113 comments

[ 3.2 ms ] story [ 178 ms ] thread
this type of stuff makes me wonder if there really ever was any browser that truly cared about privacy.

firefox has gone down the hill and last week I switched to Brave. but hardening Brave isn’t the ultimate solution as lots of things will break in future updates.

There’s still safari!!
Arguably doing the most to protect user privacy.
What is Safari doing that Firefox isn't? I find multi-account containers in Firefox to be indispensable. Does Safari do something similar?
(comment deleted)
What's wrong with Firefox?
Last I checked (6 mos ago), it had memory leaks and it was slow. I could leave my chrome/brave tabs open for a week while I worked on a project, but firefox had to be killed and restarted daily or it would eat all my RAM and swap.

That being said, I made do with it for years because I love the tree tabs plugin and the containers. But 6 months ago I finally gave up on it.

The parent made it sound like the privacy side of Firefox was slipping, so I was hoping he could talk about any specifics.
I had to add a lot to my user.js (or about:config) just to avoid Mozilla's shady telemetry and diagnostics. If you google it, there's even Hardended Firefox...
Can't you just uncheck the telemetry box in the settings? I don't get what is shady about it though, you can see what is being sent (about:telemetry) and they tell you it's on by default.
That's not the only place where telemetry takes place. Even with that option turned off, FF has other telemetries working in the background.
I run Firefox for two months at a time with no memory leak issues. I have 6 Firefox windows open at all times with over 200 tabs open and over 300 tabs open at once at points during the day. Right now it's using 3.5GB of RAM. The only reason I don't run it longer than two months that is I need to reboot for OS updates. This is on Debian.
On my Ubuntu firefox can do the same. On windows 7 it falls apart.
Lol why are you still using win7? Uses an outdated os that is no longer supported. But doesn't attribute programs playing up to that? Mate. Win7 is your problem get off that.
Windows 7 is a better experience compared to windows 10. Windows 7 doesn't ask me to upgrade or throw ads in my start menu or sends installed program data to Microsoft or have any of the other enhancements

I do have win10 on a different machine and a smaller performance happens but still happens.

I have Ubuntu and an even smaller performance happens but it always happens.

But on Windows 7 the memory leaks are very noticable.

Windows 7 is no longer security-patched. Regardless of how you feel about the good old days of 7, you are a risk to yourself running it.

It bears stating that if you are also using a machine running 7 in a company setting, you are also a risk to that company.

Personally I've seen the opposite: video sites on Chromium that would eat up 300MB+ and an additional 1~3MB of leaked mem per action. Whereas the same site on FF would happily sit at 20~30MB.
Not true in my experience on Windows.

I find Firefox handles many tabs better than Chrome.

That's your computer bud not Firefox.
Firefox doesn't have memory leaks.

Use it on Mac and Linux on a daily basis, and don't close tabs for weeks at a time when I forget about them. Are you sure it isn't your tree tabs plug ins?

I switched to brave, because Mozilla is no longer actually defending privacy, Firefox has full telemetry, allows google analytics,has unique Id for each installer, and much more.

Brave on the other hand, has an ad-blocker by default, blocks trackers, blocks Google amp, limited telemetry, and has a fully independent search engine.

Its a browser I can reccomend to anyone, and they will be more private by just using it, yes its not perfect but disabling the crypto is stuff is trivial, its just 2 options to disable and you are done.

I lost hope that Mozilla is going to actually fix stuff, its now just spending money on political advocacy and has fired engineers while raising the CEO's salary.

https://www.ghacks.net/2022/03/17/each-firefox-download-has-...

https://arstechnica.com/information-technology/2020/08/firef...

Brave is headed by the guy who invented Javascript, one might say you're taking your online privacy/security out of the frying pan just so you can toss it in the fire.
LibreWolf is a Firefox fork/mod which actually respects privacy in my usage (if you trust it to be non-malicious). It enables privacy features, and turns off Firefox-bundled ads and studies and telemetry.

