The Brave browser is one of the more popular privacy browsers out there.
It's a full-featured browser available for many of the most popular platforms across mobile and desktop systems.
However, even though the browser is free and open source, the company behind it (Brave) has been involved in a number of privacy scandals.
Some of these scandals have included the Brave browser itself.
Even so, the Brave browser appears to be a user-friendly and effective privacy browser.
Today, we are going to evaluate its claims as a privacy browser. We will keep in mind the privacy controversies as we do so. Let's get started.
The Brave Browser at a glance...
- Good out-of-the-box tracker blocking capabilities
- Sync & availability on mobile platforms
- Privacy-related controversies surround Brave
- "Phoning home" issues
- Based on Chromium (may be a valid issue for some people)
The Brave browser got its official start in 2016. It was founded as a free and open source project by Brendan Eich, Mozilla co-founder and creator of JavaScript.
Brave has grown considerably since then. It is now backed by its own company, Brave Software, which has a full team of developers and other projects. The browser itself remains free and open source.
Brave claims to let users "take back control" (presumably from ad companies and trackers) with its browser. It also claims that the Brave browser gives a faster browsing experience, since it blocks "data-grabbing ads and trackers."
Brave also has a lot of integrations within the browser. It integrates Tor (desktop only) into its Private mode; IPFS nodes, for peer-to-peer sharing; and its own rewards system for viewing ads and earning BAT, a cryptocurrency.
Brave, the company, has been involved in some privacy issues in the past. Some of these include its injection of affiliate links into its Binance widget.
Brave is widely available across many different platforms, on desktop (Windows, macOS and Linux) and on mobile (Android and iOS). The stated requirements per platform:
- Windows: Intel Pentium 4 processor w/ SSSE2 support
- macOS: Intel Pentium 4 processor w/ SSSE2 support
- Linux: Ubuntu 16.04+, Mint 17+, Debian 9+, openSUSE 15+, Fedora 28+, CentOS/RHEL 8+
- Android: version 5+
- iOS: version 12+
Launch and set up
The installer downloaded from the official brave.com website is... interesting. It is not the browser binary in and of itself.
Once you hit "Run" on the UAC pop-up (I'm using Windows 10 for this review), the installer just "goes." It pulls the browser binary from bravesoftware.com and installs it that way.
I found this strange enough to note, because it is not common among privacy browsers. Usually you download the binary itself (a common one is a .exe for Windows), execute it (double-click), and then go through a local setup wizard.
This may raise a red flag for some users, because the installer immediately connects to the domain updates.bravesoftware.com to download the Brave browser binary and then execute it:
After the installer finished, Brave immediately launched. According to Sysmon, it made a number of DNS queries and connections right off the bat:
We can guess that these queries come from the various update services within Brave; why there are so many distinct subdomains is not clear.
After idling for a little over 10 minutes, Brave repeated its queries for componentupdater.brave.com and go-updater.com. It also queried:
We can guess that the first two queries relate to Brave's rewards system. I found this a little unsettling because I hadn't even configured Brave yet, much less opted in or out of the rewards system. For users who intend to enable Rewards, though, this is a non-issue.
p3a.brave.com is a call to Brave's "Privacy-Preserving Product Analytics" (P3A). Fortunately, this can be disabled from within Brave's settings.
The last DNS query, safebrowsing.brave.com, goes to Brave's proxied version of Google's Safe Browsing service. This tells us that Safe Browsing is on by default.
Keep in mind that this is all while sitting at the initial welcome screen:
From this initial welcome screen you can import bookmarks from other browsers, opt-out of Brave's analytics, set a default search engine, and "opt-in" to using the reward system.
You have the option of skipping this "welcome tour" altogether. Everything you would skip is adjustable within Brave's settings.
We'll dive into the privacy and security features of Brave here. We'll also cover any other unique features this browser has.
Built-in Tracker/Ad blocking
One of the many draws to Brave is the fact that it has a built-in ad/tracker blocker.
That's not to say it's the only privacy browser that ships with its own built-in ad/tracker blocking solution, but I will say it's really solid, especially compared to the lackluster "adblocker" in Avast's Secure Browser.
The "standard" mode of Brave's tracker blocker works pretty well:
There's also an aggressive mode. You should be aware that the aggressive mode can break sites, but I found that many still functioned fine during my use of the browser.
While I was mostly satisfied with the built-in blocker, I found myself wishing Brave detailed what trackers it blocked. At most, it will give you a number but no further details.
Brave also features fingerprinting protection.
It was hard to evaluate its effectiveness in the wild - I was getting a near constant "0" for "Fingerprinting blocked."
To get at least some evaluation of the fingerprinting protection, I resorted to the HTML5 Canvas Fingerprinting tool at browserleaks.com:
As you can see, my browser's fingerprint is "unique."
This isn't an immediate cause for concern, because I would get the same result in Firefox with the about:config setting privacy.resistFingerprinting set to true. (More information on Firefox Privacy.)
In Firefox, when refreshing the page, it will then kick out another randomized browser signature - which helps protect against fingerprinting in general. It especially helps in protection against HTML5 Canvas based fingerprinting.
However, I grew concerned because when I refreshed the page in Brave, the browser signature didn't change.
On the flip side, when I visit EFF's Cover Your Tracks tool, it claimed that my (Brave) browser had a randomized fingerprint:
To be fair, it's nearly impossible to 100% defend your browser from being fingerprinted in general, but I wanted to include this information to show that fingerprinting protection isn't a straightforward matter.
"Private" window w/ Tor
One of Brave's most distinctive "privacy" features is that it incorporates Tor into its Private browsing windows.
The biggest advantage is being able to reach .onion addresses without starting the "real" Tor Browser, however I wouldn't call it a replacement for Tor itself. This "Tor mode" only routes the window's traffic through the Tor network as a proxy; the browser on top of it is still Brave, not the hardened Tor Browser with its uniform, shared fingerprint, so you don't get the full benefits of Tor through the Brave browser.
There's also the fact that Brave's Tor window was leaking DNS requests. The reported bug has since been fixed.
If you're going to go browsing on the Deep Web itself, then do yourself a favor and use the real, properly configured Tor browser.
Built-in "script" blocker
Brave has out-of-the-box settings to block scripts. This is an independent setting from its tracker blocking capabilities and the browser's fingerprinting protection settings.
Brave runs on the open-source Chromium framework.
While the code is mostly maintained by Google, Brave appears to have stripped most, if not all, of the Google-dependent services from it (and in many cases replaced them with its own).
Brave is updated very frequently, and updates roll out quickly after new Chromium releases.
Frequent updates matter because Chromium is currently the most common browser engine on the internet and therefore the one attackers focus on. An exploit for a Chromium bug generally works against forks too, especially forks that lag behind upstream Chromium.
Regular updates fix known bugs and exploitable vulnerabilities and, in some cases, add new features or improve existing ones.
Brave features a cryptocurrency-driven rewards system, called Brave Rewards.
The cryptocurrency behind this rewards system is BAT (Basic Attention Token). You can earn BAT by enabling "privacy-respecting" ads, or acquire it by converting fiat (your "real" dollars) into BAT.
You'll need an Uphold cryptowallet in order to take advantage of the rewards system. This requires providing personally identifiable information to Uphold in order to open and "verify" your wallet.
For those interested, Brave has recently integrated the IPFS (InterPlanetary File System) protocol into its browser.
IPFS is a peer-to-peer network for storing and sharing data, mostly in the form of files. Being peer-to-peer, it is decentralized, and decentralization removes single points of control in much the way Tor's multi-hop routing does. Decentralization is not anonymity, though: an IPFS node announces the content it holds and requests to a public DHT, so other peers can see your IP address and the content hashes you fetch.
Good built-in tracker blocking
Overall, Brave's "shields" provides pretty decent tracker protection all on its own. It's probably the best native solution (as opposed to using an extension like uBlock Origin) I have seen in a privacy browser.
Because the built-in tracker blocking is pretty good, the browser has excellent out-of-the-box protection, meaning you are not fiddling with any settings or downloading any extensions.
With that said, most users will still get better tracker blocking capabilities using an extension like uBlock Origin.
Additionally, with uBlock Origin, you will have more direct control over what to block - as opposed to just using predefined "standard" and "aggressive" modes.
Brave comes with fairly good privacy-friendly defaults. It doesn't require a ton of tweaking to get started being more "private."
Sure, there are always settings to switch on/off and extensions to download, but Brave's vanilla and freshly-downloaded self makes for a decent privacy browser.
Controversies surrounding Brave
Brave has been at the center of a few different "privacy controversies" throughout the years...
In early 2021, it was revealed that Brave's private window with Tor was leaking DNS requests. The leaked DNS requests could be picked up by your ISP or anyone who happened to be snooping on your network.
Allegedly, the development team had been aware of the DNS leak for months, since it had been reported on its bug bounty platform. Users also reported it on Brave's official GitHub for close to a month before it was addressed.
In 2020, it was revealed that Brave was automatically injecting its affiliate code when certain domains (such as binance.us) were typed into the address bar.
So, if you typed binance.us into the address bar, Brave would autocomplete it to its Binance affiliate link. There was also the collateral issue that Brave was not forthcoming about its affiliate relationship with Binance until it was called out for doing this.
Around 2019, users questioned an update that contained a "hidden" whitelist of tracking URLs tucked within the source code.
Because the list is compiled into the browser, Shields will not block those domains no matter how it is configured; removing them means building Brave from modified source, or blocking them outside Shields (an extension such as uBlock Origin, or a DNS/host-level filter).
Apparently, this public issue was acknowledged by Brave, but has yet to be addressed within Brave's source code. There have been no domains removed from this hardcoded whitelist, but there have been additions over the years.
There's also the issue that some see Brave Software as little more than an "ad" company that pushes cryptocurrency to make a profit.
"Phoning Home" / Remote connections
First I want to say:
- You will find many articles on the internet that say that Brave is deemed the most "private browser."
- Most, if not all, of these articles will cite the Trinity College Web Browser Privacy study to support this statement
- I am not saying they are "wrong," but I'm not saying they are "right" either - I think a lot of misguided conclusions have been drawn from this study.
Second, in this specific instance, when I say "phoning home" I just mean the browser initiating background connections to remote servers. This is something Brave does a lot.
While Brave may not necessarily be transmitting identifiable information to its servers (at least according to the study), the fact that it calls several different domains every time it's launched is slightly unsettling. Brave's analytics can be disabled (which should stop the call to p3a.brave.com), but the constant update checks can't be modified or disabled easily:
These domains are what Brave will query for "updates":
There's nothing inherently wrong with automatically checking for updates. However, it falls into the same trap as Waterfox, where we can't expressly specify how often it should check. And where Waterfox queries one domain, Brave queries 3 to 4, sometimes 5, and it queries its update servers very frequently.
On occasion, Brave will also query pcdn.brave.com and brave-today-cdn.brave.com. This is Brave's "private content delivery network," and it's how it delivers its personalized news feed, "Brave Today." It's triggered when you continuously scroll down on the New Tab page:
Fortunately, Brave Today can be disabled, which should stop the call to at least brave-today-cdn.brave.com. The pcdn.brave.com query seems to be tied to some other processes within the browser.
Brave will call to safebrowsing.brave.com when "Safebrowsing" is enabled within the settings:
If you opt-in to Brave's reward system, you'll see multiple queries to its rewards API.
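To make the observations above (and those in "Launch and set up") repeatable, here is an added example that is not from this review or from Brave: it reads Sysmon Event ID 22 (DnsQuery) records in the XML shape produced by `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, keeps only those from brave.exe, and reports how often each domain was queried, the shortest interval between repeats, and whether this review found a settings toggle for it. The event records, timestamps, process IDs and image paths are constructed samples; the domain-to-purpose map is only this review's reading of what each domain does, not anything Brave publishes.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime

# Namespace used by Windows event XML as exported by wevtutil.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical image paths for the constructed sample below.
BRAVE = r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def _event(utc, event_id, image, query):
    """Build one minimal Sysmon event record (constructed test data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="UtcTime">{utc}</Data><Data Name="ProcessId">4242</Data>'
        f'<Data Name="QueryName">{query}</Data><Data Name="Image">{image}</Data>'
        "</EventData></Event>"
    )


# Constructed sample log: the domains are the ones named in this review;
# the timestamps and the 10-minute repeat are made up to mirror it.
SAMPLE_XML = "<Events>" + "".join([
    _event("2021-03-01 12:00:01.100", 22, BRAVE, "componentupdater.brave.com"),
    _event("2021-03-01 12:00:01.300", 22, BRAVE, "p3a.brave.com"),
    _event("2021-03-01 12:00:02.000", 22, BRAVE, "safebrowsing.brave.com"),
    _event("2021-03-01 12:00:05.000", 3, BRAVE, ""),                 # not a DNS event
    _event("2021-03-01 12:03:00.000", 22, EXPLORER, "example.com"),  # other process
    _event("2021-03-01 12:10:01.100", 22, BRAVE, "componentupdater.brave.com"),
    _event("2021-03-01 12:10:03.000", 22, BRAVE, "brave-today-cdn.brave.com"),
]) + "</Events>"

# What each domain does and whether a settings toggle stops it, per this
# review's findings (an assumption for this example, not Brave documentation).
KNOWN = {
    "p3a.brave.com": ("P3A product analytics", "toggle in Settings"),
    "safebrowsing.brave.com": ("Safe Browsing lookups", "toggle in Settings"),
    "brave-today-cdn.brave.com": ("Brave Today news feed", "disable Brave Today"),
    "componentupdater.brave.com": ("component update check", "no toggle"),
    "pcdn.brave.com": ("private CDN", "no toggle"),
    "updates.bravesoftware.com": ("installer / browser update", "no toggle"),
}


def parse_dns_events(xml_text, image_suffix="brave.exe"):
    """Return Event ID 22 records whose Image ends with image_suffix, oldest first."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if not data.get("Image", "").lower().endswith(image_suffix):
            continue
        events.append({
            "time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "query": data["QueryName"].lower(),
        })
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Per domain: query count, shortest gap between repeats, purpose and user control."""
    times = defaultdict(list)
    for e in events:
        times[e["query"]].append(e["time"])
    report = {}
    for name, stamps in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        purpose, control = KNOWN.get(name, ("unknown", "investigate"))
        report[name] = {
            "count": len(stamps),
            "min_gap_s": min(gaps) if gaps else None,
            "purpose": purpose,
            "user_control": control,
        }
    return report


def vendor_counts(events, labels=2):
    """Collapse hostnames to their last `labels` labels to see whose servers are contacted."""
    return dict(Counter(".".join(e["query"].split(".")[-labels:]) for e in events))


if __name__ == "__main__":
    evs = parse_dns_events(SAMPLE_XML)
    for host, row in sorted(summarize(evs).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{host:28} x{row['count']}  gap={row['min_gap_s']}  "
              f"{row['purpose']} [{row['user_control']}]")
    print(vendor_counts(evs))
```

Run it against a real export by replacing SAMPLE_XML with the file contents; any domain that lands in the "unknown / investigate" row is one this review did not account for, and the min_gap_s column is where a polling interval like the 10-minute repeat shows up.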
At the end of the day, Brave initiates too many remote connections to Brave Software servers for my liking. And in my honest opinion, that's not something that the "most private browser" should do.
Brave has real strengths in some aspects of privacy: decent tracker blocking right out of the box, and easier configuration than many other privacy browsers out there. But the cons can really outweigh the pros.
However, the cons are heavy. The privacy controversies that surround Brave are hard to ignore and quite frankly, they should not be ignored. Of these controversies, the presence of the hardcoded tracker whitelist is of most concern...
Ultimately, the Brave browser is a very easy browser to use and like... at least, until you start digging a little more.
You'll find Brave in our recommended browsers only because of its simplicity and immediate out-of-the-box privacy improving capabilities, AKA it's super user-friendly. This is especially true (and important) on mobile, since the availability of privacy browsers and their capabilities are far more limited on mobile platforms.
In the end, I feel that many other browsers, especially on desktop, offer more than Brave does once tweaked and configured for privacy, and without all the baggage.
However, for some non-power users who are willing to overlook the more "backend" or "reputation" issues that surround/have surrounded the browser, then Brave could prove a viable alternative to Google Chrome.
Hopefully this review gave valuable insights to you and/or aided in your personal decisions about your online security and privacy.
So, with that said and as always, stay safe out there!