where everything of interest actually lives and happens.
This is very outdated, at least for a significant number of smartphones (including all iPhones, but not limited just to those). Apple and IIRC other manufacturers long since isolated the baseband, treating it simply as a standard USB or PCIe peripheral (and in the latter case using an IOMMU with it amongst other things). It has zero special access to anything on the rest of the phone which in the smart phone era is where everything of interest actually lives and happens.
^ This. Prior to Apple, the phone OEMs and carriers had hooks all into your baseband firmware for all kinds of things; firmware updates, CALEA hooks, automatic provisioning, etc...
Source - used to certify these things in a lab environment.
Source - used to certify these things in a lab environment.
That's great to know. I'd like to feel reassured but I'm sure there's new exploits somewhere, the carrier level i think is just so attractive to large scale actors. Any internet links to read up on this, and on the next generation of possible carrier level exploit vectors?
It’s always been known that your carrier has access to your unencrypted cell traffic (including voice and text) and that carriers are slimy. You’re also protected by using secure services over IP. I think that the set of people for whom this will cause a threat model change is really small.
You can change browsers, but in many places you have no option on ISP.
In any case your ISP probably doesn't care as much about selling your information since you are already paying them.
Even if they are you can always use VPN to blind them.
I'm jealous of the fact that you're not aware that there is a solution for this. What do you think VPNs are selling? It's specifically relief from ISP-level tracking.
It's profitable enough that there seem to be ads for it baked into everything. I won't repeat their name here, but have you avoided that "Sponsored by NxxxVPN" all over the Internet/baked into every YouTube video that has sponsored videos?
It's profitable enough that there seem to be ads for it baked into everything. I won't repeat their name here, but have you avoided that "Sponsored by NxxxVPN" all over the Internet/baked into every YouTube video that has sponsored videos?
ISPs are a blackbox and it's not possible to figure out what they do from user-side.
There is also hardly anything you can do about from your side. Using a vpn or similar solutions is only shifting the problem from one provider to another. You can reduce the exposure with some measurments, but they are also expensive and complicated.
But for this (and other) reasons companies have started to fix it from the server-side by offering encrypted connections and working on ways to hide your trail from the middleman and their attatched agencies.
There is also hardly anything you can do about from your side. Using a vpn or similar solutions is only shifting the problem from one provider to another. You can reduce the exposure with some measurments, but they are also expensive and complicated.
But for this (and other) reasons companies have started to fix it from the server-side by offering encrypted connections and working on ways to hide your trail from the middleman and their attatched agencies.
Encryption solves security, but doesn't entirely address privacy.
An ISP might not know what a user does at pornhub.com, but the ISP does know when and how often the user visits pornhub.com and how much data is exchanged when they do. I'm sure someone would pay for that kind of fingerprinting.
An ISP might not know what a user does at pornhub.com, but the ISP does know when and how often the user visits pornhub.com and how much data is exchanged when they do. I'm sure someone would pay for that kind of fingerprinting.
If it bother's you there's TOR and you can ssh to a vps. Most stuff is encrypted now and there are 3 different DNS encryption standards (one of which is actually good.)
IMO: what's left of that issue is getting solved.
IMO: what's left of that issue is getting solved.
ISPs right now are freaking out that their very expensive solutions like Nokia Deepfield are seeing less and less.
Ten years ago you’d be right, but right now that business is dying rapidly.
Ten years ago you’d be right, but right now that business is dying rapidly.
Almost everything is SSL-secured now. There's not very much an ISP can snoop on. DNS lookups and IP addresses, I guess.
the timing and size of everyone's connection to everything is "not very much"?
Indeed it is not. Unless of course you find a way to map the timing and size of a pageload to its potentially sensitive content, in which case do tell.
> Unless of course you find a way to map the timing and size of a pageload to its potentially sensitive content, in which case do tell.
Wasn't there a HN story about people doing exactly that to figure out what condition people were looking up on WebMD? I don't recall when.
Wasn't there a HN story about people doing exactly that to figure out what condition people were looking up on WebMD? I don't recall when.
TLSv1.2 traffic contains the hostname of the site you're connecting to, and the list of ciphers. This can be fingerprinted to identify your browser, and the server-side software. [1]
TLSv1.3 on the other hand sometimes encrypts the hostname (eSNI) and most of the TLS handshake, so there's much less data to fingerprint. It's not as widely supported, but support is growing...
[1] https://engineering.salesforce.com/tls-fingerprinting-with-j...
//Edited to clarify that eSNI isn't default behaviour of 1.3
TLSv1.3 on the other hand sometimes encrypts the hostname (eSNI) and most of the TLS handshake, so there's much less data to fingerprint. It's not as widely supported, but support is growing...
[1] https://engineering.salesforce.com/tls-fingerprinting-with-j...
//Edited to clarify that eSNI isn't default behaviour of 1.3
ECH (the new name of eSNI) is not even out of draft status yet, so it's misleading to put it on the same level as TLS 1.3 (although you did say it was not as widely supported, it's an understatement).
> TLSv1.3 on the other hand encrypts the hostname (eSNI)
eSNI is not the default behavior, and has few deployments at scale. TLSv1.3 transmits SNI in the clear.
eSNI is being replaced with ECH[1], but in many cases, there is a 1:1 relation between the IP address and the site being served. ESNI and ECH are only one layer of obfuscation - a middleman (such as an ISP) could still snoop your DNS (unless DoH/DoT) and/or correlate the IP addresses you connect to against the hostname(s) presented on that server.
Attackers already do that today with nmap - scan publicly addressable ranges on port 443 and see what names are on the certificate presented by the server.
[1]: https://blog.cloudflare.com/encrypted-client-hello/
eSNI is not the default behavior, and has few deployments at scale. TLSv1.3 transmits SNI in the clear.
eSNI is being replaced with ECH[1], but in many cases, there is a 1:1 relation between the IP address and the site being served. ESNI and ECH are only one layer of obfuscation - a middleman (such as an ISP) could still snoop your DNS (unless DoH/DoT) and/or correlate the IP addresses you connect to against the hostname(s) presented on that server.
Attackers already do that today with nmap - scan publicly addressable ranges on port 443 and see what names are on the certificate presented by the server.
[1]: https://blog.cloudflare.com/encrypted-client-hello/
Right. The actual improvement from TLS 1.2 to TLS 1.3 in this respect is that in TLS 1.2 the certificate was in the clear.
Encrypted Client Hello isn't finished. I would say the basic idea is settled, but there are plenty of technical nits and it might be next year before they have a final document.
Eventually the idea is that ECH will be GREASEd by always sending ECH data, if the client knows it is supported it will use ECH and if not then it will fill out the ECH data with random nonsense. Since it's encrypted, an adversary can't easily distinguish one from the other and a site which doesn't offer ECH will ignore the nonsense anyway.
The idea of probing servers on port 443 works well enough for dozens of popular sites with dedicated servers, but much less well for the long tail. A bulk host won't give you a list of every customer just because you hit port 443 on each server and pled ignorance, you'll get a generic "Under construction" page and no information.
Encrypted Client Hello isn't finished. I would say the basic idea is settled, but there are plenty of technical nits and it might be next year before they have a final document.
Eventually the idea is that ECH will be GREASEd by always sending ECH data, if the client knows it is supported it will use ECH and if not then it will fill out the ECH data with random nonsense. Since it's encrypted, an adversary can't easily distinguish one from the other and a site which doesn't offer ECH will ignore the nonsense anyway.
The idea of probing servers on port 443 works well enough for dozens of popular sites with dedicated servers, but much less well for the long tail. A bulk host won't give you a list of every customer just because you hit port 443 on each server and pled ignorance, you'll get a generic "Under construction" page and no information.
>TLSv1.3 on the other hand encrypts the hostname (eSNI) and most of the TLS handshake
That's supported in supported in tls 1.3, but actual deployment/usage is spotty (it's an extension, not mandatory). AFAIK it also requires your DNS to cooperate, since that's how it gets the keys for the initial handshake.
That's supported in supported in tls 1.3, but actual deployment/usage is spotty (it's an extension, not mandatory). AFAIK it also requires your DNS to cooperate, since that's how it gets the keys for the initial handshake.
TFA isn't though, for example.
How are IPs "not much"? I get that you mean that they don't see the requests and responses themselves, but you can easily infer interests, life events, other particularities from the request targets and the timings alone.
I mean, 95% of those IPs are just going to be some Cloudflare CDN anyway, right? I think you'd be hard-pressed to infer much real info from them.
Maybe then mask the hosting provider's identity, but surely the different websites have different IPs? Also, there are easily accessible services that aggregate info like this, and also keep record of past IP changes, like SecurityTrails.
The propaganda that metadata isn't a privacy threat is one of the biggest PR wins for the surveillance economy ever.
[deleted]
You can encrypt your DNS lookups with several different services.
That still doesn't hide the IP you are connecting to unless you are on a VPN. They still know that if you are connecting to 209.216.230.240, it _could_ be hacker news. With the widespread use of CDNs, and hosting of multiple services on a single IP, this won't be 100% accurate, but the ISP can still connect the dots I guess
With the amount of VPNs popping out it seems that there is more than almost none worrying.
It’s not like VPNs don’t have the exact same problem, though…
They do, but at least in theory, their business model is built on not selling the information.
Given how much ISPs charge I don't think they need to sell info to make money.
As garbage as most US ISP options are, I'd trust them long before I trust random VPN services. And I can be reasonably certain that my physical connection goes to Verizon. My virtual connection could be going anywhere and I just have to believe that it's to people who are who they say they are.
As garbage as most US ISP options are, I'd trust them long before I trust random VPN services. And I can be reasonably certain that my physical connection goes to Verizon. My virtual connection could be going anywhere and I just have to believe that it's to people who are who they say they are.
This is exactly the business model for some VPNs, particularly the free or very-cheap variety.
There's still an element of trust involved, but it's better than the status quo of "we'll monitor your internet, take it of leave it" from the ISPs.
If you turn on your VPN, they can do exactly that.
You’re just trading one for the other and that new one might not even have to follow the same laws.
You’re just trading one for the other and that new one might not even have to follow the same laws.
except that if a VPN provider is caught selling your data, they are toast.
any VPN worth its salt has a business model built around not logging data and not selling data. Your ISP on the other hand, is in the business of selling you internet access. Your data is a secondary revenue stream for them.
They two are not equivalent.
any VPN worth its salt has a business model built around not logging data and not selling data. Your ISP on the other hand, is in the business of selling you internet access. Your data is a secondary revenue stream for them.
They two are not equivalent.
As long as you also clarify that their consumers must be following the news where that's announced.
With us technical people it's more likely, but not necessary for others that may have just heard 'use a vpn' and went to the App Store, searched for 'vpn' and prepaid 3 years.
Hide my ass VPN is still up - https://www.hidemyass.com/en-us/index
With us technical people it's more likely, but not necessary for others that may have just heard 'use a vpn' and went to the App Store, searched for 'vpn' and prepaid 3 years.
Hide my ass VPN is still up - https://www.hidemyass.com/en-us/index
Yeah the amount of folks using rando free VPN they know nothing about is a little worrisome.
Depending on where you live the likelihood of your ISP doing something exceptionally nefarious might be way lower than some random VPN client someone finds on an appstore.
Depending on where you live the likelihood of your ISP doing something exceptionally nefarious might be way lower than some random VPN client someone finds on an appstore.
A clarification as there seems to be some confusion:
Whether VPNs solve the issue or not is irrelevant to my point. Their primary advertised feature is to hide your traffic from your ISP, McDonalds or whoever, and people buy them. (Secondary feature is masking location for streaming services, which doesn't really work).
Whether VPNs solve the issue or not is irrelevant to my point. Their primary advertised feature is to hide your traffic from your ISP, McDonalds or whoever, and people buy them. (Secondary feature is masking location for streaming services, which doesn't really work).
Brave's development team's responses can be found at these locations, covering a post very similar to this one.
https://old.reddit.com/r/privacytoolsIO/comments/nvz9tl/_/h1...
https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h18...
https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h1f...
https://old.reddit.com/r/privacytoolsIO/comments/nvz9tl/_/h1...
https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h18...
https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h1f...
I appreciate articles that look into topics in some depth that I’m curious about. But I really dislike the author’s strident writing style. Now, if there’s a single exaggeration or untruth from the author, It’ll throw the rest of the article in doubt for me. I think it would be better if it was a bit more dispassionate.
Another thing I’ve noticed in security (and I actually work in this field) is that if a project makes some progress but doesn’t address all the things (e.g. Signal end-to-end encryption for the masses but it uses a phone number or isn’t federalized), people criticise so strongly. It’s like, ok, but give some (actually a lot) of credit because it’s literally the best option right now?
Another thing I’ve noticed in security (and I actually work in this field) is that if a project makes some progress but doesn’t address all the things (e.g. Signal end-to-end encryption for the masses but it uses a phone number or isn’t federalized), people criticise so strongly. It’s like, ok, but give some (actually a lot) of credit because it’s literally the best option right now?
> But I really dislike the author’s strident writing style.
Colorful and emotional language gets attention. Dispassionate writing doesn't. Whenever I see people criticize an author for a little rhetorical flair, I play the famous "Pirates of the Caribbean" scene in my mind:
Hacker News: "Your article is the most strident and obnoxious piece of technical writing I've ever heard of"
Author: "Ah, but you have heard of it!"
Colorful and emotional language gets attention. Dispassionate writing doesn't. Whenever I see people criticize an author for a little rhetorical flair, I play the famous "Pirates of the Caribbean" scene in my mind:
Hacker News: "Your article is the most strident and obnoxious piece of technical writing I've ever heard of"
Author: "Ah, but you have heard of it!"
I think this is a popular narrative, but I don't think it's true. Especially in HN, some of the best articles I can remember aren't angry people being obnoxious, but can even be highly-technical and entirely dispassionate.
Also, I am not sure people do remember these types of articles. Perhaps they remember some notion of the content, but I'm doubtful many detractors would remember the author.
Also, I am not sure people do remember these types of articles. Perhaps they remember some notion of the content, but I'm doubtful many detractors would remember the author.
my ideal article tells me everything I need to know in simple language, without meander or emotion. that’s rare even here
Yeah clickbait sells, but I’m saying if there’s a single error, combined with the emotional tone, I’m more likely to discount the whole article and think they’re just extremely biased and blinded by their emotions.
this is one of the major problems with the current media landscape. all publicity is good publicity. look at Trump. look at the Paul brothers. HN is one of the few safe harbours from that. personally, I’d like to keep it that way
Most of the article is in fact factually incorrect.
The main thesis is that: Brave's adblocker is just uBlock Origin and so it's better to just use uBlock Origin on FF.
But Brave's adblocker is not just uBlock Origin so the entire article falls apart.
Everything else is just trying to misrepresent everything in the worst possible light.
> It is said that this might be a backdoor. But I don’t want to get conspiracist. I prefer giving you verifiable facts. I’ll limit myself to inform you about suspicious activities.
Righttt... we're not children, we all know what you're trying to do here.
The main thesis is that: Brave's adblocker is just uBlock Origin and so it's better to just use uBlock Origin on FF.
But Brave's adblocker is not just uBlock Origin so the entire article falls apart.
Everything else is just trying to misrepresent everything in the worst possible light.
> It is said that this might be a backdoor. But I don’t want to get conspiracist. I prefer giving you verifiable facts. I’ll limit myself to inform you about suspicious activities.
Righttt... we're not children, we all know what you're trying to do here.
On mobile, it's not as easy to say "use FF Android". Desktop FF is fine, and it's what I use, but on mobile FF is not as fast as Chromium based browsers. Text-heavy content is fine everywhere, but for sites that are more interactive, Chromium based browsers usually deliver less choppy performance.
The entire blog reads like a conspiracy theory 4chan /g/ fever dream
It's a personal website, not a corporate blog. Why does it have to be dispassionate? The tone is strident, but there are no personal attacks or abusive language used.
Is the writing very strident? To me it didn’t really come across as such, though I guess standards differ when it comes to largely technical writing compared with other types of writing (e.g. on politics).
Another shady practice: you could donate to any website, but Brave itself received the amount if not claimed by the website creator. Users did not know. (https://davidgerard.co.uk/blockchain/2019/01/13/brave-web-br..., https://redd.it/a8g1i9)
Don't use Brave. Tell others not to use it.
Don't use Brave. Tell others not to use it.
That's not true. If the website or user does not claim the rewards within 3 months it goes back to the user.
Correct. Tips and contributions to unverified properties remain [on the user's device] for up to 90 days. The browser will make routine attempts to send the tip through; if it fails to do so after 90 days those rewards are unlocked and can be given to another creator.
Brave can't send BAT to a site that doesn't accept BAT. For example, HN doesn't. When I click on the BAT icon, the first thing I see is a message saying the tokens will remain in my wallet until the site accepts my tip.
This is now how it used to work - which is why the OP uses “could” instead of “can” - see the linked article.
The way it "used to work" was that Brave gave users BAT for using the Browser and Brave Payments (now Brave Rewards). The user could then visit a site/channel, and Brave would communicate if the property was verified or not (e.g. a verified property had a check-mark, and an unverified property did not). If you tipped a verified property, the BAT (as gift from Brave) would go to the creator's associated wallet. If the property was not verified, the BAT would go into a settlement wallet, awaiting the creator's registration. Again, this was Brave's BAT effectively being earmarked for a creator who had not yet verified. The feedback at the time from the community was that the UI/UX was confusing; indeed it was. We quickly modified the model, and today it is substantially better as a result. Unverified properties are now as explicitly identified as verified ones, and tips to the former are held on-device for up to 90 days.
