Brave browser can inject headers in HTTP requests (github.com)
267 points by rvnx 11 days ago | 160 comments

To be fair looking at the commit where it got merged, it was for a pre-release beta build for Android and release notes specifically say

> That is a very first beta version of Brave Rewards on Android. It is pointed on test network. DO NOT TRANSFER REAL MONEY!!! We use SafetyNet API for device attestation. There are grants available on first run. There are no grants on devices where attestation is failed (rooted devices, emulators). Auto-contribution time is set to 10 minutes, just for test purposes. Couple of verified pub on staging: duckduckgo.com 3zsistemi.si

Did it make it out? Here is the link


What is the benefit of Brave?

A lot of people on the internet seem to be advocating it but reading the Wikipedia article they seem to have a business model of replacing website adverts with their own. Which doesn't seem all that ethical.

The benefit would be to early investors, and they get to be in the dirty world of adtech while engaging in some ethical duck and cover. It’s nice that the default blocks ads, but we all know how easy it is to flip that switch down the line. At its core, it presents itself as a kind of profit-sharing alt-ads cum adblocker, which is supposed to be a compromise between supporing the ad model of the internet and personal privacy. In practice it seems like an ethical black hole, but one with some big names invested in it, and loads of hype.

Personally I think compromises with the ad industry only end one way, and the addition of cryptocurrency into the mix should set off alarm bells.

A small minority of users believe that they are entitled to all the resources on the internet for free.

Maybe, but that’s not even orthogonal to my point, and unrelated to my post or this topic. I’m not going to engage in a trite debate over well-worn ideological ground in which you scream “freeloaders” and I talk about the right to fast forward through ads, or turn down the volume on the radio during ads. Instead I’ll just say that a majority of users believe that their computers are their property, and have the right to control what runs on them. This is especially true when advertisers have shown contempt for user privacy and even whether or not they deliver malware.

Beyond that, I hope that you can start responding to things I’ve actually said, instead of just responding with “pithy” and tangential one-liners. I’m not interested in an intellectually bankrupt form of posturing in place of real debate.

>not even orthogonal

Sorry for nitpicking, but I just couldn't get this to leave my mind. I understand that you were going for a wordplay with "not even wrong", but I'm still trying to imagine whether there's a geometric interpretation to make sense of this.

Would this imply that the angle between the two things cannot be defined? If so, what would be a possible situation here?

I have to admit that it was just a play on words, and except for dragonwriter’s formulation I have nothing to offer on this one. On the other hand I enjoyed your comment, and didn’t find it nitpicky at all.

> but I'm still trying to imagine whether there's a geometric interpretation to make sense of this.

Well, I suppose there's a framework in which orthogonal could imply coplanar and so skew lines would be “not even orthogonal”; particularly they'd have no contact at all irrespective of relative alignment.

This is actually quite possible in non-Euclidean geometries even for things that usually have angles in the real world [1].

1 https://en.wikipedia.org/wiki/Hyperbolic_geometry

People who block ads aren't freeloaders. I have seen this argument before.

We are all paying for those marketing budgets; it's included in the price of everything we buy. Paying for our own brainwashing.

Whether people who block ads on advertiser-supported websites are "freeloaders" is a worthwhile question, but "we live in a consumer-driven society buying products from companies that use part of their revenue to advertise more products to us, ergo you should not object to me blocking ads on your website" strikes me as a bit of a shaky argument.

> I’m not going to engage in a trite debate over well-worn ideological ground in which you scream “freeloaders”

You must have me mistaken for another commenter. I never said the word "freeloaders." Perhaps are you projecting?

Turning down the volume on the radio doesn't involve hijacking any DRM or ad tech. It's built into the hardware. To wit: The analogy is bogus.

Do you have the right to control what runs on your computer when you don't own the copyright? The answer to that is no. The copyright owner decides that. You can opt out by not visiting your favorite sites in the future. Please take a stand and do not visit them.

