Yeah, his analysis of Brave really is different: https://mobile.twitter.com/jonathansampson/status/1165391211...
Sure, all requests are now sent to one location, including (!!) extension (Tor, https everywhere, etc) downloads used by brave. What about the possibility of the brave folks modifying those extensions to suit their needs? If I am needing to trust Tor, I'm going to download Tor from the appropriate location, not from brave. Based on the language he used reviewing other browsers, I suspect if that behavior was seen on anything other than brave the prognosis would be different.
I don't hide the fact that I work for Brave; I mention it in numerous threads and responses. What do you feel I handled differently on account of my association with Brave? Will gladly correct any mistakes.
To your question, Brave couldn't get away with modifying extensions on the fly. This would cause integrity checks on the client to fail. Not to mention, the code to do this would have to land in our public repos on GitHub, where we would quickly be tarred and feathered.
If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later. That said, if you need a browser that can also make non-Tor connections, etc., then Brave is probably more ideal.
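The reply above rests on the client refusing an extension whose bytes do not match what it expects. The following is an added illustration of that kind of check, not Brave's code; the payload bytes, component names and the JSON manifest format are all constructed for the example (a real browser would additionally verify a vendor signature over the manifest):

```python
import hashlib
import hmac
import json

# Constructed sample payloads standing in for extension downloads (HTTPS Everywhere,
# a Tor client component, ...). The bytes are made up for illustration only.
EXTENSION_PAYLOADS = {
    "https-everywhere.crx": b"constructed payload: https-everywhere",
    "tor-client.crx": b"constructed payload: tor-client",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(payloads: dict) -> str:
    """Pinned-digest manifest the client ships with (or fetches over a separately
    authenticated channel). In a real browser this would carry a vendor signature;
    in this constructed example the pins themselves are the trust anchor."""
    pins = {name: sha256_hex(data) for name, data in payloads.items()}
    return json.dumps(pins, sort_keys=True)


def verify_download(manifest_json: str, name: str, downloaded: bytes) -> bool:
    """Client-side integrity check run on every fetched component before install.
    Unknown component names are refused outright. Digests are compared with
    hmac.compare_digest so the comparison time does not depend on where they differ."""
    expected = json.loads(manifest_json).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(downloaded))


def audit_served(manifest_json: str, served: dict) -> dict:
    """Verdict per payload handed back by a proxy or any other intermediary:
    True = matches its pin and may be installed, False = reject and log."""
    return {name: verify_download(manifest_json, name, data) for name, data in served.items()}


if __name__ == "__main__":
    manifest = build_manifest(EXTENSION_PAYLOADS)
    # Constructed scenario: one payload arrives intact, one had a byte altered in transit.
    served = {
        "https-everywhere.crx": EXTENSION_PAYLOADS["https-everywhere.crx"],
        "tor-client.crx": EXTENSION_PAYLOADS["tor-client.crx"][:-1] + b"!",
    }
    for name, ok in audit_served(manifest, served).items():
        print(f"{name}: {'OK' if ok else 'REJECTED (digest mismatch)'}")
```

The point a defender should take from it: whoever serves the bytes (origin, proxy, CDN) is irrelevant to the outcome as long as the pins come from somewhere the intermediary cannot rewrite; a single altered byte is enough to fail the check.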
> If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later.
May I ask what you mean by "if you're capable of running the Tor browser" and "if you're smart enough to use the later (sic)"? Is it about the person knowing that it even exists? I use Tor Browser sometimes, and it's no different from using any other browser (except for some differences in network speed and the fact that it isolates every tab). I don't see what specific capability or smartness is required to use it.
Sure, what I mean to say is that Tor is more of a super-user utility (IMHO). If you're looking for that degree of anonymity, you probably don't want to be in a browser that also supports traditional protocols (like HTTP, etc.). As such, Tor is more appropriate for a sub-set of users who are very interested in privacy/anonymity. For those who need it only occasionally, Brave is probably a better option.
You lose all the benefits of Tor if you use some third-party version.
You trade benefits. Which, for some people, is more ideal.
Thanks for the great analysis!
Side question: I use Brave on Android and have noticed that scrolling through the comments here on HN can be a bit finicky.
The first swipe tends to sometimes scroll the contents of a comment (not the page) up or down by a couple of pixels, then the next swipe with finger starting in same comment will let me scroll the page.
Just thought I'd mention it as I love Brave and am hoping this can be improved. Haven't noticed it on other mobile browsers. Cheers!
(Samsung S10 5G international version.)
Would you be able to capture a video of the issue? Either way, I'm happy to file an issue and investigate.
I'll get a video to you in the next day or so - thanks! :)
> Not to mention, the code to do this would have to land in our public repos on GitHub, where we would quickly be tarred and feathered.
What is the status of reproducible builds for the Brave browser?
Please clarify if I'm missing your point, but you can build Brave today. See github.com/brave/brave-browser. Let me know if you run into any issues.
I think "reproducible builds" usually refers to being able to build Brave yourself, then creating a hash of the resulting artefact, and that hash being exactly the same as that of the built version Brave distributes itself.
In other words, being able to verify that the source code that is included in the build of Brave that Brave distributes, is the same as the source code we can view publicly.
Reproducible builds would mean that anyone could download the code for a specific release and build a binary that is identical to the one you provide - byte for byte. Is that possible?
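To make the "byte for byte" requirement concrete, here is an added toy illustration (not Brave's build system, and not code from anyone in this thread). It models a build as packing a constructed in-memory source tree into an artefact: the naive variant embeds wall-clock time and a random work directory, the reproducible variant takes its timestamp from a SOURCE_DATE_EPOCH value and emits files in sorted order, so two independent rebuilds hash identically and can be checked against a published digest. The source tree, file format and epoch value are all made up for the example:

```python
import hashlib
import time
import uuid

# Constructed "source tree" (path -> contents), standing in for a checkout of a tagged release.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "README": b"example project\n",
}


def pack(entries, header: str) -> bytes:
    """Toy artefact format: a header line, then 'path size' lines each followed by the bytes."""
    out = [header.encode()]
    for name, data in entries:
        out.append(f"{name} {len(data)}\n".encode() + data)
    return b"".join(out)


def naive_build(tree: dict) -> bytes:
    """Typical non-reproducible build: bakes in the build time and a random
    work-directory path (two of the most common sources of build differences)."""
    build_dir = f"/tmp/build-{uuid.uuid4().hex}"  # constructed, mimics a per-run scratch dir
    header = f"built-at: {time.time()}\nbuild-dir: {build_dir}\n"
    return pack(tree.items(), header)


def reproducible_build(tree: dict, source_date_epoch: int) -> bytes:
    """Deterministic build: timestamp comes from the caller (SOURCE_DATE_EPOCH),
    no host paths leak into the output, and entries are emitted in sorted order."""
    header = f"built-at: {source_date_epoch}\n"
    return pack(((name, tree[name]) for name in sorted(tree)), header)


def artefact_digest(artefact: bytes) -> str:
    return hashlib.sha256(artefact).hexdigest()


def verify_vendor_build(tree: dict, source_date_epoch: int, published_digest: str) -> bool:
    """Independent rebuild from the tagged source: does it hash to what the vendor published?"""
    return artefact_digest(reproducible_build(tree, source_date_epoch)) == published_digest


if __name__ == "__main__":
    epoch = 1566000000  # constructed SOURCE_DATE_EPOCH value for the example
    print("naive build #1:", artefact_digest(naive_build(SOURCE_TREE)))
    print("naive build #2:", artefact_digest(naive_build(SOURCE_TREE)))  # differs every run
    published = artefact_digest(reproducible_build(SOURCE_TREE, epoch))
    print("reproducible  :", published)
    print("rebuild matches published digest:", verify_vendor_build(SOURCE_TREE, epoch, published))
```

Run it twice and the naive digests never agree, while the reproducible digest is stable across runs and machines; that stability is what lets an outsider check that a distributed binary was built from the public source, which is exactly what git tags alone cannot show.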
More info about reproducible builds is here:
https://reproducible-builds.org/
I don't see any mentions of reproducible builds over there.
If you're not familiar with what reproducible builds are, I suggest you examine the following article:
* https://brendaneich.com/2014/01/trust-but-verify/
Mozilla, however, is different, in that all builds are posted to ftp.mozilla.org, in a versioned manner, and kept there for a while, which, at least in theory, makes it easier to verify or analyse the builds.
What is the situation with Brave? Can I download a version released a few months ago? As it is, the browser is not only not really versioned (at least in the binary form), but there's not even a way to disable it from automatically updating itself. Self-modifying code, where the user has no control over the channel under which the modifications are pushed, is inherently insecure from the reproducibility's perspective.
You can get older (and many incremental) builds from https://github.com/brave/brave-browser/tags. Hope this helps! There is desire within the team for reproducible builds, and I'll see to it that these coals are stoked. Our intent is to be as open, transparent, and accountable as we can be. Brave's mentality is "Can't be evil", as opposed to "Don't be evil." Thank you for the feedback!
Those are Git tags; they have nothing to do with reproducible builds, because you're not providing the executable binaries that are the ones being distributed. It's a huge downgrade in terms of reproducibility of builds compared to Firefox. (It works for Google with Google Chrome because they have an entirely different business model where the whole thing is a walled-garden by design.)
Yes, I know those are Git tags. Click on them to find associated binaries. For instance, https://github.com/brave/brave-browser/releases/tag/v0.71.44. Not all tags have binaries, but most do. Those that reach a build channel always do.
What a mess, seriously! What is the retention policy? How far into the past are the binaries stored?
FYI we didn't have an issue open on the topic of reproducible builds until now[0]. While it has been discussed internally, we haven't focused on it. We will have to assess the work involved but will put it on our backlog.
[0] https://github.com/brave/brave-browser/issues/5830
> What do you feel I handled differently on account of my association with Brave? Will gladly correct any mistakes.
Put it in your Twitter bio. Just "working @brave". If I'm reading your opinion on software, it's helpful to know I'm reading the opinion of someone employed by a competitor without needing to dig through other parts of your Twitter account.
He already does it on his other account — @BraveSampson.
Here's a screenshot of both accounts side-by-side, compare and contrast:
* https://twitter.com/Mcnst/status/1166520716826763264
Obviously, if this original review were to come from Brave or a Brave-employee directly, it probably would have been taken differently than coming from a "grass-roots" individual, hence the intentional deception on his part.
Twitter explicitly allows one to have multiple accounts as long as you use them for different purposes; in this instance, it's very difficult to see what purpose this Brave-less account has (other than intentionally misleading the public by hiding the Brave affiliation whilst still talking about browsers).
There's no intentional deception here. My followers on Twitter know for whom I work, but that doesn't mean every tech-related Tweet is a work item. I didn't pump this post, I wrote it for the people who follow me on Twitter. Be kind.
> If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later. That said, if you need a browser that can also make non-Tor connections, etc., then Brave is probably more ideal.
I'm confused about this? Tor browser installation isn't any different from any other major browser, presumably including Brave. There's no skill required to operate it that you don't need for Chrome.
Firefox recently upstreamed some fingerprinting protections from Tor.
Brave is relatively less trackable than most default browsers.
As a reader of the threads, I first assumed you were an independent security/privacy researcher. Only when I saw a reply of yours "that's being worked on" did I begin to suspect you were affiliated with brave (but assumed as a fan).
I was not able to quickly confirm your affiliation (bio was first place I looked). Not disclosing this more prominently felt icky.
(Disclosure: I am a user & fan of Brave)
For some context, I released this on Twitter, to my followers, who know I work for Brave. I mean, in my profile picture I'm seen wearing a Brave shirt and presenting at a Brave booth.
The threads aren't hit pieces; they were the curious musings of a software engineer and browser builder. And it's worth noting that I spent time yesterday working with Mozilla on their telemetry bugs; so I'm not here to throw mud. Somebody else posted my thread here, and caused it to blow up. Don't lay that on me.
Sorry, I didn't mean to imply ill intent whatsoever. It didn't come across to me that you were trying to do anything shady, and it also didn't seem like you were trying to damage a competitor.
Given that this did end up reaching a broader audience than your Twitter following (it is a public forum), my feedback would be that it was too hard to tell that you were directly affiliated with Brave, and that it would feel much classier to disclose this clearly in your bio (just "eng @brave" or something, or even a top-level reply to your primary thread if you don't want to modify your bio).
Perhaps I'm less eagle-eyed or adept than most Twitter users, but I actively suspected you were affiliated, looked for clues that you were, and could not find them. Given that it wasn't your intent to hide anything, but it can accidentally give the impression that you are, it might go over better to be more proactive in disclosure.
Again, the thread itself was successful in achieving the tone of "just the curious musings of a software engineer", was great content, and IMO still reads well with knowledge of your horse in the race.
Thank you for the kind words. I tend to leave off my present employer on Twitter. That said, I'll give it some consideration. All the best!
You're already trusting their browser - if they were going to maliciously modify the Tor extension, they could do it inside the browser instead of in the extension download (e.g. not load the actual Tor extension but do their nasty thing internally)
https://twitter.com/jonathansampson/status/11653912236932218... "thanks brave for proxying the content for me, no doubt google runs a global middleware on all requests to their domains to power their adtech machine!"
Your trust for privacy has to go somewhere - do you trust the megacorp with antitrust investigations and hundreds of perpetually pending lawsuits, or "Brave Software, Inc"? Security as well. Password sync is coming[1] - surely brave software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.
1: https://twitter.com/jonathansampson/status/11653993492890173...
Point of clarification: Brave supports Sync today, but passwords are not yet included. You can read about how we implement end-to-end encrypted sync here: https://github.com/brave/sync/wiki/Design
Non sequitur here, but is there a timeline? It's been 'coming' since I first looked into it many months ago.
We began developing Sync during our "Muon" days, when our browser was a fortified fork of the Electron project. We then moved over to "Core", which is a soft-fork/patch of the Chromium code-base. As such, this required us to back-track just a bit, and recover some ground. Efforts were then directed at shipping an MVP of Sync across Windows, macOS, Android, and iOS. We succeeded in doing that not too long ago, and are now working towards expanding support for more data types. Hope this helps!
Hey, thanks for taking the time to reply. I'm eagerly awaiting that feature; it's the only thing keeping me away at the moment.
Any possible chance of supporting third party sync? I'd love to have Brave (my primary mobile browser) sync natively with Firefox (my primary desktop browser).
> Password sync is coming[1] - surely brave software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.
How would I know? Is that code on GitHub? If not, why not? That would certainly give your words a lot more weight.
Also, to my knowledge there has never been a leak of Chrome sync data since the feature was first introduced in 2012.
I say this sarcastically - I don't think anything about Brave's security ops is flawed or even misconfigured [now], but Google and Mozilla have a lot more resources than Brave does dedicated to security and auditing of things like CI servers and access controls.
And the password sync thing was related to the server that runs sync - it's E2EE, but Brave controls the update process and could very well deploy a malicious update that exfiltrates sync data or leaves it open to attacks.
That's why my point is about where you place your trust - if you're not up to the task of building your own browser (or at least auditing and building chromium yourself) and running your own sync software, you have to trust someone; oftentimes this means giving up privacy (Google) or giving up security (Again, choosing Brave isn't really giving up the security of your sync data, you're just now trusting a company that might not have the same security procedures and amount of resources dedicated to audits).
Yeah, I like how they pitch MITMing these requests to be a good thing.
My daily driver is Firefox (and I abandoned Google Chrome long ago), but if I have to choose, for whatever reason, between sending requests directly to Google and sending requests to Brave, I'd choose the latter. I do trust Brave more than I trust Google (yes, I'm also aware of the controversies with Brave about its founder and about its micropayments service). I wish Mozilla would actually proxy requests to Google, since I trust Mozilla a lot more.
We ought to expect more from Mozilla on this.
> We ought to expect more from Mozilla on this.
What you're advocating is for Mozilla to become a walled-garden, just like Brave and Chrome are.
Since when is a walled-garden a good thing?
If you trust Mozilla more than you trust Google, I think it follows that you should also trust their decision that NOT proxying and going directly to Google.com for this data is acceptable.
Not only that, but he has another account, @BraveSampson, which links to this one, @jonathansampson, but not the other way around. They used to have nearly-identical pictures, and, IIRC, linked to each other, but not anymore.
Would I be the only one to find it fishy for someone to post such reviews for your competitors whilst pretending that you're an individual not on a payroll from Brave? Why should Mozilla proxy requests to Google through their own servers like Brave does? And the better question: Why IS Brave MITM proxying requests to Google and other services?
BTW, having multiple Twitter accounts is not against the rules if each account is for a separate purpose, but for someone working in the browser industry to be having two separate accounts where they write about browsers on each one, all whilst hiding their affiliation and pretending to be an unaffiliated individual on one of them?! Seriously?
---
Keep in mind that Brave and Chrome are the ultimate privacy violators, as it's not possible to disable autoupdates on either one; Brave developers repeatedly (see https://github.com/brave/browser-laptop/issues/1877) disregarded the community's complaints about this issue (ironically, going against https://brendaneich.com/2014/01/trust-but-verify/); so, you're basically running a self-modifying binary, whether you like it or not. Any review anyone does is kinda meaningless, because there aren't any versions per se, and it can do whatever the hell it wants the next day, without any public record of what it did yesterday. With Mozilla, there's a public ftp directory with all the versions at `ftp.mozilla.org` — haven't seen anything like that for either Brave or Chrome.
In fact, many folks used various official guides from Google to disable Chrome from autoupdating itself, e.g., because the newer versions broke font support or other system-level features, only to find such officially-sanctioned settings completely ignored down the line.
How about doing a review of how much it costs in roaming fees to have Chrome/Brave download updates without your permission whilst you're travelling? Or how many hosts Brave does MITM to without any good reason?