Just because something is not perfect, it should not be condemned. I don't understand why alternatives are often held to much higher standards than the established service.
aren't the alternatives in this case held to a lower standard? Like the kind of shady behavior you see from these alternatives, often in some way tied into crypto stuff, you don't even see from Google or Microsoft, let alone from someone like Mozilla
Brave runs on the exact same ad model as Chrome, they just inserted themselves as the middle man. There's no actual value provided here and it's basically just "big corporate bad" marketing
Brave runs on the exact same ad model as Chrome, they just inserted themselves as the middle man. There's no actual value provided here and it's basically just "big corporate bad" marketing
"Brave runs on the exact same ad model as Chrome…"
You couldn't be more mistaken here. I covered the history of digital advertising and the introduction of Brave's model here: https://www.youtube.com/watch?v=LsrrT502luI.
In short, Brave's model is largely the inversion of Google's model. With Brave, users must opt-in. Google doesn't ask you to opt-in. With Brave, user data remains on device. Google requires the remote collection of your data, as well as the broadcasting of it to third-parties. With Brave, users decide when and how many ads they will be shown. Google shows you as many as they can get away with. With Brave, user's collect 70% of the revenue for their participation. Google gives you nothing, but takes quite a bit. With Brave, Brave Software learns nothing about you, your interests, or your browsing history. Google learns quite a bit about you, harvesting as much data as they can get away with, and using it across contexts and domains.
You couldn't be more mistaken here. I covered the history of digital advertising and the introduction of Brave's model here: https://www.youtube.com/watch?v=LsrrT502luI.
In short, Brave's model is largely the inversion of Google's model. With Brave, users must opt-in. Google doesn't ask you to opt-in. With Brave, user data remains on device. Google requires the remote collection of your data, as well as the broadcasting of it to third-parties. With Brave, users decide when and how many ads they will be shown. Google shows you as many as they can get away with. With Brave, user's collect 70% of the revenue for their participation. Google gives you nothing, but takes quite a bit. With Brave, Brave Software learns nothing about you, your interests, or your browsing history. Google learns quite a bit about you, harvesting as much data as they can get away with, and using it across contexts and domains.
I did test out Brave a while ago and the reward system was on by default. I had to go to the settings to turn it off, and in fact this option did not sync. So whenever I installed it on a new device I had to turn it off again, and I suspect that's deliberate. I also don't think that Google shares my information with third parties, pretty sure they say explicitly they don't do that.
And as to Brave's model of pooling users and preserving anonimity, isn't this exactly what Google's FLoC is? As far as I'm aware the dreaded third party cookies seem to be on their way out. I'll give Brave props for being a frontrunner on this, but that's not an inversion of Google's model, this appears to be exactly where everyone is going.
And as to Brave's model of pooling users and preserving anonimity, isn't this exactly what Google's FLoC is? As far as I'm aware the dreaded third party cookies seem to be on their way out. I'll give Brave props for being a frontrunner on this, but that's not an inversion of Google's model, this appears to be exactly where everyone is going.
Brave Ads/Rewards is definitely OFF by default in Brave (I just double-checked, https://imgur.com/UIASmf4). You're invited to enable it during the Welcome screen, but it's off by default. If you install Brave today (make sure you don't have an old profile sitting around in %localappdata%/BraveSoftware/ already) and observe otherwise, that's a bug (please let us know).
I think you're misunderstanding how Brave's anonymity works. We don't rely on something like k-anonymity where we hide users behind some common cohort ID. Suffice it to say, we're not big fans of FLoC: https://brave.com/why-brave-disables-floc/. Brave's anonymity is based on the inversion of the flow of data. Rather than collecting information about users, Brave transmits data from advertisers to the user's device for local scrutiny.
Google is in no way moving towards the Brave model; it they are far too dependent on user data, IMHO. Brave, on the other hand, was born with a Can't be Evil mindset; every step of the way we have built the application and service to preclude abuse and overreach.
I think you're misunderstanding how Brave's anonymity works. We don't rely on something like k-anonymity where we hide users behind some common cohort ID. Suffice it to say, we're not big fans of FLoC: https://brave.com/why-brave-disables-floc/. Brave's anonymity is based on the inversion of the flow of data. Rather than collecting information about users, Brave transmits data from advertisers to the user's device for local scrutiny.
Google is in no way moving towards the Brave model; it they are far too dependent on user data, IMHO. Brave, on the other hand, was born with a Can't be Evil mindset; every step of the way we have built the application and service to preclude abuse and overreach.
It may be unrelated, but this blog post and the rather lively HN discussion made me install Brave for the first time.
Out of all chromes of Chrome I have sampled, Brave has the best visual polish. Best regards to your UI/UX design team.
Out of all chromes of Chrome I have sampled, Brave has the best visual polish. Best regards to your UI/UX design team.
Relevant part;
>What happens if you send a tip to an unverified creator?
I click “tip” for my YouTube channel, and the screen below comes up. The “Learn more” link goes to the Brave FAQ, which says that no funds leave the browser until the creator verifies — but admits that previous versions of Brave worked differently, and sent the tokens to Brave in the hope that the creator would sign up at some point.
It would seem this is possibly no longer the case, I'd love an update on it.
>What happens if you send a tip to an unverified creator?
I click “tip” for my YouTube channel, and the screen below comes up. The “Learn more” link goes to the Brave FAQ, which says that no funds leave the browser until the creator verifies — but admits that previous versions of Brave worked differently, and sent the tokens to Brave in the hope that the creator would sign up at some point.
It would seem this is possibly no longer the case, I'd love an update on it.
Did any lawsuits come out of this? That seems like actual fraud, and Eich or others in the company should be in prison.
The money goes back to the wallet that sent it after a period of time if no one claims it.
The claim that Brave was collecting money on behalf of others is quite misleading. See my response here: https://news.ycombinator.com/item?id=27553383.
Lots of people are pointing out that this isn't the case anymore, but the fact is that it used to work this way, and they only changed it after backlash. That was enough to turn me off of Brave forever.
Yeah; from what I can tell, Brave's history is basically a long list of:
1. Do something shady and/or incompetent to make money
2. Ignore an internet backlash calling them out for it
3. "Fix" said shady thing
4. From then on out, aggressively deny doing that thing everywhere it's mentioned, without acknowledging that it used to be the case
Brave seems like an adequate browser for some niche use cases and probably has some cool tech. I do not trust the company or people behind it to have my best intentions in mind.
It definitely feels like they like to constantly push boundaries, and not in a good way.
1. Do something shady and/or incompetent to make money
2. Ignore an internet backlash calling them out for it
3. "Fix" said shady thing
4. From then on out, aggressively deny doing that thing everywhere it's mentioned, without acknowledging that it used to be the case
Brave seems like an adequate browser for some niche use cases and probably has some cool tech. I do not trust the company or people behind it to have my best intentions in mind.
It definitely feels like they like to constantly push boundaries, and not in a good way.
Yeah, I too dislike it when companies respond positively in response to criticism.
I prefer the orgs I interact with to be perfect and never make mistakes and when they do (but they don't because I only interact with perfect institutions) I prefer them to double-down instead of improve.
I prefer the orgs I interact with to be perfect and never make mistakes and when they do (but they don't because I only interact with perfect institutions) I prefer them to double-down instead of improve.
The point is that Brave can't be trusted by default. It's nice that they roll back dark patterns when they're caught by people like Tom Scott, I guess?
I think there is a difference between an imperfect implementation of something that has never been done before (especially when your competition is an adtech giant oligopoly) and "dark patterns".
Worth pointing out that part of the reason it was hard to just refund people who donated to non-verified creators was Brave actually caring about privacy, so the donations in question were completely anonymous.
So when it was pointed out that it's still a problem, they came up with a solution that I think strikes a good balance.
Worth pointing out that part of the reason it was hard to just refund people who donated to non-verified creators was Brave actually caring about privacy, so the donations in question were completely anonymous.
So when it was pointed out that it's still a problem, they came up with a solution that I think strikes a good balance.
> So when it was pointed out that it's still a problem, they came up with a solution that I think strikes a good balance.
Fair enough.
To me, it couldn't have been more obvious that collecting "money" in creators' names and also misrepresenting that was Bad™. I'll try to be gracious and chalk this up to "lack of common sense" instead of "part of the evil plan".
Fair enough.
To me, it couldn't have been more obvious that collecting "money" in creators' names and also misrepresenting that was Bad™. I'll try to be gracious and chalk this up to "lack of common sense" instead of "part of the evil plan".
Actually I'm less charitable than "lack of common sense" and chalk it up to hubris – I think what happened is that they couldn't really imagine why someone wouldn't want to accept donations from their viewers/consumers, regardless of source, and so just defaulted to collecting for everyone assuming everyone would love to hop on board the BAT train. This of course turned out not to be the case for various reasons and yes is pretty obvious in hindsight.
But I'm still willing to forgive if I think the course-correction is adequate, which in this case it was.
But I'm still willing to forgive if I think the course-correction is adequate, which in this case it was.
The BAT that was moving around at that time was from Brave. We allocated hundreds of millions of tokens back in 2017 to a User Growth Pool. We distributed tokens to users of the Brave Browser, and allowed them to send those tokens off to their favorite content creators. This is similar to how PayPal lets you email money to anybody, even if they aren't signed up on PayPal. Our thought here was that users could effectively earmark the BAT they received from us, and that creators could sign up and claim those tokens.
We identified verified creators as such, but didn't make the non-verified state as explicit. We largely followed a similar pattern to that of Twitter (checkmark for those who are verified, and nothing for those who aren't).
When you visited a YouTube channel, website, etc., we would show you the name and favicon for that resource in the tipping UI. In the case of some YouTube channels, the page name was just the YouTuber's name, and their favicon was a picture of their face.
The changes that Tom Scott and others suggested back in 2018 were ground-breaking. They helped us realize some naïve decisions in the UI/UX of the tipping process and more. We moved quickly to implement those changes (https://brave.com/rewards-update), and the entire system is now substantially better as a result. But there was never any ill-motive involved. We had BAT, and we wanted users to give it to their favorite creators. Tom Scott approved of the changes at the time, which was a nice way to wrap things up
We identified verified creators as such, but didn't make the non-verified state as explicit. We largely followed a similar pattern to that of Twitter (checkmark for those who are verified, and nothing for those who aren't).
When you visited a YouTube channel, website, etc., we would show you the name and favicon for that resource in the tipping UI. In the case of some YouTube channels, the page name was just the YouTuber's name, and their favicon was a picture of their face.
The changes that Tom Scott and others suggested back in 2018 were ground-breaking. They helped us realize some naïve decisions in the UI/UX of the tipping process and more. We moved quickly to implement those changes (https://brave.com/rewards-update), and the entire system is now substantially better as a result. But there was never any ill-motive involved. We had BAT, and we wanted users to give it to their favorite creators. Tom Scott approved of the changes at the time, which was a nice way to wrap things up
The difference with emailing money on PayPal is that the recipient is notified. Brave was collecting currency on behalf of people without even notifying them.
Just because someone can collect the money/currency at a later date doesn't make it fine. If I collected money on behalf of charities yet only gave the money to the charity if they explicitly asked me for it, I doubt that would go down well with donors.
I could even use the situation to my advantage by gaining interest on the donations in the time between it is donated and I pass it on. I suspect Brave was benefiting in a similar way - all the donated money would not be traded while Brave were holding onto it, creating a scarcity which would benefit BAT's prices.
Just because someone can collect the money/currency at a later date doesn't make it fine. If I collected money on behalf of charities yet only gave the money to the charity if they explicitly asked me for it, I doubt that would go down well with donors.
I could even use the situation to my advantage by gaining interest on the donations in the time between it is donated and I pass it on. I suspect Brave was benefiting in a similar way - all the donated money would not be traded while Brave were holding onto it, creating a scarcity which would benefit BAT's prices.
You're missing one of the earliest points in my response; the tokens people were "sending" to creators [were from Brave]. We gave the user 5 BAT and asked them who they'd like to support with it. User's could pick a creator, and we would work on notifying that creator that [BAT from Brave had been directed towards them by Brave users]. All of that aside, the feedback from users around this time was phenomenal, and helped us redesign the system into something substantially better.
Ah OK, I thought they were able to donate BAT they earnt from ads, that is definitely different. Still misleading, but better.
We didn't have the ability to earn from ad-notifications at that time. These events and changes (https://brave.com/rewards-update/) predate the launch of Brave Ads, which we introduced in April of 2019 (https://brave.com/brave-ads-launch/). I wouldn't say "misleading," as this suggests deliberate deceit. Our UI/UX was nascent, and naïve. The feedback we received was timely, and incredibly helpful. I'm pleased we were able to turn around the updates quickly, which have since served to make for a substantially better experience
Your hyperbole seems to be purposefully taking the parent post in bad faith.
He is expressing skepticism towards their original intentions and you like how they responded. No need to talk past each other.
He is expressing skepticism towards their original intentions and you like how they responded. No need to talk past each other.
I don't agree. GC cannot speak to their intentions, so at the end of the day this is just holding them to a standard that it is unreasonable to ever hold any institution to. Humans make mistakes and organizations are comprised of humans. What matters is how they address such mistakes, which I've only seen positive improvement from Brave.
When somebody shows you who they are, believe them.
So I feel as if the author is missing the point.
Of course brave markets to you with ads. That's the entire point of the web browser. To ad-block, but then to replace it with a suitable privacy protecting alternative to the point that Brave (and everyone else) has no idea which ads you were served and what your browsing history is. The entire point is to mot just be an ad blocker, but to be private, and to provide a workable alternative to the ads that track us on websites.
Furthermore... brave lists on their website what they collect in analytics programs. And... it's not much. They also send the answers in what they call 'low resolution', which basically means multiple choice with ranges making it a lot harder to identify you compared to a specific number. Sure, it's not no tracking at all, but it's probably pretty close to the least you can get to serve relevant ads while serving a general populous.
It is true that it'd be nice if they forked off Chromium at some point so they are less in Google's hands. We can all use more of that.
So, at least for me, this kinda falls on deaf ears. It's missing the point as to why Brave does what it does.
Of course brave markets to you with ads. That's the entire point of the web browser. To ad-block, but then to replace it with a suitable privacy protecting alternative to the point that Brave (and everyone else) has no idea which ads you were served and what your browsing history is. The entire point is to mot just be an ad blocker, but to be private, and to provide a workable alternative to the ads that track us on websites.
Furthermore... brave lists on their website what they collect in analytics programs. And... it's not much. They also send the answers in what they call 'low resolution', which basically means multiple choice with ranges making it a lot harder to identify you compared to a specific number. Sure, it's not no tracking at all, but it's probably pretty close to the least you can get to serve relevant ads while serving a general populous.
It is true that it'd be nice if they forked off Chromium at some point so they are less in Google's hands. We can all use more of that.
So, at least for me, this kinda falls on deaf ears. It's missing the point as to why Brave does what it does.
I feel the author is on point. Brave is all about marketing and surfing the privacy wave to make profit.
Take a look at https://brave.com/brave-ads/
Brave goal is to acquire as much users as possible to sell them to advertisers. They are no different from Google. Might as well use Chrome with ublock origin and farm crypto on your own.
Take a look at https://brave.com/brave-ads/
Brave goal is to acquire as much users as possible to sell them to advertisers. They are no different from Google. Might as well use Chrome with ublock origin and farm crypto on your own.
The difference is that with Brave you are rewarded for your attention to these ads. That idea has some merit I think, regardless of how it's implemented in Brave.
The privacy/tracking aspect of Braves Ads (which you don't have to use) seems to be way, way better than Google Adsense. It's like comparing the good ol' fixed "image banner + link" vs Adsense. They're both ads, but one is better than the other.
And then you have Chrome sending data directly to Google, the auto logins, dark patterns, etc, which you don't get with Brave or Vivaldi.
And then you have Chrome sending data directly to Google, the auto logins, dark patterns, etc, which you don't get with Brave or Vivaldi.
I find it funny that people say this when this is pretty much exactly what FLOC is - the browser choosing your interests and deciding which interests to send to the ad server - but without the "show ads on every website and hold the profits from website owners until they claim it".
> deciding which interests to send to the ad server
I was looking at their media kit[0]. They link to a presentation[1] which mentions that the ads are sent to the browser and then the browser itself picks the ones that should be shown to the user.
If this is really the case, then the browser isn't sending that information to the ad server.
[0] https://brave.com/brave-ads/assets/Brave_Media_Kit.pdf
[1] https://www.youtube.com/watch?v=qEj5ZiQohJc
I was looking at their media kit[0]. They link to a presentation[1] which mentions that the ads are sent to the browser and then the browser itself picks the ones that should be shown to the user.
If this is really the case, then the browser isn't sending that information to the ad server.
[0] https://brave.com/brave-ads/assets/Brave_Media_Kit.pdf
[1] https://www.youtube.com/watch?v=qEj5ZiQohJc
This wouldn’t work for an ad network as big as Google’s, and would further centralize who can serve ads to users (something Google can’t get away with like Brave can).
> This wouldn’t work for an ad network as big as Google’s
Yeah, maybe. I was just pointing out that it doesn't send the user's preferences to a server.
Yeah, maybe. I was just pointing out that it doesn't send the user's preferences to a server.
>The privacy/tracking aspect of Braves Ads (which you don't have to use) seems to be way, way better than Google Adsense
Exactly, "seems". Once again, good marketing from the Brave team. Heck, they even sponsored chess grandmaster Hikaru Nakamura on his Twitch stream.
Exactly, "seems". Once again, good marketing from the Brave team. Heck, they even sponsored chess grandmaster Hikaru Nakamura on his Twitch stream.