> Beyond that, I hope that you can start responding to things I’ve actually said, instead of just responding with “pithy” and tangential one-liners. I’m not interested in an intellectually bankrupt form of posturing in place of real debate.

I continue to do that sir.

Do you have the right to control what runs on your computer when you don't own the copyright? The answer to that is no.

This is factually incorrect, as has been pointed out elsewhere in this thread. You can do whatever you like with what runs on your computer, assuming that you legally acquired it. Feel free to levy a moral objection if you like, but don’t pretend that your personal hangups are reflected in law. Your right to play with something on your computer is the same as your right to remix music you own; it only ends if you try to distribute it.

I think this may be a little dismissive. I use adblockers, but it has nothing to do with revenue streams or philosophical reasons. Ad companies have time and again shown they cannot be trusted with my machine. Whether it's sticking me in a redirect loops, telling me I have a virus, redirecting and disabling the back button, vibrating my phone, making loud noises, etc etc. I'm done giving them chances until I know these problems have been solved. I understand this may harm the good actors, which is why I'm surprised these issues still exist.

> redirecting and disabling the back button

I haven't heard of this before. How does it work? Do you know of any examples?

You perform like fifty redirects in a row, and when you try to go "back" it just redirects you forward to where you were. Eventually the browser hangs as you mash the back button, and the redirect chain fires off again. It’s a fucking shitty practice.

tl;dr: you can insert whatever page into the browser's history so when you click the back button the browser navigates to that specific page. Google is working on preventing it in Chromium [1]

[1] https://fossbytes.com/google-chrome-is-working-to-prevent-ba...

The vast majority of internet advertising firms believe they are entitled to all my personal information without sufficient notice or consent.

Internet users are entitled to all resources returned to their user agent by a request.

I know businesses want to pretend the web works like television, or radio, or newspapers, but it doesn't.

Whatever a site sends me as a response to a request is mine. It's mine. The transaction is completed, the response belongs to me and I can do whatever I want with it. I can not run the javascript. I can run my own javascript. I can mess with the HTML and CSS. I can choose not to view the ads. Hell, Brave is based on and works on this premise, it injects its own ads. They can do that. I can do that. I have no reason to do that, but I could.

That's the way the web works, has always worked, and will always work. And it's the reason ads on the internet were doomed from the start. The only reason they worked, at all, to begin with is that the public wasn't aware that ad blocking was possible, and browsers weren't capable of it, but the underlying capability was always there, it was always implicit to the way the request/response model of the web worked.

The only group acting entitled are businesses. They feel entitled to more control over the end user's experience than they have. If they want that kind of control, they can put up a paywall. Or go back to old media. Or accept the true nature of the field they're playing on, that they cannot have complete control over the end state of their content on the web. They cannot force the end user to endure their advertising if they don't want to.

> Internet users are entitled to all resources returned to their user agent by a request.

This is legally false. If a digital artist creates a painting and puts it up on their website, and you go view it, it does not become yours. The artist retains the copyright to the work, and not only is it illegal for you to then sell prints of it, but a violation of ethics, to boot.

>If a digital artist creates a painting and puts it up on their website, and you go view it, it does not become yours.

Of course the image is mine, just as an image of the painting in a newspaper or brochure would be mine, it's a copy freely distributed by the copyright owner. I'm perfectly within my legal rights to do whatever I want with it, within the confines of the browser.

I'm not claiming i have the right to sell it or anything, but I absolutely do have the right to decide whether or not it shows up.

Actually you have a lot more rights than that. Your rights stop when you want to distribute unmodified or derivative works without authorization. Nothing is stopping you from remixing ANYTHING* if you have no intent to distribute it.

*if it was legally acquired. Remixing illegal stuff would still be possession of illegal stuff.

Please stop abusing "ethics" to force your own moral framework on other people. This isn't what it is, and on top of that (given that it's different for everyone) if you need to say it the reader already knows you are wrong.

