
Brave browser can inject headers in HTTP requests - rvnx
https://github.com/brave/browser-android-tabs/commit/911770a07549ce53f49a9d87a5a19b4da29fb767#diff-35dd256442c3c60f5bec67e5b2a86cda
======
augbog
To be fair looking at the commit where it got merged, it was for a pre-release
beta build for Android and release notes specifically say

> That is a very first beta version of Brave Rewards on Android. It is pointed
> on test network. DO NOT TRANSFER REAL MONEY!!! We use SafetyNet API for
> device attestation. There are grants available on first run. There are no
> grants on devices where attestation is failed (rooted devices, emulators).
> Auto-contribution time is set to 10 minutes, just for test purposes. Couple
> of verified pub on staging: duckduckgo.com 3zsistemi.si

Did it make it out? Here is the link

[https://github.com/brave/browser-android-tabs/releases/tag/1...](https://github.com/brave/browser-android-tabs/releases/tag/1.0.74)

------
Jonnax
What is the benefit of Brave?

A lot of people on the internet seem to be advocating it but reading the
Wikipedia article they seem to have a business model of replacing website
adverts with their own. Which doesn't seem all that ethical.

~~~
gnicholas
For me, it offers a faster browsing experience than Chrome, and privacy at
least as good as Firefox.

I used to use both of these popular browsers, and now I'm all-in on Brave.
Chrome is fast but has well-documented privacy issues. But even running
various tracker blockers and a Pi-Hole, Chrome wasn't nearly as fast as Brave
(without additional blockers or the Pi-Hole).

I like to support Mozilla/Firefox, and Firefox has been my daily driver for
most of the last two decades. But it just isn't as fast as Chrome (let alone
Brave). It has better privacy than Chrome, and the inimitable Tree Style Tabs,
but it takes noticeably longer to open new tabs and load pages.

I moved over to Brave once they started supporting Chrome extensions. I have
found that my MBP's fan kicks on much less often than before on
Chrome/Firefox, and the battery lasts longer as well. While I miss the TST
that I enjoyed on FF, I'm getting by with Sidewise. The inconvenience of
having the tabs loaded in a separate window is massively outweighed by the
speed/privacy benefits of Brave.

As for the ethics of ad-replacement, this is a bigger question. If the
baseline were "everyone has ads everywhere", this could be seen as an
unethical alternative. But the baseline is "many people (and presumably nearly
everyone who is savvy enough to install Brave) use adblockers". So it's not
like they're going from seeing ads to not seeing ads. They're going from
blocking them with one system to blocking and replacing them with another
system. And they can send the revenue from the replacement ads to the websites
they spend time on.

~~~
ericol
So, they finally have extensions working? I tested Brave couple of months ago,
and my reason for not fully switching was no extension support.

~~~
phalangion
You can install extensions from the chrome web store. All the ones I have
tried have worked.

------
scarface74
And Brave or similar programs that block ads but can intercept your web
browsing wouldn’t be needed if Android had a built in content blocking
framework like iOS. Ad blockers in iOS submit a JSON file to Safari that
processes those rules. The third party ad blocker has no access to your
browsing history.

And the one I use has a novel revenue model that doesn’t require anything
shady - I give them money and they give me a product.

~~~
phishfi
With Android Pie, users can just set the DNS to dns.adguard.com and be done
with it at the DNS level. Works great on my Pixel so far (past couple months).

~~~
scarface74
DNS ad blockers can’t block on the level of granularity that path based ad
blockers do.

------
bsclifton
Employee here- I haven’t seen an official comment here yet

The JSON file that was linked to does have partner domains which (when the
header is present) the website will provide a specific integration. When those
specific partner sites are visited, the headers are sent with the request

An example someone mentioned here already is marketwatch. They have a
promotion where you can sign up for a free subscription if you use Brave

The browser is open source and nothing is being hidden- although this and the
whitelist (used for a better webcompat experience) could be better documented

Should these lists be shown in the UI and configurable? (ex: disableable?) I
wonder what a better experience would look like for people that don’t want
this functionality

~~~
tyingq
Changing the code where it can only inject headers that start with "X-Brave-"
would eliminate one class of concerns.

It leaves others, but perhaps your idea of a UI to disable it addresses that
somewhat.

~~~
bsclifton
This is a great point-

I reviewed with team and created [https://github.com/brave/brave-browser/issues/3301](https://github.com/brave/brave-browser/issues/3301) to
track this (folks are welcome to give it thumbs up). The fix for this should
be something we can deliver in our next product release (0.60.x - 9 days from
now)

edit: issue is now fixed! [https://github.com/brave/brave-core/pull/1633](https://github.com/brave/brave-core/pull/1633)

I also captured feedback on being able to customize/opt-out of this
functionality with [https://github.com/brave/brave-browser/issues/3302](https://github.com/brave/brave-browser/issues/3302)
(thumbs up and comments appreciated!)

------
somada141
Two of these in a day (other one under
[https://news.ycombinator.com/item?id=19129309](https://news.ycombinator.com/item?id=19129309))?
Seems peeps are digging through the source all of a sudden :D.

I do have to wonder if this is as egregious as some of the comments between
the two threads would make it seem given that this is an open-source project.

~~~
rvnx
It's just that I looked for curiosity in the source-code and found the
whitelist (and separated the threads to not create confusion) but I'm sure
people with more time would find more.

~~~
somada141
Don't get me wrong I applaud the fact that you dug through the code and let
the rest of us know. People (including myself) take things at face value too
much these days :).

------
orian
Their full mission is "We're reinventing the browser as a user-first platform
for speed, privacy, better ads, and beyond ", therefore I guess this is for a
"better ads" ;-)

~~~
jordigh
This is why I can't support Brave. They see it as a foregone conclusion that
the only way to make sure the internet doesn't starve is to make sure we all
watch ads, and they think that if they can make the ads nicer, we'll all watch
them. They gave Brave tools to hide some or most ads hoping that this will
make us willingly watch other ads.

How about no? How about we find a better way to not starve than making sure
everyone is fed their daily dose of manipulative marketing materials?

~~~
jplayer01
Well, get to it. Give us the solution. Outright rejecting Brave isn't helpful.
Newspapers financed themselves through ads for decades, but now because
websites try to do the same (while abusing their position) and Brave tries to
find a fair middle ground that still respects our privacy and rights, they're
suddenly the bad guy.

~~~
enraged_camel
>>Well, get to it. Give us the solution. Outright rejecting Brave isn't
helpful.

Just because someone rejects a shitty solution doesn't mean they suddenly
acquire the burden of coming up with a new one.

~~~
jplayer01
They haven't even given a valid reason to consider the solution shitty enough
to reject. All I could derive from their comment is that they don't like ads
at all (while ignoring the fact that nobody else has managed to implement a
working solution, that ads work, and that Brave is implementing the one
solution that has traditionally had plenty of support (micropayments) and some
hope of working).

Like, weren't micropayments all the rage just 5 years ago?

Are ads really the problem in itself? I'd say the real problem with ads are ad
networks that track you, create a profile of you and use that to personalize
ads, meanwhile providing an attack vector for malware and site owners abusing
it historically in the form of Flash or other ugly and distracting ways of
displaying them. Brave is providing a way to display ads that _don't_ track
you and don't infringe on your privacy. I don't see the downside here, only
the upside that we can continue to have a 'free' internet where not only the
well-off have access to vast swathes of the internet.

~~~
jordigh
Ads are the problem in itself.

Nobody likes them, at best we tolerate them and or manage to ignore them.

So why have something that nobody likes? They're not inevitable, and society
can function without ads.

~~~
jplayer01
Most normal businesses don't provide free access without payment. Until
recently, the only ones that did were newspapers. They were financed through
ads and to a minor portion subscriptions. If you remove ads, you remove free
internet. That's how it works. Unless you propose taxing everybody.

------
withinrafael
I asked Jonathan Sampson about this and it's a developing conversation. [1]

> For some partners, Brave will set a custom header to identify the browser.
> We use the Chrome user-agent string, so accounting for traffic coming from
> Brave is otherwise hard. [...] As an example, if you navigate to
> [https://www.marketwatch.com/](https://www.marketwatch.com/) you will notice
> a custom header. [image of header listing containing X-Brave-Partner:
> dowjones]

[1]
[https://twitter.com/BraveSampson/status/1094713424452505601](https://twitter.com/BraveSampson/status/1094713424452505601)

~~~
DyslexicAtheist
pretty weak response so far.

His explanation as to whether _this might make a user more prone to
fingerprinting_ was a total cop-out too. It does make you more prone to
fingerprinting _"but only to their audience"_ isn't a good enough answer.
Customers/partners which users have no control over and are expected to trust
Brave executives as acting in their best interest. Where is the foundation
that justifies this trust?

~~~
atomical
They are just getting started. You have the right to be skeptical but you
would be better served turning that skepticism towards Google.

Brave plans to do all machine learning for their ad tech locally in the
browser. Can you imagine Google ever doing that to protect their user's
privacy?

~~~
toyg
Does it make any real difference whether they beat you with a crowbar or a
baseball bat? In the end, you're still bleeding.

------
Deimorz
How is this a "backdoor"? They could have just done this in the browser code
itself if they wanted to.

Unless you've found some way to change the content of that url without the
browser detecting it, I don't understand what you think there is to be
concerned about here.

------
thenanyu
Wait, what am I missing here?

\- the source code is open, so we can see that this is going on

\- the url where the headers are downloaded from is open so we can see /
monitor whatever headers get added

I'm not a security expert, just a lowly developer, what sequence of events
should I be concerned about?

------
uberman
Interesting. How did you discover this? Can you post something about how they
are using this data in the actual header itself?

~~~
rvnx
Just by reading source-code.

Every day the browser downloads from "laptop-updates" server a list of hosts
and list of headers to inject.

This is supposed to help websites to identify that the user is running Brave
(but there are other exceptions in the code, like at
[https://github.com/brave/browser-laptop/blob/master/js/data/...](https://github.com/brave/browser-laptop/blob/master/js/data/siteHacks.js#L50) )
but in practice, the Brave developers can inject any header into any website
remotely.

Every single Brave installation is uniquely tracked by a "download-id" which
makes the backdoor even more powerful.

~~~
TazeTSchnitzel
Does it do any kind of whitelisting of what kind of headers can be sent?

~~~
rvnx
No

------
ameyv
I just switched from chrome to brave and now I need to seriously rethink this.

~~~
Phenix88be
Firefox is still backdoor free :)

~~~
pmlnr
This is debatable: with the experiments, Firefox has the power to install
addons behind the scenes. See the Mr. Robot fiasco:
[https://news.ycombinator.com/item?id=15956325](https://news.ycombinator.com/item?id=15956325)

~~~
jonathankoren
I hate to tell you this, but every browser has the ability to run experiments.

~~~
AnaniasAnanas
w3m does not have that. In any case, since experiments are no different to
backdoors you might as well say that most popular browsers have backdoors.

~~~
jonathankoren
“Backdoor” is a very loaded term. Would you call all self updating software
backdoored? I seriously doubt it.

~~~
AnaniasAnanas
Well, yes, unless if such functionality was opt-in or at least asked me before
installing the new version.

------
useranon
Function where this url is called: [https://github.com/brave/brave-core/blob/8305d502aa72a558481...](https://github.com/brave/brave-core/blob/8305d502aa72a5584815aa714dc3ba129df64546/components/brave_referrals/browser/brave_referrals_service.cc#L435)

------
rvnx
Source: [https://github.com/brave/browser-android-tabs/commit/911770a...](https://github.com/brave/browser-android-tabs/commit/911770a07549ce53f49a9d87a5a19b4da29fb767#diff-35dd256442c3c60f5bec67e5b2a86cda)

------
untangle
To me, Brave left the moral high ground when they became an adtech company.
Another harbinger of ill was foisting an ICO on the world -- to sell tickets
to the adtech show. To date, Brave's moves have benefitted Brave, and no one
else.

~~~
bjl
Not to mention the charity fraud scheme from a couple months ago, which they
still haven't stopped doing.

------
andrenotgiant
Reading this thread:
[https://twitter.com/BraveSampson/status/1094713424452505601](https://twitter.com/BraveSampson/status/1094713424452505601)

They're adding a header to identify Brave browser to sites they have
partnerships with, like MarketWatch.com and Cheddar.com.

For example, if you add the header: `X-Brave-Partner: cheddar` to your headers
in Chrome, and navigate to cheddar.com you get 3 free months of their
paywalled content. (Who pays for a subscription to Cheddar.com?!)

If you think about it, you can start to see why they HAD to add a new Header
and not just use a custom Brave UserAgent string.

They currently use Chrome's UA string, if they used a uniquely identifiable
string, publishers who weren't on-board with Brave's ad network could start
nagging users/trying to get around Brave's ad-switching technology.

------
rolph
when i look at whatever the link is pointed at i get this:

> [{"domains":["coinbase.com","api.coinbase.com"],"headers":{"X-Brave-Partner":"coinbase"},"cookieNames":[],"expiration":31536000000},{"domains":["marketwatch.com","barrons.com"],"headers":{"X-Brave-Partner":"dowjones"},"cookieNames":[],"expiration":31536000000},{"domains":["townsquareblogs.com","tasteofcountry.com","ultimateclassicrock.com","xxlmag.com","popcrush.com"],"headers":{"X-Brave-Partner":"townsquare"},"cookieNames":[],"expiration":31536000000},{"domains":["cheddar.com"],"headers":{"X-Brave-Partner":"cheddar"},"cookieNames":[],"expiration":31536000000}]

also im not digging into the code at all, if i click on the link for this
thread i land on the above snippet.

------
DyslexicAtheist

      [
        {
          "domains": ["coinbase.com", "api.coinbase.com"],
          "headers": {"X-Brave-Partner": "coinbase"},
          "cookieNames": [],
          "expiration": 31536000000
        },
        {
          "domains": ["marketwatch.com", "barrons.com"],
          "headers": {"X-Brave-Partner": "dowjones"},
          "cookieNames": [],
          "expiration": 31536000000
        },
        {
          "domains": ["townsquareblogs.com", "tasteofcountry.com",
                      "ultimateclassicrock.com", "xxlmag.com", "popcrush.com"],
          "headers": {"X-Brave-Partner": "townsquare"},
          "cookieNames": [],
          "expiration": 31536000000
        },
        {
          "domains": ["cheddar.com"],
          "headers": {"X-Brave-Partner": "cheddar"},
          "cookieNames": [],
          "expiration": 31536000000
        }
      ]

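The list quoted above, together with the "X-Brave-" prefix restriction tyingq proposed earlier in the thread, as an added example that is not part of any comment here and is not Brave's code: a small JavaScript model that parses the list, selects the headers a browser following it would add to a request for a given host (exact domain or subdomain), and drops any header whose name does not start with X-Brave-. The function names are made up for this demo, treating `expiration` as the entry's lifetime in milliseconds from the time the list was downloaded is an assumption (the thread does not say what it means), and the third list entry is constructed to show what an unrestricted list could carry.

```javascript
// Added example, not Brave's code. Models the partner-header list format
// seen in this thread and the "X-Brave-" prefix allowlist proposed in it.

// Constructed sample in the same shape as the list quoted in the thread.
// The third entry is invented to show the problem an allowlist prevents.
const SAMPLE_LIST_JSON = JSON.stringify([
  { domains: ["coinbase.com", "api.coinbase.com"],
    headers: { "X-Brave-Partner": "coinbase" },
    cookieNames: [], expiration: 31536000000 },
  { domains: ["marketwatch.com", "barrons.com"],
    headers: { "X-Brave-Partner": "dowjones" },
    cookieNames: [], expiration: 31536000000 },
  { domains: ["example.com"],                                   // constructed
    headers: { "Authorization": "Bearer not-a-real-token",       // constructed
               "X-Brave-Partner": "example" },
    cookieNames: [], expiration: 31536000000 },
]);

// Only header names with this prefix may be injected (tyingq's suggestion).
const ALLOWED_HEADER_PREFIX = "x-brave-";

// Parse the downloaded list. Malformed entries and non-string header values
// are dropped; with enforcePrefix, so is any header outside the allowlist.
// (Hypothetical function name; assumes expiration is a lifetime in ms.)
function loadPartnerList(json, { enforcePrefix = true } = {}) {
  const raw = JSON.parse(json);
  if (!Array.isArray(raw)) throw new Error("partner list must be an array");
  const entries = [];
  for (const e of raw) {
    if (!e || !Array.isArray(e.domains) || typeof e.headers !== "object" || e.headers === null) continue;
    const headers = {};
    for (const [name, value] of Object.entries(e.headers)) {
      if (typeof value !== "string") continue;
      if (enforcePrefix && !name.toLowerCase().startsWith(ALLOWED_HEADER_PREFIX)) continue;
      headers[name] = value;
    }
    entries.push({
      domains: e.domains.map((d) => String(d).toLowerCase()),
      headers,
      expiration: Number(e.expiration) || 0,
    });
  }
  return entries;
}

// Exact match or subdomain: "api.coinbase.com" matches "coinbase.com",
// "notcoinbase.com" does not.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Headers that would be added to a request for `url`. `fetchedAt` is when
// the list was downloaded; an entry older than its expiration is ignored.
// (Hypothetical function name.)
function headersForRequest(entries, url, fetchedAt, now = fetchedAt) {
  const host = new URL(url).hostname.toLowerCase();
  const out = {};
  for (const e of entries) {
    if (e.expiration && now - fetchedAt > e.expiration) continue;
    if (!e.domains.some((d) => hostMatches(host, d))) continue;
    Object.assign(out, e.headers);
  }
  return out;
}

// Stand-alone demo: with the allowlist the constructed Authorization header
// never reaches example.com; without it, it would.
const restricted = loadPartnerList(SAMPLE_LIST_JSON);
const unrestricted = loadPartnerList(SAMPLE_LIST_JSON, { enforcePrefix: false });
console.log(headersForRequest(restricted, "https://www.marketwatch.com/", 0));
console.log(headersForRequest(restricted, "https://example.com/", 0));
console.log(headersForRequest(unrestricted, "https://example.com/", 0));
```

Two things the model makes visible. First, the allowlist only bounds what a list can inject (no Authorization, Cookie or similar from a compromised or malicious list); it does nothing about the X-Brave-Partner header itself being sent, which is the fingerprinting concern raised above. Second, the partner value is a plain string with no secret, so, as andrenotgiant observed, any client can send it without running Brave.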
------
rambojazz
How should I interpret this json file?

------
Markoff
and stumbling on steps CAN kill you, so what? There's a difference between
can do and doing something

------
pwaai
Never heard of Brave until now and never going to use it in the future.

------
unicornporn
[http://archivecaslytosk.onion/GwRwX](http://archivecaslytosk.onion/GwRwX)

~~~
snazz
This link is just the same thing as the submission, wrapped in a webpage
capture tool. The non-Tor version:
[https://archivecaslytosk.onion.pet/GwRwX](https://archivecaslytosk.onion.pet/GwRwX)