The ad industry isn't going away, if you're thinking of a world in the future sans ads. With the Brave's model, at least you are able to make some profit for yourself.
It's not utopian, but works from a capitalist's standpoint. And a lot of real users like it!
It's not utopian, but works from a capitalist's standpoint. And a lot of real users like it!
Can you target users via Brave Ads like you can with Adwords/Adsense? If I understood correctly (I might be wrong - hence the "seems"), you can't because they're not doing anything close to what Google does.
I guess my point is that not all tracking or ads are the same. You can track clicks and views of a banner without profiling users across multiple sites and apps, learn all you can, and then let advertisers target them.
I guess my point is that not all tracking or ads are the same. You can track clicks and views of a banner without profiling users across multiple sites and apps, learn all you can, and then let advertisers target them.
Well I mean, yes, they want their ads to succeed (that's how they can offer a product for free). I don't think there's anything wrong with that.
What matters to me is how much data they collect and how they use it. It seems pretty clear to me that they go out of their way to collect less data, and try to be very privacy concious about it.
Do you think they are lying about that? I personally don't, and the code is there for us to audit (the only closed source part of the browser is the part that guarantees it's a human not a bot viewing the ads as far as I know). So I think it's pretty safe to call them much better than Google and their revenue model is certainly a lot more stable than Firefox's.
What matters to me is how much data they collect and how they use it. It seems pretty clear to me that they go out of their way to collect less data, and try to be very privacy concious about it.
Do you think they are lying about that? I personally don't, and the code is there for us to audit (the only closed source part of the browser is the part that guarantees it's a human not a bot viewing the ads as far as I know). So I think it's pretty safe to call them much better than Google and their revenue model is certainly a lot more stable than Firefox's.
I think the key difference is that user data are never shared with a third party, not even Brave. All the ad matching logic is done in client so data doesn’t leave my machine.
This is a big difference so using Brave vs Chrome doesn’t result in a company having a record of every site browsed.
This is a big difference so using Brave vs Chrome doesn’t result in a company having a record of every site browsed.
> They are no different from Google.
Brave lets you turn off the ads. They also pay you cryptocurrency if you decide to turn them on.
Brave lets you turn off the ads. They also pay you cryptocurrency if you decide to turn them on.
Not sure if I'm fully behind that comment, but it kind of raises an important point. If you want a freer web based on some kind of business, and not a non-profit/charity (and often a shaky one like Mozilla, financed mainly by Google)... this business has to function in some realistic way. (This is largely orthogonal to the open source/free - proprietary axis (which doesn't really exist in web browsers anymore). You should be able to sell/monetize free software.)
I, for one, wouldn't complain if some financially solvent (self-sustaining, money-making), reasonably ethical and non-exploitative web browser existed (the same for search engine, OS etc.). In the economic system that we have it could be more efficient in marketing -> market share among privacy-unaware people and so on.
So maybe we should strive to have a reasonable, analytic discussion what business practices are acceptable (rationally, if not emotionally at first glance) and which are not. This does not mean that we should just eat up whatever "privacy entrepreneurs" think of. But the tone of TFA feels a little less convincing because of the sprinkling of phrases like "their shitty program", like expecting you've already made up your mind.
I, for one, wouldn't complain if some financially solvent (self-sustaining, money-making), reasonably ethical and non-exploitative web browser existed (the same for search engine, OS etc.). In the economic system that we have it could be more efficient in marketing -> market share among privacy-unaware people and so on.
So maybe we should strive to have a reasonable, analytic discussion what business practices are acceptable (rationally, if not emotionally at first glance) and which are not. This does not mean that we should just eat up whatever "privacy entrepreneurs" think of. But the tone of TFA feels a little less convincing because of the sprinkling of phrases like "their shitty program", like expecting you've already made up your mind.
The issue is that Brave's "point" is a self-defeating motive. It wants to rid the internet of ads by... creating more amicable ads? Furthermore, the proceeds from said ads almost never benefit the creators of the content, meaning that Brave has effectively created an ulterior economy adjacent to the internet. Great, just what we needed, Another Competing Standard.
Nobody in the ads industry wants this, and a good 90% of the privacy sector is watching Brave in horror. Creators will make less money and be exclusively paid in a fiat currency, which probably won't appeal to anyone either. If nobody can reconcile Brave's existence, it will always be a second-class citizen on the web, even if it is forked from Chrome.
Nobody in the ads industry wants this, and a good 90% of the privacy sector is watching Brave in horror. Creators will make less money and be exclusively paid in a fiat currency, which probably won't appeal to anyone either. If nobody can reconcile Brave's existence, it will always be a second-class citizen on the web, even if it is forked from Chrome.
> brave-core-ext.s3.brave.com fetches 5 extensions and installs them. It is said that this might be a backdoor. But I don’t want to get conspiracist. I prefer giving you verifiable facts. I’ll limit myself to inform you about suspicious activities.
Okay, so which 5 extensions? There has to be more information on this somewhere. Article seems kind of lazy and definitely loses steam after the second half.
Okay, so which 5 extensions? There has to be more information on this somewhere. Article seems kind of lazy and definitely loses steam after the second half.
That part in particular set the tone for this entire post for me. It convinced me that I could not trust the author to be intellectually or rhetorically honest, at which point I no longer see any value in this write-up. It also helped me read the rest of this post in the correct context.
"Many people are saying this. Note that I'm not saying it, I only say true things. But I want you to think it anyway."
Really?
"Many people are saying this. Note that I'm not saying it, I only say true things. But I want you to think it anyway."
Really?
Well... There's a more serious first start browser comparison by netmeister.org [0] which shows that 4 downloads are made.
I downloaded and extracted the files. They look like helpers or partials for Brave internal extensions.
All of them include manifest files with their names:
- 1_0_14: "Brave HTTPS Everywhere Updater extension". Contains a 1MB ZIPped database of https domains.
- 1_0_21: "Brave NTP sponsored images component". Contains three photos (to display in their new tab probably).
- 1_0_22: "Brave Local Data Files Updater extension". Seems to contain whitelists and blacklists for extensions, autoplay, referers, trackers, etc.
- 1_0_498: "Brave Ad Block Updater extension". Contains a 2.4 MB filter list for their adblocker implementation.
Nothing seems to be harmful at all. This mechanism is used by almost all Chrome/Chromium based browsers to update their internal extensions and components.
But, if the poster cares about backdoors... Well, every major browser out there has features that could be used to backdoor their users like Firefox Telemetry Experiments (which download xpi files) and Chrome Components. They also can change properties at will unless its disabled (via flags, about:config, recompiling, etc).
Note: I'm a Vivaldi and Chromium user. I only use Brave with iOS which is kind of a different beast (since everything has to be implemented on top of iOS provided WebKit) since it somehow blocks ads better than stock Safari with AdGuard filters. For stuff like banking (on iOS) I use Safari.
Note 2: Blink and WebKit have deviated quite dramatically so they are indeed different browser engines (like Gecko is) with different implementations, quirks and bugs.
[0] https://www.netmeister.org/blog/browser-startup.html
I downloaded and extracted the files. They look like helpers or partials for Brave internal extensions.
All of them include manifest files with their names:
- 1_0_14: "Brave HTTPS Everywhere Updater extension". Contains a 1MB ZIPped database of https domains.
- 1_0_21: "Brave NTP sponsored images component". Contains three photos (to display in their new tab probably).
- 1_0_22: "Brave Local Data Files Updater extension". Seems to contain whitelists and blacklists for extensions, autoplay, referers, trackers, etc.
- 1_0_498: "Brave Ad Block Updater extension". Contains a 2.4 MB filter list for their adblocker implementation.
Nothing seems to be harmful at all. This mechanism is used by almost all Chrome/Chromium based browsers to update their internal extensions and components.
But, if the poster cares about backdoors... Well, every major browser out there has features that could be used to backdoor their users like Firefox Telemetry Experiments (which download xpi files) and Chrome Components. They also can change properties at will unless its disabled (via flags, about:config, recompiling, etc).
Note: I'm a Vivaldi and Chromium user. I only use Brave with iOS which is kind of a different beast (since everything has to be implemented on top of iOS provided WebKit) since it somehow blocks ads better than stock Safari with AdGuard filters. For stuff like banking (on iOS) I use Safari.
Note 2: Blink and WebKit have deviated quite dramatically so they are indeed different browser engines (like Gecko is) with different implementations, quirks and bugs.
[0] https://www.netmeister.org/blog/browser-startup.html
Could it be some of Brave features that seem to use extensions? For example, if I enable the "IPFS companion" or "WebTorrent", they show as extensions under the browser's "task manager": https://i.imgur.com/PFRkv5l.png
The only other thing I could think of is "chrome://components/" which also exists on Chrome and updates some browser components.
The only other thing I could think of is "chrome://components/" which also exists on Chrome and updates some browser components.
You can see them listed at the bottom of this page:
* https://spyware.neocities.org/articles/brave.html
... which doesn't really add anything to the original assertion as we don't know what the extensions might do. The statement is all all there is.
* https://spyware.neocities.org/articles/brave.html
... which doesn't really add anything to the original assertion as we don't know what the extensions might do. The statement is all all there is.
Firefox user here. I've looked into Brave, but decided I didn't really want it.
This article is incredibly slanted. It takes every single possible fact it can and spins it into "Brave Bad."
Something like this:
> Brave is just another Chromium skin. So at the end, when using Brave or any other Chromium based browser, you’re giving marketshare to Google and supporting their evil web empire.
Is simply not true. Every browser that isn't Chrome, every search page that isn't google.com, sends a message to not just Google but other competitors in the space that users want change.
In addition, in an ideal world Chromium would be able to build enough momentum through community support (or support from MS or others) to provide a healthy fork, free from Google's clutches.
I agree that Firefox is better - it is my personal web browser of choice - but that doesn't mean that Brave is bad software, or that the people behind it are evil, and anything that tamps down Google's monopoly is good in my mind.
This article is incredibly slanted. It takes every single possible fact it can and spins it into "Brave Bad."
Something like this:
> Brave is just another Chromium skin. So at the end, when using Brave or any other Chromium based browser, you’re giving marketshare to Google and supporting their evil web empire.
Is simply not true. Every browser that isn't Chrome, every search page that isn't google.com, sends a message to not just Google but other competitors in the space that users want change.
In addition, in an ideal world Chromium would be able to build enough momentum through community support (or support from MS or others) to provide a healthy fork, free from Google's clutches.
I agree that Firefox is better - it is my personal web browser of choice - but that doesn't mean that Brave is bad software, or that the people behind it are evil, and anything that tamps down Google's monopoly is good in my mind.
the biggest deal is hardcoded whitelist imho. rest of the article is just raw emotions
You can't fully block certain services without breaking pages. Block Facebook and you break hotlinked images and comments on some sites. Block Twitter and embeded tweets break. Some people use these services to login too. And so on.
I assume most users here understand this and would be able to fix the page, but the average user doesn't know how to do that. But then more advanced users should use uBlock Origin too, which lets you block Facebook, Twitter, Disqus, etc, too, so I don't think it's a major issue for us.
I assume most users here understand this and would be able to fix the page, but the average user doesn't know how to do that. But then more advanced users should use uBlock Origin too, which lets you block Facebook, Twitter, Disqus, etc, too, so I don't think it's a major issue for us.
I understand this as well, but I would very much prefer if I could flip block/unblock on those cookies at will
Brave the company has made some egregious missteps, but the problem with Brave is that there is so much FUD around it it's incredible. People keep repeating the same bullcrap which has been debunked hundreds of times, and Brave gets reviled much more than it deserves. Every time a Brave article is posted on HN the first 5 top comments are the same trite, wrong arguments, whose first reply is usually someone clarifying and correcting OP.
There's a long road ahead to cleaning up the Brave name, if it's at all possible in the first place.
There's a long road ahead to cleaning up the Brave name, if it's at all possible in the first place.
In addition to some of the other oddities with the article (i.e. the absolutely wrong claim about Brave's ad blocker), I think the security between Chromium and Firefox is a bit too simplistic? This piece [1] might go too far in the other direction, but at the very least it outlines why there are deficiencies in Firefox, comparatively.
[1]: https://madaidans-insecurities.github.io/firefox-chromium.ht...
[1]: https://madaidans-insecurities.github.io/firefox-chromium.ht...
This article is really complete and straight to the point.
I really like that madaidan keeps it updated.
I really like that madaidan keeps it updated.
The one thing the OP article doesn't actually do is claim that Firefox is more SECURE than Chrome/Brave, the arguments (mostly bad) are that it more private. And that pretty much goes without saying for Chrome, since its entire raison d'etre is to strip privacy from its users for Google. It's unfortunate that on platforms outside macOS you have to choose between risking your privacy being invaded or your device being invaded.
The reality in any case is that in every pwn contest every year, all the major browsers are exploited, usually with full sandbox escapes; Chrome has better security implementation but a huge install base that makes effort to crack it worthwhile, while Firefox is easier but has trivial market share.
The reality in any case is that in every pwn contest every year, all the major browsers are exploited, usually with full sandbox escapes; Chrome has better security implementation but a huge install base that makes effort to crack it worthwhile, while Firefox is easier but has trivial market share.
I understand Eich has been controversial and Brave gets a lot of flak in return, regardless of issues like the ones raised in the article. Yet, I remain a fan of Brave because of Brave Rewards. I love being rewarded based on my usage, even if the amount is worthless and the ads are random crypto shit. The idea of a company actually spreading revenue based on my attention back to me makes me happy and I wouldn't mind if more ad-based services do this.
> even if the amount is worthless and the ads are random crypto shit.
Maybe you are not valuing your own resources enough. Ads draw time, concentration and other mental resources. So i can only believe that it will be a net-negative in the end. It can feel rewarding, but financially, the advertiser can't pay you enough.
Maybe you are not valuing your own resources enough. Ads draw time, concentration and other mental resources. So i can only believe that it will be a net-negative in the end. It can feel rewarding, but financially, the advertiser can't pay you enough.
That's true, the whole thing on my end is likely some fallacy.
On another note, I've always thought the idea of constructing your own ad profile could be interesting. Like selecting the types of products and related content that you'd want to be pushed.
From my understanding this is kind of the goal of social apps but it's obviously not self-directed. I guess it is in some capacity based on your behavior but it's not like you're intentionally clicking selecting you'd be interested and actually would maybe buy.
On another note, I've always thought the idea of constructing your own ad profile could be interesting. Like selecting the types of products and related content that you'd want to be pushed.
From my understanding this is kind of the goal of social apps but it's obviously not self-directed. I guess it is in some capacity based on your behavior but it's not like you're intentionally clicking selecting you'd be interested and actually would maybe buy.
Notes about some of the points made:
- The built-in blocker, just like the blocker on Firefox, Edge or Opera, isn't that good. That's why you should install something like uBlock Origin on top.
- If all scripts from Facebook and Twitter are blocked, you'll end up with broken pages. Some pages have Facebook comments, which won't load if you block all Facebook domains. Embeded tweets also won't work if Twitter is blocked. Not everyone is an advanced user, so I understand why they decided not to block everything (they give you the option to block this - check your settings).
- Brave Rewards... for users: you don't have to use it. Independently of the DNS queries, you won't see any ads if you don't opt-in. If you decide to join, you'll get some BAT at the end of the month. It's not 100%, but it's more than the 0% you receive from Google Adsense.
- Brave Rewards... for website operators, youtubers, etc: I think this is where we sometimes miss the point. Users are already blocking your ads! Even if they don't use an extension for that, the built-in blocker in Brave, Opera and Firefox already block some or all of your ads. That revenue is gone.
So, and if users opt-in, you'll be able to make some money via Brave Rewards (we just have to confirm that we own the site, like a Google Webmaster Tools verification). Again, users already block your ads. Between no revenue and some revenue, what's better?
We should also keep in mind that by default, the money users receive is then shared among the sites they visited. In practice, users are sending you a small monthly payment/donation for using your site, viewing your videos, etc.
- "You may have seen in the past a fork of Brave which removed telemetry and other shady practices from Brave. It was called Braver."
Not sure what's the surprise here. We can't create a Firefoxer or Edgier without getting in trouble with Mozilla or Microsoft. Being able to fork doesn't mean that we can use the same name.
- The built-in blocker, just like the blocker on Firefox, Edge or Opera, isn't that good. That's why you should install something like uBlock Origin on top.
- If all scripts from Facebook and Twitter are blocked, you'll end up with broken pages. Some pages have Facebook comments, which won't load if you block all Facebook domains. Embeded tweets also won't work if Twitter is blocked. Not everyone is an advanced user, so I understand why they decided not to block everything (they give you the option to block this - check your settings).
- Brave Rewards... for users: you don't have to use it. Independently of the DNS queries, you won't see any ads if you don't opt-in. If you decide to join, you'll get some BAT at the end of the month. It's not 100%, but it's more than the 0% you receive from Google Adsense.
- Brave Rewards... for website operators, youtubers, etc: I think this is where we sometimes miss the point. Users are already blocking your ads! Even if they don't use an extension for that, the built-in blocker in Brave, Opera and Firefox already block some or all of your ads. That revenue is gone.
So, and if users opt-in, you'll be able to make some money via Brave Rewards (we just have to confirm that we own the site, like a Google Webmaster Tools verification). Again, users already block your ads. Between no revenue and some revenue, what's better?
We should also keep in mind that by default, the money users receive is then shared among the sites they visited. In practice, users are sending you a small monthly payment/donation for using your site, viewing your videos, etc.
- "You may have seen in the past a fork of Brave which removed telemetry and other shady practices from Brave. It was called Braver."