When did I mention "ethics" or any moral framework?

It's simply a matter of common sense, legal precedent and the way HTTP works.

To claim otherwise would mean companies have the right to force me not to alter the content of their responses in my browser, in order to guarantee their ads are viewed. If this were true, all browsers and many plugins would already be illegal, as would ad blockers, whose legality has been confirmed in multiple court cases.

Ethics and morality don't enter into the discussion. If I want to support a site by viewing their ads, I can. If I don't, I don't have to. The choice is mine to make. Sites depending on ad revenue, meanwhile, can try as hard as they want to convince me to choose to view their ads, but they have no legal right, nor technical ability to make me, as long as we're talking about content that can be filtered out of an HTTP response by a browser I control.

I think you mistook the ancestry of my comment.

looks like you're right - my mistake.

I don't believe I'm entitled to anything for free, I believe that I'm entitled to companies not using hostile, dishonest revenue gathering methods.

Information is free. The person using it has the obligation to be a good steward of humanity and it's use. We're getting better at it, but throwing up walled gardens is not the answer.

For me, it offers a faster browsing experience than Chrome, and privacy at least as good as Firefox.

I used to use both of these popular browsers, and now I'm all-in on Brave. Chrome is fast but has well-documented privacy issues. But even running various tracker blockers and a Pi-Hole, Chrome wasn't nearly as fast as Brave (without additional blockers or the Pi-Hole).

I like to support Mozilla/Firefox, and Firefox has been my daily driver for most of the last two decades. But it just isn't as fast as Chrome (let alone Brave). It has better privacy than Chrome, and the inimitable Tree Style Tabs, but it takes noticeably longer to open new tabs and load pages.

I moved over to Brave once they started supporting Chrome extensions. I have found that my MBP's fan kicks on much less often than before on Chrome/Firefox, and the battery lasts longer as well. While I miss the TST that I enjoyed on FF, I'm getting by with Sidewise. The inconvenience of having the tabs loaded in a separate window is massively outweighed by the speed/privacy benefits of Brave.

As for the ethics of ad-replacement, this is a bigger question. If the baseline were "everyone has ads everywhere", this could be seen as an unethical alternative. But the baseline is "many people (and presumably nearly everyone who is savvy enough to install Brave) use adblockers". So it's not like they're going from seeing ads to not seeing ads. They're going from blocking them with one system to blocking and replacing them with another system. And they can send the revenue from the replacement ads to the websites they spend time on.

Brave is just chromium with some baked-in extensions now.

And minus the stuff that talks to Google.

The problem isn't Firefox. The problem is Chrome. Since it has the biggest market share and most web developers use it, websites tend to be more optimized for the Chromium engine than for Firefox. I moved to Firefox and Gmail and other Google apps work terribly slowly. I'm trying to find a new email provider now. Does anyone have recommendations?

So, they finally have extensions working? I tested Brave a couple of months ago, and my reason for not fully switching was no extension support.

You can install extensions from the chrome web store. All the ones I have tried have worked.

Yeah supports all of the Chrome extensions I use, including Sidewise, Hacker News Enhancement Suite, and BeeLine Reader. I think some extensions may not work yet, but I’ve not come across any problems so far.

>What is the benefit of Brave?

One interesting aspect is that they intend to integrate the ad matching & serving engine right into the browser. Thus (at least in theory) the browser can still serve "relevant" ads without exposing your clickstream to anyone. According to their materials, you'd have full control over what's collected and how it's used. It's opt-in.

IMHO The model hits the sweet spot for those who don't mind ads in principle but don't trust the ad industry.

> What is the benefit of Brave?

I don't like Brave's business model, but I like the browser itself. Firefox Mobile just didn't cut it to me. All I wanted was Chromium without Google, and all the privacy features[1] built-in. I'm glad such a browser exists.