I had to turn off fission.autostart on an old machine with 4 gigabytes of RAM (and maybe decrease content processes to 1), to make it use less RAM.

LibreWolf?
Breaks a lot of sites and disables a lot of things for no reason.

Its only for very advanced users.

I find the default brave values to be very good. Its almost the best browser in terms of privacy protections by default, only battered by librewolf which breaks a ton of sites(1)

And with brave search, you have good search and a good browser too.

1. https://privacytests.org

I've been using Brave as my primary browser now for at least four years, and it breaks very few web sites these days. I still have to revert to another browser every once in a while (less than once a month). The Brave experience has made using any other browser painful... Whenever I open a familiar site in a different browser where Brave isn't available (work) it's a jarring and dissonant shock. So many annoying ads everywhere all of a sudden! The crypto stuff I just ignore.
I never really understood the crypto stuff. BAT isn't mined on the computers of people who use brave, right? so why is it even a cryptocurrency at all, couldn't they just essentially use a non-coin solution? aka a bunch of integers in a sql database
I never cared about BAT, I just realized its was centralized on top of ETH and then just stopped caring.

I immediately disable it and anything related to crypto and I just forget about it.

The official story is that Brave runs a revenue share program, so if they wanted to use "real money" they would have to be a licensed money transmitter. To sidestep the regulatory issue, it is much easier to use a cryptocurrency for the payout and punt all the KYC/AML requirements to a crypto exchange.

"Why BAT and not just use another existing crypto?" Well, they tried! They started with Bitcoin, but no one wanted to use BTC to tip or contribute, which is kind of a problem if you want to build an alternative monetization strategy for content creators.

Both are open source, aren't they?
but you need TLS!
I think they are referring to cryptocurrency, not cryptography in general.
How is HTTPS supposed to work without crypto?
I think they are referring to cryptocurrency, not cryptography in general.
(comment deleted)
Get used to it. Crypto related stuff is only getting more influential and adopted. Current prices don't mean anything. Use case and utility of some of them is where it's at. BAT from Brave is a good example of a practical application for an alternative ad system. I have been using Brave with the BAT option enabled for over a year and even though I started as a skeptic, I can now say it works relatively well. Is it perfect? No, there a some bugs in their UI for them. Does it accomplish the objectives it was designed for? Definitely. But the most important part at the end of the day is having the option to participate or not. I don't mind seeing an ad every once in a while specially if I can get a cut of how much it cost to display that ad to me.
Brave's way of using cryptocurrencies is the only good use of crypto I know of. (There are probably others)
It uses a MITM attack to inject Cryptocurrency span into webpages. Sorry, it’s indefensible. Nobody is going to “get used to” the modern equivalent of viruses, especially when non-infected browsers are available.
Adoption metrics say otherwise on both their browser and ad system but sure.
>It uses a MITM attack to inject Cryptocurrency span into webpages

Are we talking about the opt-in ads (which might contain "Cryptocurrency span") or the affiliate codes (which are injected into pages you've already decided to visit)?

Man any browser trying to pass off it being acceptable to inject affiliate codes in links just because you were going there anyways is some serious red flags and you should end that relationship promptly.

Brave is truly capitalist cancer in browser form. I thought we killed off IE & Netscape. Turns out they had a kid.

Damn if you think any of that is problematic (which is not because you can opt out, and by default is not enabled), specially from the "capitalist cancer" pov wait until you hear about this obscure browser called Chrome from a company you might have heard called Google.

Edit: Forgot to mention, they stopped injecting the links 2 years ago as they claim it was a mistake (maybe, maybe not, but for sure not the case right now) -> https://brave.com/referral-codes-in-suggested-sites/.

(comment deleted)
How is it absurd? Do you have any technical explanation to back this up? Because it sounds a bit absurd.
OT, but it's kinda crazy how cryptocurrencies totally hijacked the word "crypto", which may cause confusion for years to come.