Not sure what's the surprise here. We can't create a Firefoxer or Edgier without getting in trouble with Mozilla or Microsoft. Being able to fork doesn't mean that we can use the same name.
Slightly off topic, but it was a lot of fun to listen to Brendan Eich on Lex Fridman's podcast talk about Brave and the browser wars of the 90s and 00s. I've been using the Browser for several months without any of the rewards enabled and appreciate that it seems to quietly remove 95% of ads and does it effectively.
https://lexfridman.com/brendan-eich/
https://lexfridman.com/brendan-eich/
Same here. I've also had Brendan Eich respond to one of my posts on HN - not something I'd expect from any other browser on the market. He understands techies because he is one. I wish Mozilla was headed by a techie and not a lawyer :(
Reminder that there's a reason Brendan Eich doesn't work for Mozilla anymore, and it's not just layoffs due to dwindling userbases. Half of their board stepped down when he was about to be appointed.
Decoupling software from the people behind it may be a good thing, but I don't want to support people that work against my interests.
Decoupling software from the people behind it may be a good thing, but I don't want to support people that work against my interests.
> Half of their board stepped down when he was about to be appointed.
You mean the same board that appointed him?
Yes, a number of board members stepped down around that time, but a couple of those were coincidental timing.
You mean the same board that appointed him?
Yes, a number of board members stepped down around that time, but a couple of those were coincidental timing.
Reminder: making up slurs against me because you don't like something about me is lying, and you shouldn't do it.
This doesn't remind me of anything. Your comment is just innuendo.
The thought of Firefox shilling crypto bux turns my stomach, so I'll have to disagree with you.
As others have said multiple times, you can turn off all that crypto stuff in brave and ignore it. They've found a unique way to fund the product, not at the mercy of Google which can only be a good thing right?
All cryptocurrency stuff is off by default. I personally think it's best to tell the truth and evaluate projects and products on their merit. Thanks for your support!
I work at Brave as "Senior Privacy Researcher and Director of Privacy". I responded to many of these same accusations when they were made Friday, that time on Reddit.
https://www.reddit.com/r/privacytoolsIO/comments/nvz9tl/brav...
https://www.reddit.com/r/privacytoolsIO/comments/nvz9tl/brav...
Is the saying "storm in a teacup" or "tempest in a teapot" or something like that?
Anyway, I don't really find any of this that egregious tbh.
Personally, I'm layering with nextdns to drop all the crap, and vpn over that, maybe solely depending on any one solution is the failure?
Also the "use Firefox" would be awesome if we could rely on Mozilla! I have always wanted them to succeed but recently they've been stumbling so hard and it doesn't look so promising.
Anyway, I don't really find any of this that egregious tbh.
Personally, I'm layering with nextdns to drop all the crap, and vpn over that, maybe solely depending on any one solution is the failure?
Also the "use Firefox" would be awesome if we could rely on Mozilla! I have always wanted them to succeed but recently they've been stumbling so hard and it doesn't look so promising.
>Brave has built-in telemetry. Brave will make a ton of requests to the domain p3a.brave.com as telemetry
So does Firefox, yet this blog post suggests it as a replacement.
>Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality.
As far as I know it includes additional functionality such as build-in support for tor and ipfs. (and while it might not be the best choice if you want privacy, it at least makes onion sites accessible for normal people)
>This means that you need to update the entire browser to fix a bug in the adblocker
Just like for bugs in the firefox tracking protection and the dev tools in most browsers? It is like they are trying to include as much nitpicking as possible.
>However, it seems to have a contrary effect, since it sends requests to fetch the information required
Just like firefox.
>Brave uses Google’s gstatic, which is btw using Cloudflare.
Firefox uses Google analytics in about:addons.
>Hostility towards forks
looks at iceweasel
>The only browser that does not use Google’s web engine (blink) is Firefox
I would include Safari, at least from the popular ones.
(disclaimer: I am a Firefox user)
So does Firefox, yet this blog post suggests it as a replacement.
>Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality.
As far as I know it includes additional functionality such as build-in support for tor and ipfs. (and while it might not be the best choice if you want privacy, it at least makes onion sites accessible for normal people)
>This means that you need to update the entire browser to fix a bug in the adblocker
Just like for bugs in the firefox tracking protection and the dev tools in most browsers? It is like they are trying to include as much nitpicking as possible.
>However, it seems to have a contrary effect, since it sends requests to fetch the information required
Just like firefox.
>Brave uses Google’s gstatic, which is btw using Cloudflare.
Firefox uses Google analytics in about:addons.
>Hostility towards forks
looks at iceweasel
>The only browser that does not use Google’s web engine (blink) is Firefox
I would include Safari, at least from the popular ones.
(disclaimer: I am a Firefox user)
Brave's telemetry is private by design; you can read about it at https://brave.com/p3a. You're absolutely right about Firefox's telemetry though, which is often served up from a another process after Firefox is closed. This was covered in more detail on my post regarding network activity of popular browsers at https://brave.com/popular-browsers-first-run/.
You picked apart the author's narrative pretty nicely here. I provided 3 comments (quite long ones) as well with more detail: https://news.ycombinator.com/item?id=27552530.
You picked apart the author's narrative pretty nicely here. I provided 3 comments (quite long ones) as well with more detail: https://news.ycombinator.com/item?id=27552530.
Can someone explain the point in the article that Facebook can still track you if the script is loaded from an edge cache and the browser doesn't send cookies?
I can think of unique script URLs, but if it's coming from an edge cache, presumably it's not that unique.
And maybe some sort of JS-based fingerprinting? But since Brave controls the browser, it's within their control to try to make the browser environment homogenous across users. I think Tor Browser does something like that, not sure about Brave.
Any other attacks I'm not thinking of?
edit: oh, if the script makes a request back to FB, then I suppose your IP address is available...
I can think of unique script URLs, but if it's coming from an edge cache, presumably it's not that unique.
And maybe some sort of JS-based fingerprinting? But since Brave controls the browser, it's within their control to try to make the browser environment homogenous across users. I think Tor Browser does something like that, not sure about Brave.
Any other attacks I'm not thinking of?
edit: oh, if the script makes a request back to FB, then I suppose your IP address is available...
I think the OP is just wrong here. I personally agree with Brave's statement that they are protecting users here. The assertion that "Anyone who knows a bit about how JavaScript works and it’s [sic] capacities to track you without the need of using cookies will be laughing after reading that." I know a thing or two about JavaScript and I'm not laughing, I'm genuinely confused about what the OP thinks the problem is because I don't see one.
I don't like the crypto nonsense of Brave, and while I like Firefox in theory, its performance leaves a lot to be desired and they don't seem to know who their user base is. Microsoft Edge got a decent native vertical tab solution before Firefox did! Edge!
I wish some nonprofit would make a Chromium browser with sane defaults and take my donations. That's all I need.
I wish some nonprofit would make a Chromium browser with sane defaults and take my donations. That's all I need.
> its performance leaves a lot to be desired
I'm not sure what you're talking about; this may be the case several times in the past, but you should check again because this is a thing that constantly changes. Firefox performance today doesn't really leave a lot to be desired IMO
> Microsoft Edge got a decent native vertical tab solution before Firefox did! Edge!
Tree Style Tabs has been around since like… 2007?. Or does the "native" part somehow make it a whole lot better?
I'm not sure what you're talking about; this may be the case several times in the past, but you should check again because this is a thing that constantly changes. Firefox performance today doesn't really leave a lot to be desired IMO
> Microsoft Edge got a decent native vertical tab solution before Firefox did! Edge!
Tree Style Tabs has been around since like… 2007?. Or does the "native" part somehow make it a whole lot better?
> Firefox performance today doesn't really leave a lot to be desired IMO
Sadly I recently left Firefox after having used it for 20 years (Phoenix/Firebird days).
The performance degradation was becoming too noticeable. I switched to Brave (of all things), but that's only because I could no longer fight the real performance that a Chromium-based browser has.
I hate doing this, because the last thing I want is a browser engine monopoly. That's why I started using Firefox in the first place, to help get rid of IE.
Sadly I recently left Firefox after having used it for 20 years (Phoenix/Firebird days).
The performance degradation was becoming too noticeable. I switched to Brave (of all things), but that's only because I could no longer fight the real performance that a Chromium-based browser has.
I hate doing this, because the last thing I want is a browser engine monopoly. That's why I started using Firefox in the first place, to help get rid of IE.
I often find sites with subpar performance in Firefox. I think that it's the sites' fault though, for testing only in Chrome / Safari. Reddit's redesign is an example, the loading, scrolling, post opening experience is slow and I can see that it eats a lot of CPU. In chrome it's much faster on the same machine.
For me at least Firefox is a no go on every laptop I’ve worked on - the fans start spinning up and I start losing battery life really quickly (especially on macs). Works fine on my desktops though.
Tree Style Tabs has been pretty limited since the port to WebExtensions. It can no longer take the place of the existing tab bar, and instead sits alongside it unless you do some Firefox profile CSS trickery that I never got working properly. Mozilla was considering adding a "hide tab bar" feature but I think they abandoned that.
> Microsoft Edge got a decent native vertical tab solution before Firefox did! Edge!
Firefox has had the "down-arrow" Tabs menu, which does exactly the same thing, since, uh, about forever.
Firefox has had the "down-arrow" Tabs menu, which does exactly the same thing, since, uh, about forever.
Edge has the best security of any browser on Windows
ducks
ducks
Edge is the best browser for downloading Firefox.
How is it better than any other Chromium based browser like Chrome, Brave or Vivaldi? I can understand it is more integrated than the others, but how is it more secure?
I use Firefox at home and Chrome at work. I can’t tell any difference on performance.
Does Vivaldi count?
I like Brave, though I'm open to switching if there's a better alternative. Here's what I like about it:
1. Compatibility with Google Chrome Extensions. This is sine qua non (though I'd settle for compatibility with FF extensions).
2. Ad-blocking and reasonable-effort script blocking by default.
3. No apparent performance issues for my usage (YouTube, clicking links on HN, GitHub).
4. Integration with Tor, IPFS. Not a deal-breaker, but I do like it.
1. Compatibility with Google Chrome Extensions. This is sine qua non (though I'd settle for compatibility with FF extensions).
2. Ad-blocking and reasonable-effort script blocking by default.
3. No apparent performance issues for my usage (YouTube, clicking links on HN, GitHub).
4. Integration with Tor, IPFS. Not a deal-breaker, but I do like it.
Popularizing IPFS and Tor to bigger user bases is likely the single best thing that brave does.
I use Brave and I have the exact same list of likes, and in same order of priority - if that is what you meant.
From the German Wikipedia:
> On March 3, 2021, Brave announced that it had acquired search engine technology from the former browser manufacturer Cliqz for its own search engine, Brave Search. The former owner, the German publishing house Hubert Burda Media, has held shares in Brave since then.
Hubert Burda Media is a traditional publisher, owner of well known German publications as well as hardware stores. They also own XING, which is the German version of LinkedIn which nearby everybody uses here.
Hubert Burda was the president of the VDZ (=Verband Deutscher Zeitschriftenverleger, Association of German Magazine Publishers), so it's safe to assume that he is against internet user privacy.
I'm not sure if they are able to legally access user data through this "partnership" with Brave.
> On March 3, 2021, Brave announced that it had acquired search engine technology from the former browser manufacturer Cliqz for its own search engine, Brave Search. The former owner, the German publishing house Hubert Burda Media, has held shares in Brave since then.
Hubert Burda Media is a traditional publisher, owner of well known German publications as well as hardware stores. They also own XING, which is the German version of LinkedIn which nearby everybody uses here.
Hubert Burda was the president of the VDZ (=Verband Deutscher Zeitschriftenverleger, Association of German Magazine Publishers), so it's safe to assume that he is against internet user privacy.
I'm not sure if they are able to legally access user data through this "partnership" with Brave.
> This means that you need to update the entire browser to fix a bug in the adblocker. Stupid, isn’t it?
I mean chrome and firefox both update pretty much every time I open them and they are only like 50-100mb? Why would I be upset that my browser updated? OP Made it bold too they must think its a real gotcha!
Later in the article they are again grinding that axe against auto updates, that some how having an up to date browser hurts privacy?
Op must be the one last IE6 stan.
They complain about BRAVE ARE SCAMMING PEOPLE! and that they COVERED UP PEOPLE THAT EXPOSED THEM! It turns out to be an ad on the home screen for a crypto currency exchange... Scam exposed LOL
I mean chrome and firefox both update pretty much every time I open them and they are only like 50-100mb? Why would I be upset that my browser updated? OP Made it bold too they must think its a real gotcha!
Later in the article they are again grinding that axe against auto updates, that some how having an up to date browser hurts privacy?
Op must be the one last IE6 stan.
They complain about BRAVE ARE SCAMMING PEOPLE! and that they COVERED UP PEOPLE THAT EXPOSED THEM! It turns out to be an ad on the home screen for a crypto currency exchange... Scam exposed LOL
The surest sign that Brave has made it is that 3 hours in, we aren't seeing a rush of rebuttals from Sampson, Clifton, or Eich in the comments.
The article rehashes some FUDy and misleading comments which have been knocked down years ago.
Brave's not perfect, but for different reasons than this author raises.
The article rehashes some FUDy and misleading comments which have been knocked down years ago.
Brave's not perfect, but for different reasons than this author raises.
Sorry for the late arrival; I provided a response (via 3 comments) here: https://news.ycombinator.com/item?id=27552530. I'll try to be faster in the future
Browsers are responsible for a very large chunk of our ability to interact with the world. In that sense I greatly appreciate the article trying to illuminate some areas of Brave which are not necessarily obvious upfront.
I am absolutely inclined to believe that Brave is not as private as it appears.
What also comes to mind is that Brave's founder Brandon Eich is a homophobe who donated to ban gay marriage in California (Prop 8, https://slate.com/technology/2014/04/brendan-eich-why-mozill...). That alone is sufficient to doubt the integrity of his organization.
I am absolutely inclined to believe that Brave is not as private as it appears.
What also comes to mind is that Brave's founder Brandon Eich is a homophobe who donated to ban gay marriage in California (Prop 8, https://slate.com/technology/2014/04/brendan-eich-why-mozill...). That alone is sufficient to doubt the integrity of his organization.
I currently have Firefox, Edge, and Chrome open. I also have Opera and Vivaldi installed (and I think I might have Maxthon too). I use them for different purposes. Firefox for personal stuff, Chrome on my second monitor for social networks and twitch, Edge for my main work. Vivaldi for my part time job. I say the more browsers the better and I am definitely rooting for Firefox to help chip away at chromium's dominance.
I don't have Brave installed because I am not overly concerned with privacy and the other browsers seem fast enough. I have ublock origin, noscript, and privacy badger installed on Firefox. That is good enough for me. I also think BAT is not really worthwhile.
I don't have Brave installed because I am not overly concerned with privacy and the other browsers seem fast enough. I have ublock origin, noscript, and privacy badger installed on Firefox. That is good enough for me. I also think BAT is not really worthwhile.
FF + uorigin + a dns blocker like pihole seems to be where it’s at right now. Maybe EFF privacy badger on top
Any better options out there? Been thinking of adding protonvpn
Any better options out there? Been thinking of adding protonvpn
FF now does DNS over HTTPS by default (Preferences > General > Network Settings), it defaults to using NextDNS and is configurable.
Some people will be uncomfortable with this default, but it's a step up from consumer ISPs who _will_ track you, to a 3rd party who Mozilla says wont.
I add Mullvad VPN (because wiregaurd is frickin awesome), which also allows you to use their DNS servers, but for this you actually have to turn off FF's DNS over HTTPS to allow the wiregaurd interface to pick up the DNS requests - they have a really good "leak" checker page while using their servers to check for various protocols https://mullvad.net/en/check/
Yes yes I know, VPN doesn't unbreak the internet, but here we are.
Some people will be uncomfortable with this default, but it's a step up from consumer ISPs who _will_ track you, to a 3rd party who Mozilla says wont.
I add Mullvad VPN (because wiregaurd is frickin awesome), which also allows you to use their DNS servers, but for this you actually have to turn off FF's DNS over HTTPS to allow the wiregaurd interface to pick up the DNS requests - they have a really good "leak" checker page while using their servers to check for various protocols https://mullvad.net/en/check/
Yes yes I know, VPN doesn't unbreak the internet, but here we are.
The other great thing is, in case you wanted to support Mozilla, the MozillaVPN is using Mullvad's service, and routinely provides great service. I will add though, if you're a huge privacy advocate, and don't want to supply your email or card details to Mozilla but want to use a VPN, Mullvad directly is still the best choice imo.
I use Mozilla VPN, but the program (Ubuntu 20.04) 1+ times per day just closes and it does not have a network kill switch.
So I have to continue to use Firefox's DoH to prevent my university to occasionally take a peek at my traffic. Assuming they don't bother reversing IPs to domain names.
So I have to continue to use Firefox's DoH to prevent my university to occasionally take a peek at my traffic. Assuming they don't bother reversing IPs to domain names.
You don't need a "network kill switch" with wiregaurd, you might be using the openVPN option which mullvad also provide for compatibility. Because wiregaurd is stateless you don't have to worry about stuff leaking through while physical layers go up and down, you can just leave the wg interface up and keep hoping around safely... I literally haven't taken my current wg connection down in days, yet my computer is put to sleep every night.
If you use Linux you don't even need an app (not Firefox's or Mullvad's), you can just pop one of the wiregaurd configs (mullvad.net can generate them for you) into /etc/wiregaurd and then use the super simple wg-quick cli interface to bring it up. You can also tell systemd to bring up a specific interface at startup with one line.
