[HN Gopher] Brave, the false sensation of privacy
___________________________________________________________________
Brave, the false sensation of privacy
Author : Santosh83
Score : 544 points
Date : 2021-06-18 12:28 UTC (10 hours ago)
(HTM) web link (ebin.city)
(TXT) w3m dump (ebin.city)
| mordymoop wrote:
| In 2001 or so I considered entering into an encrypted email
| correspondence with my brother, for fun. I quickly gave up on the
| idea because I realized that I didn't trust that my computer or
| my brother's computer didn't already have spyware of some kind, I
| didn't trust the integrity of any encryption/decryption tools
| that existed, didn't trust myself not to lose the passwords or
| leave them lying around, and didn't trust that some day I
| wouldn't just stupidly leave my laptop somewhere with the
| password entered. Etc., etc. It was obvious that actually having
| even one meaningfully secret conversation would actually require
| involved and somewhat ridiculous lifestyle changes.
|
| Having thought this through long ago, I have never understood why
| people behave as though a chat client or browser that they
| download from the open internet would be meaningfully secure.
| robertlagrant wrote:
| Exactly. I sleep outside because a meteorite would crush a
| house; therefore a house is useless.
| jonathansampson wrote:
| You can pretty easily check how private and secure a browser
| is; setting up a "man in the middle" to monitor its
| communication is something we do routinely at Brave (see
| https://brave.com/popular-browsers-first-run/), and what others
| have done as well (see
| https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf).
| pedro2 wrote:
| So closing your bathroom door isn't worth it because someone
| can ram it? :)
| moron4hire wrote:
| I live in a house with toddlers. This is absolutely true. I
| leave the door open so it doesn't bash into my leg when they
| come hammering on it.
| [deleted]
| yakubin wrote:
| What is "it" that would bash into your leg? The door? Are
| your toddlers strong enough to ram closed door with enough
| force for it to bash into your leg?
| mordymoop wrote:
| If I suspect there are invisible people who can make money
| off of pictures of me taking a dump and can phase through
| doors, then I indeed might not close the bathroom doors.
| These metaphors never work because encrypting your text
| messages is qualitatively different from quotidian intuitions
| about privacy.
| dmm wrote:
| Do you lock the doors on your house? Why bother? Someone could
| break a window?
|
| Security is about identifying and mitigating threat models.
|
| For example, if you're concerned with mass surveillance an
| encrypted messenger will stop that.
|
| Just because something doesn't protect against CIA 0days
| doesn't make it worthless.
| mordymoop wrote:
| A house is almost nothing like a computer along any dimension
| that the metaphor could possibly make sense.
|
| Besides, unless you've built your own encrypted messenger,
| you're still putting trust in several agents that you have no
| reason to trust.
| Havoc wrote:
| FF + uorigin + a dns blocker like pihole seems to be where it's
| at right now. Maybe EFF privacy badger on top
|
| Any better options out there? Been thinking of adding protonvpn
| tomxor wrote:
| FF now does DNS over HTTPS by default (Preferences > General >
| Network Settings), it defaults to using NextDNS and is
| configurable.
|
| Some people will be uncomfortable with this default, but it's a
| step up from consumer ISPs who _will_ track you, to a 3rd party
| who Mozilla says won't.
|
| I add Mullvad VPN (because WireGuard is frickin awesome), which
| also allows you to use their DNS servers, but for this you
| actually have to turn off FF's DNS over HTTPS to allow the
| WireGuard interface to pick up the DNS requests - they have a
| really good "leak" checker page while using their servers to
| check for various protocols https://mullvad.net/en/check/
|
| Yes yes I know, VPN doesn't unbreak the internet, but here we
| are.
| magikaram wrote:
| The other great thing is, in case you wanted to support
| Mozilla, the MozillaVPN is using Mullvad's service, and
| routinely provides great service. I will add though, if
| you're a huge privacy advocate, and don't want to supply your
| email or card details to Mozilla but want to use a VPN,
| Mullvad directly is still the best choice imo.
| fossislife wrote:
| I use Mozilla VPN, but the program (Ubuntu 20.04) 1+ times
| per day just closes and it does not have a network kill
| switch.
|
| So I have to continue to use Firefox's DoH to prevent my
| university from occasionally taking a peek at my traffic.
| Assuming they don't bother reversing IPs to domain names.
| tomxor wrote:
| You don't need a "network kill switch" with WireGuard,
| you might be using the openVPN option which mullvad also
| provide for compatibility. Because WireGuard is stateless
| you don't have to worry about stuff leaking through while
| physical layers go up and down, you can just leave the wg
| interface up and keep hopping around safely... I literally
| haven't taken my current wg connection down in days, yet
| my computer is put to sleep every night.
|
| If you use Linux you don't even need an app (not
| Firefox's or Mullvad's), you can just pop one of the
| WireGuard configs (mullvad.net can generate them for you)
| into /etc/wireguard and then use the super simple
| wg-quick cli interface to bring it up. You can also tell
| systemd to bring up a specific interface at startup with
| one line.
| Havoc wrote:
| >FF now does DNS over HTTPS by default
|
| Just checked & mine was off. Not that I mind since it's
| supposed to hit the local pihole anyway
| rozab wrote:
| I would add a VPN for sure. People always complain that it just
| shifts the trust to them instead of your ISP, but there's many
| VPN providers who I trust a hell of a lot more than any ISP.
| hiidrew wrote:
| I understand Eich has been controversial and Brave gets a lot of
| flak in return, regardless of issues like the ones raised in the
| article. Yet, I remain a fan of Brave because of Brave Rewards. I
| love being rewarded based on my usage, even if the amount is
| worthless and the ads are random crypto shit. The idea of a
| company actually spreading revenue based on my attention back to
| me makes me happy and I wouldn't mind if more ad-based services
| do this.
| schelling42 wrote:
| > even if the amount is worthless and the ads are random crypto
| shit.
|
| Maybe you are not valuing your own resources enough. Ads draw
| time, concentration and other mental resources. So I can only
| believe that it will be a net-negative in the end. It can
| _feel_ rewarding, but financially, the advertiser can't pay
| you enough.
| hiidrew wrote:
| That's true, the whole thing on my end is likely some
| fallacy.
|
| On another note, I've always thought the idea of constructing
| your own ad profile could be interesting. Like selecting the
| types of products and related content that you'd want to be
| pushed.
|
| From my understanding this is kind of the goal of social apps
| but it's obviously not self-directed. I guess it is in some
| capacity based on your behavior but it's not like you're
| intentionally clicking selecting you'd be interested and
| actually would maybe buy.
| songshuu wrote:
| The surest sign that Brave has made it is that 3 hours in, we
| aren't seeing a rush of rebuttals from Sampson, Clifton, or Eich
| in the comments.
|
| The article rehashes some FUDy and misleading comments which have
| been knocked down years ago.
|
| Brave's not perfect, but for different reasons than this author
| raises.
| jonathansampson wrote:
| Sorry for the late arrival; I provided a response (via 3
| comments) here: https://news.ycombinator.com/item?id=27552530.
| I'll try to be faster in the future
| jet_32951 wrote:
| I blocked every domain in the article on my firewall and then
| fired up Brave. None were requested. Not sure what to believe
| now.
| trts wrote:
| Slightly off topic, but it was a lot of fun to listen to Brendan
| Eich on Lex Fridman's podcast talk about Brave and the browser
| wars of the 90s and 00s. I've been using the Browser for several
| months without any of the rewards enabled and appreciate that it
| seems to quietly remove 95% of ads and does it effectively.
|
| https://lexfridman.com/brendan-eich/
| CodeGlitch wrote:
| Same here. I've also had Brendan Eich respond to one of my
| posts on HN - not something I'd expect from any other browser
| on the market. He understands techies because he is one. I wish
| Mozilla was headed by a techie and not a lawyer :(
| rchaud wrote:
| The thought of Firefox shilling crypto bux turns my stomach,
| so I'll have to disagree with you.
| CodeGlitch wrote:
| As others have said multiple times, you can turn off all
| that crypto stuff in brave and ignore it. They've found a
| unique way to fund the product, not at the mercy of Google
| which can only be a good thing right?
| meibo wrote:
| Reminder that there's a reason Brendan Eich doesn't work for
| Mozilla anymore, and it's not just layoffs due to dwindling
| userbases. Half of their board stepped down when he was about
| to be appointed.
|
| Decoupling software from the people behind it may be a good
| thing, but I don't want to support people that work against
| my interests.
| dblohm7 wrote:
| > Half of their board stepped down when he was about to be
| appointed.
|
| You mean the same board that appointed him?
|
| Yes, a number of board members stepped down around that
| time, but a couple of those were coincidental timing.
| trts wrote:
| This doesn't remind me of anything. Your comment is just
| innuendo.
| jonathansampson wrote:
| Breaking this response up into a few comments:
|
| "Their adblocker is just a fork of uBlock Origin..."
|
| Claims like this should be supplemented with links to our source
| code (see https://code.brave.com), if true. I'm not sure what
| gave the author this impression; Brave's built-in ad-blocking
| _does use public lists_ in addition to our own efforts, but that
| isn't the same as being a fork of uBlock Origin. That being
| said, uBO is a fine extension, and you should definitely be using
| it (if you're not using Brave).
|
| "They're whitelisting trackers from Facebook and Twitter, so they
| can use scripts in third parties' websites to track you across
| the web."
|
| This is also quite misleading. It stems from a claim made back in
| 2018 about our _now-retired_ "Muon" build of Brave. We had a file
| which listed third-party scripts which shouldn't be blocked (so
| as not to "break the Web"). Among these were particular Facebook
| and Twitter scripts, because Facebook and Twitter content is
| embedded all throughout the Web (think of embedded Tweets, posts,
| videos, etc.). As such, it's important to permit this content to
| load, but to prevent it from utilizing any persistent storage
| (e.g. cookies). Not only were these scripts prevented from
| accessing storage, Brave also modified or discarded the referrer
| header on these requests. This wasn't ever a case of "whitelisting
| trackers".
|
| "They're blatantly lying to their users. Anyone who knows a bit
| about how JavaScript..."
|
| Responding to a previous explanation for the "whitelist", the
| author emphatically claims the engineers at Brave don't
| understand how JavaScript works. If I'm not mistaken, the author
| is responding to Brendan Eich (Brave's CEO), who happens to also
| be *the creator of JavaScript*.
|
| "Another problem with their built-in adblocker is that it's
| better for extensions to be separated from the core of the
| browser, since they don't follow each other's update cycles. This
| means that you need to update the entire browser to fix a bug in
| the adblocker. Stupid, isn't it?"
|
| Agreed, which is why Brave's ad-blocking logic is broken out into
| a distinct component. You can see it enumerated on
| brave://components, and even request updates from that page as
| well. It would have been very unwise to require a full browser
| update just to deliver updates to ad-blocking rules, etc.
|
| > Note: By this point, it should be clear to the reader that the
| author is unqualified to conduct such a review. A cursory review
| of Brave's source (both in the archived 'Muon' repo and our
| active code.brave.com endpoint) would have answered many of their
| questions. A review of Brave's network activity, such as the one
| I conducted this year (see
| https://brave.com/popular-browsers-first-run/), would have
| addressed many claims to follow.
|
| "It's important to bring focus to the fact that Brave isn't more
| than Chromium with another skin and a built-in adblocker with
| reduced functionality."
|
| Wrong, again. Brave is a heavily patched version of Chromium,
| deviating in many ways (see
| https://github.com/brave/brave-browser/wiki/Deviations-from-...)
| from the base project. Again,
| this would have been quite clear to the author if they compared
| the network activity of Chrome and Brave (see
| https://brave.com/popular-browsers-first-run/).
|
| "Rewards is their shitty program that will replace ads displayed
| on websites with their own."
|
| Another easily-disproven claim, showing the author likely has
| never used Brave. Brave *does not replace ads on websites*.
| Brave's Ad system is opt-in, user-configurable, and displays ad
| notifications as _native system notifications_. These appear as
| prompts on your desktop or screen, outside of the browser itself.
|
| "...they're tracking you with Rewards..."
|
| Again, where is the network analysis or source code to
| substantiate this claim? The author doesn't provide anything,
| because it's simply not true. Brave Rewards is designed to
| preclude tracking. Rather than having user data flow out to
| remote servers (the way Google Ads and more work today), Brave
| Rewards keeps the user's data on their device, and routinely
| downloads a regional ad catalog. This inverts the traditional
| digital advertising model. I covered this system in a bit more
| detail recently in a 5-minute talk on the history of digital
| advertising, and how Brave is fixing the industry. You can watch
| that talk at https://www.youtube.com/watch?v=LsrrT502luI.
|
| Continued below...
| jonathansampson wrote:
| "...it's important to say that Rewards uses Uphold..."
|
| The author then takes a jab at KYC, the process of confirming
| your identity by providing ID and other information. No user of
| Brave Rewards is required to do this. Users are able to opt-in,
| participate, earn, and pass along rewards to content creators
| and publishers. If a user wishes to "cash out," however, they
| do have to verify their identity in compliance with relevant
| laws and regulations. But this is not handled by Brave; we do
| what we can to stay away from your data. Instead, Uphold (and
| soon Gemini) handles this process.
|
| "Contrary to popular belief, Rewards isn't opt in."
|
| The author here conflates calls to certain endpoints with
| program participation. They are correct that Brave would make
| calls at times to our own rewards server, but not because the
| user has been auto opted-in. Those calls would attempt to
| locate rewards for the current user, and they would respond
| with an error or an empty balance, since the user hasn't opted-
| in. We've been working on cleaning up these types of
| unnecessary calls; I think this one resulted when the user
| clicks on the Rewards panel. By default the panel would expand
| and ask the user if they would like to opt-in. If the user were
| already opted-in, the panel would expand and attempt to
| retrieve their balance. The buggy behavior here was the attempt
| to retrieve a balance in both states. If you ever spot an issue
| like this, please do let us know. But again, no ad notifications
| are shown, and no ad catalogs are downloaded until a user opts
| in.
|
| "...they fetch affiliates for Brave Rewards, with pings such as
| Grammarly, Softonic, Uphold, etc."
|
| Another basic mistake from this author. They're referring to
| custom headers. These don't ping anybody. We document the
| headers on GitHub (see
| https://github.com/brave/brave-browser/wiki/Custom-Headers),
| explaining there that these serve
| as a substitute for a custom user-agent string (which Brave
| lacks). These don't identify the user to anybody, make any
| back-door network calls, or anything. Again, the user is clearly not
| qualified to discuss these technical topics, and has done
| little (if any) homework on the matter.
|
| "They also make requests to various domains... There isn't a
| way to opt out from sending this requests."
|
| A few domains are shared, but these again aren't explored any
| more deeply. I covered these endpoints in my network analysis
| (see https://brave.com/popular-browsers-first-run/); many are
| also covered in the document detailing proxies (see
| https://github.com/brave/brave-browser/wiki/Deviations-from-...)
| we have set up with Google services to prevent users
| from making contact with Google. This is yet another example of
| where the user could have opened a Web Proxy Debugger like
| Fiddler or Charles and examined the network activity to
| understand what's going on.
|
| "Brave has built-in telemetry. ...a lot of people believe in
| their marketing and think that Brave is private out of the
| box."
|
| Telemetry and Privacy aren't necessarily at odds with one
| another; it depends on how your telemetry is implemented. We
| have detailed our approach in detail on our Blog (see
| https://brave.com/privacy-preserving-product-analytics-p3a/).
| We also document the _questions_ and possible _answers_ on
| GitHub at https://github.com/brave/brave-browser/wiki/P3A.
|
| "Suspicious behavior which installs 5 extensions"
|
| The author is, again, showing their lack of experience and
| effort in this area. Again, they could have found this
| information covered in our source code (see
| https://code.brave.com), in my network analysis (see
| https://brave.com/popular-browsers-first-run/), or even by
| inspecting the CRX files themselves in something like Rob Wu's
| CRX Viewer (see https://robwu.nl/crxviewer/).
|
| "There is a ton of criticism about Firefox's Pocket. But Brave
| has something similar, which is called Brave Today."
|
| Brave Today is available on the new tab page, but doesn't
| actually make any network calls unless you open it up. This was
| important to us, since we aim to keep Brave as clean and quiet
| as possible. From a new tab page, you have to scroll down to
| trigger network activity. But this deferring of requests isn't
| all we've done to make this system as private as possible.
| Brave also drops request headers, pads resource bytes, and
| more. The padding of resource bytes is really neat; no matter
| which image is being requested from the Brave CDN, its file-
| size is always the same (meaning no network-connected sleuth
| can infer your network activity by watching image file sizes).
| We talk about this system in greater detail on our blog. See
| Brave's Private Content Delivery Network (see
| https://brave.com/brave-private-cdn/).
|
| The author then takes aim at _Brave's "SafeBrowsing"_. Brave
| uses Google's SafeBrowsing service to protect users from
| harmful sites and more. Similar services are used by
| practically all major browsers today (many using SafeBrowsing).
| What matters most here, again, is _implementation_.
| SafeBrowsing has a LookUp API and an Update API. One of these
| sends data with each request to Google for their judgement. The
| other routinely downloads a database of potentially harmful
| URLs and performs the lookup locally, on the user's device.
| Brave takes the latter route. And the routine database updates
| are proxied through Brave's servers, meaning users aren't making
| any direct contact with Google. This was also covered in my
| network analysis (see
| https://brave.com/popular-browsers-first-run/) earlier this year.
| Compare and contrast with something
| like Opera to see how others perform similar lookups.
|
| Continued below...
| jonathansampson wrote:
| "It's a concerning issue for a "privacy" oriented browser to
| connect to Cloudflare's and Google's domains, since both of
| them are telemetry."
|
| The author here is referring to proxied URLs, which were
| already addressed. They claim these are "telemetry," which is
| absurd. Telemetry is about understanding how users and
| products intersect. To suggest Brave is doing any telemetry
| here, or assisting Google/Cloudflare with Telemetry, would
| require the author to provide something substantive. They
| don't, however, because they aren't technically qualified to
| conduct this type of review in the first place. Also, they
| note receiving a 404 when attempting to access these
| endpoints. This is because the user failed to note that these
| receive POST requests, rather than GET requests. The latter
| results in a 404.
|
| "Brave will check for updates every time you run it.
| ...Brave's dedication to privacy is truly amazing /s."
|
| Yes, and? Software that remains up-to-date typically remains
| safer and more secure. We're not about to have our 30+
| million users running outside, vulnerable, and brittle
| versions of Chromium which have known, published exploits in
| the wild.
|
| "Brave has been caught inserting affiliate codes..."
|
| Not much of a scandal here. Brave shipped an update which
| would offer users affiliate-versions of particular URLs. The
| goal here was to detect pre-search input (no network activity
| involved), and offer up an affiliate link if one was
| available. The user could then decide to visit a URL with or
| without traffic attribution. We blogged about this in "On
| Partner Referral Codes in Brave Suggested Sites (see
| https://brave.com/referral-codes-in-suggested-sites/)". As
| stated there, the intent was to offer referral options
| _during searches_. Our mistake was _also_ matching fully-
| qualified URLs. Once the issue was found, it was quickly
| resolved. It's important to note that traffic attribution is
| not necessarily malicious, anti-privacy, or a matter of
| security. The author has been suggesting users switch to
| Firefox; has the author conducted a search from Firefox? Is
| the author aware, as revealed in a network analysis (see
| https://brave.com/popular-browsers-first-run/), that
| keystrokes are asynchronously fed to Google, and that each
| request is marked with a Firefox identifier for traffic
| attribution?
|
| "Who the fuck implements Tor but doesn't change the DNS?"
|
| Ah, that issue. Again, the user hasn't done their homework.
| What they're referring to here was the recent bug with
| Brave's Tor context which would emit a DNS lookup,
| potentially exposing your traffic to your ISP. Let me be
| quite clear, that is bad. Really bad. Which is why we fixed
| it without hesitation. That said, was this an example of
| Brave not knowing how Tor works? Or how DNS works? Not at
| all, as the author seems to have left out some important
| context.
|
| Brave has supported Tor for _a long time_, and without any
| DNS lookup issue. So what caused this issue? It was actually
| Brave's effort to remain ahead of the industry in terms of
| security and privacy, believe it or not. In late 2020 we
| blogged about Fighting CNAME Trickery (see
| https://brave.com/privacy-updates-6/), and the growing trend
| of third-party trackers finding ways to plant themselves on
| first-party domains. To combat this, Brave added a DNS lookup
| to resolve first-party endpoints and evaluate the endpoint
| with our block lists and more. This gave Brave the unique
| ability to identify third-party trackers even when they
| masquerade as first-party requests. But, we failed to limit
| this feature only to standard browsing contexts. Having a
| feature like this makes you one of the most secure and
| private browsers on the market. Having it in a Tor context,
| however, means potentially leaking some network activity.
| This was not a case of Brave failing to understand how Tor or
| DNS works; this was a case of Brave taking the initiative to do
| something bold, and stumbling in the process. When you lead,
| everybody gets to see your mistakes.
|
| "Possible scam and theft?"
|
| Betteridge's law of headlines is an adage that states: "Any
| headline that ends in a question mark can be answered by the
| word _no_." One issue the user does bring up here (by link,
| not explicitly) are a set of changes made to Brave's UX/UI
| following feedback from content creators in 2018. We blogged
| about this in greater detail at
| https://brave.com/rewards-update/. In summary, our UI/UX was
| somewhat confusing. We
| made a few rapid changes, which resulted in a substantially
| much better system. This was, in my opinion, a stellar
| example of how crucial community feedback is to developing a
| solid product.
|
| "Hostility towards forks"
|
| More nonsense. Brave has no problem with forks; we do have a
| problem with those wishing to _copy and paste_ Brave under
| the name "Braver". That should be quite obviously a bad-
| faith gesture. The individual(s) behind this _proposed
| browser_ (there were at most 2 or 3 people) soon realized how
| much work goes into developing a browser, and the effort fell
| apart. But forks of Brave exist today; Dissenter (don't use
| this browser! (see
| https://twitter.com/BraveSampson/status/1350685642846572546))
| and PreSearch for iOS being a couple examples.
|
| In summary, if you want a technical review of Brave, don't
| get it from randos on the Internet. Look instead to competent
| engineers, such as the work done by Douglas Leith (see
| https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)
| and others at Trinity College in Dublin. Their abstract is as
| follows, "We measure the connections to backend servers made
| by six browsers: Google Chrome, Mozilla Firefox, Apple
| Safari, Brave Browser, Microsoft Edge and Yandex Browser,
| during normal web browsing. Our aim is to assess the privacy
| risks associated with this back-end data exchange. We find
| that the browsers split into three distinct groups from this
| privacy perspective. In the first (most private) group lies
| Brave, in the second Chrome, Firefox and Safari and in the
| third (least private) group lie Edge and Yandex."
|
| Fin.
| okdjnfweonfe wrote:
| Brave's development team's responses can be found at these
| locations, covering a post very similar to this one.
|
| https://old.reddit.com/r/privacytoolsIO/comments/nvz9tl/_/h1...
|
| https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h18...
|
| https://old.reddit.com/r/brave_browser/comments/nw7et2/_/h1f...
| auslegung wrote:
| I've been using Brave to watch YouTube videos in incognito mode
| ever since 1Blocker on Safari stopped blocking YouTube ads. This
| article brings up some good points, and I want to support Firefox
| more anyway, so I need to see how Firefox handles YouTube ads.
| CapricornNoble wrote:
| For the past month or so, Brave on Ubuntu has been failing to
| block YT ads, so now I've been stuck with 2 unskippable multi-
| minute ads before almost every vid. I've been hitting mute and
| switching tabs while I wait. The most egregiously annoying one
| was 6 minutes of ads on an 8-minute standup comedy clip.
|
| Brave on mobile still blocks all that crap so I've transitioned
| to listening to YT content on my cellphone, propped up on my
| desk, while I browse the Internet on my desktop.
| capableweb wrote:
| Same here. Made me switch back to Firefox full-time instead
| of trusting Brave of getting things right when they time and
| time stumble on things.
| kunagi7 wrote:
| You should try to install uBlock Origin. I've tried both
| Vivaldi's and Brave's adblockers but they're still ways
| behind what uBlock can do.
| FractalHQ wrote:
| Why not use one of the many chrome extensions that blocks
| YouTube ads?
| snapetom wrote:
| Have you double checked that the shields are still up for
| YouTube? I had the same thing happen to me a couple of weeks
| ago. Turned out my shields were down for YouTube for some
| reason.
| mrweasel wrote:
| You could pay for ad-free YouTube, if you dislike the ads so
| much.
|
| Many argue that "They'll pay to have ads removed", but that
| doesn't seem to hold true when services offers that exact
| option.
| orangepanda wrote:
| > Many seem to argue that "They'll pay to have ads
| removed", but that doesn't seem to hold true when services
| offers that exact option.
|
| I would pay for ad free Youtube, if it was an option. Even
| with Youtube Premium, included promotions continue to be
| shown
| robertlagrant wrote:
| Well yeah, they don't stop someone advertising a product
| in the main content. If they did, then James Bond movies
| would be a lot shorter.
| mrweasel wrote:
| The ad-blockers also don't block those, so I don't think
| that was the point.
| mrweasel wrote:
| That's interesting, maybe that's market/country
| dependent. I pay for Premium and haven't seen an ad or
| promotion since I signed up.
|
| That's really not okay when you actually pay to have no
| ads.
| tech-no-logical wrote:
| firefox itself doesn't 'handle' youtube ads, but ublock origin
| does.
| pineconewarrior wrote:
| uBlock Origin + Sponsorblock + Firefox will give you the best
| possible Youtube experience.
| switch007 wrote:
| What's a YouTube Ad? :-) long time Firefox + uBlock Origin user
| here.
| loloquwowndueo wrote:
| I use ublock origin on Firefox and it seems to properly block
| all YouTube ads. As with YouTube-dl it's probably a bit of an
| arms race, so if your tool of choice stops working maybe wait
| for the next update and they're likely to get it fixed / right.
| tgv wrote:
| I guess the number of users must be low. Otherwise, there's a
| near perfect solution for YouTube: create a stream that
| contains both the ads and the content and don't allow
| buffering ahead of time while the ads play. Sure, that's a fair
| task, but doable. When the costs of uBlock exceed the
| server+man power needed to implement that, they'll switch.
| rozab wrote:
| I get the impression that YouTube do not really put any
| effort into breaking youtube-dl, YouTube Vanced, etc. It
| seems that mostly when these break it's accidental.
|
| The last thing YouTube wants to do is alienate the technically
| literate minority who use adblocking, because these are the
| people who could establish an actual competitor. These
| folks still put money into the creator ecosystem anyway,
| through patreon and direct sponsorships, which funds
| creators to make more content. YT wins either way,
| honestly.
| athenas_owls wrote:
| uBlock Origin with Firefox seems to work really well for
| blocking video ads. For me it doesn't just block YouTube ads,
| it manages to block adverts from a couple other streaming sites
| I use too.
| h_anna_h wrote:
| >Brave has built-in telemetry. Brave will make a ton of requests
| to the domain p3a.brave.com as telemetry
|
| So does Firefox, yet this blog post suggests it as a replacement.
|
| >Brave isn't more than Chromium with another skin and a built-in
| adblocker with reduced functionality.
|
| As far as I know it includes additional functionality such as
| built-in support for tor and ipfs. (and while it might not be the
| best choice if you want privacy, it at least makes onion sites
| accessible for normal people)
|
| >This means that you need to update the entire browser to fix a
| bug in the adblocker
|
| Just like for bugs in the firefox tracking protection and the dev
| tools in most browsers? It is like they are trying to include as
| much nitpicking as possible.
|
| >However, it seems to have a contrary effect, since it sends
| requests to fetch the information required
|
| Just like firefox.
|
| >Brave uses Google's gstatic, which is btw using Cloudflare.
|
| Firefox uses Google analytics in about:addons.
|
| >Hostility towards forks
|
| _looks at iceweasel_
|
| >The only browser that does not use Google's web engine (blink)
| is Firefox
|
| I would include Safari, at least from the popular ones.
|
| (disclaimer: I am a Firefox user)
| jonathansampson wrote:
| Brave's telemetry is private by design; you can read about it
| at https://brave.com/p3a. You're absolutely right about
| Firefox's telemetry though, which is often served up from
| another process after Firefox is closed. This was covered in
| more detail on my post regarding network activity of popular
| browsers at https://brave.com/popular-browsers-first-run/.
|
| You picked apart the author's narrative pretty nicely here. I
| provided 3 comments (quite long ones) as well with more detail:
| https://news.ycombinator.com/item?id=27552530.
| snyderp wrote:
| I work at Brave as "Senior Privacy Researcher and Director of
| Privacy". I responded to many of these same accusations when they
| were made Friday, that time on Reddit.
|
| https://www.reddit.com/r/privacytoolsIO/comments/nvz9tl/brav...
| 0dayz wrote:
| I would never use brave personally, however given the fact this
| post is essentially just a copy pasta of typical /g/ arguments.
|
| Everyone should take the post with a mountain full of salt (just
| look at their post about systemd).
| timvisee wrote:
| Another shady practice: you could donate to any website, but
| Brave itself received the amount if not claimed by the website
| creator. Users did not know.
| (https://davidgerard.co.uk/blockchain/2019/01/13/brave-web-br...,
| https://redd.it/a8g1i9)
|
| Don't use Brave. Tell others not to use it.
| matheusmoreira wrote:
| Brave can't send BAT to a site that doesn't accept BAT. For
| example, HN doesn't. When I click on the BAT icon, the first
| thing I see is a message saying the tokens will remain in my
| wallet until the site accepts my tip.
| judge2020 wrote:
| This is now how it used to work - which is why the OP uses
| "could" instead of "can" - see the linked article.
| jonathansampson wrote:
| The way it "used to work" was that Brave gave users BAT for
| using the Browser and Brave Payments (now Brave Rewards).
| The user could then visit a site/channel, and Brave would
| communicate if the property was verified or not (e.g. a
| verified property had a check-mark, and an unverified
| property did not). If you tipped a verified property, the
| BAT (as gift from Brave) would go to the creator's
| associated wallet. If the property was not verified, the
| BAT would go into a settlement wallet, awaiting the
| creator's registration. Again, this was Brave's BAT
| effectively being earmarked for a creator who had not yet
| verified. The feedback at the time from the community was
| that the UI/UX was confusing; indeed it was. We quickly
| modified the model, and today it is substantially better as
| a result. Unverified properties are now as explicitly
| identified as verified ones, and tips to the former are
| held on-device for up to 90 days.
| ahofmann wrote:
| Just because something is not perfect, it should not be
| condemned. I don't understand why alternatives are often held
| to much higher standards than the established service.
| Barrin92 wrote:
| aren't the alternatives in this case held to a _lower_
| standard? Like the kind of shady behavior you see from these
| alternatives, often in some way tied into crypto stuff, you
| don't even see from Google or Microsoft, let alone from
| someone like Mozilla
|
| Brave runs on the exact same ad model as Chrome, they just
| inserted themselves as the middle man. There's no actual
| value provided here and it's basically just "big corporate
| bad" marketing
| jonathansampson wrote:
| "Brave runs on the exact same ad model as Chrome..."
|
| You couldn't be more mistaken here. I covered the history
| of digital advertising and the introduction of Brave's
| model here: https://www.youtube.com/watch?v=LsrrT502luI.
|
| In short, Brave's model is largely the inversion of
| Google's model. With Brave, users must opt-in. Google
| doesn't ask you to opt-in. With Brave, user data remains on
| device. Google requires the remote collection of your data,
| as well as the broadcasting of it to third-parties. With
| Brave, users decide when and how many ads they will be
| shown. Google shows you as many as they can get away with.
| With Brave, users collect 70% of the revenue for their
| participation. Google gives you nothing, but takes quite a
| bit. With Brave, Brave Software learns nothing about you,
| your interests, or your browsing history. Google learns
| quite a bit about you, harvesting as much data as they can
| get away with, and using it across contexts and domains.
| Barrin92 wrote:
| I did test out Brave a while ago and the reward system
| was on by default. I had to go to the settings to turn it
| off, and in fact this option did not sync. So whenever I
| installed it on a new device I had to turn it off again,
| and I suspect that's deliberate. I also don't think that
| Google shares my information with third parties, pretty
| sure they say explicitly they don't do that.
|
| And as to Brave's model of pooling users and preserving
| anonymity, isn't this exactly what Google's FLoC is? As
| far as I'm aware the dreaded third party cookies seem to
| be on their way out. I'll give Brave props for being a
| frontrunner on this, but that's not an inversion of
| Google's model, this appears to be exactly where everyone
| is going.
| chrisco255 wrote:
| That's not true. If the website or user does not claim the
| rewards within 3 months it goes back to the user.
| jonathansampson wrote:
| Correct. Tips and contributions to unverified properties
| remain [on the user's device] for up to 90 days. The browser
| will make routine attempts to send the tip through; if it
| fails to do so after 90 days those rewards are unlocked and
| can be given to another creator.
| rideontime wrote:
| Lots of people are pointing out that this isn't the case
| _anymore_, but the fact is that it used to work this way, and
| they only changed it after backlash. That was enough to turn me
| off of Brave forever.
| fastball wrote:
| Yeah, I too dislike it when companies respond positively in
| response to criticism.
|
| I prefer the orgs I interact with to be perfect and never
| make mistakes and when they do (but they don't because I only
| interact with perfect institutions) I prefer them to double-
| down instead of improve.
| CharlesW wrote:
| The point is that Brave can't be trusted by default. It's
| nice that they roll back dark patterns when they're caught
| by people like Tom Scott, I guess?
| fastball wrote:
| I think there is a difference between an imperfect
| implementation of something that has never been done
| before (especially when your competition is an adtech
| giant oligopoly) and "dark patterns".
|
| Worth pointing out that part of the reason it was hard to
| just refund people who donated to non-verified creators
| was Brave actually caring about privacy, so the donations
| in question were completely anonymous.
|
| So when it was pointed out that it's still a problem,
| they came up with a solution that I think strikes a good
| balance.
| CharlesW wrote:
| > _So when it was pointed out that it's still a problem,
| they came up with a solution that I think strikes a good
| balance._
|
| Fair enough.
|
| To me, it couldn't have been more obvious that collecting
| "money" in creators' names and also misrepresenting that
| was Bad(tm). I'll try to be gracious and chalk this up to
| "lack of common sense" instead of "part of the evil
| plan".
| fastball wrote:
| Actually I'm less charitable than "lack of common sense"
| and chalk it up to hubris - I think what happened is that
| they couldn't really imagine why someone _wouldn't_ want
| to accept donations from their viewers/consumers,
| regardless of source, and so just defaulted to collecting
| for everyone assuming everyone would love to hop on board
| the BAT train. This of course turned out not to be the
| case for various reasons and yes is pretty obvious in
| hindsight.
|
| But I'm still willing to forgive if I think the course-
| correction is adequate, which in this case it was.
| jonathansampson wrote:
| The BAT that was moving around at that time was from
| Brave. We allocated hundreds of millions of tokens back
| in 2017 to a User Growth Pool. We distributed tokens to
| users of the Brave Browser, and allowed them to send
| those tokens off to their favorite content creators. This
| is similar to how PayPal lets you email money to anybody,
| even if they aren't signed up on PayPal. Our thought here
| was that users could effectively earmark the BAT they
| received from us, and that creators could sign up and
| claim those tokens.
|
| We identified verified creators as such, but didn't make
| the non-verified state as explicit. We largely followed a
| similar pattern to that of Twitter (checkmark for those
| who are verified, and nothing for those who aren't).
|
| When you visited a YouTube channel, website, etc., we
| would show you the name and favicon for that resource in
| the tipping UI. In the case of some YouTube channels, the
| page name was just the YouTuber's name, and their favicon
| was a picture of their face.
|
| The changes that Tom Scott and others suggested back in
| 2018 were ground-breaking. They helped us realize some
| naive decisions in the UI/UX of the tipping process and
| more. We moved quickly to implement those changes
| (https://brave.com/rewards-update), and the entire system
| is now substantially better as a result. But there was
| never any ill-motive involved. We had BAT, and we wanted
| users to give it to their favorite creators. Tom Scott
| approved of the changes at the time, which was a nice way
| to wrap things up
| rideontime wrote:
| When somebody shows you who they are, believe them.
| monetus wrote:
| Your hyperbole seems to be purposefully taking the parent
| post in bad faith.
|
| He is expressing skepticism towards their original
| intentions and you like how they responded. No need to talk
| past each other.
| fastball wrote:
| I don't agree. GC cannot speak to their intentions, so at
| the end of the day this is just holding them to a
| standard that it is unreasonable to ever hold any
| institution to. Humans make mistakes and organizations
| are comprised of humans. What matters is how they address
| such mistakes, which I've only seen positive improvement
| from Brave.
| drusepth wrote:
| Yeah; from what I can tell, Brave's history is basically a
| long list of:
|
| 1. Do something shady and/or incompetent to make money
|
| 2. Ignore an internet backlash calling them out for it
|
| 3. "Fix" said shady thing
|
| 4. From then on out, aggressively deny doing that thing
| everywhere it's mentioned, without acknowledging that it used
| to be the case
|
| Brave seems like an adequate browser for some niche use cases
| and probably has some cool tech. I do not trust the company
| or people behind it to have my best intentions in mind.
|
| It definitely feels like they like to constantly push
| boundaries, and not in a good way.
| LMYahooTFY wrote:
| Relevant part;
|
| >What happens if you send a tip to an unverified creator?
|
| I click "tip" for my YouTube channel, and the screen below
| comes up. The "Learn more" link goes to the Brave FAQ, which
| says that no funds leave the browser until the creator verifies
| -- but admits that previous versions of Brave worked
| differently, and sent the tokens to Brave in the hope that the
| creator would sign up at some point.
|
| It would seem this is possibly no longer the case, I'd love an
| update on it.
| bogwog wrote:
| Did any lawsuits come out of this? That seems like actual
| fraud, and Eich or others in the company should be in prison.
| celsoazevedo wrote:
| The money goes back to the wallet that sent it after a period
| of time if no one claims it.
| jonathansampson wrote:
| The claim that Brave was collecting money on behalf of others
| is quite misleading. See my response here:
| https://news.ycombinator.com/item?id=27553383.
| JackPoach wrote:
| I see a lot of their ads on Youtube. They are really off-putting.
| [deleted]
| 404mm wrote:
| Can somebody please shed some light as to what the reference to
| Apple meant? I'd like to know more..
| angulardragon03 wrote:
| Agreed, that really felt like a quite big "citation needed"
| moment for me when I started reading.
| pityJuke wrote:
| In addition to some of the other oddities with the article (i.e.
| the absolutely wrong claim about Brave's ad blocker), I think the
| security between Chromium and Firefox is a bit too simplistic?
| This piece [1] might go too far in the other direction, but at
| the very least it outlines why there are deficiencies in Firefox,
| comparatively.
|
| [1]: https://madaidans-insecurities.github.io/firefox-chromium.ht...
| yborg wrote:
| The one thing the OP article doesn't actually do is claim that
| Firefox is more SECURE than Chrome/Brave, the arguments (mostly
| bad) are that it is more private. And that pretty much goes
| without saying for Chrome, since its entire raison d'etre is to
| strip privacy from its users for Google. It's unfortunate that
| on platforms outside macOS you have to choose between risking
| your privacy being invaded or your device being invaded.
|
| The reality in any case is that in every pwn contest every
| year, all the major browsers are exploited, usually with full
| sandbox escapes; Chrome has better security implementation but
| a huge install base that makes effort to crack it worthwhile,
| while Firefox is easier but has trivial market share.
| kunagi7 wrote:
| This article is really complete and straight to the point.
|
| I really like that madaidan keeps it updated.
| pedro2 wrote:
| Fear mongering.
|
| A competitor maybe? Someone with an agenda against Eich because
| of the donation debacle?
|
| Privacy-wise, either Firefox or Brave are better than Chrome.
|
| Ads are annoying but they do fund the net.
| annoyingnoob wrote:
| Disagree. Brave's approach to funding is at odds with privacy.
| The concept of warming up to ads to get paid is capitulating to
| the advertising industry.
|
| While I did not appreciate the tone of the article, there are
| some valid points there. Brave may be better than Chrome but
| there are still better options. It might be better to get a
| common cold virus than it is to get covid-19, but I'd still
| rather not get any virus. Sites that don't work right when you
| block all of the tracking lose me, I won't capitulate.
| jonathansampson wrote:
| "Brave's approach to funding is at odds with privacy."
|
| Elaborate, please. Brave's ad model is built for privacy and
| security. Users must first opt-in. Your data remains on your
| device. Ad catalogs are downloaded and reviewed locally. You
| are rewarded when you see an ad notification. I repeat,
| rewards are granted when your attention has been spent; no
| clicks necessary. I discussed the model further in this
| recent 5-minute video: https://youtu.be/LsrrT502luI
| annoyingnoob wrote:
| Brave is its own ad network and offers targeting to over
| 200 IAB categories. I don't agree that profiling my
| demographics and offering them up for sale is protecting my
| privacy, even if that does not include PII.
|
| If I want to skip out on Brave Ads then I don't really need
| the Brave browser.
| [deleted]
| nextlevelwizard wrote:
| If you've visited /g/ lately you know how much Brave is pumping
| threads that are basically just ads for Brave. I wouldn't
| immediately jump to competitor conclusion (and even if they were,
| they have good points). To me Brave's model has always been bat
| shit insane.
|
| >Ads are annoying but they do fund the net.
|
| This is a complete
| lie. If your website can not survive without ads then it
| shouldn't exist. Running a website takes almost no capital.
| Only people who are afraid about ad industry being destroyed
| (except of course the people running the industry) are shitty
| blogs and useless news sites, because the truth is their
| content is so sub par that no one in their right minds would
| pay anything for it, but at least they can scam people into
| being sold onwards to advertisers.
|
| Everyone should be running uBlock Origin. Everyone should be
| running ad blocking DNS. Websites that don't allow adblocks
| aren't worth visiting in the first place.
| truth_ wrote:
| I found a list [0] on HN awhile ago of "free, open source and
| privacy respecting services and alternatives to privative
| services".
|
| I have been using many of the items before I came across the
| list, and started using some after going through it.
|
| Many items on the list are viable and practical alternatives to
| proprietary products commonly used.
|
| [0]: https://github.com/pluja/awesome-privacy
| llacb47 wrote:
| This made some decent points but relied too much on FUD.
| jonathansampson wrote:
| What decent points were made? The author is clearly not
| technical (or not to the degree needed to conduct such a
| review). Contrast it with an actual competent review of Brave
| and other browsers, such as
| https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf.
| llacb47 wrote:
| You're right. Most of the points I called decent are old
| stuff that has been addressed multiple times.
| debacle wrote:
| Firefox user here. I've looked into Brave, but decided I didn't
| really want it.
|
| This article is incredibly slanted. It takes every single
| possible fact it can and spins it into "Brave Bad."
|
| Something like this:
|
| > Brave is just another Chromium skin. So at the end, when using
| Brave or any other Chromium based browser, you're giving
| marketshare to Google and supporting their evil web empire.
|
| Is simply not true. Every browser that isn't Chrome, every search
| page that isn't google.com, sends a message to not just Google
| but other competitors in the space that users want change.
|
| In addition, in an ideal world Chromium would be able to build
| enough momentum through community support (or support from MS or
| others) to provide a healthy fork, free from Google's clutches.
|
| I agree that Firefox is better - it is my personal web browser of
| choice - but that doesn't mean that Brave is bad software, or
| that the people behind it are evil, and anything that tamps down
| Google's monopoly is good in my mind.
| AzzieElbab wrote:
| the biggest deal is hardcoded whitelist imho. rest of the
| article is just raw emotions
| celsoazevedo wrote:
| You can't fully block certain services without breaking
| pages. Block Facebook and you break hotlinked images and
| comments on some sites. Block Twitter and embedded tweets
| break. Some people use these services to login too. And so
| on.
|
| I assume most users here understand this and would be able to
| fix the page, but the average user doesn't know how to do
| that. But then more advanced users should use uBlock Origin
| too, which lets you block Facebook, Twitter, Disqus, etc,
| too, so I don't think it's a major issue for us.
| AzzieElbab wrote:
| I understand this as well, but I would very much prefer if
| I could flip block/unblock on those cookies at will
| 1_player wrote:
| Brave the company has made some egregious missteps, but the
| problem with Brave is that there is so much FUD around it it's
| incredible. People keep repeating the same bullcrap which has
| been debunked hundreds of times, and Brave gets reviled much
| more than it deserves. Every time a Brave article is posted on
| HN the first 5 top comments are the same trite, wrong
| arguments, whose first reply is usually someone clarifying and
| correcting OP.
|
| There's a long road ahead to cleaning up the Brave name, if
| it's at all possible in the first place.
| korse wrote:
| Does anyone here use Opera or have thoughts on it?
| mrlatinos wrote:
| The author is full of shit.
| Snd_ wrote:
| I switched from Brave to Bromite on Android.
| [deleted]
| fastball wrote:
| A rebuttal of the points in the article, as most of it is arguing
| in bad faith:
|
| > Brave's adblocker is uBlock origin
|
| It's not[1].
|
| > Brave Today can't be disabled
|
| Currently called "Brave News" if you're looking for it. And of
| course it actually can be disabled[2].
|
| > Rewards is used to track you
|
| A request being made to a URL does not mean you are being
| "tracked". Brave ads are the most privacy-preserving ad
| architecture[3] I know about, and they are the _only_ people
| trying to make a better funding model for the web that still has
| a lot of the upsides of ad-driven content (mainly that it is not
| a regressive funding model). FF is _worse_ in this regard because
| Mozilla gets most of their revenue from adtech giants that
| clearly don't give a flying fuck about your privacy. If you
| think Mozilla's funding model isn't a conflict of interest and
| makes the web more privacy-conscious, I have a bridge to sell
| you.
|
| > Telemetry automatically violates your privacy
|
| Not really? Of course, someone _very_ concerned with privacy
| should opt out of telemetry, and Brave lets you do that.
|
| > Auto-updates violate privacy
|
| How so? As I point out later, the most likely result of auto-
| updates is that they help _preserve_ your privacy by getting bugs
| patched faster.
|
| > Affiliate codes
|
| Yes, Brave had pre-programmed history items that were affiliate
| links to a crypto exchange. This harmed nobody in any way and the
| backlash was over-the-top. But they disabled it in response to user
| feedback. I kinda liked this idea, as it is _another_ way Brave
| was trying to fund themselves without being beholden to the
| Googlopoly which is an endeavor I very much support (with the
| caveat that it can't hurt users, which again this did not).
|
| > Uphold doesn't care about your privacy
|
| Uphold is a financial institution based in the US (as Brave is)
| which by necessity needs to comply with KYC/AML regulations. That
| means they need to collect your personal info. Take it up with
| the US government if you're unhappy.
|
| > Tor tabs leaking DNS
|
| Was fixed fairly quickly[4] and I think worth pointing out that
| no other browser even bothers trying to do something like this
| (integrating Tor for better privacy). Conveniently left out of
| the part where the author made the claim that "Brave isn't better
| for privacy than FF because it's just uBlock origin". Clearly
| brave is trying things that are not just adblocking to increase
| user privacy.
|
| In general with this point, kinda funny that apparently the
| author of this article wants Brave to be the only software
| engineering org in existence that never has bugs. I guess if
| that's your stance though it makes sense that you wouldn't want
| auto-updates. For everyone else that lives in reality, auto-
| updates are a good thing for security (and therefore privacy, as
| made clear here when a privacy-related bug inevitably happens).
|
| > Chromium and Google's monopoly
|
| Yeahhhhh, using FF isn't the silver bullet you think it is, as
| again, Mozilla gets the vast majority of their revenue from being
| paid by Google. What happens if that dries up? Seems unlikely
| that maintaining Blink without Mozilla will be easier than Brave
| maintaining a privacy-centric fork of Chromium (which will
| presumably continue to get not-privacy-related upstream
| improvements from Google/Microsoft/etc in perpetuity).
|
| > brave-core-ext.s3.brave.com fetches 5 extensions and installs
| them. It is said that this might be a backdoor. But I don't want
| to get conspiracist. I prefer giving you verifiable facts. I'll
| limit myself to inform you about suspicious activities.
|
| This is worse than all the Bitcoin maximalists / shitcoin pump-
| and-dumpers with their "this is not financial advice" shtick. We
| know what you're doing, it's pretty transparent. Especially when
| you do it twice:
|
| > They were also accused of theft with BAT but this isn't
| verifiable so I'll only link the source for you.
|
| In summary, I disagree with basically all of this article,
| significant parts of which are just factually wrong.
|
| [1] https://github.com/brave/adblock-rust
|
| [2] https://support.brave.com/hc/en-us/articles/360056341952-How...
|
| [3] https://brave.com/intro-to-brave-ads/
|
| [4] https://github.com/brave/brave-browser/issues/13527
| jonathansampson wrote:
| Brilliant and succinct response. I provided 3 long responses
| here as well: https://news.ycombinator.com/item?id=27552530.
| One thing to point out regarding the Tor issue too is that this
| bug only happened because Brave is _leading_ the industry in
| decloaking third-party ads and trackers masquerading as first-
| party resources (see https://brave.com/privacy-updates-6/ for
| more). This is what happens when you lead; others get to see
| you stumble from time to time.
| [deleted]
| eterevsky wrote:
| For me the best feature of Brave is the ability to reward the
| content publishers without watching their ads, basically YouTube
| Premium for web. I just wish more publishers would opt into this
| program.
| jonathansampson wrote:
| If anybody is looking for more information, check out
| https://creators.brave.com
| NelsonMinar wrote:
| Brave's business model is replacing the ads on websites with
| their own ads. Then there was that one time they started
| inserting their own affiliate codes into web pages. No surprise
| they replace the trackers on websites with their own tracking,
| too. At least their ethics are consistent.
| jonathansampson wrote:
| "Brave's business model is replacing the ads on websites with
| their own ads."
|
| Incorrect. Isn't true now, and has never been true in the past.
|
| "Then there was that one time they started inserting their own
| affiliate codes into web pages."
|
| Also false. Not true now, and was never true in the past.
|
| "No surprise they replace the trackers on websites with their
| own tracking, too."
|
| Still false. You're 0 for 3. Please consider downloading Brave
| and actually trying it for a day. It seems you have been quite
| misled on this topic.
|
| See a more detailed response here:
| https://news.ycombinator.com/item?id=27552530
| mark_l_watson wrote:
| After some consideration, I decided to not use Brave.
|
| Maybe I am looking at the privacy policy too simply, but why not
| prefer to use private browsing tabs? With auto fill password
| support, it is really not inconvenient.
|
| I am now, with no actions on my part except running the betas for
| the new iOS, iPadOS, and macOS, using Apple's new Tor-like
| system. I have no comment on this yet.
| Moodles wrote:
| I appreciate articles that look into topics in some depth that
| I'm curious about. But I really dislike the author's strident
| writing style. Now, if there's a single exaggeration or untruth
| from the author, it'll throw the rest of the article in doubt for
| me. I think it would be better if it was a bit more
| dispassionate.
|
| Another thing I've noticed in security (and I actually work in
| this field) is that if a project makes some progress but doesn't
| address all the things (e.g. Signal end-to-end encryption for the
| masses but it uses a phone number or isn't federalized), people
| criticise so strongly. It's like, ok, but give some (actually a
| lot) of credit because it's literally the best option right now?
| fastball wrote:
| Most of the article is in fact factually incorrect.
|
| The main thesis is that: Brave's adblocker is just uBlock
| Origin and so it's better to just use uBlock Origin on FF.
|
| But Brave's adblocker _is not_ just uBlock Origin so the entire
| article falls apart.
|
| Everything else is just trying to misrepresent everything in
| the worst possible light.
|
| > It is said that this might be a backdoor. But I don't want to
| get conspiracist. I prefer giving you verifiable facts. I'll
| limit myself to inform you about suspicious activities.
|
| Righttt... we're not children, we all know what you're trying
| to do here.
| rchaud wrote:
| On mobile, it's not as easy to say "use FF Android". Desktop
| FF is fine, and it's what I use, but on mobile FF is not as
| fast as Chromium based browsers. Text-heavy content is fine
| everywhere, but for sites that are more interactive, Chromium
| based browsers usually deliver less choppy performance.
| esrh wrote:
| The entire blog reads like a conspiracy theory 4chan /g/ fever
| dream
| quotemstr wrote:
| > But I really dislike the author's strident writing style.
|
| Colorful and emotional language gets attention. Dispassionate
| writing doesn't. Whenever I see people criticize an author for
| a little rhetorical flair, I play the famous "Pirates of the
| Caribbean" scene in my mind:
|
| Hacker News: "Your article is the most strident and obnoxious
| piece of technical writing I've ever heard of"
|
| Author: "Ah, but you _have_ heard of it!"
| Moodles wrote:
| Yeah clickbait sells, but I'm saying if there's a single
| error, combined with the emotional tone, I'm more likely to
| discount the whole article and think they're just extremely
| biased and blinded by their emotions.
| snet0 wrote:
| I think this is a popular narrative, but I don't think it's
| true. Especially in HN, some of the best articles I can
| remember aren't angry people being obnoxious, but can even be
| highly-technical and entirely dispassionate.
|
| Also, I am not sure people _do_ remember these types of
| articles. Perhaps they remember some notion of the content,
| but I'm doubtful many detractors would remember the author.
| rchaud wrote:
| It's a personal website, not a corporate blog. Why does it have
| to be dispassionate? The tone is strident, but there are no
| personal attacks or abusive language used.
| Moodles wrote:
| Huh? I'm not saying there should be a law. I'm just saying I
| think it would be more effective and persuasive if it was
| more dispassionate. It's my personal opinion.
| rchaud wrote:
| OK, thanks for the clarification. I misunderstood your
| earlier comment.
| iou wrote:
| Is the saying "storm in a teacup" or "tempest in a teapot" or
| something like that?
|
| Anyway, I don't really find any of this that egregious tbh.
|
| Personally, I'm layering with nextdns to drop all the crap, and
| vpn over that, maybe solely depending on any one solution is the
| failure?
|
| Also the "use Firefox" would be awesome if we could rely on
| Mozilla! I have always wanted them to succeed but recently
| they've been stumbling so hard and it doesn't look so promising.
| throwitaway1235 wrote:
| Once it became obvious through Firefox blog posts that they
| support censorship and oppose free speech, I made the switch to
| Brave.
| omginternets wrote:
| I like Brave, though I'm open to switching if there's a better
| alternative. Here's what I like about it:
|
| 1. Compatibility with Google Chrome Extensions. This is _sine qua
| non_ (though I'd settle for compatibility with FF extensions).
|
| 2. Ad-blocking and reasonable-effort script blocking by default.
|
| 3. No apparent performance issues for my usage (YouTube, clicking
| links on HN, GitHub).
|
| 4. Integration with Tor, IPFS. Not a deal-breaker, but I do like
| it.
| schelling42 wrote:
| Popularizing IPFS and Tor to bigger user bases is likely the
| single best thing that brave does.
| gota wrote:
| I use Brave and I have the exact same list of likes, and in
| same order of priority - if that is what you meant.
| gjsman-1000 wrote:
| I find Brave Rewards very egregious. You get lots of BAT and the
| marketing copy hypes it up immensely without mentioning,
| anywhere, that you need to provide your SSN and Driver's License
| to a third-party (Uphold) if you actually, you know, want to cash
| out.
|
| This seems particularly irritating because, let's say you set
| your browser to show you the max amount of ads for a while. You
| saved up for a few months, decided you had enough, tried to cash
| out only to discover that slap in your face that they never
| mentioned. Of course this benefits them, but the fact that the
| browser puts you in the situation of giving up your privacy to
| receive money is ridiculous for a "privacy" browser.
| fastball wrote:
| How does KYC benefit them? Seems like (if legally allowed) they
| would want to reduce the friction as much as possible.
| toolz wrote:
| To add to this, Brave appears to force you to use Uphold in
| order to "verify" your wallet. So this is absolutely Brave
| hiding your coins from you until you dox yourself with a third-
| party.
|
| It's entirely possible to trade bat for many other coins on
| exchanges without KYC, but Brave forces you to be unable to do
| that (regardless of your local laws it seems?)
|
| This is something Brave could easily fix by just exposing an
| API to allow you to do what you want with your BAT instead of
| forcing you to use a third party KYC service.
| gjsman-1000 wrote:
| This is true. When you "receive" BAT in your browser, your
| browser is not a wallet. You can't send it to any address of
| your choice, or move it to an exchange that doesn't require
| KYC like Uniswap. The only place you can send that BAT you
| "received" is "verified creators" in the Brave ecosystem.
| It's much more like an IOU BAT than real BAT.
|
| If you want to get real BAT that you could send to any
| address, send to Uniswap, or cash out, you must create an
| account on Uphold and complete full KYC before you can
| withdraw. That's when, invisibly, the IOU BAT becomes
| functional, cryptocurrency-like BAT.
|
| It's like there are 2 BATs in reality despite the marketing.
| FakeBAT and RealBAT. FakeBAT only works within Brave's
| approved creators and is what you receive in your browser,
| and you can convert it to RealBAT which is on Ethereum and
| ERC20 compliant but only if you do KYC.
| gjsman-1000 wrote:
| An addendum to my statement above: This also means,
| implicitly, BAT is not a private token. All BAT ultimately
| comes from people who completed KYC. This means that
| ultimately, if the government wanted to hunt down where
| someone's BAT came from, it's really easy when you've KYC'd
| the entire ecosystem.
|
| And, you might be OK with that for what it is, and might
| not want money laundering. Fine, but don't advertise it to
| me as an extension of a _privacy browser_. This is perhaps
| the _least private_ cryptocurrency ever outside of USDC.
| andai wrote:
| Isn't this for legal reasons? I'm pretty sure my crypto
| exchange couldn't give less of a crap about my ID but due
| to anti-money laundering laws every exchange I've used has
| had to ask me for it.
| jonathansampson wrote:
| This is the law; it's not Brave's design. Our design enables
| you to opt-in, earn, and give to content creators without
| having to provide any information. The law, however, requires
| and compels Brave to add KYC into the mix when you wish to
| self-fund or cash out. Anti-money laundering is not something
| we can or would circumvent.
| minsc__and__boo wrote:
| Seems like a pretty important piece of information to share
| with potential users up front though, for something marketing
| itself with a privacy focus.
| [deleted]
| bhearsum2 wrote:
| You could still tell the user of this during onboarding, or before
| they start seeing any BAT ads.
| mikro2nd wrote:
| So... I dunno... Just _ignore_ the whole BAT/Rewards nonsense?
| I use none of that shit, though I do use Brave for a (very) few
| things that require a Chrome-like browser (i.e. Won't work in
| Firefox with my battery of plugins). I don't regard it
| primarily as a high-privacy tool (FF is better at that, though
| far from perfect) but it's better than using Chrome on non-Goog
| sites.
|
| Ah, the world has become a strange place. I currently use no
| less than 5 different browsers for different contexts, but
| mainly Chrome for Goog properties on the seldom occasion I have
| to go there, FF for almost everything else. Then the corner
| cases...
| smaryjerry wrote:
| Isn't this only an issue if you actually want to cash out
| your $2 or whatever? The bigger benefit of Brave is that you
| can contribute money to websites or content creators that
| you prefer. This is like the "old" internet where ads didn't
| care what content they were shown next to, giving much more
| freedom of expression on the net. Say YouTube thought your
| video joking about COVID meant they thought you deserved to
| demonetize your whole channel, well, now Brave donations
| still allow you to make some sort of ad profit. That
| actually adds up for people from pennies from millions of
| people together. Cashing out for a few dollars a year is not
| really the intent of the system.
| imiric wrote:
| It's a shame how Brave Inc. has fumbled the execution of this
| concept. It's a great idea in principle: users earn currency
| for their attention (watching ads) _or_ by outright purchasing
| it and avoiding ads, they get to choose which services they
| want to support and with how much, publishers get paid without
| slimy advertisers and GDPR headaches, while still keeping
| advertising in the loop but in a much more indirect and
| controllable way. It's brilliant. It would eventually allow
| getting rid of advertisers from the loop entirely with novel
| ways of earning currency.
|
| Of course this is a pipe dream with the modern ad-powered web.
| Why would tech giants have a desire to make changes that would
| affect their main revenue stream? Advertisers wouldn't be
| thrilled either.
|
| Still, I think it's the best idea that actually has some merit
| of working at scale to change how the web is monetized today.
| And we need more of those. Just maybe not executed by Brave
| Inc.
| macinjosh wrote:
| > you need to provide your SSN and Driver's License to a third-
| party (Uphold) if you actually, you know, want to cash out.
|
| This is the government's fault not Brave's. There are laws that
| enforce the requirements. We do not have the freedom to move
| value or money around freely any more.
| gjsman-1000 wrote:
| And I completely understand that. But Brave is still guilty
| of not mentioning on their product page that for all the
| privacy things they do, Brave Rewards isn't private, and also
| has a conflict of interest incentivizing them to not tell
| people about it.
| toolz wrote:
| It's Brave's fault if they only give you access to your BAT
| coins after signing up with Uphold. There should be no reason
| they hide access to your coins until you use a third party
| service to dox yourself.
|
| Brave may not be implementing the dox'ing, but they appear to
| be requiring you to use someone else's implementation which
| is absolutely their fault.
| mumblemumble wrote:
| I am guessing that the parent comment has it right. This is
| admittedly outside my area of expertise, but I would assume
| that the system they have for managing BATs is subject to
| the US's Know Your Customer laws, which require financial
| institutions (including crypto exchanges) to, well, know
| their customer. Personally.
|
| They have to figure all that out _before_ they give you
| access to your account. Which means, yeah, there may well
| be a good reason for them to require you personally
| identify yourself before giving you access to the tokens:
| if they didn't, they'd risk getting into serious trouble
| with the authorities.
|
| They didn't technically need to contract that stuff out to
| a third-party company, of course. But, from a practical
| perspective, they did. They're a small browser company and
| financial regulation compliance would be a huge and
| burdensome departure from their core skill set. I don't
| think they could have afforded to do it themselves.
| gjsman-1000 wrote:
| And that's all right and good, I'm actually OK with this
| being the requirement for a system like this if a browser
| that rewards you with crypto is available.
|
| What I'm not OK with is that Brave isn't upfront about
| this.
| mumblemumble wrote:
| Indeed. It's weird to see an organization whose entire
| sales pitch is, "Trust us, we're trustworthy," that
| persists in acting unnecessarily skeezy at seemingly
| every turn. Like, you half expect their next blog post to
| be, "We've been trying to reach you about your car's
| warranty..."
| ipaddr wrote:
| kyc laws only apply to exchanges that allow cashing
| out. I don't understand why kyc would be required here.
| The browser user should be the miner getting a reward as
| a private key. They should be able to move it to any
| exchange (this is where kyc is required) or trade
| privately.
|
| Why they chose to implement the design in this way is not
| what I would expect.
| mumblemumble wrote:
| > kyc laws only apply to exchanges that allow cashing
| out. I don't understand why kyc would be required here.
|
| Because cashing out is kind of the entire point of BAT?
|
| If creators couldn't redeem their BATs for actual
| spendable currency, they wouldn't really be any different
| from a Facebook Like button that people have to pay to
| click.
| chrisco255 wrote:
| KYC, AML, CYA, IANAL
| squiggleblaz wrote:
| KYC stands for "Know Your Customer" and it's a reference to
| laws that require businesses to have a clue who they're doing
| business with. It's not a legitimate response to the concern
| here. The concern is failure to provide adequate information
| about the consequences of your actions up front. They're
| going to benefit from the ads, and they won't necessarily
| have to pay for that benefit, because they didn't adequately
| obtain informed consent before they began by informing you
| that you need to pony up PII to a third party.
|
| AML is probably Anti-Money Laundering. It again has nothing
| to do with informed consent. It is possible to prevent money
| from being laundered by telling a person up front, before
| they agree to sign up, that they have to give their private
| information to a third party.
|
| CYA is probably "Cover Your Arse". Again, it's not a
| legitimate concern for the same reason as above.
|
| IANAL is obviously not a response to the original concern but
| merely intended to reduce the risk of the reply. But there's
| no legal issues being raised. The issue is purely whether or
| not a business who praises their privacy credentials should
| clearly let their customers know that, if they choose to
| engage in business with them, their private information will
| need to be shared with a business who they may not trust.
|
| If OP's story is true, Brave is not above engaging in
| distrust for dollars. That's the lesson to be learnt here.
| Brave doesn't care about your privacy. They just hope that by
| marketing privacy, they can get a few customers. And they
| will and apparently do engage in shady practices that
| compromise your privacy. No acronym can justify that, other
| than something that stands for "Businesses need to be
| responsible for their actions, not just their profits".
| chrisco255 wrote:
| It was just a funny comment. They absolutely let you know
| in the docs and on the site and in every interview the CEO
| does that it is a requirement to complete KYC to receive
| the funds. I don't know what to say, it's all there, in the
| docs. In the FAQ:
| https://support.brave.com/hc/en-us/articles/360032158891-Wha...
| [deleted]
| seibelj wrote:
| I think your anger is misplaced - you should be angry at
| government who requires Brave (and eBay, and Etsy, and any
| company that is paying out money to people) to require this. If
| this wasn't legally required they (and every other company)
| wouldn't do it.
| qeternity wrote:
| Let's presume this were true - that the Government was also
| at fault (I don't agree) - why does that excuse Brave's
| behavior?
|
| If I go look at any other service which requires that kind of
| information, it's always right up front. Want a Robinhood
| account? Great, you have to provide the info when you open an
| account.
| prepend wrote:
| I use brave and rewards but have never cashed out so didn't
| provide any KYC info.
|
| I just donate BAT to sites.
|
| Brave does "request info up front" for users who want to
| use the wallet. Requesting it from users who won't need it
| is a waste of time.
|
| All Robinhood users perform financial transactions, very
| few Brave users do.
| freediver wrote:
| Is the lack of other options to send micropayments to
| sites the reason you do this? If there was a way to one
| click send micropayments to sites from a browser that did
| not require you to watch ads, but you send your own
| money, would you do it?
| prepend wrote:
| Honestly it's because I've never had enough tokens to
| qualify for the minimum. So I just leave stuff in my
| wallet and transfer every once in a while.
|
| I would prefer a wallet that I have control over, but I
| kind of ignore the BAT stuff and just use it because it's
| a clean browser that's easier for me than managing
| adblocker plug-ins. The tokens are just a bonus.
| gruez wrote:
| Is there a reason why brave has to do it but services like
| bing rewards don't? Also, AFAIK paypal allows you to do
| small transfers without verifying anything.
| PragmaticPulp wrote:
| Sites like eBay would require user identity verification
| whether or not the government required it. Can you imagine
| the scale of fraud on eBay if users were allowed to set up
| anonymous accounts and accept irreversible currency
| transactions to anonymous sellers? It would be a scammer's
| dream come true.
|
| I wouldn't have any interest in using such marketplaces.
|
| As for Brave: Whether or not KYC or other regulations explain
| their behavior, any cryptocurrency rewards program has an
| inherent incentive to make it as difficult as possible to
| cash out. People who cash out almost always sell their coins,
| putting downward pressure on the price. If they can use dark
| patterns to reduce the number of people selling coins, the
| coin price stays higher.
|
| The ideal cryptocurrency rewards program (for the crypto, not
| the users) would give people coins but almost force them to
| hold those coins and make it as difficult as possible to
| sell. This simultaneously hypes the coin by spreading
| awareness and removes downward price pressure by making it
| difficult to sell. This almost always means the company or
| founders have a lot of the coin that they plan to sell off as
| it becomes popular.
|
| Virtually everything that comes attached with arbitrary
| crypto tokens or rewards is a scam to make the founders
| wealthy while the users chase pennies.
| schelling42 wrote:
| Using this dark pattern is probably necessary, as it is the
| only robust way to protect them from being click-frauded.
| You can earn only small rewards by watching ads in a single
| browser, so there is a big incentive to run as many
| automated brave instances as possible. Then send it all to
| one wallet and cash out. But one would need to complete KYC
| for each instance. You can't move the tokens without it, so
| it can't be scaled up.
| kerng wrote:
| Not sure why you are downvoted.
|
| I guess users could also send the tokens elsewhere to try and
| find an exchange that doesn't care about money laundering laws
| - but governments get quite involved in crypto.
|
| Or is transferring tokens not possible?
| gjsman-1000 wrote:
| Not with Brave, it is not. All of your tokens go into
| Uphold, and you must go through full KYC (providing your
| Driver's License and SSN), before you can move them to any
| other wallet. And no, the tokens your browser says you
| have, they aren't actually yours or transferrable until
| your KYC Verification is complete. The amount of tokens in
| your account before you complete Uphold verification is
| more of an IOU BAT until you create an account and get the
| actual BAT.
|
| This is what is also egregious. Yes, BAT is decentralized
| when you move it around in wallets, but as far as the
| browser is concerned, all BAT you earn from receiving ads
| is actually quite centralized.
| kerng wrote:
| Thanks for clarifying - that indeed should have a big red
| warning sign for anyone signing up trying to collect BAT
| via Brave.
| gjsman-1000 wrote:
| That, at least, does have a reason. Uphold is an online
| exchange and crypto wallet more popular in Europe but very
| similar to Coinbase. The government doesn't want money
| laundering and other financial crimes, and you might disagree
| with KYC but at least there's some argument there.
|
| I don't like that Brave doesn't say, on their Brave Rewards
| page, warning: You will need to give up your privacy to cash
| out. If that's OK with you, great; if not, don't set your
| browser to show ads for months before you try cashing out or
| you'll get a nasty surprise.
|
| From Brave's perspective, there's also a conflict of interest
| here. Remember, when an advertiser spends BAT to show an ad,
| 30% goes to Brave and 70% to the ad receiver. Brave has every
| incentive to get that 30%, don't they? If that means you were
| fooled into leaving your browser showing ads thinking you
| could cash out without losing your privacy, they benefit. And
| that's why it really smells fishy that they don't mention it
| on their product page.
| vorticalbox wrote:
| I guess some users don't ever cash out and just use the
| rewards to fund the content they consume.
| [deleted]
| capableweb wrote:
| Brave, Inc has no requirement to be located in the US that
| does require these laws, hardly the fault of the government
| they are choosing to be incorporated under that Brave chooses
| that particular geographical position, especially since the
| US probably has some of the worst examples in recent history
| for disregarding the privacy of citizens and non-citizens
| alike.
| mannerheim wrote:
| I'm pretty sure the US government is notorious for
| enforcing its financial laws well beyond its borders.
| stiltzkin wrote:
| I have been testing Brave for some time and I have not received
| a lot of BAT since using it, I can summarize in few words but
| Brave are so cheap on paying BAT at the cost of giving you ads.
| For privacy better stick with Firefox or LibreWolf and earn
| crypto somewhere else.
| isodev wrote:
| Browsers are responsible for a very large chunk of our ability to
| interact with the world. In that sense I greatly appreciate the
| article trying to illuminate some areas of Brave which are not
| necessarily obvious upfront.
|
| I am absolutely inclined to believe that Brave is not as private
| as it appears.
|
| What also comes to mind is that Brave's founder Brendan Eich is a
| homophobe who donated to ban gay marriage in California (Prop 8,
| https://slate.com/technology/2014/04/brendan-eich-why-mozill...).
| That alone is sufficient to doubt the integrity of his
| organization.
| tapoxi wrote:
| I don't like the crypto nonsense of Brave, and while I like
| Firefox in theory, its performance leaves a lot to be desired and
| they don't seem to know who their user base is. Microsoft Edge
| got a decent native vertical tab solution before Firefox did!
| Edge!
|
| I wish some nonprofit would make a Chromium browser with sane
| defaults and take my donations. That's all I need.
| beervirus wrote:
| I use Firefox at home and Chrome at work. I can't tell any
| difference on performance.
| gjsman-1000 wrote:
| Does Vivaldi count?
| atatatat wrote:
| If you trust the people behind Opera, sure?
| xNeil wrote:
| I trust them personally. Jon von Tetzchner, the founder of
| Opera, left Opera to start Vivaldi once he felt management
| wasn't doing things the right way.
| k33l0r wrote:
| I tried out Edge for about 15 minutes but had to bail because
| of the amount of Bing and MSN nonsense embedded in the
| browser...
| figers wrote:
| Where do you see that? I use it every day and step one was
| switching search to DuckDuckGo
| fbcpck wrote:
| > its performance leaves a lot to be desired
|
| I'm not sure what you're talking about; this may be the case
| several times in the past, but you should check again because
| this is a thing that constantly changes. Firefox performance
| today doesn't really _leave a lot to be desired_ IMO
|
| > Microsoft Edge got a decent native vertical tab solution
| before Firefox did! Edge!
|
| Tree Style Tabs has been around since like... 2007? Or does
| the "native" part somehow make it a whole lot better?
| EMM_386 wrote:
| > Firefox performance today doesn't really leave a lot to be
| desired IMO
|
| Sadly I recently left Firefox after having used it for 20
| years (Phoenix/Firebird days).
|
| The performance degradation was becoming too noticeable. I
| switched to Brave (of all things), but that's only because I
| could no longer fight the real performance that a Chromium-
| based browser has.
|
| I hate doing this, because the last thing I want is a browser
| engine monopoly. That's why I started using Firefox in the
| first place, to help get rid of IE.
| jjcon wrote:
| For me at least Firefox is a no go on every laptop I've
| worked on - the fans start spinning up and I start losing
| battery life really quickly (especially on macs). Works fine
| on my desktops though.
| tapoxi wrote:
| Tree Style Tabs has been pretty limited since the port to
| WebExtensions. It can no longer take the place of the
| existing tab bar, and instead sits alongside it unless you do
| some Firefox profile CSS trickery that I never got working
| properly. Mozilla was considering adding a "hide tab bar"
| feature but I think they abandoned that.
| npteljes wrote:
| I often find sites with subpar performance in Firefox. I
| think that it's the sites' fault though, for testing only in
| Chrome / Safari. Reddit's redesign is an example, the
| loading, scrolling, post opening experience is slow and I can
| see that it eats a lot of CPU. In chrome it's much faster on
| the same machine.
| atatatat wrote:
| Edge has the best security of any browser on Windows
|
| _ducks_
| Santosh83 wrote:
| How is it better than any other Chromium based browser like
| Chrome, Brave or Vivaldi? I can understand it is more
| _integrated_ than the others, but how is it more secure?
| blackboxlogic wrote:
| Edge is the best browser for downloading Firefox.
| qwertox wrote:
| From the German Wikipedia:
|
| > On March 3, 2021, Brave announced that it had acquired search
| engine technology from the former browser manufacturer Cliqz for
| its own search engine, Brave Search. _The former owner, the
| German publishing house Hubert Burda Media, has held shares in
| Brave since then_.
|
| Hubert Burda Media is a traditional publisher, owner of well
| known German publications as well as hardware stores. They also
| own XING, which is the German version of LinkedIn which nearly
| everybody uses here.
|
| Hubert Burda was the president of the VDZ (=Verband Deutscher
| Zeitschriftenverleger, Association of German Magazine
| Publishers), so it's safe to assume that he is against internet
| user privacy.
|
| I'm not sure if they are able to legally access user data through
| this "partnership" with Brave.
| nipponese wrote:
| The only reason I use Brave is that I can type "you" + tab to
| directly enter YouTube search from the URL input field, and this
| works for gMaps and Amazon. For the life of me I cannot figure
| out how to configure this in Firefox.
| occamschainsaw wrote:
| You can get similar functionality in any browser by setting
| DuckDuckGo as your default search engine (so you can search
| from the URL input field) and using bangs. So "!yt search term"
| in the input field (without quotes) would search YouTube. DDG
| is sufficient for 99% of searches for me, and when it fails I
| just use the !g bang for Google search. You can check all the
| bangs available here: https://duckduckgo.com/bang
|
| Edit: !m or !gmap for Google Maps, !a for Amazon
| [deleted]
| jmiskovic wrote:
| In Firefox almost any search box can be right clicked and there
| is an option "Add a keyword for this search". If you use "y"
| shortcut for youtube, then your URL entry is "y gangnam".
|
| Also if you use DDG as your main URL search engine, they have
| bunch of "bang" shortcuts that redirect your query to online
| searches. For yt you'd use "!you gangnam". Others can be found
| here: https://duckduckgo.com/bang
| nipponese wrote:
| Thank you and the others who recommended this!
| eythian wrote:
| In Firefox, right-click in the youtube search box and you can
| make a keyword search bookmark. I can do, for example, 'yt
| gojira' to search for that, or 'wp goldfish' to search
| wikipedia, and so on.
| Liquid_Fire wrote:
| An alternative method to the other comments, which will enable
| the Tab behaviour you're describing (it will add a search
| engine with a keyword instead of a bookmark):
| 1. Add YouTube as a search engine (visit YouTube, click on the
| + in the search box and click 'Add "YouTube"').
| 2. Open Firefox Settings > Search > Search Shortcuts (near the bottom)
| 3. Set a keyword "you" for YouTube in the table
| 4. Search by typing "you" + Tab in the address bar
| oofbey wrote:
| So ironic that the OP's website doesn't require HTTPS. The most
| minimum security practice on the web that's nearly enforced by
| even the worst browser, and this security rant either doesn't
| care or doesn't realize their site is misconfigured.
| jonathansampson wrote:
| The author is not technical; this was only the first of many
| mistakes they made. I posted three exhaustive responses at
| https://news.ycombinator.com/item?id=27552530.
| KingOfCoders wrote:
| Dropped Brave when it became worse than ublock/Firefox.
| pmurt7 wrote:
| Make no mistake, it has nothing to do with Brave, it's just
| marxist guerrilla against Eich. They cancelled him once at
| Mozilla, they are at it again.
| miedpo wrote:
| So I feel as if the author is missing the point.
|
| Of course brave markets to you with ads. That's the entire point
| of the web browser. To ad-block, but then to replace it with a
| suitable privacy protecting alternative to the point that Brave
| (and everyone else) has no idea which ads you were served and
| what your browsing history is. The entire point is to not just be
| an ad blocker, but to be private, and to provide a workable
| alternative to the ads that track us on websites.
|
| Furthermore... brave lists on their website what they collect in
| analytics programs. And... it's not much. They also send the
| answers in what they call 'low resolution', which basically means
| multiple choice with ranges making it a lot harder to identify
| you compared to a specific number. Sure, it's not no tracking at
| all, but it's probably pretty close to the least you can get to
| serve relevant ads while serving a general populace.
|
| It is true that it'd be nice if they forked off Chromium at some
| point so they are less in Google's hands. We can all use more of
| that.
|
| So, at least for me, this kinda falls on deaf ears. It's missing
| the point as to why Brave does what it does.
| stereolambda wrote:
| Not sure if I'm fully behind that comment, but it kind of
| raises an important point. If you want a freer web based on
| some kind of business, and not a non-profit/charity (and often
| a shaky one like Mozilla, financed mainly by Google)... this
| business has to function in some realistic way. (This is
| largely orthogonal to the open source/free - proprietary axis
| (which doesn't really exist in web browsers anymore). You
| should be able to sell/monetize free software.)
|
| I, for one, wouldn't complain if some financially solvent
| (self-sustaining, money-making), reasonably ethical and non-
| exploitative web browser existed (the same for search engine,
| OS etc.). In the economic system that we have it could be more
| efficient in marketing -> market share among privacy-unaware
| people and so on.
|
| So maybe we should strive to have a reasonable, analytic
| discussion what business practices are _acceptable_
| (rationally, if not emotionally at first glance) and which are
| not. This does not mean that we should just eat up whatever
| "privacy entrepreneurs" think of. But the tone of TFA feels a
| little less convincing because of the sprinkling of phrases
| like "their shitty program", like expecting you've already made
| up your mind.
| smoldesu wrote:
| The issue is that Brave's "point" is a self-defeating motive.
| It wants to rid the internet of ads by... creating more
| amicable ads? Furthermore, the proceeds from said ads almost
| never benefit the creators of the content, meaning that Brave
| has effectively created an ulterior economy adjacent to the
| internet. Great, just what we needed, Another Competing
| Standard.
|
| Nobody in the ads industry wants this, and a good 90% of the
| privacy sector is watching Brave in horror. Creators will make
| less money and be exclusively paid in a fiat currency, which
| probably won't appeal to anyone either. If nobody can reconcile
| Brave's existence, it will always be a second-class citizen on
| the web, even if it is forked from Chrome.
| varnaud wrote:
| I feel the author is on point. Brave is all about marketing and
| surfing the privacy wave to make profit.
|
| Take a look at https://brave.com/brave-ads/
|
| Brave's goal is to acquire as many users as possible to sell them
| to advertisers. They are no different from Google. Might as
| well use Chrome with ublock origin and farm crypto on your own.
| psiops wrote:
| The difference is that with Brave you are rewarded for your
| attention to these ads. That idea has some merit I think,
| regardless of how it's implemented in Brave.
| matheusmoreira wrote:
| > They are no different from Google.
|
| Brave lets you turn off the ads. They also pay you
| cryptocurrency if you decide to turn them on.
| prepend wrote:
| I think the key difference is that user data are never shared
| with a third party, not even Brave. All the ad matching logic
| is done in client so data doesn't leave my machine.
|
| This is a big difference so using Brave vs Chrome doesn't
| result in a company having a record of every site browsed.
| miedpo wrote:
| Well I mean, yes, they want their ads to succeed (that's how
| they can offer a product for free). I don't think there's
| anything wrong with that.
|
| What matters to me is how much data they collect and how they
| use it. It seems pretty clear to me that they go out of their
| way to collect less data, and try to be very privacy conscious
| about it.
|
| Do you think they are lying about that? I personally don't,
| and the code is there for us to audit (the only closed source
| part of the browser is the part that guarantees it's a human
| not a bot viewing the ads as far as I know). So I think it's
| pretty safe to call them much better than Google and their
| revenue model is certainly a lot more stable than Firefox's.
| celsoazevedo wrote:
| The privacy/tracking aspect of Braves Ads (which you don't
| have to use) seems to be way, way better than Google Adsense.
| It's like comparing the good ol' fixed "image banner + link"
| vs Adsense. They're both ads, but one is better than the
| other.
|
| And then you have Chrome sending data directly to Google, the
| auto logins, dark patterns, etc, which you don't get with
| Brave or Vivaldi.
| judge2020 wrote:
| I find it funny that people say this when this is pretty
| much exactly what FLOC is - the browser choosing your
| interests and deciding which interests to send to the ad
| server - but without the "show ads on every website and
| hold the profits from website owners until they claim it".
| celsoazevedo wrote:
| > deciding which interests to send to the ad server
|
| I was looking at their media kit[0]. They link to a
| presentation[1] which mentions that the ads are sent to
| the browser and then the browser itself picks the ones
| that should be shown to the user.
|
| If this is really the case, then the browser isn't
| sending that information to the ad server.
|
| [0] https://brave.com/brave-ads/assets/Brave_Media_Kit.pdf
|
| [1] https://www.youtube.com/watch?v=qEj5ZiQohJc
| judge2020 wrote:
| This wouldn't work for an ad network as big as Google's,
| and would further centralize who can serve ads to users
| (something Google can't get away with like Brave can).
| celsoazevedo wrote:
| > This wouldn't work for an ad network as big as Google's
|
| Yeah, maybe. I was just pointing out that it doesn't send
| the user's preferences to a server.
| varnaud wrote:
| >The privacy/tracking aspect of Brave Ads (which you don't
| have to use) seems to be way, way better than Google
| Adsense
|
| Exactly, "seems". Once again, good marketing from the Brave
| team. Heck, they even sponsored chess grandmaster Hikaru
| Nakamura on his Twitch stream.
| celsoazevedo wrote:
| Can you target users via Brave Ads like you can with
| Adwords/Adsense? If I understood correctly (I might be
| wrong - hence the "seems"), you can't because they're not
| doing anything close to what Google does.
|
| I guess my point is that not all tracking or ads are the
| same. You can track clicks and views of a banner without
| profiling users across multiple sites and apps, learn all
| you can, and then let advertisers target them.
| marvindanig wrote:
| The ad industry isn't going away, if you're thinking of a
| world in the future sans ads. With Brave's model, at
| least you are able to make some profit for yourself.
|
| It's not utopian, but works from a capitalist's
| standpoint. And a lot of real users like it!
| crazypython wrote:
| Brave is the false sensation of privacy, _compared to Firefox._
| For people who use Chromium, Brave is the best there is.
| Anonashtonian wrote:
| I would love to use something other than brave but Firefox is
| shit and arguably getting worse over time. They have been
| sacrificing ux for revenue streams for a while now. Also
| extension management is a joke, especially if you have more than
| 5 extensions.
|
| I have like 30 chrome extensions... Most of which get used at
| least weekly. Many of them do things like prevent sites from
| blocking text select or copy paste, things like that. I believe
| extensions are the mechanism of agency that enables a browser to
| be a "user agent" again.
| CharlesW wrote:
| > _I would love to use something other than brave but Firefox
| is shit and arguably getting worse over time._
|
| As someone who's used Chrome exclusively for the good part of a
| decade and has been using Firefox again for the last several
| months, I don't get this criticism at all. It seems...fine? In
| any case it's radically better than it was when I initially
| switched to Chrome from Firefox.
| wmitty wrote:
| > Their adblocker is just a fork of uBlock Origin,
|
| This does not appear to be true. Here is the github repo for
| their open source adblock engine written in rust:
|
| https://github.com/brave/adblock-rust
|
| Here is a (somewhat dated) article describing it by the authors:
|
| https://brave.com/improved-ad-blocker-performance/
|
| > Google will take decisions that benefit their advertisement
| business, like making impossible to use adblockers on any
| Chromium based browser.
|
| Because the brave adblocker is integrated directly into the
| browser (ie. not an extension) the Manifest V3 limitations don't
| apply.
| pmurt7 wrote:
| > If earning half a penny in a month is okay for you, in
| exchange of your privacy, because of course, they're tracking
| you with Rewards, then enjoy your money.
|
| Lie. Brave doesn't track you. Your ad data never leave your
| machine (a bit like your bookmarks). The ad engine works
| privately on your computer and not on Brave server.
| ehutch79 wrote:
| If it's fetching ads, it has to 100% be sending some data to
| someone, who is likely able to correlate it and track you. It
| doesn't take much.
| pmurt7 wrote:
| The entire ad catalog is sent to your machine and some ad
| engine running inside the browser decides which ads to show
| you. It's funny seeing all these folks nitpicking at Brave
| but who are fine using Google or Microsoft every day.
| ehutch79 wrote:
| I don't really care about brave either way, it's just
| dubious that the ads are somehow untrackable when you
| apparently get credit for seeing them somehow?
| jonathansampson wrote:
| We use zero-knowledge proofs and blinded tokens to track
| when an ad has been viewed by a user. But there is no
| user data involved here. The magic of cryptography is
| that you can prove you viewed the ad without telling us
| anything about you.
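An added illustration of the "blinded token" idea in the comment above; it is not part of the thread and not Brave's code. It swaps in textbook RSA blind signatures with a constructed demo key (the page does not say which construction Brave uses), and the `Client` and `Issuer` names are hypothetical.

```python
import hashlib
import math
import secrets

# Constructed demo key built from two Mersenne primes. Far too small and
# too structured for real use; it only keeps the example self-contained.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def h(token: bytes) -> int:
    """Hash a token to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Client:
    """Holds a random token and the blinding factor; both stay local."""

    def __init__(self):
        self.token = secrets.token_bytes(16)   # random, carries no user data
        self._r = None

    def blind(self) -> int:
        # Pick a blinding factor r that is invertible modulo N.
        while True:
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
        self._r = r
        # The issuer will only ever see h(token) * r^E mod N.
        return (h(self.token) * pow(r, E, N)) % N

    def unblind(self, blind_sig: int) -> int:
        # (h * r^E)^D = h^D * r, so dividing by r leaves a signature on h.
        return (blind_sig * pow(self._r, -1, N)) % N


class Issuer:
    """Signs blinded values and later accepts each signed token once."""

    def __init__(self):
        self.seen_at_issuance = []   # everything visible to the issuer when signing
        self.redeemed = set()

    def sign_blinded(self, blinded: int) -> int:
        self.seen_at_issuance.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(token):
            return False             # signature does not match this token
        if token in self.redeemed:
            return False             # token already spent
        self.redeemed.add(token)
        return True


def demo():
    issuer = Issuer()
    client = Client()
    sig = client.unblind(issuer.sign_blinded(client.blind()))
    first = issuer.redeem(client.token, sig)               # valid, first use
    replay = issuer.redeem(client.token, sig)              # same token again
    forged = issuer.redeem(secrets.token_bytes(16), sig)   # signature moved to another token
    # The value the issuer signed is not the value it later sees redeemed.
    linkable = h(client.token) in issuer.seen_at_issuance
    return first, replay, forged, linkable
```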
| mthoms wrote:
| You misunderstand. The sensitive data here is your
| browsing history (and all that it infers). Brave never
| sees that.
|
| But yes, when you view an ad, that gets recorded
| somewhere (so that you can get rewards, and the
| advertiser can be billed).
|
| You decide if you're comfortable with this or not. The
| feature is easily turned on or off.
| gentleman11 wrote:
| Do you have to download the chosen ad or is it already on
| your system? If you selectively downloaded ads, your ip
| address could give you away and you get a floc like
| situation
| jonathansampson wrote:
| The ad catalog for your region is downloaded; it comes
| with click-through URLs, titles, body text, and some
| other information. There is no connection made beyond
| this to retrieve any other ad-related data. You can see
| what your own regional catalog contains by visiting
| https://sampson.codes/brave/ads/my_region/.
| jonathansampson wrote:
| A regional catalog is downloaded routinely. The only "data"
| going out is your region (e.g. the United States). This
| returns a protobuf catalog of ads for your region. Your
| device privately studies this catalog for relevant entries.
| When an ad is shown, it's presented as a native
| notification on the OS. This means the user sees a title
| (text), and a body (text). Screenshots of these
| notifications are on https://brave.com/rewards. I also
| covered this model in brief detail recently
| https://youtu.be/LsrrT502luI (skip to about 3:22 if you
| like).
| ehutch79 wrote:
| How does it report the ad was viewed?
| jonathansampson wrote:
| When the notification pops on screen, you are granted the
| rewards. If your OS is not able to show the notification
| (due to Focus Assist, DND, or some other reason) then you
| are not rewarded (a future update to Brave will let users
| control visibility from within the browser entirely).
| gentleman11 wrote:
| and how do they prevent users from faking ad views to
| accumulate bat?
| freediver wrote:
| > The only "data" going out is your region (e.g. the
| United States).
|
| Every request Brave makes "home" will transfer private
| data like IP address of the user and browser fingerprint,
| regardless of the payload. Can you clarify what is done
| with this data?
|
| Also, if what the article says is true, that some
| requests "home" cannot be disabled, why is that the
| case?
| dane-pgp wrote:
| > private data like IP address of the user and browser
| fingerprint
|
| Presumably it would send the same data whenever it checks
| for software updates too.
|
| I can't think of a threat model where downloading updates
| and downloading ads are different in terms of user
| privacy (except, of course, that a malicious update can
| do far more harm).
| kkoncevicius wrote:
| There are more lies in that article. This one for example is so
| often repeated but untrue:
|
| > Rewards is their shitty program that will replace ads
| displayed on websites with their own.
|
| Brave doesn't replace ads with their own. Brave ads are
| displayed as desktop pop-ups. They can also be easily disabled
| (which, surprise, the author doesn't mention because of his
| bias). And the idea behind Brave ads is to give you tokens
| which are then distributed to the content creators you engaged
| with. This is the default setting. Their idea is not to shovel
| you with ads or offer you "get rich with crypto" schemes. The idea
| is to block ads but still provide revenue to the content, based
| on how many users engage with that content.
|
| When I see people saying "Brave replaces ads with their own" I
| have to wonder if they have tried using Brave themselves before
| writing these critique articles.
| mattalex wrote:
| I still don't really get how brave is supposed to work:
|
| You watch significantly fewer ads than before, these ads are
| then supplied to whoever you yourself engage with. That seems
| like watching these fewer ads directly on the site, just with
| a few hoops in between.
|
| The difference is that now you watch fewer ads in total, and
| you have the Brave-browser as an in-between, which also
| somehow has to survive. This means that you get potentially
| even less money, since fewer ads are watched and the ones that
| are watched are more diluted (even if brave currently doesn't
| take a cut at the moment: At some point they have to pay
| their developers, too).
|
| Also, why do they pay out in BAT? (other than the fact that
| they cooperate with "uphold" a crypto-exchange and that they
| also really really want to jump on the crypto-bandwagon)
|
| Somehow there has to be money going into the system that
| supports its own existence. If brave had something like a
| subscription service or other way to get additional funds into
| the Network, then it might be more understandable, but even
| then: Why should I support someone by using BATs instead of
| paypaling/patreoning/whatever-elseing him the money directly?
| rglullis wrote:
| > That seems like watching these fewer ads directly on the
| site,
|
| The ads from Brave are completely separate from the
| website. They are presented as an OS notification pop-up.
|
| > Somehow there has to be money going into the system that
| supports its own existence.
|
| Yes, of course. Their revenue comes from the advertisers
| that get to place ads on their notifications. They only pay
| to the users a share of this revenue. If for some reason
| they stop getting advertisers, they will stop paying the
| users. Simple as that.
|
| > This means that you get potentially even less money.
|
| This is making the very bad assumption that they have a
| fixed revenue. As their user base grows, more advertisers
| will be interested in placing ads on their network and
| their revenue will increase.
|
| > Also, why do they pay out in BAT?
|
| Primarily, because it simplifies the logistics and allows
| them to escape the regulatory hurdles of having to become
| licensed money transmitters, and lets them outsource all of
| that crap to the crypto exchanges. A second-order but also
| important effect is that it attracts users who want to
| speculate on the token.
|
| > Why should I support someone by using BATs instead of
| paypaling/patreoning/whatever-elseing him the money
| directly?
|
| Whynotboth.jpg?
|
| Patreon is not bad, but they are not in a business that can
| fight surveillance capitalism. Patreon does not have a way
| to block Facebook from tracking my browsing. Brave does.
| Patreon does not block the Youtube ads from the people that
| you want to support. Brave does.
| jonathansampson wrote:
| I recently did a 5 minute video on the history of digital
| advertising, with an introduction to Brave's model:
| https://youtu.be/LsrrT502luI.
|
| Per https://brave.com/rewards and
| https://creators.brave.com, users opt-in to Brave Rewards
| and begin participating with privacy-preserving Ads. Each
| ad nets you, the user, 70% of the associated revenue.
|
| Rewards come in the form of BAT, which moves more easily
| and comes with considerably less friction. The blockchain
| enables users to effortlessly and anonymously participate.
| This also means that everybody with attention (and not
| necessarily disposable income) can support the content they
| love online.
|
| As for paying out in BAT, creators can choose to have BAT
| auto-converted into Bitcoin, US Dollars, etc. Users can
| also have their rewards converted into another type of
| asset or currency via Uphold too. BAT is simply a utility
| token, whose utility is currently best demonstrated within
| the Brave ecosystem.
|
| To your last point, the "money going in" comes from
| advertisers. They pay in fiat currencies, or via BAT. If
| they pay us in dollars, we purchase BAT as needed from the
| market. Users can also self-fund their wallet, if they have
| disposable income.
| mattalex wrote:
| I understand that money goes in through the advertisers:
| But how is that money sufficient to maintain the current
| websites?
|
| You watch fewer ads than before, which means (if the ads
| pay the same) that each website gets on average (i.e. if
| the split is the same as before) less money. As you
| describe it, only 70% of the ad-revenue actually reaches
| the user, meaning even if you watch the same amount of
| ads, websites get 30% less money, and that ignores that
| many people just opt-out of ads. (BTW do you know where
| that 30% go to?)
|
| > The blockchain enables users to effortlessly and
| anonymously participate.
|
| That actually makes sense. But if you want to get money
| out of BAT, don't you have to pay a transaction fee? And
| if you don't, then how does Uphold make any money to pay
| their developers?
|
| For me it seems that there's money vanishing at every
| point and very little or nothing to replace it.
|
| Also, wouldn't brave have a quasi-monopoly on ads in this
| configuration? Even if brave is an honorable company (and
| I have no reason to doubt that), it makes me uneasy to
| know that we are breeding another potential "too-big-to-
| fail" giant like Facebook/Amazon/Google.
|
| _Edit_ :
|
| Rereading your comment again and noticing the "users can
| distribute bought BAT directly" part: Then the
| monetization system makes a little more sense. Do you
| have stats on how much people are paying in? Is the
| ultimate goal to get rid of ads entirely or at least
| shift over to a "pay for what you use" model? In that
| case I can understand that. (though the monopoly on
| website monetization part still makes me kind of uneasy)
| rainonmoon wrote:
| This step in the chain of progress may require people to
| adapt to the idea of making less money in exchange for a
| healthier web.
| ipaddr wrote:
| I started using it. Found it fast. I get maybe 4 ads a day.
| They don't appear on the website they appear near the
| button to the side. Really small ad, just text. It is so
| out of the way.
|
| The model for profit is around the bat coins gaining
| popularity. The payouts are extremely low for everyone.
| rglullis wrote:
| > The model for profit is around the bat coins gaining
| popularity
|
| Incorrect. Their revenue is in USD, and their payout is
| calculated using the revenue in USD. The price of the
| token does not affect them in any way.
|
| Their model for profit is unbelievably simple. They are
| an ad network that uses the browser as a distribution
| vehicle. More people using the browser, more advertisers
| will be buying ad space, more revenue for them.
|
| They do have a published roadmap about offering more
| services in the crypto-space (built-in web3 wallet with
| direct connection with crypto exchanges, use of NFTs to
| access features and services on different websites, etc)
| which are very interesting and it might even become a
| bigger play than the existing ad network. At the end of
| the day however, they can have a solid and sustainable
| business just with the ad distribution network.
| fossuser wrote:
| I think the idea is this:
|
| - Most people won't paypal/patreon/send money directly
|
| - The current system uses ads as a shorthand for attention.
| If you're able to get attention you get more ad traction
| and more money.
|
| - Ads suck and are a corrupting influence on everything, if
| there was a way to directly award attention without ads
| that would be better.
|
| - Brave replaces ads by tracking attention directly and
| attempting to reward it directly with BATs. This is done
| instead of cash because (I'm not really sure why) - I
| suspect because it's easier to manage and easier to split
| into tiny amounts.
|
| - Flattr from the late 2000s (2007?) was similar, but with
| cash (Flattr = Flat Rate) the idea being you'd put in
| $XX/month and it'd distribute it depending on what pages
| you viewed. It was created by some of the Pirate Bay
| founders iirc. It never got much traction.
|
| The issues I have with these services:
|
| - Ads are bad, but the attention economy is the underlying
| problem. Removing ads is good, but still incentivizing
| attention for $$ isn't great.
|
| - In the case of 'privacy' Brave has now inserted
| themselves as the tracker of all attention, this is very
| high risk and not a lot better than the ad companies. Sure
| you don't see ads but a lot of the bad slot machine
| incentives around content remain.
|
| - I don't want to necessarily pay everyone based on what I
| view, what if what captures my attention is crap? What if
| I'm reading something for context, but don't support it?
|
| ---
|
| I get what they're trying to do, reward people without ads
| and without making users pay - but I'd rather the ad model
| just die and if some businesses can't survive without it we
| probably don't need them. I recognize this isn't super
| realistic because companies compete on a global stage.
|
| A business truly operating in the interest of users would
| make a browser that had ad blocking built in without
| tracking - and worked on subverting ads full time (what
| users actually want). This includes real privacy by not
| being a new middle man tracking attention. Apple is the
| closest to doing stuff like this with their new onion
| router VPN, making it easy to block tracking from apps in
| the store, etc.
|
| Brave pretends its interest is privacy and browser users,
| but it feels like a rationalization to me. Brave's core
| business is attention tracking and taking a cut of that, if
| not now - when they have more power. Its users' attention
| is what they monetize - those incentives don't lead some
| place good.
| mthoms wrote:
| You seem to have missed a critical point: The "attention
| tracking" Brave does stays completely on device.
|
| The browser is sent a list of ads, and the browser
| decides which ads to serve based on its metrics. Brave
| doesn't see this data and the user can choose to
| participate or not.
|
| There are no easy answers, but this is an interesting
| model and a reasonable compromise for many.
| rch wrote:
| I'd prefer it if I could contribute cash monthly, and let the
| browser distribute the funds based on my browsing.
|
| The notion of getting paid to view a separate stream of ads
| seems bizarre. It's the 'Ad Buddy' model, but with crypto.
| jonathansampson wrote:
| You can do that today with Brave. Brave Rewards enables
| users to self-fund, and contribute automatically to the
| sites they visit, proportional to the time spent on those
| sites. See https://brave.com/rewards and
| https://creators.brave.com for more information. The
| beautiful thing about Brave Ads, however, is that everybody
| can support the content they love. Even if they don't have
| the ability to self-fund; they can convert attention into
| substantive support for content creators.
| freeone3000 wrote:
| Okay, but, how do I give them _actual_ money, instead of
| BAT? Will you redeem BAT for dollars?
| jonathansampson wrote:
| Within the Brave ecosystem, BAT is the unit of account
| for attention and support. Those who receive BAT,
| however, do not have to hold BAT. We offer creators and
| publishers the option of automatically converting their
| received tokens from BAT into various other types of
| assets and/or currencies. Many keep the BAT, others auto-
| convert to Bitcoin, and a large portion auto-convert to
| their regional currency (USD, CAD, etc.).
| dharmaturtle wrote:
| Possibly what you're looking for, though less browser-
| dependent: https://coil.com/
| gentleman11 wrote:
| The long term play might be that, but they would probably
| never get the market share to exploit it fully
| teejmya wrote:
| I think people are misremembering or misunderstanding a
| recent controversy where Brave was adding their own affiliate
| links to the user's browsing session without the user's
| knowledge or consent:
| https://www.coindesk.com/brave-browsers-affiliate-link-contr...
| kkoncevicius wrote:
| I don't think this is it because the article has a separate
| section about affiliate link controversy.
| 411111111111111 wrote:
| These points had been true at some point though... Also,
| brave is constantly astroturfing, so you should always
| take whatever you read online with a grain of salt.
|
| I used brave's android browser a long time ago as well
| (at that time these claims were true - but they didn't
| replace the ads on all pages). I cannot speak about what's
| the current situation however, as I'm not up to date on
| the topic.
| Belphemur wrote:
| To play devil's advocate.
|
| On one side, Brave comes with an adblocker that will remove
| any ads from the website you're visiting. On the other, they
| provide their own ads through the reward program.
|
| So it can be seen as "replacing website ads by its own".
|
| I approve that line of reasoning, but I think that's what the
| author meant.
| ABCLAW wrote:
| The idea that the experience is equivalent as a result of
| substitution is incorrect, though, and the author's
| original heavy implication that Brave's substitution is
| malicious and selfishly designed does not hold up.
|
| Brave basically aligns advertising incentives to match with
| viewer incentives. A Google served ad is not the same thing
| as a Brave served ad from the perspective of a viewer,
| because Brave ads are optional and some of their value
| accrues to the viewer.
|
| Is the alignment perfect? No. But I do view it as a
| substantially better starting point than the currently
| centralizing, adversarial model that currently exists.
| nmz wrote:
| You can disable seeing ads in settings though. if you
| choose to see ads however, the website doesn't get
| anything, you get crypto from it.
| jonathansampson wrote:
| In Brave, by default, when a user opts-in and earns
| rewards from Brave Ads, Brave will enable the user to tip
| verified sites and content creators (even making
| automatic, pro-rata contributions possible). This is
| currently how content creators benefit (indirectly) from
| Brave Ads. Their users earn rewards, and forward them
| along. We're currently settling more than 8-figures each
| month to website owners and more. See creators.brave.com
| for more information. Further options will come in the
| future as well.
| Belphemur wrote:
| Edit: I _don't_ approve that line of reasoning, but I
| think that's what the author meant.
| kkoncevicius wrote:
| To play the devil's devil's advocate :)
|
| Brave allows you to do whatever you want. You can see
| publisher ads without Brave ads. You can see Brave ads
| without publishers ads. You can see both. Or you can
| disable both.
|
| Since individual users can achieve any configuration of ads
| they like, to me it seems that some people are only unhappy
| with this because they want to push their moral stances on
| everyone else. Like, for example, stating that the ability
| to block publisher ads while enabling Brave ads is immoral
| and shouldn't be allowed.
| causality0 wrote:
| Does integrating it into the browser have any performance
| benefits over using an extension?
| pmurt7 wrote:
| Brave ad blocker is written in Rust and browser extensions in
| JavaScript, so it should be faster
| jonathansampson wrote:
| Not only faster, but we aren't beholden to the APIs offered
| by Google and others. Manifest v3 threatened the existence
| of popular content-blockers like uBlock Origin. Since we
| are the browser, we aren't so limited. A recent example of
| how we are able to do more was with the introduction of
| CNAME blocking, which allowed us to identify when a third-
| party tracker had managed to be requested from a first-
| party URL: https://brave.com/privacy-updates-6/.
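An added sketch of the CNAME check described in the comment above, showing how a request to a first-party hostname can be matched against a filter list by its canonical name. It is not part of the thread and not Brave's implementation; the DNS records, the blocklist entry and all function names are constructed for illustration.

```python
# Constructed DNS data (hostname -> CNAME target); not real records.
CNAME_RECORDS = {
    "metrics.shop.example": "shop-example.collector.tracker.example",
    "shop-example.collector.tracker.example": "edge7.tracker-cdn.example",
    "static.shop.example": "shop.cdn-provider.example",
    "loop-a.shop.example": "loop-b.shop.example",
    "loop-b.shop.example": "loop-a.shop.example",
}
BLOCKED_DOMAINS = {"tracker.example"}   # constructed filter-list entry


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def on_blocklist(host, blocked=BLOCKED_DOMAINS):
    """Match the host itself or any subdomain, on label boundaries only."""
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in blocked)


def cname_chain(host, records=CNAME_RECORDS, max_depth=8):
    """Follow CNAME records from host, stopping on loops or at max_depth."""
    chain = []
    current = normalize(host)
    seen = {current}
    for _ in range(max_depth):
        target = records.get(current)
        if target is None:
            break
        target = normalize(target)
        if target in seen:       # CNAME loop, stop following
            break
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def site_of(host):
    # Assumption: the site is the last two labels. Production code would
    # consult the Public Suffix List instead.
    return ".".join(normalize(host).split(".")[-2:])


def classify(page_host, request_host):
    """Return (verdict, reason, matched_name) for one sub-resource request."""
    if on_blocklist(request_host):
        return ("block", "listed-host", normalize(request_host))
    # A hostname-only filter stops here; the check below also looks at
    # every canonical name the request host resolves through.
    for canonical in cname_chain(request_host):
        if on_blocklist(canonical):
            same_site = site_of(page_host) == site_of(request_host)
            reason = ("cname-cloaked-first-party" if same_site
                      else "cname-to-listed-host")
            return ("block", reason, canonical)
    return ("allow", "no-match", None)
```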
| fallat wrote:
| Why not just use Ungoogled-Chromium?
| paco3346 wrote:
| I switched because Google removed the ability to log in and
| sync settings, history, password, etc. (I realize that in
| this case I'm directly giving Google my data) but it was a
| super nice feature.
|
| Brave's Sync v2 works decently well.
| andai wrote:
| I tried this a year ago. Had some trouble first downloading
| this (afaik the project only provided sources, not binaries,
| so you had to trust some random guy's website to download the
| .exe), then it randomly crashed within 5 minutes every time I
| launched it, then I deleted it.
| jsf01 wrote:
| Third party untrusted binaries last I checked
| j-james wrote:
| You can pull trusted binaries from OpenBuildService now.
| gruez wrote:
| You can build it yourself, but even with a midrange desktop
| it'll take you at least an hour to build. A laptop would
| probably take 2-3 at least.
| ben940830298432 wrote:
| Are you going to read the source to confirm nothing
| malicious was added?
| gruez wrote:
| There's around 4.9k lines of python code and 15.9k lines
| of patches. That doesn't seem that hard to scrutinize.
| From a threat model point of view you should be more
| worried about supply chain attacks from all the third
| party programs/libraries you have installed on your
| computer.
| lorlou wrote:
| It doesn't seem to include an automatic updater.
| k4rli wrote:
| Simply use a package manager.
| fastball wrote:
| [insert link to infamous HN Dropbox comment here]
| nyberg wrote:
| Use GNU GUIX to manage it. It's been packaged for quite a
| while now
| weird-eye-issue wrote:
| This is the second reference to that in this thread. It's
| getting pretty old and I don't even think it's relevant
| andai wrote:
| Yeah just download it over FTP bro!
| shilad wrote:
| The Epic Privacy Browser Team is integrating uBlock into Epic
| in their next update and didn't find a significant degradation
| in performance from any Chrome limitations, nor a significant
| performance improvement in Brave's implementation.
|
| Epic's mobile browsers were built on Brave/Chromium, but now
| that Brave has endpoint and other dependencies as mentioned it
| doesn't explain, it isn't possible to continue to build on them
| or even test them since Brave features don't work in outsider
| builds.
| dangerface wrote:
| > This means that you need to update the entire browser to fix a
| bug in the adblocker. Stupid, isn't it?
|
| I mean chrome and firefox both update pretty much every time I
| open them and they are only like 50-100mb? Why would I be upset
| that my browser updated? OP Made it bold too they must think its
| a real gotcha!
|
| Later in the article they are again grinding that axe against
| auto updates, that some how having an up to date browser hurts
| privacy?
|
| Op must be the one last IE6 stan.
|
| They complain about BRAVE ARE SCAMMING PEOPLE! and that they
| COVERED UP PEOPLE THAT EXPOSED THEM! It turns out to be an ad on
| the home screen for a crypto currency exchange... Scam exposed
| LOL
| imwillofficial wrote:
| This article is a glittery piece of shit, from lies about the
| blockers to completely made up points on the ad system.
| gman83 wrote:
| I always find it odd that we worry so much about how much our
| browsers are tracking us, but almost nothing about what our ISPs
| are doing. Every time I've looked into it, it seems much worse.
| As far as I can tell, ISPs are legally allowed to sell your
| browsing history to third parties:
| https://arstechnica.com/tech-policy/2017/03/for-sale-your-pr...
| mumblemumble wrote:
| ISPs can see a lot, but it does have limits. As long as we're
| using SSL (and I suppose, assuming it hasn't been cracked), the
| ISP really only knows what domains I'm visiting. So they might
| know that I'm going to WebMD, but they don't necessarily know
| that I'm reading up on treatment options for nose fungus. They
| also don't necessarily know exactly which member of my
| household is going to that website, nor can they link it up
| with any browsing I do from the coffee shop.
|
| Browser-based tracking, on the other hand, can see just about
| everything, because it's looking at the state of the data after
| it's been decrypted. And it can, with a reasonable degree of
| confidence, individually identify people, even when more than
| one person shares an internet connection, and even when one
| person uses more than one device or connects to the Internet
| from more than one location. The higher fidelity of that signal
| does imply that it's a greater privacy threat.
| agumonkey wrote:
| do we need randomized dom nodes?
| mumblemumble wrote:
| I guess I'd have to hear more details to know exactly what
| you're thinking, but my first instinct is to say that doing
| something like that would break CSS and accessibility
| without actually offering any significant impediment to
| tracking.
| agumonkey wrote:
| I was mostly wondering about privacy up to the dom layer
| (if that's even possible)
| 0des wrote:
| The cohort concerned about tracking, one would think,
| would not be deterred by broken CSS considering they
| already live in a JS-free world and might be used to some
| visual-compromise when browsing.
| catillac wrote:
| No.
| carlosf wrote:
| ISPs do not know as much as Google/FB thanks to SSL, but they
| know a lot more than you'd think by analyzing connection
| metadata.
|
| Also many ISPs are also carriers, which makes things worse.
|
| Source: worked for telcos, have seen a lot of shady stuff
| myself.
| morelisp wrote:
| ISPs have perfect knowledge of your IP, so if they can get
| even basic traffic logs from _anything else_ they can reconstruct
| your browsing history more accurately than any other third-
| party. Since you are probably visiting your ISP's site
| regularly to pay your bill, there are also a lot of
| possibilities for them to regularly associate third-party
| cookies with your login. They also have the highest-quality
| ambient location data (outside of explicit app permissions)
| to link with all of that.
| amarant wrote:
| I guess there are feasible attacks if the ISP is sufficiently
| motivated. They can't read the data transmitted, but they
| know how many bytes are in it, and with a cross reference on
| page sizes in the domain you're on, they might be able to
| narrow it down considerably (maybe even to 1 possible page).
|
| A more far-fetched attack is a sort of timing attack: if you
| first visit arstechnica.com and then shortly afterwards visit
| Amazon.com, one could look for links to Amazon on arstechnica
| and from there have a decent guess what product you viewed on
| Amazon. This becomes a lot more feasible when paired with the
| first attack mentioned above.
| foobiekr wrote:
| These are all smart thoughts but you've clearly never
| worked for or with an ISP. As business entities in general
| they don't have that kind of technical sophistication. They
| are more on the level of "we have to hire these vendor
| consultant groups to install VMs for us" than "we build a
| crawler so that we can use domain plus byte count to
| de-anonymize visited pages."
| [deleted]
| Pick-A-Hill2019 wrote:
| BT (a UK ISP) were up to hijinks in 2008 - "BT and Phorm:
| how an online privacy scandal unfolded"
|
| https://www.telegraph.co.uk/technology/news/8438461/BT-and-P...
| foobiekr wrote:
| Yes. The problem for them is that times have changed.
| geraneum wrote:
| It doesn't matter that most of them might not be that
| capable. They just hoard this data and sell it to the
| people with the means and resources.
| foobiekr wrote:
| It's not that easy to hoard when you have less than one
| competent engineer in the company and have to contract
| out to some vendor to build the data lake where they can
| hoard it.
|
| Hoarding itself is beyond the sophistication of most
| service providers in the present day.
| HWR_14 wrote:
| I'm jealous of the fact that you're not aware that there is a
| solution for this. What do you think VPNs are selling? It's
| specifically relief from ISP-level tracking.
|
| It's profitable enough that there seem to be ads for it baked
| into everything. I won't repeat their name here, but have you
| avoided that "Sponsored by NxxxVPN" all over the Internet/baked
| into every YouTube video that has sponsored videos?
| elliekelly wrote:
| I only know enough about networking to be dangerous but I am
| convinced Comcast is doing shady shit with my modem when I
| change the DNS settings to use non-Comcast servers. Every once
| in a while I'll attempt to use Wireshark to try to make sense
| of what's happening but I'm pretty clueless and don't really
| know what I'm looking at/for.
|
| If anyone knows any good resources to learn about the ISP nuts
| and bolts that make internet magic happen between my modem and
| everyone else's servers I would be most appreciative.
| Proven wrote:
| in other words, you've clue what's going on with your
| clients, but it must be Comcast because you're knowledgeable
| enough to know it's not you. right.
| jaywalk wrote:
| Comcast isn't doing anything to your DNS. They're the largest
| ISP in the country, there'd be a huge uproar if they were
| doing something like that. There are plenty of experts who
| are subscribers who'd be able to figure out exactly what's
| going on.
| selectodude wrote:
| I find Comcast's fuckery to be limited to their business
| practices. Their actual IP network seems to be very solid.
| jaywalk wrote:
| 100% agreed. And I've been a Comcast customer long enough
| to have seen the days when that certainly wasn't the
| case. They've made some pretty big mistakes in the past,
| but they seem to have learned their lesson.
| addingnumbers wrote:
| That couldn't be more wrong. They literally published an
| IETF draft standard on how they do it.
|
| https://datatracker.ietf.org/doc/html/draft-livingood-dns-
| re...
| jaywalk wrote:
| That draft is referring to the operation of _their own_
| DNS servers, not messing with third-party DNS.
| addingnumbers wrote:
| "... except in reasonable and justifiable cases where a
| user has been placed into a so-called "walled garden" for
| reasons of abuse, security compromise, account non-
| payment, new service activation, etc."
|
| Their own words
| jaywalk wrote:
| What's your issue with that? In that scenario, the user
| doesn't even have Internet access. If they didn't force
| the DNS to specific servers, the user would only see that
| their service isn't working with no indication as to
| what's going on. It's clearly not something they do with
| normal, functional users and I never said that they
| didn't have the _capability_ to do it.
| addingnumbers wrote:
| That was a pretty rapid shift from "Comcast isn't doing
| anything to your DNS" to "So what if they are? There are
| times when they should!"
| jaywalk wrote:
| Yeah, wow I guess I should have included the caveat
| "Comcast isn't doing anything to your DNS... except when
| you literally don't have Internet access and couldn't
| reach a third-party DNS server anyway"
| addingnumbers wrote:
| If you wanted to be honest you could have said "I have
| literally no idea what Comcast is doing with DNS, but I
| will attempt rationalizing everything they do as I am
| gradually informed of it"
| [deleted]
| wizzwizz4 wrote:
| There's _already_ a huge uproar around Comcast. But Comcast
| isn't losing any customers, because they have monopolies.
| jaywalk wrote:
| Yeah, uproar around prices and speeds and stuff like
| that. Nothing like screwing with third-party DNS
| requests.
| wizzwizz4 wrote:
| Actually, I have heard that claim more than once, about
| various providers (up to, and including, "when I changed
| my DNS settings and the traffic slowed down, the tech got
| me to change them back, and the traffic sped up").
|
| It's less common, I think, because more people know how
| to check their speed than change their DNS.
| jaywalk wrote:
| The only way I can think of that working is if the
| provider is intercepting DNS requests for popular speed
| tests to redirect to an internally-hosted version that
| would be faster. Otherwise, I can't think of any
| realistic way DNS settings can affect actual throughput.
| tialaramex wrote:
| So, suppose I'm Huge Video Streaming Corp X, and I get a
| DNS request asking me for the address of my servers. Well
| I have over a thousand servers around the globe, which
| one do you need? Any of them would work, but you likely
| want the fast nearby one, right? So I can try to guess
| based on the IP address the query came from...
|
| I know the best answer for a Comcast DNS server in New
| York is the server I physically installed in a New York
| Comcast rack, but when a public DNS server asks me from
| Paris, maybe I suggest a London server, 'cos that's
| pretty close to Paris, shame that New York isn't.
|
| EDNS Client Subnet is a feature that lets a DNS server
| say OK, I'm asking on behalf of somebody from 10.20.30/24
| and so my system can do the same trick with ECS. But
| doing this unwinds most of the privacy benefit of using a
| public service, so several famous public DNS servers
| explicitly do not use ECS.
|
| Obviously the cheap bulk host used for some Single
| Serving site like "Is pizza rat mayor of New York yet?"
| isn't affected, that is only one server and it is
| wherever it is, but somebody like Netflix absolutely is
| affected by this because they have their machines close
| to the customers to deliver better performance and if
| they don't know where the customer is that interferes.
|
| QUIC has an optional feature called Connection Migration
| to help improve this, the remote server is like "Um, now
| that you're connected to www.example.com here in Glasgow,
| Scotland, I notice your IP address is from Tokyo, Japan,
| and this is just a suggestion, but maybe talk to my
| identical twin also named www.example.com in Tokyo, Japan
| for better performance? Here is the IP address to try"
| jaywalk wrote:
| That's not what I meant by "actual throughput." The fact
| that a download is slower from a server halfway around
| the world versus one in the same datacenter where my ISP
| has a peering agreement near me isn't because my
| connection slows down when I'm hitting the far away
| server.
| tk75x wrote:
| This explanation makes a lot of sense. It also has a
| slight feeling of Hanlon's Razor, although there isn't
| necessarily incompetence involved (unless you count the
| technology's inability to find the absolute
| fastest/closest server [for whatever reason] as
| incompetence).
| wizzwizz4 wrote:
| If the ISP is checking for DNS lookup of speed test
| websites, then allocating higher bandwidth to the
| connection for a brief period of time?
|
| Or, somehow _more_ cynically, the ISP makes money from
| selling the data collected from DNS, so punishes people
| who use a different DNS provider. (DNS is plaintext-by-
| default, so I don't quite see how this would work, but
| it's possible.)
|
| Or perhaps the system uses DNS lookups as a proxy for "is
| a human browsing the web"; if there aren't enough, it's
| clearly some kind of automated computer program that
| doesn't deserve internet access.
| jaywalk wrote:
| Your first example would be dead simple to detect and
| take advantage of to get those boosted speeds all the
| time. Your other two examples are a bit wild.
| wizzwizz4 wrote:
| The first example is a real-life example. The other two
| are speculative, because I've heard a case where it _wasn't
| the first example_.
| _jal wrote:
| "Come on, what are you worried about? I'm sure it's fine,
| somebody must have inspected it."
| gruez wrote:
| While absence of evidence isn't evidence of absence, some
| guy's anecdote isn't really evidence of existence.
| jaywalk wrote:
| Well, I can tell you that I'm a Comcast customer who
| doesn't use their DNS, and I have no issues. If I did
| have issues, I also have the expertise to figure out
| what's going on.
| unknown_error wrote:
| Weren't they the ones who pioneered DNS hijacking of
| unknown domains to serve their own recommendations and ads?
| jaywalk wrote:
| No, that was VeriSign back in 2003:
| https://www.icann.org/en/announcements/details/advisory-
| conc...
| unknown_error wrote:
| Ah, OK. I didn't realize verisign did that too. Comcast
| followed not long after...
|
| https://arstechnica.com/tech-policy/2009/08/comcasts-dns-
| red...
| jaywalk wrote:
| Comcast used to do a lot of messed up stuff. As I
| mentioned in a comment somewhere close to here, I've been
| a customer long enough to have seen those bad days and
| how they've managed to change since those days.
| bewuethr wrote:
| I found The UNIX and Linux System Administration Handbook
| (5th Edition), chapters about networking and DNS very
| instructive, and they list a ton of additional references if
| you want to dig deeper.
| _jal wrote:
| The recommendation of _The UNIX and Linux System
| Administration Handbook_ is a good one.
|
| As far as Comcast, I'm stuck with them, too. At least in my
| experience, they don't monkey with DNS - I run and use my own
| DNS servers, and have never seen interference.
|
| They do run deep packet inspection, and if they detect you,
| for instance, torrenting commercial media, they'll inject
| scary messages in port 80 traffic. Given that nearly all web
| traffic is encrypted now, the main effect of this is to break
| things like automated `apt-get update`s.
|
| One thing you can do to detect transparent DNS hijacking is
| to ask a nonexistent server a question. Something like `dig
| @13.14.15.16 news.ycombinator.com` should not give you an
| answer. If it does, someone's spying on and/or gaslighting
| you.
| mikro2nd wrote:
| Curious: how can they detect whether you're torrenting
| commercial media if you've enabled Bittorrent protocol
| encryption? Surely all they can see then is the outer
| (envelope) of the packets...?
| tenebrisalietum wrote:
| Bittorrent trackers by design have a list of all IPs in
| the swarm and give to anyone who asks (that's how peers
| coordinate).
| Shank wrote:
| This is a bit of a misconception. Copyright holders have
| always gone after seeders based on people connecting to
| swarms, tracker info, and crawling DHT. There's no reason
| to use DPI when the list of uploaders is just given out
| by trackers and DHT for free. See:
| https://www.usenix.org/legacy/event/woot10/tech/full_papers/...
| livueta wrote:
| You're right that is how it generally operates, but in
| the case of Comcast I think this meme doesn't want to die
| because in the late 00s Comcast really did do DPI to
| interfere with torrents:
| https://www.techdirt.com/articles/20071029/020756.shtml
|
| Fairly googleable with "Comcast sandvine". Afaik they
| haven't done anything like that for years, though.
| tgragnato wrote:
| Exactly
|
| Bittorrent protocol encryption is only useful to protest
| against the use of DPI for bandwidth shaping, it has no
| influence on privacy.
|
| Even with (the weak) encryption, connections to trackers
| and DHT nodes are easily identified
| mikro2nd wrote:
| Thank you for clarifying this!
| gruez wrote:
| >I am convinced Comcast is doing shady shit with my modem
| when I change the DNS settings to use non-Comcast servers
|
| Well that's vague. What are the symptoms? How would comcast
| even know that you changed DNS settings? It's possible to
| infer that from DNS queries to their servers dropping off and
| traffic to 1.1.1.1 or 8.8.4.4 increasing, but I doubt comcast
| is competent enough to build that sort of detection system.
| yaur wrote:
| On my home network I just run a transparent proxy and
| direct all outbound traffic bound to port 53 to my local
| dns server, it's not hard.
| xnyan wrote:
| Interestingly enough, this is almost exactly how ISPs do
| it when they really want to get your attention. A couple
| years ago I forgot to update an expired credit card that
| I used to pay my spectrum cable bill. One morning every
| DNS request resolved to their "your account is about to
| be closed due to nonpayment" page. As I also use my own
| DNS server I was surprised by this, and sure enough
| everything going out of my network on 53 was being
| grabbed up by their CGNAT and sent to their DNS server.
| addingnumbers wrote:
| I just block all outbound port 53 traffic, any device or
| app that doesn't honor my DHCP-provided DNS resolver can
| suck it.
|
| Looking at you, Chromecast that tries 8.8.8.8 40 times an
| hour even though you know perfectly damn well that
| 10.10.10.1 is working
| robocat wrote:
| The DNS provided by many ISPs is not to be trusted, as
| per this thread, so how else can your Chromecast act to
| find a trustworthy DNS?
|
| And with newer devices that use DoH, you can no longer
| prevent devices from contacting their own DNS provider
| without totally firewalling them (or perhaps using some
| IP blacklist or whitelist, if available?)
|
| https://en.wikipedia.org/wiki/DNS_over_HTTPS
| addingnumbers wrote:
| When I said blocking all outbound 53 I meant no
| exceptions, my local forwarder already uses DoH to an
| outside resolver.
|
| Everything that I don't have complete visibility into the
| network stack of goes on a VLAN that does not forward
| traffic to the internet, it advertises a proxy via WPAD
| and DHCP option 252. I have a whitelist of hostnames that
| each device is allowed to make CONNECT requests to, so
| far there is only one.
|
| If it's not a plain unencrypted HTTP request to my proxy,
| or a CONNECT request involving a server/device pair I've
| decided to trust, it's not going anywhere.
|
| This breaks a lot of things that I would just as soon
| rather do without. I can't change my universal remote hub
| settings from the vendor portal, boo-hoo. I can't view my
| cameras from the hardened VLAN or from the internet
| (unless I VPN in first since the only copy of the
| recordings is on my local NAS)... good.
| roelschroeven wrote:
| I should think they just detect traffic from your IP
| address on port 53 to any IP address that's not one of
| their nameservers.
| elliekelly wrote:
| Sorry, I didn't get into details because I wasn't intending
| to ask HN to troubleshoot for me. But, since you asked...
|
| I have an "XFi Gateway" combination modem/router provided
| by Comcast (perhaps my first mistake) so the DNS settings
| are restricted and cannot be changed. I have the Comcast
| modem/router set to bridge mode and connected my own router
| where I _can_ control the DNS settings.
|
| My understanding is the DNS settings closer to the client
| control. So in addition to having set my router to
| Cloudflare's DNS I also set my devices as well. One day,
| maybe a year ago or so, I'm on HN and I click an archive.is
| link, read the article, and go to the discussion thread
| only to see several comments about how archive.is is
| blocked by Cloudflare DNS. I checked the DNS settings on my
| MacBook and router and I was indeed using Cloudflare DNS
| but for some reason I was able to access the "blocked"
| address.
|
| So I went to the terminal, cleared the cache, and checked
| nslookup archive.is and it responded correctly. Then I
| checked a nonsense DNS server: nslookup archive.is 5.9.3.7
| or something and it _still_ responded correctly. I tried
| the same with different websites and got the same result.
| So I searched "see my DNS server" or something and found a
| few websites but they all showed Cloudflare. Very odd.
|
| When I logged in with my VPN, Mullvad, and changed the DNS
| settings on the router and my laptop to Mullvad's and
| repeated the experiment it finally returned NXDOMAIN. Then
| I _disconnected_ from the VPN but left Mullvad's DNS
| settings, repeated the experiment _again_ with the same
| results - even when I was using a totally bogus DNS server
| it was returning the correct IP address.
|
| That's when I installed Wireshark and, lo and behold, I
| could see the requests that should have been going to
| 1.1.1.1 or 5.9.3.7 going to 75.75.75.75. Comcast.
|
| A call to Comcast was, as expected, a complete waste of
| time. First they told me it was using their DNS settings
| because of "their firewall" and then they told me that if I
| used _their_ built-in router rather than mine + bridge mode
| I wouldn't have the issue at all.
|
| Messing around in Wireshark I eventually determined the
| issue had something to do with one specific port that was
| making the requests (I can't recall how but I think because
| I could see Mullvad VPN was using a different port for
| DNS?) so I fiddled around and forced (or maybe redirected?)
| my router to use that port too and that finally worked in
| avoiding the Comcast servers. But, knowing just enough to
| be dangerous and not entirely sure what I was doing, I
| didn't keep the forced port and decided I'd have to get my
| own modem and use my VPN in the meantime.
|
| Before I had gotten around to buying a new modem (this was
| somewhat early in the pandemic) I saw a post on HN about
| NextDNS and decided I'd see if I ran into the same issue. I
| didn't, as far as I could tell at least. When I run
| Wireshark now (I still use NextDNS) I don't see any contact
| with 75.75.75.75 or 75.75.76.76. I _think_ this is because
| NextDNS uses DoH? But who knows.
|
| Like I said, I only know enough to be dangerous so perhaps
| I just had something configured in an odd way that made the
| Comcast servers step in as a fail-safe and there's a
| totally innocent explanation. But based on my experience as
| a Comcast customer I don't really think they're deserving
| of the benefit of the doubt so I've definitely got a bit of
| a tin foil hat when it comes to them secretly messing
| around with my traffic through the leased modem.
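Added example, not part of the thread: the check _jal describes with `dig @13.14.15.16` and elliekelly repeats with `nslookup archive.is 5.9.3.7`, written as a small Python probe. It assumes the probed address really runs no DNS service; the function names and the constructed sample reply are illustrative.

```python
import os
import socket
import struct


def build_query(name, txid):
    """Encode a minimal DNS query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def parse_header(packet):
    """Decode the fixed 12-byte DNS header, or return None if too short."""
    if len(packet) < 12:
        return None
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def classify(txid, reply):
    """Interpret what came back from an address that should stay silent.

    "silent"    - timeout or ICMP error: the expected, healthy outcome
    "unrelated" - bytes arrived but are not a reply to our query
    "answered"  - a DNS response matching our transaction id: something on
                  the path answered on behalf of the address we queried.
                  Even NXDOMAIN or SERVFAIL counts, since no resolver
                  exists at the target to produce it.
    """
    if reply is None:
        return "silent"
    hdr = parse_header(reply)
    if hdr is None or not hdr["is_response"] or hdr["txid"] != txid:
        return "unrelated"
    return "answered"


def probe(dead_server, name, timeout=3.0):
    """Send one UDP query to dead_server:53 and classify the outcome."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() makes the kernel drop datagrams from any other source.
        sock.connect((dead_server, 53))
        try:
            sock.send(build_query(name, txid))
            reply = sock.recv(4096)
        except OSError:  # timeout, port unreachable, no route
            reply = None
    return classify(txid, reply)


# Constructed sample: the header a rewriting middlebox would send back for
# transaction id 0xBEEF (QR=1, RD=1, RA=1, one answer).
SAMPLE_REPLY = b"\xbe\xef\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"

if __name__ == "__main__":
    # 13.14.15.16 is the address used in the thread; repeat with a few
    # other addresses you know do not run DNS before drawing conclusions.
    print(probe("13.14.15.16", "news.ycombinator.com"))
```

A "silent" result only covers plaintext DNS on UDP port 53; it says nothing about what happens to queries sent to resolvers that do exist.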
| xnyan wrote:
| I agree with you that comcast is incompetent, but
| everything becomes cheaper and easier over time and network
| hardware/software products that perform "deep" packet
| inspection at line rate as well as provide analytics on
| that returned data are now trivial and pretty much table
| stakes for Cisco, Juniper, Palo Alto et al.
|
| Specifically for detecting if a user is not using their
| DNS, yes you could correlate a user's http requests (unless
| you are using ESNI the requested domain is in plaintext by
| design) with traffic logs on their DNS server and observe
| that there was no DNS request to the ISP DNS server before
| a request was made, I don't think that would be necessary.
| Most users use the ISP default DNS - that's your baseline.
| If most customers hit your DNS X times per Mb of web
| traffic, then someone using a custom DNS is going to stand
| out like a sore thumb.
|
| Again, 100% agree that ISPs are not very technically
| competent (to put it mildly), but as time marches on the
| ability to both capture and more importantly analyze and
| report on that data is becoming cheaper and easier. ISPs
| want to get value from (sell) your data and vendors want to
| sell ISPs subscriptions to analytics and other platforms
| that bring them reoccurring revenue. Data from customer DNS
| is one of the most valuable sources of information an ISP
| has and I would be surprised if there was not at least an
| attempt to know how many customers did not use it.
| foobiekr wrote:
| ISPs right now are freaking out that their very expensive
| solutions like Nokia Deepfield are seeing less and less.
|
| Ten years ago you'd be right, but right now that business is
| dying rapidly.
| slightwinder wrote:
| ISPs are a blackbox and it's not possible to figure out what
| they do from user-side.
|
| There is also hardly anything you can do about it from your side.
| Using a vpn or similar solutions is only shifting the problem
| from one provider to another. You can reduce the exposure with
| some measurements, but they are also expensive and complicated.
|
| But for this (and other) reasons companies have started to fix
| it from the server-side by offering encrypted connections and
| working on ways to hide your trail from the middleman and their
| attached agencies.
| willis936 wrote:
| Encryption solves security, but doesn't entirely address
| privacy.
|
| An ISP might not know what a user does at pornhub.com, but
| the ISP does know when and how often the user visits
| pornhub.com and how much data is exchanged when they do. I'm
| sure _someone_ would pay for that kind of fingerprinting.
| ForHackernews wrote:
| Almost everything is SSL-secured now. There's not very much an
| ISP can snoop on. DNS lookups and IP addresses, I guess.
| ballenf wrote:
| The propaganda that metadata isn't a privacy threat is one of
| the biggest PR wins for the surveillance economy ever.
| atatatat wrote:
| the timing and size of everyone's connection to everything is
| "not very much"?
| vntok wrote:
| Indeed it is not. Unless of course you find a way to map
| the timing and size of a pageload to its potentially
| sensitive content, in which case do tell.
| HWR_14 wrote:
| > Unless of course you find a way to map the timing and
| size of a pageload to its potentially sensitive content,
| in which case do tell.
|
| Wasn't there a HN story about people doing exactly that
| to figure out what condition people were looking up on
| WebMD? I don't recall when.
| [deleted]
| yabones wrote:
| TLSv1.2 traffic contains the hostname of the site you're
| connecting to, and the list of ciphers. This can be
| fingerprinted to identify your browser, and the server-side
| software. [1]
|
| TLSv1.3 on the other hand _sometimes_ encrypts the hostname
| (eSNI) and most of the TLS handshake, so there's much less
| data to fingerprint. It's not as widely supported, but
| support is growing...
|
| [1] https://engineering.salesforce.com/tls-fingerprinting-
| with-j...
|
| //Edited to clarify that eSNI isn't default behaviour of 1.3
| Aissen wrote:
| ECH (the new name of eSNI) is not even out of draft status
| yet, so it's misleading to put it on the same level as TLS
| 1.3 (although you did say it was not as widely supported,
| it's an understatement).
| elithrar wrote:
| > TLSv1.3 on the other hand encrypts the hostname (eSNI)
|
| eSNI is not the default behavior, and has few deployments
| at scale. TLSv1.3 transmits SNI in the clear.
|
| eSNI is being replaced with ECH[1], but in many cases,
| there is a 1:1 relation between the IP address and the site
| being served. ESNI and ECH are only one layer of
| obfuscation - a middleman (such as an ISP) could still
| snoop your DNS (unless DoH/DoT) and/or correlate the IP
| addresses you connect to against the hostname(s) presented
| on that server.
|
| Attackers already do that today with nmap - scan publicly
| addressable ranges on port 443 and see what names are on
| the certificate presented by the server.
|
| [1]: https://blog.cloudflare.com/encrypted-client-hello/
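Added example, not part of the thread: what an on-path observer reads from a ClientHello that offers TLS 1.3 without ECH, which is the point elithrar makes above. The hello is built locally by a constructed helper (`build_client_hello`, zeroed random, one cipher suite), so nothing here is captured traffic; all function names are illustrative.

```python
import struct


def build_client_hello(hostname, versions=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data

    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0
    sni = ext(0, struct.pack("!H", len(entry)) + entry)    # server_name
    vers = b"".join(struct.pack("!H", v) for v in versions)
    supported = ext(43, bytes([len(vers)]) + vers)         # supported_versions
    exts = sni + supported
    body = (
        b"\x03\x03"                 # legacy_version
        + bytes(32)                 # random (zeroed in this sample)
        + b"\x00"                   # empty session id
        + b"\x00\x02\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # null compression
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _vec(buf, off, len_bytes):
    """Read a length-prefixed vector at off; return (data, next_offset)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    start = off + len_bytes
    end = start + n
    if end > len(buf):
        raise ValueError("truncated")
    return buf[start:end], end


def inspect_client_hello(record):
    """Return {"sni": str | None, "versions": [int]} from one TLS record.

    Returns None when the bytes are not a complete ClientHello (wrong
    record type, or a hello fragmented across several records).
    """
    if len(record) < 9 or record[0] != 0x16:     # not a handshake record
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:             # not a ClientHello
        return None
    info = {"sni": None, "versions": []}
    try:
        body, _ = _vec(hs, 1, 3)
        off = 2 + 32                             # skip version and random
        _, off = _vec(body, off, 1)              # session id
        _, off = _vec(body, off, 2)              # cipher suites
        _, off = _vec(body, off, 1)              # compression methods
        if off >= len(body):                     # hello without extensions
            return info
        exts, _ = _vec(body, off, 2)
        pos = 0
        while pos + 4 <= len(exts):
            etype = int.from_bytes(exts[pos:pos + 2], "big")
            data, pos = _vec(exts, pos + 2, 2)
            if etype == 0:                       # server_name
                names, _ = _vec(data, 0, 2)
                p = 0
                while p + 3 <= len(names):
                    name_type = names[p]
                    host, p = _vec(names, p + 1, 2)
                    if name_type == 0 and info["sni"] is None:
                        info["sni"] = host.decode("ascii", "replace")
            elif etype == 43:                    # supported_versions
                vers, _ = _vec(data, 0, 1)
                info["versions"] = [
                    int.from_bytes(vers[i:i + 2], "big")
                    for i in range(0, len(vers) - 1, 2)
                ]
    except ValueError:
        return None
    return info


if __name__ == "__main__":
    hello = build_client_hello("news.ycombinator.com")
    print(inspect_client_hello(hello))
```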
| tialaramex wrote:
| Right. The actual improvement from TLS 1.2 to TLS 1.3 in
| this respect is that in TLS 1.2 the _certificate_ was in
| the clear.
|
| Encrypted Client Hello isn't finished. I would say the
| basic idea is settled, but there are plenty of technical
| nits and it might be next year before they have a final
| document.
|
| Eventually the idea is that ECH will be GREASEd by always
| sending ECH data, if the client knows it is supported it
| will use ECH and if not then it will fill out the ECH
| data with random nonsense. Since it's encrypted, an
| adversary can't easily distinguish one from the other and
| a site which doesn't offer ECH will ignore the nonsense
| anyway.
|
| The idea of probing servers on port 443 works well enough
| for dozens of popular sites with dedicated servers, but
| much less well for the long tail. A bulk host won't give
| you a list of every customer just because you hit port
| 443 on each server and pled ignorance, you'll get a
| generic "Under construction" page and no information.
| gruez wrote:
| >TLSv1.3 on the other hand encrypts the hostname (eSNI) and
| most of the TLS handshake
|
| That's _supported_ in tls 1.3, but actual
| deployment/usage is spotty (it's an extension, not
| mandatory). AFAIK it also requires your DNS to cooperate,
| since that's how it gets the keys for the initial
| handshake.
| yoz-y wrote:
| TFA isn't though, for example.
| npteljes wrote:
| How are IPs "not much"? I get that you mean that they don't
| see the requests and responses themselves, but you can easily
| infer interests, life events, other particularities from the
| request targets and the timings alone.
| ForHackernews wrote:
| I mean, 95% of those IPs are just going to be some
| Cloudflare CDN anyway, right? I think you'd be hard-pressed
| to infer much real info from them.
| nextlevelwizard wrote:
| You can change browsers, but in many places you have no option
| on ISP. In any case your ISP probably doesn't care as much
| about selling your information since you are already paying
| them. Even if they are you can always use VPN to blind them.
| yoz-y wrote:
| With the amount of VPNs popping out it seems that there is more
| than almost none worrying.
| yoz-y wrote:
| A clarification as there seems to be some confusion:
|
| Whether VPNs solve the issue or not is irrelevant to my
| point. Their primary advertised feature is to hide your
| traffic from your ISP, McDonalds or whoever, and people buy
| them. (Secondary feature is masking location for streaming
| services, which doesn't really work).
| pwdisswordfish8 wrote:
| It's not like VPNs don't have the exact same problem,
| though...
| yoz-y wrote:
| They do, but at least in theory, their business model is
| built on not selling the information.
| ziml77 wrote:
| Given how much ISPs charge I don't think they need to
| sell info to make money.
|
| As garbage as most US ISP options are, I'd trust them
| long before I trust random VPN services. And I can be
| reasonably certain that my physical connection goes to
| Verizon. My virtual connection could be going anywhere
| and I just have to believe that it's to people who are
| who they say they are.
| kube-system wrote:
| This is exactly the business model for some VPNs,
| particularly the free or very-cheap variety.
| gruez wrote:
| There's still an element of trust involved, but it's better
| than the status quo of "we'll monitor your internet, take
| it or leave it" from the ISPs.
| rovr138 wrote:
| If you turn on your VPN, they can do exactly that.
|
| You're just trading one for the other and that new one
| might not even have to follow the same laws.
| eldaisfish wrote:
| except that if a VPN provider is caught selling your
| data, they are toast.
|
| any VPN worth its salt has a business model built around
| not logging data and not selling data. Your ISP on the
| other hand, is in the business of selling you internet
| access. Your data is a secondary revenue stream for them.
|
| The two are not equivalent.
| rovr138 wrote:
| As long as you also clarify that their consumers must be
| following the news where that's announced.
|
| With us technical people it's more likely, but not
| necessary for others that may have just heard 'use a vpn'
| and went to the App Store, searched for 'vpn' and prepaid
| 3 years.
|
| Hide my ass VPN is still up -
| https://www.hidemyass.com/en-us/index
| duxup wrote:
| Yeah the amount of folks using rando free VPN they know
| nothing about is a little worrisome.
|
| Depending on where you live the likelihood of your ISP
| doing something exceptionally nefarious might be way lower
| than some random VPN client someone finds on an appstore.
| SamuelAdams wrote:
| You can encrypt your DNS lookups with several different
| services.
| AkshitGarg wrote:
| That still doesn't hide the IP you are connecting to unless
| you are on a VPN. They still know that if you are connecting
| to 209.216.230.240, it _could_ be hacker news. With the
| widespread use of CDNs, and hosting of multiple services on a
| single IP, this won't be 100% accurate, but the ISP can still
| connect the dots I guess
| swiley wrote:
| If it bothers you there's TOR and you can ssh to a vps. Most
| stuff is encrypted now and there are 3 different DNS encryption
| standards (one of which is actually good.)
|
| IMO: what's left of that issue is getting solved.
| graderjs wrote:
| I don't always find it odd, but when I do I find it odd that we
| worry so much about applications when the entire cell telephony
| networking layer is completely and unpatchably hacked.
| fay59 wrote:
| It's always been known that your carrier has access to your
| unencrypted cell traffic (including voice and text) and that
| carriers are slimy. You're also protected by using secure
| services over IP. I think that the set of people for whom
| this will cause a threat model change is really small.
| wyager wrote:
| Because you can work around that pretty easily with
| authenticating encryption. Even if the networking layer
| weren't hacked, you should assume it was.
| qeternity wrote:
| I have a feeling that you mean "easily" in the same sense
| the infamous Dropbox demo comment did.
|
| EDIT: I wasn't thinking, OP is completely right. Sorry for
| the snark.
| tormeh wrote:
| You can just use whatsapp or whatever. The phone network
| with SIP/SS7 etc. is hopeless, but you don't have to use
| it, and most people I know prefer other forms of
| communication anyway.
| qeternity wrote:
| Ah right, sorry understood. You're completely right...I
| wasn't thinking in terms of IP-based services.
| graderjs wrote:
| I mean more like not just the data transfer layer, but
| the whole cell telephony baseband firmware enables
| privileged access to your phone. This can be the entry
| vector for multiple exploits that go way below the
| application layer. E2E encrypt is meaningless at this
| level.
| xoa wrote:
| > _but the whole cell telephony baseband firmware enables
| privileged access to your phone_
|
| This is very outdated, at least for a significant number
| of smartphones (including all iPhones, but not limited
| just to those). Apple and IIRC other manufacturers long
| since isolated the baseband, treating it simply as a
| standard USB or PCIe peripheral (and in the latter case
| using an IOMMU with it amongst other things). It has zero
| special access to anything on the rest of the phone which
| in the smart phone era is where everything of interest
| actually lives and happens.
| zikduruqe wrote:
| ^ This. Prior to Apple, the phone OEMs and carriers had
| hooks all into your baseband firmware for all kinds of
| things; firmware updates, CALEA hooks, automatic
| provisioning, etc...
|
| Source - used to certify these things in a lab
| environment.
| deccanchargers wrote:
| I am currently using brave on android because it is the last
| latest stable browser that provides stacked Tab layout like this.
|
| https://github.com/michael-rapp/ChromeLikeTabSwitcher
|
| Latest chrome and its derivatives (except brave) have removed
| this in favour of grid layout which i dislike (they also brought
| in tab groups which i despise entirely)
|
| I know that brave has shady stuff like blockchain and ads, but
| they can be turned off. On desktop, i use firefox and i want to
| use firefox on android too but i find android firefox (fenix)
| janky.
|
| Please suggest me good browser and also a suggestion to chrome
| developers:
|
| _Please don't remove things that we like. At least provide
| option to enable it_
| Tepix wrote:
| German c't magazine tested all the main browsers in terms of
| privacy in the latest issue. Brave came out on top by a large
| margin. They even discovered that Edge sends a list of visited
| sites _while in private browsing mode_ back to Microsoft!
|
| I've heard some negative things about Brave but I'm willing to
| give it a try now because it may just be noise. I can imagine the
| advertising industry being very motivated to keep people away
| from Brave.
| smoldesu wrote:
| You should also try Vivaldi[0] if you're already shopping
| around. Once Firefox went belly-up last week I needed a new
| browser, and Vivaldi made the cut for me. They publish their
| source code and do a great job of stripping the Google features
| out of Chrome.
|
| [0] https://vivaldi.com
| smoldesu wrote:
| I will probably never use Brave exclusively because of the fact
| that BAT shoots their privacy shtick in the foot. Why is my
| personal exploitation opt-in now? I don't want my browser to make
| money, and I certainly don't want to be caught in the crossfire
| while Adsense and other major providers roll out their
| circumvention mechanisms. Why is it so hard for people to just
| pick Firefox or a half-decent Chrome fork?
| judge2020 wrote:
| > The only browser that does not use Google's web engine (blink)
| is Firefox
|
| Well, Safari is a thing on macOS and is the only browser engine
| on iOS. StatCounter[0], the data source behind caniuse, says it
| has nearly 19% market share as well.
| bruce343434 wrote:
| > brave-core-ext.s3.brave.com fetches 5 extensions and installs
| them. It is said that this might be a backdoor. But I don't want
| to get conspiracist. I prefer giving you verifiable facts. I'll
| limit myself to inform you about suspicious activities.
|
| Okay, so which 5 extensions? There has to be more information on
| this somewhere. Article seems kind of lazy and definitely loses
| steam after the second half.
| chias wrote:
| That part in particular set the tone for this entire post for
| me. It convinced me that I could not trust the author to be
| intellectually or rhetorically honest, at which point I no
| longer see any value in this write-up. It also helped me read
| the rest of this post in the correct context.
|
| "Many people are saying this. Note that _I'm_ not saying it, I
| only say true things. But I want you to think it anyway."
|
| _Really?_
| kunagi7 wrote:
| Well... There's a more serious first start browser comparison
| by netmeister.org [0] which shows that 4 downloads are made.
|
| I downloaded and extracted the files. They look like helpers or
| partials for Brave internal extensions.
|
| All of them include manifest files with their names:
|
| - 1_0_14: "Brave HTTPS Everywhere Updater extension". Contains
| a 1MB ZIPped database of https domains.
|
| - 1_0_21: "Brave NTP sponsored images component". Contains
| three photos (to display in their new tab probably).
|
| - 1_0_22: "Brave Local Data Files Updater extension". Seems to
| contain whitelists and blacklists for extensions, autoplay,
| referers, trackers, etc.
|
| - 1_0_498: "Brave Ad Block Updater extension". Contains a 2.4
| MB filter list for their adblocker implementation.
|
| Nothing seems to be harmful at all. This mechanism is used by
| almost all Chrome/Chromium based browsers to update their
| internal extensions and components.
|
| But, if the poster cares about backdoors... Well, every major
| browser out there has features that could be used to backdoor
| their users like Firefox Telemetry Experiments (which download
| xpi files) and Chrome Components. They also can change
| properties at will unless it's disabled (via flags,
| about:config, recompiling, etc).
|
| Note: I'm a Vivaldi and Chromium user. I only use Brave with
| iOS which is kind of a different beast (since everything has to
| be implemented on top of iOS provided WebKit) since it somehow
| blocks ads better than stock Safari with AdGuard filters. For
| stuff like banking (on iOS) I use Safari.
|
| Note 2: Blink and WebKit have deviated quite dramatically so
| they are indeed different browser engines (like Gecko is) with
| different implementations, quirks and bugs.
|
| [0] https://www.netmeister.org/blog/browser-startup.html
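The manifest check described in the comment above, as an added example (not code from the thread or from Brave): it walks a directory of already-extracted component folders, reads each `manifest.json`, and separates data-only updaters from components that declare code-bearing manifest keys or ship script files. The folder layout, file names and manifest contents are constructed for illustration; only the component name string comes from the comment.

```python
import json
import tempfile
from pathlib import Path

# Standard Chrome extension manifest keys that let a component run code or
# reach into pages, as opposed to only shipping data files.
CODE_KEYS = ("background", "content_scripts", "permissions",
             "host_permissions", "externally_connectable")
SCRIPT_SUFFIXES = {".js", ".mjs", ".html", ".wasm"}


def audit_component(folder):
    """Summarise one already-extracted component folder."""
    try:
        manifest = json.loads((folder / "manifest.json").read_text("utf-8"))
        if not isinstance(manifest, dict):
            raise ValueError("manifest is not a JSON object")
    except (OSError, ValueError) as exc:  # JSONDecodeError is a ValueError
        return {"folder": folder.name, "error": str(exc)}
    declares = [k for k in CODE_KEYS if manifest.get(k)]
    scripts = sorted(p.relative_to(folder).as_posix()
                     for p in folder.rglob("*")
                     if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES)
    return {"folder": folder.name,
            "name": manifest.get("name", "<no name>"),
            "version": manifest.get("version"),
            "declares": declares,
            "script_files": scripts,
            "data_only": not declares and not scripts}


def audit_tree(root):
    """Audit every sub-folder of root, in name order."""
    return [audit_component(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample(root):
    """Write constructed sample folders; none of this is real Brave data."""
    def write(folder, manifest_text, extra_files):
        d = root / folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(manifest_text, "utf-8")
        for name in extra_files:
            (d / name).write_text("constructed placeholder", "utf-8")

    write("1_0_498", json.dumps({"manifest_version": 2, "version": "1.0.498",
          "name": "Brave Ad Block Updater extension"}), ["filters.dat"])
    write("hypothetical_with_code", json.dumps({"manifest_version": 2,
          "name": "Hypothetical component", "version": "0.1",
          "background": {"scripts": ["bg.js"]},
          "permissions": ["webRequest"]}), ["bg.js"])
    write("broken", "{not json", [])  # unreadable manifests must be surfaced


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for row in audit_tree(Path(tmp)):
            print(row)
```

A `data_only` result says the component ships no code of its own; it says nothing about how the browser uses the data, so filter lists and allowlists still need reading.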
| upofadown wrote:
| You can see them listed at the bottom of this page:
|
| * https://spyware.neocities.org/articles/brave.html
|
| ... which doesn't really add anything to the original assertion
| as we don't know what the extensions might do. The statement is
| all there is.
| celsoazevedo wrote:
| Could it be some of Brave's features that seem to use extensions?
| For example, if I enable the "IPFS companion" or "WebTorrent",
| they show as extensions under the browser's "task manager":
| https://i.imgur.com/PFRkv5l.png
|
| The only other thing I could think of is "chrome://components/"
| which also exists on Chrome and updates some browser
| components.
| losvedir wrote:
| Can someone explain the point in the article that Facebook can
| still track you if the script is loaded from an edge cache and
| the browser doesn't send cookies?
|
| I can think of unique script URLs, but if it's coming from an
| edge cache, presumably it's not that unique.
|
| And maybe some sort of JS-based fingerprinting? But since Brave
| controls the browser, it's within their control to try to make
| the browser environment homogenous across users. I think Tor
| Browser does something like that, not sure about Brave.
|
| Any other attacks I'm not thinking of?
|
| edit: oh, if the script makes a request back to FB, then I
| suppose your IP address is available...
| oofbey wrote:
| I think the OP is just wrong here. I personally agree with
| Brave's statement that they are protecting users here. The
| assertion that "Anyone who knows a bit about how JavaScript
| works and it's [sic] capacities to track you without the need
| of using cookies will be laughing after reading that." I know a
| thing or two about JavaScript and I'm not laughing, I'm
| genuinely confused about what the OP thinks the problem is
| because I don't see one.
| celsoazevedo wrote:
| Notes about some of the points made:
|
| - The built-in blocker, just like the blocker on Firefox, Edge or
| Opera, isn't that good. That's why you should install something
| like uBlock Origin on top.
|
| - If all scripts from Facebook and Twitter are blocked, you'll
| end up with broken pages. Some pages have Facebook comments,
| which won't load if you block all Facebook domains. Embedded
| tweets also won't work if Twitter is blocked. Not everyone is an
| advanced user, so I understand why they decided not to block
| everything (they give you the option to block this - check your
| settings).
|
| - Brave Rewards... for users: you don't have to use it.
| Independently of the DNS queries, you won't see any ads if you
| don't opt-in. If you decide to join, you'll get some BAT at the
| end of the month. It's not 100%, but it's more than the 0% you
| receive from Google Adsense.
|
| - Brave Rewards... for website operators, youtubers, etc: I think
| this is where we sometimes miss the point. Users are already
| blocking your ads! Even if they don't use an extension for that,
| the built-in blocker in Brave, Opera and Firefox already block
| some or all of your ads. That revenue is gone.
|
| So, and if users opt-in, you'll be able to make some money via
| Brave Rewards (we just have to confirm that we own the site, like
| a Google Webmaster Tools verification). Again, users already
| block your ads. Between _no revenue_ and _some revenue_, what's
| better?
|
| We should also keep in mind that by default, the money users
| receive is then shared among the sites they visited. In practice,
| users are sending you a small monthly payment/donation for using
| your site, viewing your videos, etc.
|
| - "You may have seen in the past a fork of Brave which removed
| telemetry and other shady practices from Brave. It was called
| Braver."
|
| Not sure what's the surprise here. We can't create a _Firefoxer_
| or _Edgier_ without getting in trouble with Mozilla or Microsoft.
| Being able to fork doesn't mean that we can use the same name.
| turminal wrote:
| Brave is a scam, but recommending palemoon or icecat is (for
| different reasons) also a bad idea.
| jonathansampson wrote:
| How exactly is Brave a scam? The author certainly couldn't
| argue this point (detailed response to their claims can be
| found here: https://news.ycombinator.com/item?id=27552530).
| turminal wrote:
| The fact that the author's arguments are flawed (imo not all of
| them are) does not imply their claim is incorrect. A lot has
| been written on the topic elsewhere, I'm sure you will be
| able to find some better explanations if you so desire.
| didericis wrote:
| Can you elaborate on why palemoon and icecat are bad ideas?
| Haven't used either. Am assuming they're further behind on the
| latest web standards?
| turminal wrote:
| They both lack the manpower to keep up. I personally don't
| mind missing on the latest features, but I don't want my
| software to be full of old security holes that were patched
| long ago in upstream Firefox.
|
| Besides, I have once witnessed a conversation between
| Palemoon developers and some distro's packagers about usage
| of palemoon logo or trademark or something like that. The
| developers spoke in a very entitled tone and it was quite
| off-putting.
| underseacables wrote:
| I find I use brave only as a last resort to get around
| anti-ad-block websites, or quasi paywalls, etc.
| randomperson_24 wrote:
| Can't we just like use Brave / Firefox and block all tracking
| domain names with something like pihole?
|
| Does the browser not at all work then?
| roenxi wrote:
| The people arguing that Firefox has an edge because it maintains
| a separate browser engine (like the writer of this article) are
| going to have real difficulties making their argument. Ditto the
| attacks on Brave for not being private enough. The people who
| care about privacy should be more worried about getting caught in
| Google's web of properties than about privacy per se - that
| company is bad news. And Firefox is more closely aligned with
| Google's interest than Brave is. Look at how much money Google
| has been funnelling to Firefox over the years.
|
| Having a different engine is really more of an inconvenience than
| a strength - it means that sometimes pages will not work in
| Firefox. Having an independent engine was important when it was
| IE6 vs the open web. It doesn't matter much when the engines
| involved are BSD license vs GPL.
|
| If Chrome was all proprietary licenses then having an independent
| engine would matter. But the internet likes to standardise on
| one, open, technology.
| bambax wrote:
| You may be right, and you may not be. It has to be good that
| there are more than exactly one engine, it means there is a
| discussion, some level of "forced openness".
|
| That wouldn't be possible if web developers could simply rely
| on undocumented quirks of a sole browser.
|
| It's possible that FF will die. But I think that would be
| extremely sad. For one, Manifest V3 would be forced upon the
| entire web => no more uOrigin.
| roenxi wrote:
| > It has to be good that there are more than exactly one
| engine...
|
| Well, that is kinda the point. No, it doesn't. It might be
| worse than having one great de-facto standard engine. Having
| 2+ splits web developers in what they choose to support.
|
| In this instance, we literally have a young company (Brave
| Software, Inc) that chose to go head-to-head with Google.
| Their CEO is deeply entwined with the history of first
| Netscape then Mozilla/Firefox. They went with Chromium.
|
| That is a pretty searing indictment of the "an independent
| engine is important" argument. If Eich doesn't think Firefox
| is up for the challenge, what exactly is the gameplan here?
|
| Nobody is saying Mozilla has to die, whatever that means. But
| if there is an advantage to its existence that advantage is
| difficult to spot. Firefox doesn't even have the thriving
| extension ecosystem it could once boast about - they killed
| most of it off. There is nothing useful there except a
| different set of quirks.
| roca wrote:
| Using Gecko (or Webkit) would have added extra risk for
| Brave. When you're starting a company, especially a browser
| company that's going to take on Google at some level, you
| need to minimize all unnecessary risks. I don't blame
| Brendan for doing that.
|
| Plus, when Brendan started Brave, Firefox was further
| behind in performance and architecture than it is now.
|
| Plus, Brendan's departure from Mozilla was somewhat messy
| and I don't blame him for not wanting to keep a Mozilla
| dependency.
|
| > Having 2+ splits web developers in what they choose to
| support.
|
| Having one engine, Chromium, would mean Google gets a
| completely free hand to make almost all decisions about how
| the Web works. Also, Web sites would have no chance of
| noticing they depend on Chromium bugs --- very bad for the
| future of the Web (and for Chromium).
|
| Now, Webkit is also a very viable engine. The problem with
| relying on Apple is that they have a powerful disincentive
| to let the Web platform be a viable competitor to iOS.
|
| This is why Mozilla matters.
| bambax wrote:
| > _Nobody is saying Mozilla has to die, whatever that
| means._
|
| To die means having so few users that development is
| abandoned and the teams disbanded. It could happen; I wish
| it doesn't; you seem to wish it does... because it would
| make the life of web developers a little simpler?
|
| But I don't think that's true; I think it's the opposite:
| web development would be a little more difficult if/when
| everything is controlled by just one company who decides
| unilaterally what can be done and what can't.
| roenxi wrote:
| There is no risk of everything being controlled by one
| company. That is why it is acceptable for there to only
| be one browser engine.
|
| Observe that Brave, inc is using the chromium engine in a
| way that opposes Google.
|
| Mozilla has developed a bunch of great features in the
| last few years. If they were developing on Chromium, most
| of the internet would have access to them. Instead, only
| a minor subset do. This is a bad strategy.
| roca wrote:
| I don't think you understand how Chromium works. Google
| makes all the important decisions. People have advocated
| for independent governance (e.g. some kind of Chromium
| Foundation) but Google isn't interested.
|
| E.g. Brave opposes Google in some ways but they have no
| say in the development of Web standards implemented by
| Chromium.
| roenxi wrote:
| It is open source. If someone doesn't like a decision
| they can fork the codebase.
|
| Mozilla's Gecko has been beaten down to sub-double-digit
| market share, they're less relevant right now than when
| IE6 was >75% of the market. They have no power to
| influence the direction the web moves in. And yet life is
| going on better than ever.
|
| If you want a counterbalance to stop Google making the
| important decisions, Firefox has failed spectacularly.
| And yet Google doesn't have any power to move the web in
| a direction it doesn't want to go - because their engine
| is open source and that is what actually matters here.
| matrus wrote:
| To make any dent to Google's dominance over the web a
| potential fork would first have to gain any noticeable
| traction. This seems highly unlikely if well funded
| companies like Microsoft or Mozilla weren't able to
| leverage their properties (Windows in Microsoft's case)
| or their brand (Mozilla) so far. Plus, any major fork of
| Chromium would have to compete with Chrome's vast
| development budget.
| shadofx wrote:
| >It doesn't matter much when the engines involved are BSD
| license vs GPL
|
| Without a competing engine, Google is free to cease development
| on Chromium and start a new private fork, and autoupdate all
| Chrome browsers to that new fork. Then they can add all sorts
| of web features that only they support. Every browser dependent
| on Chromium will fall behind in security updates and web
| features, and become more unusable than Firefox is today.
| roenxi wrote:
| If Google did that, we'd be better off with the Mozilla
| corporation taking over Chromium development than continuing
| to develop Gecko.
|
| The erosion of interest in Firefox over the years raises a
| pretty basic question: if Google followed through with that
| scenario, how effective would Firefox be? They got
| steamrolled in the last decade with massive amounts of
| funding (from Google).
|
| Brave is literally showing that if someone wants to compete
| with Google, they're going to start with chromium as a base.
| Your argument is similar to "if someone wants to compete with
| Google, they need to be able to use Gecko/Webkit!". People
| with skin in the game are saying whatever the theoretical
| merits are to your argument, it is wrong. Gecko isn't part of
| the competitive equation any more.
| gjsman-1000 wrote:
| Firefox has had a load of conflicts of interest that people
| don't want to mention. For example, >90% of their funding comes
| from Google for being the default search engine. That means
| Mozilla doesn't want to upset Google _too much_.
|
| As a result, what have we seen? _Safari_ has added new privacy
| features, that should have been obvious, before Firefox.
| DuckDuckGo, which Mozilla staff generally recommend, isn't the
| default which is odd for how vocal Mozilla likes to be about
| how we're great for your privacy and an open web.
|
| The point is that by receiving >90% of their funding from
| Google, Mozilla can continue existing. And also be a hypocrite
| in their actions.
| dralley wrote:
| >As a result, what have we seen? Safari has added new privacy
| features, that should have been obvious, before Firefox.
|
| Firefox has added plenty of "obvious" privacy features that
| no other browser has. Container tabs are amazing (and
| incredibly useful even apart from maintaining privacy).
|
| Where is uBlock Origin or uMatrix for Safari? They can't
| exist because Apple doesn't really care about the browser
| extension ecosystem and doesn't implement the APIs. Apple has
| very different priorities than Mozilla does, and that's not a
| dig at either of them.
|
| Given that, I'm not sure it's a great idea to assign ulterior
| motivations to the delay, especially since Firefox _does_
| eventually get those features.
|
| https://techcrunch.com/2021/02/24/mozilla-beefs-up-anti-
| cros...
| jccalhoun wrote:
| I currently have Firefox, Edge, and Chrome open. I also have
| Opera and Vivaldi installed (and I think I might have Maxthon
| too). I use them for different purposes. Firefox for personal
| stuff, Chrome on my second monitor for social networks and
| twitch, Edge for my main work. Vivaldi for my part time job. I
| say the more browsers the better and I am definitely rooting for
| Firefox to help chip away at chromium's dominance.
|
| I don't have Brave installed because I am not overly concerned
| with privacy and the other browsers seem fast enough. I have
| ublock origin, noscript, and privacy badger installed on Firefox.
| That is good enough for me. I also think BAT is not really
| worthwhile.
| shilad wrote:
| The Epic Privacy Browser is still the best if you want a
| Chromium-based privacy browser. Brave cloned them anyway and
| added their crypto and reduced the privacy. Firefox isn't
| recommended for privacy, though TOR is of course very good for
| anonymity, but Epic is better for everyday use.
___________________________________________________________________
(page generated 2021-06-18 23:02 UTC)