Brave Browser update to 1.17.75-1 (AUR) wants to download tons of GiB - 15 million receiving objects - what is going on?

See … the issue is that this is a pretty ‘canned’ response that you can find almost anywhere.
I have read your policies, and I find them lacking.
I won't go into that just now … but let's start by pointing to history.
In this way we can get a feel for what has been promised, what has been done, and so even assuming the above response is honestly intended, we can find a realistic ‘track record’.

The first thing I can easily point to is the whitelisting of facebook domains:


That's a random publication on the subject … but the code itself, as well as the way GitHub issues tagged against it were handled, leaves a bit to be desired.

This would be less problematic if it were the first or last time.
See also scenarios like this:

I also find it quite interesting that many of the things I would like to mention are … conspicuously missing from github now. The links go nowhere.

To give an example, here is one that is still alive, and one that has become obfuscated:

https://github.com/brave/browser-android-tabs/releases/tag/1.0.74

I cannot stress enough how little trust I would have in an operation after I witnessed all of those things, regardless of whatever state the software is currently in.

Not to again mention that I have a hard time marrying the advertisements, documentation, and actions together into some cohesion of assured benevolence.

(PS - referencing yourself does not help … and while I think Trinity College is quite beautiful, I don't know that either Douglas or the ‘massaged’ samples are to be automatically taken as gospel - why not include actual privacy-focused browsers to compare against instead of stock firefox, stock chrome, stock safari? Seems like skewed results …)

I thank you for taking the time to respond … but I dare say you have not provided any substantive clarification.

8 Likes

…the whitelisting of facebook domains.

We whitelisted the scripts needed to support embedded posts, etc. But Brave prevented those requests from accessing client-side storage, transmitting cookies, etc. No tracking involved. In fact, we will have some really exciting developments in this space to share later this month.

It’s important to note, when you build a browser used by tens of millions of users, that you don’t break the Web. Similar exceptions exist in AdBlock Plus, uBlock Origin, and other Web-scale solutions. If we can ensure privacy while still enabling Tweets and Facebook posts to be embedded on various sites, we will do so. We offer controls for the user who wishes to block these requests as well.

Brave has a backdoor to remotely inject headers…

Brave doesn’t have its own, distinct user-agent string. The browser identifies itself as Chrome to web-servers. In lieu of a custom user-agent string, Brave added the navigator.brave.isBrave API for sites that need (or wish) to detect the user-agent.

But a client-side API isn’t always sufficient; some servers need access to this information in the Request Headers, where the User-Agent is typically parsed. As such, Brave hosts a list of URLs (laptop-updates․brave․com/promo/custom-headers) for which a custom request header ought to be added.

An externally-hosted set of instructions is not uncommon; we’ve seen it for the better part of 2 decades in the form of compat lists in various browsers. There is no security or privacy issue here.

I also find it quite interesting that many of the things I would like to mention are … conspicuously missing from github now. The links go nowhere.

Let me know what item(s) you’re interested in, and I’ll help look them up. The further back you go, you start to get into an earlier version of Brave we called “Brave Muon” (built from a hardened Electron). So it may be the case that some issues are simply irrelevant these days, and thus receive little-to-no attention. For example, you cited a 2018 issue regarding trackingProtection.js, which I don’t believe is even part of the browser these days. (Update: Confirmed. It’s outdated. I’ve closed the issue.)

referencing yourself does not help

I referenced a repeatable analysis with published results. You claimed that Brave makes money by tracking users. I pointed to data demonstrating otherwise (no tracking at all). I was certain you would object on the basis of it being my own review, so I provided an unaffiliated third-party review from Leith. Both found Brave to be the most private of all (popular) browsers tested.

why not include actual privacy-focused browsers to compare against instead of stock firefox, stock chrome, stock safari?

Browsers must be safe, secure, intuitive, and practical. Furthermore, they must be able to render and display the Web for the common user. Many hardened browsers and apps are safe, and secure. But they often lack intuitiveness and/or practicality. For example, I’m not worried about XSS attacks when I browse in Lynx. But I also don’t use Lynx, because I like to watch Netflix, stream music, and use various browser extensions :slightly_smiling_face:

Brave compares itself to other browsers which aim to check all of those boxes. Some of the “privacy-focused browsers” you have in mind very likely don’t aim to do the same. Our comparisons, and that of Leith (from Trinity College) focus on popular browsers, used by your average, everyday netizen.