If you use Linux you don't even need an app (not Firefox's or Mullvad's), you can just pop one of the wiregaurd configs (mullvad.net can generate them for you) into /etc/wiregaurd and then use the super simple wg-quick cli interface to bring it up. You can also tell systemd to bring up a specific interface at startup with one line.
>FF now does DNS over HTTPS by default
Just checked & mine was off. Not that I mind since it's supposed to hit the local pihole anyway
Just checked & mine was off. Not that I mind since it's supposed to hit the local pihole anyway
I would add a VPN for sure. People always complain that it just shifts the trust to them instead of your ISP, but there's many VPN providers who I trust a hell of a lot more than any ISP.
For me the best feature of Brave is the ability to reward the content publishers without watching their ads, basically YouTube Premium for web. I just wish more publishers would opt into this program.
Is anybody is looking for more information, check out https://creators.brave.com
This made some decent points but relied too much on FUD.
What decent points were made? The author is clearly not technical (or not to the degree needed to conduct such a review). Contrast it with an actual competent review of Brave and other browsers, such as https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf.
You're right. Most of the points I called decent are old stuff that has been addressed multiple times.
The only reason I use Brave is that I can type “you” + tab to directly enter YouTube search from the URL input field, and this works for gMaps and Amazon. For the life of me I cannot figure out how to configure this in Firefox.
You can get similar functionality in any browser by setting DuckDuckGo as your default search engine (so you can search from the URL input field and using bangs. So "!yt search term" in the input field (without quotes) would search YouTube. DDG is sufficient for 99% of searches for me, and when it fails I just use the !g bang for Google search. You can check all the bangs available here: https://duckduckgo.com/bang
Edit: !m or !gmap for Google Maps, !a for Amazon
Edit: !m or !gmap for Google Maps, !a for Amazon
In Firefox almost any search box can be right clicked and there is an option "Add a keyword for this search". If you use "y" shortcut for youtube, then your URL entry is "y gangnam".
Also if you use DDG as your main URL search engine, they have bunch of "bang" shortcuts that redirect your query to online searches. For yt you'd use "!you gangnam". Others can be found here: https://duckduckgo.com/bang
Also if you use DDG as your main URL search engine, they have bunch of "bang" shortcuts that redirect your query to online searches. For yt you'd use "!you gangnam". Others can be found here: https://duckduckgo.com/bang
Thank you and the others who recommended this!
In Firefox, right-click in the youtube search box and you can make a keyword search bookmark. I can do, for example, 'yt gojira' to search for that, or 'wp goldfish' to search wikipedia, and so on.
An alternative method to the other comments, which will enable the Tab behaviour you're describing (it will add a search engine with a keyword instead of a bookmark):
1. Add YouTube as a search engine (visit YouTube, click on the + in the search box and click 'Add "YouTube"').
2. Open Firefox Settings > Search > Search Shortcuts (near the bottom)
3. Set a keyword "you" for YouTube in the table
4. Search by typing "you" + Tab in the address bar[deleted]
> The only browser that does not use Google’s web engine (blink) is Firefox
Well, Safari is a thing on MacOS and is the only browser engine on iOS. StatCounter[0], the data source behind caniuse, says it has nearly 19% marketshare as well.
Well, Safari is a thing on MacOS and is the only browser engine on iOS. StatCounter[0], the data source behind caniuse, says it has nearly 19% marketshare as well.
I would never use brave personally, however given the fact this post is essentially just a copy pasta of typical /g/ arguments.
Everyone should take the post with a mountain full of salt (just look at their post about systemd).
Everyone should take the post with a mountain full of salt (just look at their post about systemd).
> Everyone should take the post with a mountain full of salt (just look at their post about systemd).
The latter felt more convincing, so I don't see it as an argument for distrusting the one on Brave.
The latter felt more convincing, so I don't see it as an argument for distrusting the one on Brave.
I would love to use something other than brave but Firefox is shit and arguably getting worse over time. They have been sacrificing ux for revenue streams for a while now. Also extension management is a joke, especially if you have more than 5 extensions.
I have like 30 chrome extensions... Most of which get used at least weekly. Many of them do things like prevent sites from blocking text select or copy paste, things like that. I believe extensions are the mechanism of agency that enables a browser to be an "user agent" again.
I have like 30 chrome extensions... Most of which get used at least weekly. Many of them do things like prevent sites from blocking text select or copy paste, things like that. I believe extensions are the mechanism of agency that enables a browser to be an "user agent" again.
> I would love to use something other than brave but Firefox is shit and arguably getting worse over time.
As someone who's used Chrome exclusively for the good part of a decade and has been using Firefox again for the last several months, I don't get this criticism at all. It seems…fine? In any case it's radically better than it was when I initially switched to Chrome from Firefox.
As someone who's used Chrome exclusively for the good part of a decade and has been using Firefox again for the last several months, I don't get this criticism at all. It seems…fine? In any case it's radically better than it was when I initially switched to Chrome from Firefox.
After some consideration, I decided to not use Brave.
Maybe I am looking at the privacy policy too simply, but why not prefer to use private browsing tabs? With auto fill password support, it is really not inconvenient.
I am now, with no actions on my part except running the betas for the new iOS, iPadOS, and macOS, using Apple’s new Tor-like system. I have no comment on this yet.
Maybe I am looking at the privacy policy too simply, but why not prefer to use private browsing tabs? With auto fill password support, it is really not inconvenient.
I am now, with no actions on my part except running the betas for the new iOS, iPadOS, and macOS, using Apple’s new Tor-like system. I have no comment on this yet.
[deleted]
I am currently using brave on android because it is the last latest stable browser that provides stacked Tab layout like this.
https://github.com/michael-rapp/ChromeLikeTabSwitcher
Latest chrome and it's derivatives(except brave) have removed this in favour of grid layout which i dislike(they also brought in tab groups which i despise entirely)
I know that brave has shady stuff like blockchain and ads, but they can be turned off. On desktop, i use firefox and i want to use firefox on android too but i find android firefox(fenix) janky.
Please suggest me good browser and also a suggestion to chrome developers:
Please don't remove things that we like. atleast provide option to enable it
https://github.com/michael-rapp/ChromeLikeTabSwitcher
Latest chrome and it's derivatives(except brave) have removed this in favour of grid layout which i dislike(they also brought in tab groups which i despise entirely)
I know that brave has shady stuff like blockchain and ads, but they can be turned off. On desktop, i use firefox and i want to use firefox on android too but i find android firefox(fenix) janky.
Please suggest me good browser and also a suggestion to chrome developers:
Please don't remove things that we like. atleast provide option to enable it
Can somebody please shed some light as to what the reference to Apple meant? I’d like to know more..
Agreed, that really felt like a quite big “citation needed” moment for me when I started reading.
I’ve been using Brave to watch YouTube videos in incognito mode ever since 1Blocker on Safari stopped blocking YouTube ads. This article brings up some good points, and I want to support Firefox more anyway, so I need to see how Firefox handles YouTube ads.
For the past month or so, Brave on Ubuntu has been failing to block YT ads, so now I've been stuck with 2 unskippable multi-minute ads before almost every vid. I've been hitting mute and switching tabs while I wait. The most egregiously annoying one was 6 minutes of ads on an 8-minute standup comedy clip.
Brave on mobile still blocks all that crap so I've transitioned to listening to YT content on my cellphone, propped up on my desk, while I browse the Internet on my desktop.
Brave on mobile still blocks all that crap so I've transitioned to listening to YT content on my cellphone, propped up on my desk, while I browse the Internet on my desktop.
You could pay for ad-free YouTube, if you dislike the ads so much.
Many argue that "They'll pay to have ads removed", but that doesn't seem to hold true when services offers that exact option.
Many argue that "They'll pay to have ads removed", but that doesn't seem to hold true when services offers that exact option.
> Many seem to argue that "They'll pay to have ads removed", but that doesn't seem to hold true when services offers that exact option.
I would pay for ad free Youtube, if it was an option. Even with Youtube Premium, included promotions continue to be shown
I would pay for ad free Youtube, if it was an option. Even with Youtube Premium, included promotions continue to be shown
Well yeah, they don't stop someone advertising a product in the main content. If they did, then James Bond movies would be a lot shorter.
The ad-blockers also don’t block those, so I don’t think that was the point.
That’s interesting, maybe that’s market/country dependent. I pay for Premium and haven’t seen and ad or promotion since I signed up.
That really not okay when you actually pay to have no ads.
That really not okay when you actually pay to have no ads.
You should try to install uBlock Origin. I've tried both Vivaldi's and Brave's adblockers but they're still ways behind what uBlock can do.
Why not use one of the many chrome extensions that blocks YouTube ads?
Same here. Made me switch back to Firefox full-time instead of trusting Brave of getting things right when they time and time stumble on things.
Have you double checked that the shields are still up for YouTube? I had the same thing happen to me a couple of weeks ago. Turned out my shields were down for YouTube for some reason.
What’s a YouTube Ad? :-) long time Firefox + uBlock Origin user here.
uBlock Origin + Sponsorblock + Firefox will give you the best possible Youtube experience.
firefox itself doesn't 'handle' youtube ads, but ublock origin does.
I use ublock origin on Firefox and it seems to properly block all YouTube ads. As with YouTube-dl it’s probably a bit of an arms race, so if your tool of choice stops working maybe wait for the next update and they’re likely to get it fixed / right.
I guess the number of users must be low. Otherwise, there's a near perfect solution for YouTube: create a stream that contains both the ads and the content and don't allow buffering ahead of time while the ads play. Sure, that's fair task, but doable. When the costs of uBlock exceeds the server+man power needed to implement that, they'll switch.
I get the impression that YouTube do not really put any effort into breaking youtube-dl, YouTube Vanced, etc. It seems that mostly when these break it's accidental.
The last thing YouTube wants to do alienate the technically literate minority who use adblocking, because these are the people who could establish an actual competitor. These folks still put money into the creator ecosystem anyway, through patreon and direct sponsorships, which funds creators to make more content. YT wins either way, honestly.
The last thing YouTube wants to do alienate the technically literate minority who use adblocking, because these are the people who could establish an actual competitor. These folks still put money into the creator ecosystem anyway, through patreon and direct sponsorships, which funds creators to make more content. YT wins either way, honestly.
uBlock Origin with Firefox seems to work really well for blocking video ads. For me it doesn't just block YouTube ads, it manages to block adverts from a couple other streaming sites I use too.
German c't magazine tested all the main browsers in terms of privacy in the latest issue. Brave came out on top by a large margin. They even discovered that Edge sends a list of visited sites while in private browsing mode back to Microsoft!
I've heard some negative things about Brave but i'm willing to give it a try now because it may just be noise. I can imagine the advertising industry being very motivated to keep people away from Brave.
I've heard some negative things about Brave but i'm willing to give it a try now because it may just be noise. I can imagine the advertising industry being very motivated to keep people away from Brave.
Always look at the quality of work being done. The author's post is distinctively different from that of more reputable sources, such as the review done by Leith and team at https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf.
You should also try Vivaldi[0] if you're already shopping around. Once Firefox went belly-up last week I needed a new browser, and Vivaldi made the cut for me. They publish their source code and do a great job of stripping the Google features out of Chrome.
[0] https://vivaldi.com
[0] https://vivaldi.com
I will probably never use Brave exclusively because of the fact that BAT shoots their privacy shtick in the foot. Why is my personal exploitation opt-in now? I don't want my browser to make money, and I certainly don't want to be caught in the crossfire while Adsense and other major providers roll out their circumvention mechanisms. Why is it so hard for people to just pick Firefox or a half-decent Chrome fork?
I blocked every domain in the article on my firewall and then fired up Brave. None were requested. Not sure what to believe now.
The Epic Privacy Browser is still the best if you want a Chromium-based privacy browser. Brave cloned them anyway and added their crypto and reduced the privacy. Firefox isn't recommended for privacy, though TOR is of course very good for anonymity, but Epic is better for everyday use.
Brave's business model is replacing the ads on websites with their own ads. Then there was that one time they started inserting their own affiliate codes into web pages. No surprise they replace the trackers on websites with their own tracking, too. At least their ethics are consistent.
"Brave's business model is replacing the ads on websites with their own ads."
Incorrect. Isn't true now, and has never been true in the past.
"Then there was that one time they started inserting their own affiliate codes into web pages."
Also false. Not true now, and was never true in the past.
"No surprise they replace the trackers on websites with their own tracking, too."
Still false. You're 0 for 3. Please consider downloading Brave and actually trying it for a day. It seems you have been quite misled on this topic.
See a more detailed response here: https://news.ycombinator.com/item?id=27552530
Incorrect. Isn't true now, and has never been true in the past.
"Then there was that one time they started inserting their own affiliate codes into web pages."
Also false. Not true now, and was never true in the past.
"No surprise they replace the trackers on websites with their own tracking, too."
Still false. You're 0 for 3. Please consider downloading Brave and actually trying it for a day. It seems you have been quite misled on this topic.
See a more detailed response here: https://news.ycombinator.com/item?id=27552530
So ironic that the OP's website doesn't require HTTPS. The most minimum security practice on the web that's nearly enforced by even the worst browser, and this security rant either doesn't care or doesn't realize their site is misconfigured.
The author is not technical; this was only the first of many mistakes they made. I posted three exhaustive responses at https://news.ycombinator.com/item?id=27552530.
A rebuttal of the points in the article, as most of it is arguing in bad faith:
> Brave's adblocker is uBlock origin
It's not[1].
> Brave Today can't be disabled
Currently called "Brave News" if you're looking for it. And of course it actually can be disabled[2].
> Rewards is used to track you
A request being made to a URL does not mean you are being "tracked". Brave ads are the most privacy-preserving ad architecture[3] I know about, and they are the only people trying to make a better funding model for the web that still has a lot of the upsides of ad-driven content (mainly that it is not a regressive funding model). FF is worse in this regard because Mozilla gets most of their revenue from adtech giants that clearly don't give a flying fuck about your privacy. If you think Mozilla's funding model isn't a conflict of interest and makes the web more privacy-conscious, I have a bridge to sell you.
> Telemetry automatically violates your privacy
Not really? Of course, someone very concerned with privacy should opt out of telemetry, and Brave lets you do that.
> Auto-updates violate privacy
How so? As I point out later, the most likely result of auto-updates is that they help preserve your privacy by getting bugs patched faster.
> Affiliate codes
Yes, Brave had pre-programmed history items that were affiliate links to a crypto exchange. This harmed nobody in any way and the backlash was over-the-top. But they disabled in response to user feedback. I kinda liked this idea, as it is another way Brave was trying to fund themselves without being beholden to the Googlopoly which is an endeavor I very much support (with the caveat that it can't hurt users, which again this did not).
> Uphold doesn't care about your privacy
Uphold is a financial institution based in the US (as Brave is) which by necessity needs to comply with KYC/AML regulations. That means they need to collect your personal info. Take it up with the US government if you're unhappy.
> Tor tabs leaking DNS
Was fixed fairly quickly[4] and I think worth pointing out that no other browser even bothers trying to do something like this (integrating Tor for better privacy). Conveniently left out of the part where the author made the claim that "Brave isn't better for privacy than FF because it's just uBlock origin". Clearly brave is trying things that are not just adblocking to increase user privacy.
In general with this point, kinda funny that apparently the author of this article wants Brave to be the only software engineering org in existence that never has bugs. I guess if that's your stance though it makes sense that you wouldn't want auto-updates. For everyone else that lives in reality, auto-updates are a good thing for security (and therefore privacy, as made clear here when a privacy-related bug inevitably happens).
> Chromium and Google’s monopoly
Yeahhhhh, using FF isn't the silver bullet you think it is, as again, Mozilla gets the vast majority of their revenue from being paid by Google. What happens if that dries up? Seems unlikely that maintaining Blink without Mozilla will be easier than Brave maintaining a privacy-centric fork of Chromium (which will presumably continue to get not-privacy-related upstream improvements from Google/Microsoft/etc in perpetuity).
> brave-core-ext.s3.brave.com fetches 5 extensions and installs them. It is said that this might be a backdoor. But I don’t want to get conspiracist. I prefer giving you verifiable facts. I’ll limit myself to inform you about suspicious activities.
This is worse than all the Bitcoin maximalists / shitcoin pump-and-dumpers with their "this is not financial advice" shtick. We know what you're doing, it's pretty transparent. Especially when you do it twice:
> They were also accused of theft with BAT but this isn’t verifiable so I’ll only link the source for you.
In summary, I disagree with basically all of this article, significant parts of which are just factually wrong.
[1] https://github.com/brave/adblock-rust
[2] https://support.brave.com/hc/en-us/articles/360056341952-How...
[3] https://brave.com/intro-to-brave-ads/
[4] https://github.com/brave/brave-browser/issues/13527
> Brave's adblocker is uBlock origin
It's not[1].
> Brave Today can't be disabled
Currently called "Brave News" if you're looking for it. And of course it actually can be disabled[2].
> Rewards is used to track you
A request being made to a URL does not mean you are being "tracked". Brave ads are the most privacy-preserving ad architecture[3] I know about, and they are the only people trying to make a better funding model for the web that still has a lot of the upsides of ad-driven content (mainly that it is not a regressive funding model). FF is worse in this regard because Mozilla gets most of their revenue from adtech giants that clearly don't give a flying fuck about your privacy. If you think Mozilla's funding model isn't a conflict of interest and makes the web more privacy-conscious, I have a bridge to sell you.
> Telemetry automatically violates your privacy
Not really? Of course, someone very concerned with privacy should opt out of telemetry, and Brave lets you do that.
> Auto-updates violate privacy
How so? As I point out later, the most likely result of auto-updates is that they help preserve your privacy by getting bugs patched faster.