[1] https://lh3.googleusercontent.com/vghNt_aflzbGItBHthEGnAvtRt...

I've switched from Brave to Bromite [0]. All of the same features, but no "business" involvement behind it -- just a clean Chromium with sane patches for privacy and security.

[0] https://www.bromite.org/

I think you are missing some key elements.

It adds a new potential way to monetize the web. Currently, the prevailing model is to offer a “free” product, where user data is being collected and sold to whoever is willing to pay.

Brave introduces the ability to pay per use and if you want to, you can opt-in to ads that are targeted based on anonymized data for targeting and you can earn BAT for doing so.

It basically changes the incentive model of the ad industry and arguably a lot of the internet.

> but reading the Wikipedia article they seem to have a business model of replacing website adverts with their own. Which doesn't seem all that ethical.


It seems blindingly obvious that Brave/BAT is in seriously dangerous legal territory. I would bet that very close to 0% of the money transferred by BATs has made it to the "rightful" owners, where rightful is "where people paying BATs thought they were going".

If this scheme ever gets any serious attention, positive or negative, it's going to be a spectacular implosion.

> What is the benefit of Brave?

It is to have a chrome with adblocker on android. For all my desktop browsing I use firefox but on android some sites just don't work.

I haven't seen any Brave ads but if they start to appear, then I'm back on Firefox on android as well..

I'm curious, what sites don't work? Firefox on android has been fine for me.

Twitter on Firefox android keeps giving me an error saying I have been rate limited and other Firefox users have reported the same. With how horrible twitter is I assume this is a problem on their side.

That's actually Twitter's intentional behaviour to force users to log in.

Somehow you're no longer rate limited after signing in

The “rate limited” error occurs for me on MobileSafari on iOS, so it’s not Firefox related. Reloading the page works fine. It seems to have to do with which referrer took you to Twitter.

Firefox blocks third-party trackers by default. In some rate limiting implementations, this often signals a bot, since bots don't often retain tracker cookies.

Oh, so it could be my DNS-based adblocking setup or the “Prevent Cross-site Tracking” option in Safari settings. That makes sense.

I get this error in chrome/Android and rarely visit twitter.

Does that happen on chrome? I wonder what would happen if you swap out the user agent and have that issue.

Edit: It's working now just fine, even if I am not signed in. Like they suggest below, it seems like that is Twitter being actively malicious to web users, and not Firefox.

I work at Brave. Thank you for using our product. Any ad products we ship will be opt-in only. If you don’t opt-in you’ll never see them.

Thanks for clarifying that.

The Brave ads are opt-in.

If you don't want to pay for content in some way then that is your problem and has nothing to do with Brave, Chrome, or FireFox.

For now. If the rise of Google has taught us anything it’s to analyze a business in terms of its likely future, not its present spin and PR. If all it takes to make more money is to flip a switch, then it’s reasonable to worry that such a flip is just a matter of wider adoption and time.

This is a thoughtful idea. What is the Brave endgame after they win a new browser war? Their model would encourage users to donate to spread BATs to creators, but it would be a small portion who did it. They could try to add a premium subscription, but again a minority of users would pay. Probably, it ends up with pressure to turn ads back on like the Adblock extension did, or to pay users to watch ads in a gamified way?

The alternative seems to be either ads/tracking (chrome), or directing people towards search engines owned by competitors (Firefox).

Then again, their whole tech stack is built on a competitor's work too. All browsers depend so much on Google now it's crazy.

What's your point? They might become evil in the future so we should treat them like they're evil now?

I’d prefer you responded to what I actually wrote, rather than a straw man I didn’t write. I can only really refer you back to my original comment, which answers the question, “What’s your point” without the unreasonable framing of my answer.

To reiterate: if the rise of Google has taught us anything it’s to analyze a business in terms of its likely future, not its present spin and PR. If all it takes to make more money is to flip a switch, then it’s reasonable to worry that such a flip is just a matter of wider adoption and time.