Like in the sibling comments that confuse it with cryptography-crypto :D

That doesn't make the slightest lick of sense to me. Can you elaborate how cryptocurrencies compromise browser security?
It doesn't. My guess is that some people find crypto icky, and their thinking is that if the browser vendor is doing an icky thing they can't be trusted to keep the browser secure.
Well, they pay me to use Brave.
Browsers should't be get-rich-quick crypto pyramid schemes.
You don't need to put a single dollar into Brave's BAT in order to get paid in them when volunteering to get ads from their ad system (which companies pay for btw). You can easily sell them for hard cash. Your pyramid scheme example doesn't work here buddy.
The browser does a man-in-the-middle attack on webpages. It’s sketchy, dodgy and scammy. It was bad when they introduced it, but in 2022 it completely indefensible.
I don't think you understand what a man in the middle is or how it works at the browser engine level but sure keep repeating it.
Are you claiming that ad blocking is a MITM attack?
No. Brave browser hijacks webpages that you view and injects their own adverts onto the webpage.

The webpage you requested is not the webpage you are shown, because of the man-in-the-middle attack.

The ads are notifications. They aren’t injected into the page.

You clearly have never used Brave.

Doesn't need to be as long as they can convert it to real money.
Until the pyramid scheme collapses and everyone loses their money.
Genuine question. Can you explain how the BAT coin and system is a pyramid scheme? I don’t know enough about how BAT works.
It's not. The BAT ecosystem is pretty much the only crypto project that is injected with "real money". It comes from the advertises that want to buy space in Brave's own ad network. For every dollar that an advertisers pays to Brave, they give 70 cents to the users.

The payouts are calculated in USD, not in BAT. BAT is only used because it is the "easiest" way to send money to users without getting banks from every corner of the world involved. If you want to cash out the BAT, you need to go through the KYC with one of the partner exchanges. But if you just want to use the BAT to tip other users, no KYC is needed.

The ads from Brave are completely private - your browser downloads the whole inventory, the ad-matching is done in-device, and a separate service is responsible in validating double-blind signatures to count for your ad views.

Yes, the Brave browser removes a website’s adverts, and injects its own ads into webpages using a man-in-the-middle attack. It’s sketchy, grubby behavior, and is the reason why websites are starting to block the Brave browser.

I notice the BAT cryptotoken has lost lots of value recently. Perhaps that’s why there is lots of desperate Brave spam recently.

> Yes, the Brave browser removes a website’s adverts, and injects its own ads into webpages using a man-in-the-middle attack

That is simple FUD. No ads are put into the webpages. The ads from Brave networks are displayed via the OS notification system, and they are opt-in.

You repeating this lie in multiple threads is not going to make it true, and spreading this kind of misinformation says more about you than those you are criticizing.

No, the page is not "injected" with anything.

No, they are not "unrequested" (sic). The ads from Brave are opt-in. If you don't want to see ads to receive the rewards, simply don't turn them on.

No, there are no "vulnerable people being exploited". No one needs to pay to participate in the rewards program. Those receiving ads are merely cashing in monthly $3-$10 rewards paid in the token, and go on with their day.

No, no one "lost their life savings" because they participated in the BAT rewards program or because they used the browser.

All your comments regarding the functioning of Brave and BAT rewards are bordering libelous. Can you please at least get one fact straight, or do you just want to throw more unabashed lies around?

I don’t use it, but if I did, I’d convert it to USD every month, so in your scenario, I’d end up missing out on my final month of payment. Not too shabby for zero work on my part. The only people who would lose their money are those who never cashed any out.

Anyway, BAT seems like one of the more useful cryptos I’ve seen. Granted; that’s a very low hurdle.

The "not real money" I'm somehow able to convert to USD and transfer to my bank account after claiming my rewards every month without having to put a single dollar into their system.
(comment deleted)
Nice tutorial. It takes some work, but all that crypto stuff can be disabled in Brave and then it works really well blocking ads and trackers...
Rather than disabling all the crypto, why not use a browser that isn't infected with it in the first place?
Read the second half of the comment you're replying to
Actually it's addressed in the linked posting.