> Affiliate codes
Yes, Brave had pre-programmed history items that were affiliate links to a crypto exchange. This harmed nobody in any way and the backlash was over-the-top. But they disabled in response to user feedback. I kinda liked this idea, as it is another way Brave was trying to fund themselves without being beholden to the Googlopoly which is an endeavor I very much support (with the caveat that it can't hurt users, which again this did not).
> Uphold doesn't care about your privacy
Uphold is a financial institution based in the US (as Brave is) which by necessity needs to comply with KYC/AML regulations. That means they need to collect your personal info. Take it up with the US government if you're unhappy.
> Tor tabs leaking DNS
Was fixed fairly quickly[4] and I think worth pointing out that no other browser even bothers trying to do something like this (integrating Tor for better privacy). Conveniently left out of the part where the author made the claim that "Brave isn't better for privacy than FF because it's just uBlock origin". Clearly brave is trying things that are not just adblocking to increase user privacy.
In general with this point, kinda funny that apparently the author of this article wants Brave to be the only software engineering org in existence that never has bugs. I guess if that's your stance though it makes sense that you wouldn't want auto-updates. For everyone else that lives in reality, auto-updates are a good thing for security (and therefore privacy, as made clear here when a privacy-related bug inevitably happens).
> Chromium and Google’s monopoly
Yeahhhhh, using FF isn't the silver bullet you think it is, as again, Mozilla gets the vast majority of their revenue from being paid by Google. What happens if that dries up? Seems unlikely that maintaining Blink without Mozilla will be easier than Brave maintaining a privacy-centric fork of Chromium (which will presumably continue to get not-privacy-related upstream improvements from Google/Microsoft/etc in perpetuity).
> brave-core-ext.s3.brave.com fetches 5 extensions and installs them. It is said that this might be a backdoor. But I don’t want to get conspiracist. I prefer giving you verifiable facts. I’ll limit myself to inform you about suspicious activities.
This is worse than all the Bitcoin maximalists / shitcoin pump-and-dumpers with their "this is not financial advice" shtick. We know what you're doing, it's pretty transparent. Especially when you do it twice:
> They were also accused of theft with BAT but this isn’t verifiable so I’ll only link the source for you.
In summary, I disagree with basically all of this article, significant parts of which are just factually wrong.
[1] https://github.com/brave/adblock-rust
[2] https://support.brave.com/hc/en-us/articles/360056341952-How...
[3] https://brave.com/intro-to-brave-ads/
[4] https://github.com/brave/brave-browser/issues/13527
Brilliant and succinct response. I provided 3 long responses here as well: https://news.ycombinator.com/item?id=27552530. One thing to point out regarding the Tor issue too is that this bug only happened because Brave is leading the industry in decloaking third-party ads and trackers masquerading as first-party resources (see https://brave.com/privacy-updates-6/ for more). This is what happens when you lead; others get to see you stumble from time to time.
I see a lot of their ads on Youtube. The are really off-putting.
Dropped Brave when it become worse than ublock/Firefox.
Can't we just like use Brave / Firefox and block all tracking domain names with something like pihole?
Does the browser not at all work then?
Does the browser not at all work then?
[deleted]
Fear mongering.
A competitor maybe? Someone with an agenda against Eich because of the donation debacle?
Privacy-wise, either Firefox or Brave are better than Chrome.
Ads are annoying but they do fund the net.
A competitor maybe? Someone with an agenda against Eich because of the donation debacle?
Privacy-wise, either Firefox or Brave are better than Chrome.
Ads are annoying but they do fund the net.
[deleted]
If you've visited /g/ lately you know how much Brave is pumping threads that are basically just ads for Brave.
I wouldn't immediately jump to competitor conclusion (and even they were they have good points)
To be Brave's model has always been bat shit insane.
>Ads are annoying but they do fund the net. This is a complete lie. If your website can not survive without ads then it shouldn't exist. Running a website takes almost no capital. Only people who are afraid about ad insdustry being destroyed (expect of course the people running the industry) are shitty blogs and useless news sites, because the truth is their content is so sub par that no one in their right minds would pay anything for it, but at least they can scam people into being sold onwards to advertisers.
Everyone should be running uBlock Origin. Everyone should be running ad blocking DNS. Websites that don't allow adblocks aren't worth visiting in the first place.
>Ads are annoying but they do fund the net. This is a complete lie. If your website can not survive without ads then it shouldn't exist. Running a website takes almost no capital. Only people who are afraid about ad insdustry being destroyed (expect of course the people running the industry) are shitty blogs and useless news sites, because the truth is their content is so sub par that no one in their right minds would pay anything for it, but at least they can scam people into being sold onwards to advertisers.
Everyone should be running uBlock Origin. Everyone should be running ad blocking DNS. Websites that don't allow adblocks aren't worth visiting in the first place.
Disagree. Brave's approach to funding is at odds with privacy. The concept of warming up to ads to get paid is capitulating to the advertising industry.
While I did not appreciate the tone of the article, there are some valid points there. Brave may be better than Chrome but there are still better options. It might be better to get a common cold virus than it is to get covid-19, but I'd still rather not get any virus. Sites that don't work right when you block all of the tracking lose me, I won't capitulate.
While I did not appreciate the tone of the article, there are some valid points there. Brave may be better than Chrome but there are still better options. It might be better to get a common cold virus than it is to get covid-19, but I'd still rather not get any virus. Sites that don't work right when you block all of the tracking lose me, I won't capitulate.
"Brave's approach to funding is at odds with privacy."
Elaborate, please. Brave's ad model is built for privacy and security. User's must first opt-in. Your data remains on your device. Ad catalogs are downloaded and reviewed locally. You are rewarded when you see an ad notification. I repeat, rewards are granted when your attention has been spent; no clicks necessary. I discussed the model further in this recent 5-minute video: https://youtu.be/LsrrT502luI
Elaborate, please. Brave's ad model is built for privacy and security. User's must first opt-in. Your data remains on your device. Ad catalogs are downloaded and reviewed locally. You are rewarded when you see an ad notification. I repeat, rewards are granted when your attention has been spent; no clicks necessary. I discussed the model further in this recent 5-minute video: https://youtu.be/LsrrT502luI
Brave is its own ad network and offers targeting to over 200 IAB categories. I don't agree that profiling my demographics and offering them up for sale is protecting my privacy, even if that does not include PII.
If I want to skip out on Brave Ads then I don't really need the Brave browser.
If I want to skip out on Brave Ads then I don't really need the Brave browser.
You're going to have to help me understand how Brave's current ad model is at odds with protecting your privacy. Brave [does not] send any data to advertisers. That means no PII from the user, no meta data from the user, and no cohort ID or anything else for the user.
> Brave [does not] send any data to advertisers.
What about Brave itself? Brave Ads offers a lot of IAB advertising categories for sale to advertisers. If everything is pushed to the client and happens on the client, how does Brave Ads even know which IAB categories might be missing (and not exactly for sale in its network)? How would an advertiser know if/when an ad was even served?
The model still relies on assessing the folks that install Brave to know what you have to sell, and advertisers at least feeling like they are getting value from that advertising, most want some kind of measurable result. It would seem that some information is flowing back to Brave to allow for attribution and payments. Why do I trust anyone to hold this information? How can I know what happens to this information in the future? I can probably be deanonymized from Brave data.
What about Brave itself? Brave Ads offers a lot of IAB advertising categories for sale to advertisers. If everything is pushed to the client and happens on the client, how does Brave Ads even know which IAB categories might be missing (and not exactly for sale in its network)? How would an advertiser know if/when an ad was even served?
The model still relies on assessing the folks that install Brave to know what you have to sell, and advertisers at least feeling like they are getting value from that advertising, most want some kind of measurable result. It would seem that some information is flowing back to Brave to allow for attribution and payments. Why do I trust anyone to hold this information? How can I know what happens to this information in the future? I can probably be deanonymized from Brave data.
No, Brave (the browser) doesn't send user data to Brave (the company) either. Matching happens on device. Categories are enumerated in the regional ad catalog. Local, on-device machine-learning decides whether a given ad is appropriate for the user. The data which comes back consists of cryptographic attestations; no user data. See https://github.com/brave/brave-browser/wiki/Security-and-pri... for more information. We have also added a way to anonymously detect conversions, such as when a user purchases a product or service after having viewed an ad-notification. This too relies on cryptography, and not user data. Although, if you purchase a product from an advertiser, you are likely already giving them some form of user data (e.g. Name, Address, etc.), but Brave doesn't have/transmit any user-data to ourselves or advertisers.
> The data which comes back consists of cryptographic attestations; no user data.
I'll be honest, I have no idea what that means, other than data going from the Brave browser going to the Brave Ad network. And I cannot see or verify that data. I don't want a browser that is a browser and an ad network, in which case I don't need Brave.
I'm interested in how you define 'user data'. Do you mean PII? In my opinion, if I interact with the Brave web browser and Brave creates a log of that then that is 'user data', its not browser data or advertising data. PII is one kind of user data. Data I enter into browser windows is another kind of user data. My interactions with the browser, as generated by me the user, generate user data too.
I'll be honest, I have no idea what that means, other than data going from the Brave browser going to the Brave Ad network. And I cannot see or verify that data. I don't want a browser that is a browser and an ad network, in which case I don't need Brave.
I'm interested in how you define 'user data'. Do you mean PII? In my opinion, if I interact with the Brave web browser and Brave creates a log of that then that is 'user data', its not browser data or advertising data. PII is one kind of user data. Data I enter into browser windows is another kind of user data. My interactions with the browser, as generated by me the user, generate user data too.
[deleted]
Does anyone here use Opera or have thoughts on it?
Brave seems strictly worse than Vivaldi to me...
I switched from Brave to Bromite on Android.
Brave is the false sensation of privacy, _compared to Firefox._ For people who use Chromium, Brave is the best there is.
The author is full of shit.
Make no mistake, it has nothing to do with Brave, it's just marxist guerrilla against Eich. They cancelled him once at Mozilla, they are at it again.
I find I use brave only as a last resort to get around anti-ad-block websites, or quasi paywalls, etc.
I found a list [0] on HN awhile ago of "free, open source and privacy respecting services and alternatives to privative services".
I have been using many of the items before I came across the list, and started using some after going through it.
Many items on the list are viable and practical alternatives to proprietary products commonly used.
[0]: https://github.com/pluja/awesome-privacy
I have been using many of the items before I came across the list, and started using some after going through it.
Many items on the list are viable and practical alternatives to proprietary products commonly used.
[0]: https://github.com/pluja/awesome-privacy
Once it became obvious through Firefox blog posts that they support censorship and oppose free speech, I made the switch to Brave.
Breaking this response up into a few comments:
"Their adblocker is just a fork of uBlock Origin…"
Claims like this should be supplemented with links to our source code (see https://code.brave.com), if true. I'm not sure what gave the author this impression; Brave's built-in ad-blocking does use public lists in addition to our own efforts, but that isn't the same as being a fork of uBlock Origin. That being said, uBO is a fine extension, and you should definitely be using it (if you're not using Brave).
"They’re whitelisting trackers from Facebook and Twitter, so they can use scripts in third parties' websites to track you across the web."
This is also quite misleading. It stems from a claim made back in 2018 about our now-retired "Muon" build of Brave. We had a file which listed third-party scripts which shouldn't be blocked (so as not to "break the Web"). Among these were particular Facebook and Twitter scripts, because Facebook and Twitter content is embedded all throughout the Web (think of embedded Tweets, posts, videos, etc.). As such, it's important to permit this content to load, but to prevent it from utilizing any persistent storage (e.g. cookies). Not only were these scripts prevented to accessing storage, Brave also modified or discarded the referrer header on these request. This wasn't ever a case of "whitelisting trackers".
"They’re blatantly lying to their users. Anyone who knows a bit about how JavaScript…"
Responding to a previous explanation for the "whitelist", the author emphatically claims the engineers at Brave don't understand how JavaScript works. If I'm not mistaken, the author is responding to Brendan Eich (Brave's CEO), who happens to also be *the creator of JavaScript*.
"Another problem with their built-in adblocker is that it’s better for extensions to be separated from the core of the browser, since they don’t follow each other’s update cycles. This means that you need to update the entire browser to fix a bug in the adblocker. Stupid, isn’t it?"
Agreed, which is why Brave's ad-blocking logic is broken out into a distinct component. You can see it enumerated on brave://components, and even request updates from that page as well. It would have been very unwise to require a full browser update just to deliver updates to ad-blocking rules, etc.
> Note: By this point, it should be clear to the reader that the author is unqualified to conduct such a review. A cursory review of Brave's source (both in the archived 'Muon' repo and our active code.brave.com endpoint) would have answered many of their questions. A review of Brave's network activity, such as the one I conducted this year (see https://brave.com/popular-browsers-first-run/), would have addressed many claims to follow.
"It’s important to bring focus to the fact that Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality."
Wrong, again. Brave is a heavily patched version of Chromium, deviating in many ways (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) from the base project. Again, this would have been quite clear to the author if they compared the network activity of Chrome and Brave (see https://brave.com/popular-browsers-first-run/).
"Rewards is their shitty program that will replace ads displayed on websites with their own."
Another easily-disproven claim, showing the author likely has never used Brave. Brave *does not replace ads on websites*. Brave's Ad system is opt-in, user-configurable, and displays ad notifications as native system notifications. These appear as prompts on your desktop or screen, outside of the browser itself.
"…they’re tracking you with Rewards…"
Again, where is the network analysis or source code to substantiate this claim? The author doesn't provide anything, because it's simply not true. Brave Rewards is designed to preclude tracking. Rather than having user data flow out to remote servers (the way Google Ads and more work today), Brave Rewards keeps the user's data on their device, and routinely downloads a regional ad catalog. This inverts the traditional digital advertising model. I covered this system in a bit more detail recently in a 5-minute talk on the history of digital advertising, and how Brave is fixing the industry. You can watch that talk at https://www.youtube.com/watch?v=LsrrT502luI.
Continued below...
"Their adblocker is just a fork of uBlock Origin…"
Claims like this should be supplemented with links to our source code (see https://code.brave.com), if true. I'm not sure what gave the author this impression; Brave's built-in ad-blocking does use public lists in addition to our own efforts, but that isn't the same as being a fork of uBlock Origin. That being said, uBO is a fine extension, and you should definitely be using it (if you're not using Brave).
"They’re whitelisting trackers from Facebook and Twitter, so they can use scripts in third parties' websites to track you across the web."
This is also quite misleading. It stems from a claim made back in 2018 about our now-retired "Muon" build of Brave. We had a file which listed third-party scripts which shouldn't be blocked (so as not to "break the Web"). Among these were particular Facebook and Twitter scripts, because Facebook and Twitter content is embedded all throughout the Web (think of embedded Tweets, posts, videos, etc.). As such, it's important to permit this content to load, but to prevent it from utilizing any persistent storage (e.g. cookies). Not only were these scripts prevented to accessing storage, Brave also modified or discarded the referrer header on these request. This wasn't ever a case of "whitelisting trackers".
"They’re blatantly lying to their users. Anyone who knows a bit about how JavaScript…"
Responding to a previous explanation for the "whitelist", the author emphatically claims the engineers at Brave don't understand how JavaScript works. If I'm not mistaken, the author is responding to Brendan Eich (Brave's CEO), who happens to also be *the creator of JavaScript*.
"Another problem with their built-in adblocker is that it’s better for extensions to be separated from the core of the browser, since they don’t follow each other’s update cycles. This means that you need to update the entire browser to fix a bug in the adblocker. Stupid, isn’t it?"
Agreed, which is why Brave's ad-blocking logic is broken out into a distinct component. You can see it enumerated on brave://components, and even request updates from that page as well. It would have been very unwise to require a full browser update just to deliver updates to ad-blocking rules, etc.
> Note: By this point, it should be clear to the reader that the author is unqualified to conduct such a review. A cursory review of Brave's source (both in the archived 'Muon' repo and our active code.brave.com endpoint) would have answered many of their questions. A review of Brave's network activity, such as the one I conducted this year (see https://brave.com/popular-browsers-first-run/), would have addressed many claims to follow.
"It’s important to bring focus to the fact that Brave isn’t more than Chromium with another skin and a built-in adblocker with reduced functionality."
Wrong, again. Brave is a heavily patched version of Chromium, deviating in many ways (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) from the base project. Again, this would have been quite clear to the author if they compared the network activity of Chrome and Brave (see https://brave.com/popular-browsers-first-run/).
"Rewards is their shitty program that will replace ads displayed on websites with their own."
Another easily-disproven claim, showing the author likely has never used Brave. Brave *does not replace ads on websites*. Brave's Ad system is opt-in, user-configurable, and displays ad notifications as native system notifications. These appear as prompts on your desktop or screen, outside of the browser itself.
"…they’re tracking you with Rewards…"
Again, where is the network analysis or source code to substantiate this claim? The author doesn't provide anything, because it's simply not true. Brave Rewards is designed to preclude tracking. Rather than having user data flow out to remote servers (the way Google Ads and more work today), Brave Rewards keeps the user's data on their device, and routinely downloads a regional ad catalog. This inverts the traditional digital advertising model. I covered this system in a bit more detail recently in a 5-minute talk on the history of digital advertising, and how Brave is fixing the industry. You can watch that talk at https://www.youtube.com/watch?v=LsrrT502luI.
Continued below...
"…it’s important to say that Rewards uses Uphold…"
The author then takes a jab at KYC, the process of confirming your identity by providing ID and other information. No user of Brave Rewards is required to do this. Users are able to opt-in, participate, earn, and pass along rewards to content creators and publishers. If a user wishes to "cash out," however, they do have to verify their identity in compliance with relevant laws and regulations. But this is not handled by Brave; we do what we can to stay away from your data. Instead, Uphold (and soon Gemini) handles this process.