Brave is a combination of adtech undermining other adtech, cryptocurrency, and a lot of verbiage. I feel that’s a reason to be concerned when the line between said verbiage and future profits (assuming widespread adoption rather than withering away) is the flip of a single option from “opt-in” to “opt-out”.

It may not simply take flipping a switch to make more money. As far as we all know, Google's value proposition for throwing as many ads as possible in front of us is that they have tons of personal data about their users.

Brave does not offer such value to advertisers (unless they start having people "Sign Up", which would be an effort significantly more difficult than flipping a switch), so where do you suppose the value in throwing as many ads as possible to as many people possible comes in? What value is there in showing me a browser-based ad for something completely irrelevant to me?

That aside, I responded directly to your comment, which basically says that if Organization X does something undesirable, related Organization Y would likely do it as well. On one level, I get it, it's almost agreeable. On another, it seems like you want to hold Brave accountable for the sins of Google, which is almost absurd to me. But hey, that's your right. Can you go ahead and copy/paste the comment again if you continue to disagree? I like being condescended to.

I use both Brave and Kiwi on my phone because they are Chromium based and work as well as Google's Chrome for Android but give me more privacy.

However Firefox on Android is really super slowly almost stepping up on Android.

And Brave or similar programs that block ads but can intercept your web browsing wouldn’t be needed if Android had a built-in content blocking framework like iOS. Ad blockers on iOS submit a JSON file to Safari that processes those rules. The third-party ad blocker has no access to your browsing history.

And the one I use has a novel revenue model that doesn’t require anything shady - I give them money and they give me a product.

With Android Pie, users can just set the DNS to dns.adguard.com and be done with it at the DNS level. Works great on my Pixel so far (past couple months).

DNS ad blockers can’t block on the level of granularity that path based ad blockers do.

That's how Chromium is planning to work in the future. People don't want such a crippled system. https://news.ycombinator.com/item?id=18973477

I read through the article and people were saying that the static rules limit its effectiveness. I haven’t noticed any difference between the effectiveness of ad blocking in iOS and using something like AdBlock for Chrome on desktops.

It seems like people don’t trust the motives of Google (and rightfully so).

I notice a pretty marked difference between the best ad blocker I could find for iOS (1Blocker X) and uBlock Origin on Firefox.

The difference in utility is stark enough that if I'm on the road and need to browse the web outside of known-safe sites, I find it more pleasant to do so on my 5.7" Android phone than on my 10" iPad.

What are some sites where ads get through with 1Blocker?

It's not just ads, it's also not having the ability to only allow 3rd-party scripts and frames via whitelist.

Since I don't use Safari for "normal" browsing, I can't recall any specific problematic sites, but just opening some random news headlines I get the following unwanted behaviours, roughly half of which are nags to install the iOS app:

* theverge.com - nag to disable ad blocker

* nbcbayarea.com - nag to install app

* youtube.com - nag to install app, autoplaying video, all the rest of the junk that YouTube annoyances blocklist blocks for me with uBlock: https://youtube.adblockplus.me/

* lifehacker.com - annoying animated recommended story gif (to be fair this isn't an ad-blocking issue, it's just a configuration setting that Safari doesn't offer)

* bloomberg.com - nag to install app, nag to subscribe

* forbes.com - nag to install app

* observer.com - autoplaying video ad

* twitter - app nag, login/signup nag

I’m not getting some of the app install nagware, but I’m also not getting them when I disable content blockers so it may just be a cookie thing. Also I couldn’t manually block the nagware on the NBC site using the share extension.

I only use YouTube mostly for official AWS videos and then I use CornerTube. I usually don’t see ads. Do content producers get to choose when ads are shown?

> Do content producers get to choose when ads are shown?