Hardening does not start at choosing the right tools or networks, hardening begins with gathering information to inform yourself and others in order to stay up-to-date so that you can deal with current and upcoming threats. Tools, extensions and Co. are just a workaround until someone build the right system, that starts by voting and supporting the right politicians and organizations.

Firefox also requires setup (installing uBlock for starters). I find that setting up Brave is not any more work, and then it is indeed a pretty good browser.
But that's the whole point of Brave. If you're not interested in crypto, pick a browser that's just a browser. There are better choices: Safari, GNOME Web, Falkon, Firefox.
What if one just wants a more usable ungoogled-chromium?
Pretty much all of my suggestions are that, except maybe Firefox.
The point of using a Chromium fork is full extension compatibility, same rendering engine and similar-enough featureset (what matters varies by user, which is why just forking Chromium works best). None of your suggestions match these requirements.
Safari: not an option outside of Macs. Gnome Web: barely usable. Falkon: insecure due to no/low maintenance (think the last release is years ago). Firefox: requires setup too.
Falkon only appears out of date because the rendering engine component is updated separately, as part of Plasma.

As for Gnome Web being "unusable", that's quite an extraordinary claim.

Falkon relies on Qt for QtWebEngine, not Plasma. Which has its maintenance issues of its own (look it up, it's a chore nobody really likes doing and is therefore infrequent, something you don't want for a web engine).

Falkon, on many platforms, links Qt statically, so you stil rely on them making timely releases.

It is absolutely not a browser anybody should use.

GNOME Web has next to no UI over WebKit, so the claim is easily verified.

GNOME web is truly bad. Not only is it WebKit based (which puts it at a stark disadvantage out of the gate), but it also lacks tons of features like extention support, settings sync, custom themes, robust developer tooling, PWA support, the list goes on...

Hell, GNOME web hasn't even fixed it's text rendering issues yet. Text is still jagged and aliased out-of-the box. It's definitely on the cusp of "unusably bad"

That's your take. I use Brave for it's protocol support and native ad blocking. Where are you getting this "point of Brave" from?
Anyone ever consider the possibility that crypto isn't needed in a society that is based on trust, and if we all trusted each other, then none of this is necessary? It is almost as if the powers that be want crypto because they don't trust anyone, and therefore perpetuates the problem of needless abstraction?
(comment deleted)
Western countries are rapidly moving from being high-trust to low-trust societies. The reasons for this are multifaceted, complex, and self-reinforcing, and it isn't likely that the trend will be reversed any time soon. Certainly not within our lifetimes. So we can either stick our heads in the sand about it, or develop technologies to deal with it as best we can. I'm not a crypto fan myself, but I understand why it exists and why it will probably be increasingly important as time goes on.
No one will ever trust a completely trustless coin, because if you can't trust each other, putting trust in an abstract concept isn't exactly a winning solution.

Human trust matters, not mathematical trust.

Unfortunately you don’t understand what trustless means in this context. “No one trusts a trustless coin” makes no sense, there is no trust required for it to function (theoretically). It works as expected whether your counterparty is a saint or entirely corrupt.
I do, I think. No one wants to use a coin that also let's criminals do dark things with even less scrutiny than fiat currencies.
And we can see this across all levels of society, from cryptocurrency to grade inflation to George Floyd to political corruption to school shootings. The loss of trust in institutions is particularly accelerated today, whereas people of the "Greatest Generation" who are dying now grew up in a world where teachers, police, and politicians were generally trusted.
(comment deleted)
> and if we all trusted each other, then none of this is necessary?

I mean, maybe, but that's never going to happen so it really doesn't matter

Your periodic reminder that talking about "trustlessness" in distributed systems only means that the consensus can be verified independently and that there is no central authority.
Just use Vivaldi :-) Simplicity is a virtue. Complexity is a sin.
Isn't vivaldi closed source?
Nearly all of it except the web renderer. You may like its GUI, but a secure or privacy respecting option it is not.

Network analyses also show it's a very chatty browser.

Would be nice if there was a tool which automates all this and hardens the Brave in one simple click