"Contrary to popular belief, Rewards isn’t opt in."
The author here conflates calls to certain endpoints with program participation. They are correct that Brave would make calls at times to our own rewards server, but not because the user has been auto opted-in. Those calls would attempt to locate rewards for the current user, and they would respond with an error or an empty balance, since the user hasn't opted-in. We've been working on cleaning up these types of unnecessary calls; I think this one resulted when the user clicks on the Rewards panel. By default the panel would expand and ask the user if they would like to opt-in. If the user were already opted-in, the panel would expand and attempt to retrieve their balance. The buggy behavior here was the attempt to retrieve a balance in both states. If you ever spot an issue like this, please do let us know But again, no ad notifications are shown, and no ad catalogs are downloaded until a user opts in.
"…they fetch affiliates for Brave Rewards, with pings such as Grammarly, Softonic, Uphold, etc."
Another basic mistake from this author. They're referring to custom headers. These don't ping anybody. We document the headers on GitHub (see https://github.com/brave/brave-browser/wiki/Custom-Headers), explaining there that these serve as a substitute for a custom user-agent string (which Brave lacks). These don't identify the user to anybody, make any bad-door network calls, or anything. Again, the user is clearly not qualified to discuss these technical topics, and has done little (if any) homework on the matter.
"They also make requests to various domains… There isn’t a way to opt out from sending this requests."
A few domains are shared, but these again aren't explored any more deeply. I covered these endpoints in my network analysis (see https://brave.com/popular-browsers-first-run/); many are also covered in the document detailing proxies (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) we have setup with Google services to prevent users from making contact with Google. This is yet another example of where the user could have opened a Web Proxy Debugger like Fiddler or Charles and examined the network activity to understand what's going on.
"Brave has built-in telemetry. …a lot of people believe in their marketing and think that Brave is private out of the box."
Telemetry and Privacy aren't necessarily at odds with one another; it depends on how your telemetry is implemented. We have detailed our approach in detail on our Blog (see https://brave.com/privacy-preserving-product-analytics-p3a/). We also document the questions and possible answers on GitHub at https://github.com/brave/brave-browser/wiki/P3A.
"Suspicious behavior which installs 5 extensions"
The author is, again, showing their lack of experience and effort in this area. Again, they could have found this information covered in our source code (see https://code.brave.com), in my network analysis (see https://brave.com/popular-browsers-first-run/), or even by inspecting the CRX files themselves in something like Rob Wu's CRX Viewer (see https://robwu.nl/crxviewer/).
"There is a ton of criticism about Firefox’s Pocket. But Brave has something similar, which is called Brave Today."
Brave Today is available on the new tab page, but doesn't actually make any network calls unless you open it up. This was important to us, since we aim to keep Brave as clean and quiet as possible. From a new tab page, you have to scroll down to trigger network activity. But this deferring of request isn't all we've done to make this system as private as possible. Brave also drops request headers, pads resource bytes, and more. The padding of resource bytes is really neat; no matter which image is being requested from the Brave CDN, its file-size is always the same (meaning no network-connected sleuth can infer your network activity by watching image file sizes). We talk about this system in greater detail on our blog. See Brave's Private Content Delivery Network (see https://brave.com/brave-private-cdn/).
The author then takes aim at Brave’s “SafeBrowsing”. Brave uses Google's SafeBrowsing service to protect users from harmful sites and more. Similar services are used by practically all major browsers today (many using SafeBrowsing). What matters most here, again, is implementation. SafeBrowsing has a LookUp API and an Update API. One of these sends data with each request to Google for their judgement. The other routinely downloads a database of potentially harmful URLs and performs the lookup locally, on the user's device. Brave takes the latter route. And the routine database updates are proxied through Brave server's, meaning users aren't making any direct contact with Google. This was also covered in my network analysis (see https://brave.com/popular-browsers-first-run/) earlier this year. Compare and contrast with something like Opera to see how others perform similar lookups.
Continued below...
The author then takes a jab at KYC, the process of confirming your identity by providing ID and other information. No user of Brave Rewards is required to do this. Users are able to opt-in, participate, earn, and pass along rewards to content creators and publishers. If a user wishes to "cash out," however, they do have to verify their identity in compliance with relevant laws and regulations. But this is not handled by Brave; we do what we can to stay away from your data. Instead, Uphold (and soon Gemini) handles this process.
"Contrary to popular belief, Rewards isn’t opt in."
The author here conflates calls to certain endpoints with program participation. They are correct that Brave would make calls at times to our own rewards server, but not because the user has been auto opted-in. Those calls would attempt to locate rewards for the current user, and they would respond with an error or an empty balance, since the user hasn't opted-in. We've been working on cleaning up these types of unnecessary calls; I think this one resulted when the user clicks on the Rewards panel. By default the panel would expand and ask the user if they would like to opt-in. If the user were already opted-in, the panel would expand and attempt to retrieve their balance. The buggy behavior here was the attempt to retrieve a balance in both states. If you ever spot an issue like this, please do let us know But again, no ad notifications are shown, and no ad catalogs are downloaded until a user opts in.
"…they fetch affiliates for Brave Rewards, with pings such as Grammarly, Softonic, Uphold, etc."
Another basic mistake from this author. They're referring to custom headers. These don't ping anybody. We document the headers on GitHub (see https://github.com/brave/brave-browser/wiki/Custom-Headers), explaining there that these serve as a substitute for a custom user-agent string (which Brave lacks). These don't identify the user to anybody, make any bad-door network calls, or anything. Again, the user is clearly not qualified to discuss these technical topics, and has done little (if any) homework on the matter.
"They also make requests to various domains… There isn’t a way to opt out from sending this requests."
A few domains are shared, but these again aren't explored any more deeply. I covered these endpoints in my network analysis (see https://brave.com/popular-browsers-first-run/); many are also covered in the document detailing proxies (see https://github.com/brave/brave-browser/wiki/Deviations-from-...) we have setup with Google services to prevent users from making contact with Google. This is yet another example of where the user could have opened a Web Proxy Debugger like Fiddler or Charles and examined the network activity to understand what's going on.
"Brave has built-in telemetry. …a lot of people believe in their marketing and think that Brave is private out of the box."
Telemetry and Privacy aren't necessarily at odds with one another; it depends on how your telemetry is implemented. We have detailed our approach in detail on our Blog (see https://brave.com/privacy-preserving-product-analytics-p3a/). We also document the questions and possible answers on GitHub at https://github.com/brave/brave-browser/wiki/P3A.
"Suspicious behavior which installs 5 extensions"
The author is, again, showing their lack of experience and effort in this area. Again, they could have found this information covered in our source code (see https://code.brave.com), in my network analysis (see https://brave.com/popular-browsers-first-run/), or even by inspecting the CRX files themselves in something like Rob Wu's CRX Viewer (see https://robwu.nl/crxviewer/).
"There is a ton of criticism about Firefox’s Pocket. But Brave has something similar, which is called Brave Today."
Brave Today is available on the new tab page, but doesn't actually make any network calls unless you open it up. This was important to us, since we aim to keep Brave as clean and quiet as possible. From a new tab page, you have to scroll down to trigger network activity. But this deferring of request isn't all we've done to make this system as private as possible. Brave also drops request headers, pads resource bytes, and more. The padding of resource bytes is really neat; no matter which image is being requested from the Brave CDN, its file-size is always the same (meaning no network-connected sleuth can infer your network activity by watching image file sizes). We talk about this system in greater detail on our blog. See Brave's Private Content Delivery Network (see https://brave.com/brave-private-cdn/).
The author then takes aim at Brave’s “SafeBrowsing”. Brave uses Google's SafeBrowsing service to protect users from harmful sites and more. Similar services are used by practically all major browsers today (many using SafeBrowsing). What matters most here, again, is implementation. SafeBrowsing has a LookUp API and an Update API. One of these sends data with each request to Google for their judgement. The other routinely downloads a database of potentially harmful URLs and performs the lookup locally, on the user's device. Brave takes the latter route. And the routine database updates are proxied through Brave server's, meaning users aren't making any direct contact with Google. This was also covered in my network analysis (see https://brave.com/popular-browsers-first-run/) earlier this year. Compare and contrast with something like Opera to see how others perform similar lookups.
Continued below...
"It’s a concerning issue for a “privacy” oriented browser to connect to Cloudflare’s and Google’s domains, since both of them are telemetry."
The author here is referring to proxied URLs, which were already addressed. They claim these are "telemetry," which is absurd. Telemetry is about understanding how users and products intersect. To suggest Brave is doing any telemetry here, or assisting Google/Cloudflare with Telemetry, would require the author to provide something substantive. They don't, however, because they aren't technically qualified to conduct this type of review in the first place. Also, they note receiving a 404 when attempting to access these endpoints. This is because the user failed to note that these receive POST requests, rather than GET requests. The latter results in a 404.
"Brave will check for updates every time you run it. …Brave’s dedication to privacy is truly amazing /s."
Yes, and? Software that remains up-to-date typically remains safer and more secure. We're not about to have our 30+ million users running outside, vulnerable, and brittle versions of Chromium which have known, published exploits in the wild.
"Brave has been caught inserting affiliate codes…"
Not much of a scandal here. Brave shipped an update which would offer users affiliate-versions of particular URLs. The goal here was to detect pre-search input (no network activity involved), and offer up an affiliate link if one was available. The user could then decide to visit a URL with or without traffic attribution. We blogged about this in "On Partner Referral Codes in Brave Suggested Sites (see https://brave.com/referral-codes-in-suggested-sites/)". As stated there, the intent was to offer referral options during searches. Our mistake was also matching fully-qualified URLs. Once the issue was found, it was quickly resolved. It's important to note that traffic attribution is not necessarily malicious, anti-privacy, or a matter of security. The author has been suggesting users switch to Firefox; has the author conducted a search from Firefox? Is the author aware, as revealed in a network analysis (see https://brave.com/popular-browsers-first-run/), that keystrokes are asynchronously fed to Google, and that each request is marked with a Firefox identifier for traffic attribution?
"Who the fuck implements Tor but doesn’t change the DNS?"
Ah, that issue. Again, the user hasn't done their homework. What they're referring to here was the recent bug with Brave's Tor context which would emit a DNS lookup, potentially exposing your traffic to your ISP. Let me be quite clear, that is bad. Really bad. Which is why we fixed it without hesitation. That said, was this an example of Brave not knowing how Tor works? Or how DNS works? Not at all, as the author seems to have left out some important context.
Brave has supported Tor for a long time, and without any DNS lookup issue. So what caused this issue? It was actually Brave's effort to remain ahead of the industry in terms of security and privacy, believe it or not. In late 2020 we blogged about Fighting CNAME Trickery (see https://brave.com/privacy-updates-6/), and the growing trend of third-party trackers finding ways to plant themselves on first-party domains. To combat this, Brave added a DNS lookup to resolve first-party endpoints and evaluate the endpoint with our block lists and more. This gave Brave the unique ability to identify third-party trackers even when they masquerade as first-party requests. But, we failed to limit this feature only to standard browsing contexts. Having a feature like this makes you one of the most secure and private browsers on the market. Having it in a Tor context, however, means potentially leaking some network activity. This was not a case of Brave failing to understand how Tor or DNS works; this was a case of Brave taking the initiate to do something bold, and stumbling in the process. When you lead, everybody gets to see your mistakes.
"Possible scam and theft?"
Betteridge's law of headlines is an adage that states: "Any headline that ends in a question mark can be answered by the word no." One issue the user does bring up here (by link, not explicitly) are a set of changes made to Brave's UX/UI following feedback from content creators in 2018. We blogged about this in greater detail at https://brave.com/rewards-update/. In summary, our UI/UX was somewhat confusing. We made a few rapid changes, which resulted in a substantially much better system. This was, in my opinion, a stellar example of how crucial community feedback is to developing a solid product.
"Hostility towards forks"
More nonsense. Brave has no problem with forks; we do have a problem with those wishing to copy and paste Brave under the name "Braver". That should be quite obviously a bad-faith gesture. The individual(s) behind this proposed browser (there were at most 2 or 3 people) soon realized how much work goes into developing a browser, and the effort fell apart. But forks of Brave exist today; Dissenter (don't use this browser! (see https://twitter.com/BraveSampson/status/1350685642846572546)) and PreSearch for iOS being a couple examples.
In summary, if you want a technical review of Brave, don't get it from randos on the Internet Look instead to competent engineers, such as the work done by Douglas Leith (see https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf) and others at Trinity College in Dublin. Their abstract is as follows, "We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex."
Fin.
The author here is referring to proxied URLs, which were already addressed. They claim these are "telemetry," which is absurd. Telemetry is about understanding how users and products intersect. To suggest Brave is doing any telemetry here, or assisting Google/Cloudflare with Telemetry, would require the author to provide something substantive. They don't, however, because they aren't technically qualified to conduct this type of review in the first place. Also, they note receiving a 404 when attempting to access these endpoints. This is because the user failed to note that these receive POST requests, rather than GET requests. The latter results in a 404.
"Brave will check for updates every time you run it. …Brave’s dedication to privacy is truly amazing /s."
Yes, and? Software that remains up-to-date typically remains safer and more secure. We're not about to have our 30+ million users running outside, vulnerable, and brittle versions of Chromium which have known, published exploits in the wild.
"Brave has been caught inserting affiliate codes…"
Not much of a scandal here. Brave shipped an update which would offer users affiliate-versions of particular URLs. The goal here was to detect pre-search input (no network activity involved), and offer up an affiliate link if one was available. The user could then decide to visit a URL with or without traffic attribution. We blogged about this in "On Partner Referral Codes in Brave Suggested Sites (see https://brave.com/referral-codes-in-suggested-sites/)". As stated there, the intent was to offer referral options during searches. Our mistake was also matching fully-qualified URLs. Once the issue was found, it was quickly resolved. It's important to note that traffic attribution is not necessarily malicious, anti-privacy, or a matter of security. The author has been suggesting users switch to Firefox; has the author conducted a search from Firefox? Is the author aware, as revealed in a network analysis (see https://brave.com/popular-browsers-first-run/), that keystrokes are asynchronously fed to Google, and that each request is marked with a Firefox identifier for traffic attribution?
"Who the fuck implements Tor but doesn’t change the DNS?"
Ah, that issue. Again, the user hasn't done their homework. What they're referring to here was the recent bug with Brave's Tor context which would emit a DNS lookup, potentially exposing your traffic to your ISP. Let me be quite clear, that is bad. Really bad. Which is why we fixed it without hesitation. That said, was this an example of Brave not knowing how Tor works? Or how DNS works? Not at all, as the author seems to have left out some important context.
Brave has supported Tor for a long time, and without any DNS lookup issue. So what caused this issue? It was actually Brave's effort to remain ahead of the industry in terms of security and privacy, believe it or not. In late 2020 we blogged about Fighting CNAME Trickery (see https://brave.com/privacy-updates-6/), and the growing trend of third-party trackers finding ways to plant themselves on first-party domains. To combat this, Brave added a DNS lookup to resolve first-party endpoints and evaluate the endpoint with our block lists and more. This gave Brave the unique ability to identify third-party trackers even when they masquerade as first-party requests. But, we failed to limit this feature only to standard browsing contexts. Having a feature like this makes you one of the most secure and private browsers on the market. Having it in a Tor context, however, means potentially leaking some network activity. This was not a case of Brave failing to understand how Tor or DNS works; this was a case of Brave taking the initiate to do something bold, and stumbling in the process. When you lead, everybody gets to see your mistakes.
"Possible scam and theft?"
Betteridge's law of headlines is an adage that states: "Any headline that ends in a question mark can be answered by the word no." One issue the user does bring up here (by link, not explicitly) are a set of changes made to Brave's UX/UI following feedback from content creators in 2018. We blogged about this in greater detail at https://brave.com/rewards-update/. In summary, our UI/UX was somewhat confusing. We made a few rapid changes, which resulted in a substantially much better system. This was, in my opinion, a stellar example of how crucial community feedback is to developing a solid product.
"Hostility towards forks"
More nonsense. Brave has no problem with forks; we do have a problem with those wishing to copy and paste Brave under the name "Braver". That should be quite obviously a bad-faith gesture. The individual(s) behind this proposed browser (there were at most 2 or 3 people) soon realized how much work goes into developing a browser, and the effort fell apart. But forks of Brave exist today; Dissenter (don't use this browser! (see https://twitter.com/BraveSampson/status/1350685642846572546)) and PreSearch for iOS being a couple examples.
In summary, if you want a technical review of Brave, don't get it from randos on the Internet Look instead to competent engineers, such as the work done by Douglas Leith (see https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf) and others at Trinity College in Dublin. Their abstract is as follows, "We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex."
Fin.
Brave is a scam, but recommending palemoon or icecat a is (for different reasons) also a bad idea.
Can you elaborate on why palemoon and icecat are bad ideas? Haven’t used either. Am assuming they’re further behind on the latest web standards?
They both lack the manpower to keep up. I personally don't mind missing on the latest features, but I don't want my software to be full of old security holes that were patched long ago in upstream Firefox.
Besides, I have once witnessed a conversation between Palemoon developers and some distro's packagers about usage of palemoon logo or trademark or something like that. The developers spoke in a very entitled tone and it was quite off-putting.
Besides, I have once witnessed a conversation between Palemoon developers and some distro's packagers about usage of palemoon logo or trademark or something like that. The developers spoke in a very entitled tone and it was quite off-putting.
How exactly is Brave a scam? The author certainly couldn't argue this point (detailed response to their claims can be found here: https://news.ycombinator.com/item?id=27552530).
The fact that author's arguments are flawed (imo not all of them are) does not imply their claim is incorrect. A lot has been written on the topic Elsewhere, I'm sure you will be able to find some better explanations if you so desire.
This article is a glittery piece of shit, from lies about the blockers to completely made up points on the ad system.
In 2001 or so I considered entering into an encrypted email correspondence with my brother, for fun. I quickly gave up on the idea because I realized that I didn’t trust that my computer or my brother’s computer didn’t already have spyware of some kind, I didn’t trust the integrity of any encryption/decryption tools that existed, didn’t trust myself not to lose the passwords or leave them lying around, and didn’t trust that some day I wouldn’t just stupidly leave my laptop somewhere with the password entered. Etc., etc. It was obvious that actually having even one meaningfully secret conversation would actually require involved and somewhat ridiculous lifestyle changes.
Having thought this through long ago, I have never understood why people behave as though a chat client or browser that they download from the open internet would be meaningfully secure.
Having thought this through long ago, I have never understood why people behave as though a chat client or browser that they download from the open internet would be meaningfully secure.
So closing your bathroom door isn’t worth it because someone can ram it? :)
I live in a house with toddlers. This is absolutely true. I leave the door open so it doesn't bash into my leg when they come hammering on it.
[deleted]
What is "it" that would bash into your leg? The door? Are your toddlers strong enough to ram closed door with enough force for it to bash into your leg?
If I suspect there are invisible people who can make money off of pictures of me taking a dump and can phase through doors, then I indeed might not close the bathroom doors. These metaphors never work because encrypting your text messages is qualitatively different from quotidian intuitions about privacy.
Exactly. I sleep outside because a meteorite would crush a house; therefore a house is useless.
Do you lock the doors on your house? Why bother? Someone could break a window?
Security is about identifying and mitigating threat models.
For example, if you're concerned with mass surveillance an encrypted messenger will stop that.
Just because something doesn't protect against CIA 0days doesn't make it worthless.
Security is about identifying and mitigating threat models.
For example, if you're concerned with mass surveillance an encrypted messenger will stop that.
Just because something doesn't protect against CIA 0days doesn't make it worthless.
A house is almost nothing like a computer along any dimension that the metaphor could possibly make sense.
Besides, unless you've built your own encrypted messenger, you're still putting trust in several agents that you have no reason to trust.
Besides, unless you've built your own encrypted messenger, you're still putting trust in several agents that you have no reason to trust.
You can pretty easily check how private and secure a browser is; setting up a "man in the middle" to monitor its communication is something we do routinely at Brave (see https://brave.com/popular-browsers-first-run/), and what others have done as well (see https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf).
The people arguing that Firefox has an edge because it maintains a separate browser engine (like the writer of this article) are going to have real difficulties making their argument. Ditto the attacks on Brave for not being private enough. The people who care about privacy should be more worried about getting caught in Google's web of properties than about privacy per-se - that company is bad news. And Firefox is more closely aligned with Google's interest than Brave is. Look at how much money Google has been funnelling to Firefox over the years.
Having a different engine is really more of an inconvenience than a strength - it means that sometimes pages will not work in Firefox. Having an independent engine was important when it was IE6 vs the open web. It doesn't matter much when the engines involved are BSD license vs GPL.
If Chrome was all proprietary licenses then having an independent engine would matter. But the internet likes to standardise on one, open, technology.
Having a different engine is really more of an inconvenience than a strength - it means that sometimes pages will not work in Firefox. Having an independent engine was important when it was IE6 vs the open web. It doesn't matter much when the engines involved are BSD license vs GPL.
If Chrome was all proprietary licenses then having an independent engine would matter. But the internet likes to standardise on one, open, technology.
You may be right, and you may not be. It has to be good that there are more than exactly one engine, it means there is a discussion, some level of "forced openness".
That wouldn't be possible if web developers could simply rely on undocumented quirks of a sole browser.
It's possible that FF will die. But I think that would be extremely sad. For one, Manifest V3 would be forced upon the entire web => no more uOrigin.
That wouldn't be possible if web developers could simply rely on undocumented quirks of a sole browser.
It's possible that FF will die. But I think that would be extremely sad. For one, Manifest V3 would be forced upon the entire web => no more uOrigin.
> It has to be good that there are more than exactly one engine...
Well, that is kinda the point. No, it doesn't. It might be worse than having one great de-facto standard engine. Having 2+ splits web developers in what they choose to support.
In this instance, we literally have a young company (Brave Software, Inc) that chose to go head-to-head with Google. Their CEO is deeply entwined with the history of first Netscape then Mozilla/Firefox. They went with Chromium.
That is a pretty searing indictment of the "an independent engine is important" argument. If Eich doesn't think Firefox is up for the challenge, what exactly is the gameplan here?
Nobody is saying Mozilla has to die, whatever that means. But if there is an advantage to its existence that advantage is difficult to spot. Firefox doesn't even have the thriving extension ecosystem it could once boast about - they killed most of it off. There is nothing useful there except a different set of quirks.
Well, that is kinda the point. No, it doesn't. It might be worse than having one great de-facto standard engine. Having 2+ splits web developers in what they choose to support.
In this instance, we literally have a young company (Brave Software, Inc) that chose to go head-to-head with Google. Their CEO is deeply entwined with the history of first Netscape then Mozilla/Firefox. They went with Chromium.
That is a pretty searing indictment of the "an independent engine is important" argument. If Eich doesn't think Firefox is up for the challenge, what exactly is the gameplan here?
Nobody is saying Mozilla has to die, whatever that means. But if there is an advantage to its existence that advantage is difficult to spot. Firefox doesn't even have the thriving extension ecosystem it could once boast about - they killed most of it off. There is nothing useful there except a different set of quirks.
> Nobody is saying Mozilla has to die, whatever that means.
To die means having so few users that development is abandoned and the teams disbanded. It could happen; I wish it doesn't; you seem to wish it does... because it would make the life of web developers a little simpler?
But I don't think that's true; I think it's the opposite: web development would be a little more difficult if/when everything is controlled by just one company who decides unilaterally what can be done and what can't.
To die means having so few users that development is abandoned and the teams disbanded. It could happen; I wish it doesn't; you seem to wish it does... because it would make the life of web developers a little simpler?
But I don't think that's true; I think it's the opposite: web development would be a little more difficult if/when everything is controlled by just one company who decides unilaterally what can be done and what can't.
There is no risk of everything being controlled by one company. That is why it is acceptable for there to only be one browser engine.
Observe that Brave, inc is using the chromium engine in a way that opposes Google.
Mozilla has developed a bunch of great features in the last few years. If they were developing on Chromium, most of the internet would have access to them. Instead, only a minor subset do. This is a bad strategy.
Observe that Brave, inc is using the chromium engine in a way that opposes Google.
Mozilla has developed a bunch of great features in the last few years. If they were developing on Chromium, most of the internet would have access to them. Instead, only a minor subset do. This is a bad strategy.
I don't think you understand how Chromium works. Google makes all the important decisions. People have advocated for independent governance (e.g. some kind of Chromium Foundation) but Google isn't interested.
E.g. Brave opposes Google in some ways but they have no say in the development of Web standards implemented by Chromium.
E.g. Brave opposes Google in some ways but they have no say in the development of Web standards implemented by Chromium.
It is open source. If someone doesn't like a decision they can fork the codebase.
Mozilla's Gecko has been beaten down to sub-double-digit market share, they're less relevant right now than when IE6 was >75% of the market. They have no power to influence the direction the web moves in. And yet life is going on better than ever.
If you want a counterbalance to stop Google making the important decisions, Firefox has failed spectacularly. And yet Google doesn't have any power to move the web in a direction it doesn't want to go - because their engine is open source and that is what actually matters here.
Mozilla's Gecko has been beaten down to sub-double-digit market share, they're less relevant right now than when IE6 was >75% of the market. They have no power to influence the direction the web moves in. And yet life is going on better than ever.
If you want a counterbalance to stop Google making the important decisions, Firefox has failed spectacularly. And yet Google doesn't have any power to move the web in a direction it doesn't want to go - because their engine is open source and that is what actually matters here.
To make any dent to Google's dominance over the web a potential fork would first have to gain any noticeable traction. This seems highly unlikely if well funded companies like Microsoft or Mozilla weren't able to leverage their properties (Windows in Microsoft's case) or their brand (Mozilla) so far. Plus, any major fork of Chromium would have to compete with Chrome's vast development budget.
Browser vendors can carry small patches against Chromium but significant changes are very costly to carry long-term as the code changes under you. Furthermore, Google controls how heavy that burden is for you. In practice browser vendors who choose Chromium don't challenge Google's Web platform decisions except in very narrow cases like FLoC. In contrast Mozilla and Apple examine every Google-proposed Web platform feature or change to see whether it makes sense.
Mozilla's influence over the Web platform is much lower than it was but it is also far from zero. Lots of major sites still test in Firefox. Apple has even more influence. That is why Google doesn't yet has absolute power over the Web platform.
Mozilla's influence over the Web platform is much lower than it was but it is also far from zero. Lots of major sites still test in Firefox. Apple has even more influence. That is why Google doesn't yet has absolute power over the Web platform.
> Browser vendors can carry small patches against Chromium but significant changes are very costly to carry long-term as the code changes under you. Furthermore, Google controls how heavy that burden is for you.
This is fundamentally wrong; at any point anyone can hard fork chromium and then the long term costs of maintenance and rate of code change are completely out of Google's control.
> In practice browser vendors...
This is because Google generally makes great choices with Chrome that don't need to be second guessed. One of the reasons for Chrome's ubiquity is Google makes a great browser.
This is fundamentally wrong; at any point anyone can hard fork chromium and then the long term costs of maintenance and rate of code change are completely out of Google's control.
> In practice browser vendors...
This is because Google generally makes great choices with Chrome that don't need to be second guessed. One of the reasons for Chrome's ubiquity is Google makes a great browser.
No-one is going to hard-fork Chromium. The reason you adopt Chromium is because you don't want to pay to maintain your own browser engine.
> The reason you adopt Chromium is because you don't want to pay to maintain your own browser engine.
Same argument applies to Gecko, but if people want to get in to the web browser game it makes a lot more sense to start with a de-facto open standard - which is Chromium. There are already a lot of browsers based on that engine, which is apparently named Blink according to Wikipedia, with backers who could easily choose to maintain an engine if they wanted to.
If the world ends in 12 months then sure, no-one is going to fork Chromium. But in the future, at some point Google will start doing a bad job maintaining it and Chromium could well be forked. If someone decides they need a browser engine to maintain full time they're probably going to fork Chromium as the technically strongest starting point and start maintaining a branch themselves. Forking Gecko would get them ... not much useful. Maybe some PR points.
The Blink license says people can fork it. There isn't any legal or technical reason that it is unforkable. At some point, it will be forked.
Same argument applies to Gecko, but if people want to get in to the web browser game it makes a lot more sense to start with a de-facto open standard - which is Chromium. There are already a lot of browsers based on that engine, which is apparently named Blink according to Wikipedia, with backers who could easily choose to maintain an engine if they wanted to.
If the world ends in 12 months then sure, no-one is going to fork Chromium. But in the future, at some point Google will start doing a bad job maintaining it and Chromium could well be forked. If someone decides they need a browser engine to maintain full time they're probably going to fork Chromium as the technically strongest starting point and start maintaining a branch themselves. Forking Gecko would get them ... not much useful. Maybe some PR points.
The Blink license says people can fork it. There isn't any legal or technical reason that it is unforkable. At some point, it will be forked.
Using Gecko (or Webkit) would have added extra risk for Brave. When you're starting a company, especially a browser company that's going to take on Google at some level, you need to minimize all unnecessary risks. I don't blame Brendan for doing that.
Plus, when Brendan started Brave, Firefox was further behind in performance and architecture than it is now.
Plus, Brendan's departure from Mozilla was somewhat messy and I don't blame him for not wanting to keep a Mozilla dependency.
> Having 2+ splits web developers in what they choose to support.
Having one engine, Chromium, would mean Google gets a completely free hand to make almost all decisions about how the Web works. Also, Web sites would have no chance of noticing they depend on Chromium bugs --- very bad for the future of the Web (and for Chromium).
Now, Webkit is also a very viable engine. The problem with relying on Apple is that they have a powerful disincentive to let the Web platform be a viable competitor to iOS.
This is why Mozilla matters.
Plus, when Brendan started Brave, Firefox was further behind in performance and architecture than it is now.
Plus, Brendan's departure from Mozilla was somewhat messy and I don't blame him for not wanting to keep a Mozilla dependency.
> Having 2+ splits web developers in what they choose to support.
Having one engine, Chromium, would mean Google gets a completely free hand to make almost all decisions about how the Web works. Also, Web sites would have no chance of noticing they depend on Chromium bugs --- very bad for the future of the Web (and for Chromium).
Now, Webkit is also a very viable engine. The problem with relying on Apple is that they have a powerful disincentive to let the Web platform be a viable competitor to iOS.
This is why Mozilla matters.
Hi roc, just FYI we started Brave in 2015 based on Gecko, using the Graphene multiprocess/sandboxing code from that era's FirefoxOS. We switched late in the year after listing all the problems to solve (DRM was one, many others) in order to compete with Chrome. Mozilla or my departure was not an issue.
No, Manifest V2 support remains internally and for "Enterprise Chrome" customers. Therefore we at Brave have promised that we would support V2 on by default for extensions including uBO (not needed on Brave) and uMatrix. HTH
Firefox has had a load of conflicts of interests that people don't want to mention. For example, >90% of their funding comes from Google for being the default search engine. That means Mozilla doesn't want to upset Google too much.
As a result, what have we seen? Safari has added new privacy features, that should have been obvious, before Firefox. DuckDuckGo, which Mozilla staff generally recommend, isn't the default which is odd for how vocal Mozilla likes to be about how we're great for your privacy and an open web.
The point is that by receiving >90% of their funding from Google, Mozilla can continue existing. And also be a hypocrite in their actions.
As a result, what have we seen? Safari has added new privacy features, that should have been obvious, before Firefox. DuckDuckGo, which Mozilla staff generally recommend, isn't the default which is odd for how vocal Mozilla likes to be about how we're great for your privacy and an open web.
The point is that by receiving >90% of their funding from Google, Mozilla can continue existing. And also be a hypocrite in their actions.
>As a result, what have we seen? Safari has added new privacy features, that should have been obvious, before Firefox.
Firefox has added plenty of "obvious" privacy features that no other browser has. Container tabs are amazing (and incredibly useful even apart from maintaining privacy).
Where is uBlock Origin or uMatrix for Safari? They can't exist because Apple doesn't really care about the browser extension ecosystem and doesn't implement the APIs. Apple has very different priorities than Mozilla does, and that's not a dig at either of them.
Given that, I'm not sure it's a great idea to assign ulterior motivations to the delay, especially since Firefox does eventually get those features.
https://techcrunch.com/2021/02/24/mozilla-beefs-up-anti-cros...
Firefox has added plenty of "obvious" privacy features that no other browser has. Container tabs are amazing (and incredibly useful even apart from maintaining privacy).
Where is uBlock Origin or uMatrix for Safari? They can't exist because Apple doesn't really care about the browser extension ecosystem and doesn't implement the APIs. Apple has very different priorities than Mozilla does, and that's not a dig at either of them.
Given that, I'm not sure it's a great idea to assign ulterior motivations to the delay, especially since Firefox does eventually get those features.
https://techcrunch.com/2021/02/24/mozilla-beefs-up-anti-cros...
>It doesn't matter much when the engines involved are BSD license vs GPL
Without a competing engine, Google is free to cease development on Chromium and start a new private fork, and autoupdate all Chrome browsers to that new fork. Then they can add all sorts of web features that only they support. Every browser dependent on Chromium will fall behind in security updates and web features, and become more unusable than Firefox is today.
Without a competing engine, Google is free to cease development on Chromium and start a new private fork, and autoupdate all Chrome browsers to that new fork. Then they can add all sorts of web features that only they support. Every browser dependent on Chromium will fall behind in security updates and web features, and become more unusable than Firefox is today.
If Google did that, we'd be better off with the Mozilla corporation taking over Chromium development than continuing to develop Gecko.
The erosion of interest in Firefox over the years raises a pretty basic question: if Google followed through with that scenario, how effective would Firefox be? They're got steamrolled in the last decade with massive amounts of funding (from Google).
Brave is literally showing that if someone wants to compete with Google, they're going to start with chromium as a base. Your argument is similar to "if someone wants to compete with Google, they need to be able to use Gecko/Webkit!". People with skin in the game are saying whatever the theoretical merits are to your argument, it is wrong. Gecko isn't part of the competitive equation any more.
The erosion of interest in Firefox over the years raises a pretty basic question: if Google followed through with that scenario, how effective would Firefox be? They're got steamrolled in the last decade with massive amounts of funding (from Google).
Brave is literally showing that if someone wants to compete with Google, they're going to start with chromium as a base. Your argument is similar to "if someone wants to compete with Google, they need to be able to use Gecko/Webkit!". People with skin in the game are saying whatever the theoretical merits are to your argument, it is wrong. Gecko isn't part of the competitive equation any more.
This does not appear to be true. Here is the github repo for their open source adblock engine written in rust:
https://github.com/brave/adblock-rust
Here is a (somewhat dated) article describing it by the authors:
https://brave.com/improved-ad-blocker-performance/
> Google will take decisions that benefit their advertisement business, like making impossible to use adblockers on any Chromium based browser.
Because the brave adblocker is integrated directly into the browser (ie. not an extension) the Manifest V3 limitations don't apply.