That's my understanding. Also a mostly non-YouTube user though, I find the web interface really unpleasant - if I were going to "use" it on a regular basis I'd probably use youtube-dl.

iOS allows you to change rules on the fly. The Chrome proposal says they are static and unchangeable, other than whitelisting specific pages. You can't, for example, add or delete a rule. The only way to change rules is to submit a new version of your extension.

One assumes that wasn't an accidental design flaw.

No need to look at motives. The end result matters, and the end result makes it as crippled as Apple's solution. Luckily, Android users will continue to have other options.

Privacy invasive options which kind of defeats half the purpose of ad blockers.

And those “other choices” only work within the browser. Apple’s ad blocking framework works with apps that embed web views using SafariViewController, like Feedly.

We have a product for this. Consumer shared Adblock VPN. Or dedicated cloud or local builds for businesses. https://ba.net/adblockvpn

And non-privacy invasive options. Your point is a very poor one. Android users can use options that are worse than iOS options, the same as iOS options, or better than iOS options. Most will use the last category, as you would expect.

Android also supports blocking ads throughout the system, not just in WebViews, which is the only option on iOS.

Can you guarantee that your ad blocking framework is not recording and selling your data or be sold to another company that will?

You can buy VPN subscriptions that serve as ad blockers outside of the App Store and just go into settings and configure it yourself. Preferably, host your own VPN host on your computer where you know no third party is intercepting and recording your traffic.

Most ad blockers that people use on Android are open source, e.g. uBlock. While due diligence is good, I don't think I've seen any evidence that would suggest gorhill wants to sell my data. You can't compare an ad blocking extension to an entirely different browser (Brave) as a whole. uBlock runs on regular old Firefox for Android.

I appreciate that it would be nice if Google gave us the option to block stuff in Webviews, but it's not a replacement for having a real ad blocker like uBlock that is much more complicated and has many more features. I think the person you are talking to is mainly criticizing Apple for not letting you use such an ad blocker on their OS.

What are these extra features? I asked earlier about posting a link to some pages where ads aren’t blocked by 1Blocker but are blocked by Firefox + extension.

More than on any other platform. Unlike Apple, F-Droid has reproducible builds.

Right like most users are going to build their own apps and install them. Also, are you going to personally audit every line of code?

That's not how it works.

I'm also not saying that it's perfect, but it is clearly better than Apple's alternative, which you have not disputed.

You just said you have reproducible builds. Either you are going to audit the code and do the build yourself or you are still trusting a third party.

I think you can agree that being able to see the code, and detect patched builds, makes it much more risky to pull something like this.

What percentage of people have the requisite knowledge to do that? The Heartbleed bug was in open source software for over a year before anyone noticed it.

This could be avoided by only running programs written in safer languages. C/C++ allows for very, very hard to spot bugs that can cause serious issues like Heartbleed. You would have to try a lot harder to hide such a thing in a Haskell program.

Since all five widely implemented platforms (iOS, Android, MacOS, Windows, and Linux) and most mainstream open source software is written in C, that would be a tough lift. Also since there are far more people who know C than Haskell, that kind of gets rid of the “many eyes” defense.

There may be fewer people able to read Haskell but I would say fewer are needed to verify that a program doesn't have unexpected behavior. Also languages like Rust are becoming bigger, which should help.

Sure there is a lot of C floating around but there is a solution in sight and there is some amount of effort being put in to rewriting things in Rust.

No, I'm trusting the ecosystem of people and companies who are able to audit the code.

Again, you have not disputed that Apple is worse.

You don’t have to trust the ad blockers. The operating system won’t let ad blockers have access to your browser history. If you want to see how the ad blocking framework on iOS works, you are free to go over to WebKit.org.

You really think people are auditing all of the open source software you are using? Where were they the year and a half the HeartBleed bug was out in the wild?

Nobody is claiming it stops all vulnerabilities, so let's get that straw man out of the way.

I'm saying it's significantly better than the alternative, and you continue to ignore that point. For example, reproducible builds directly stop XcodeGhost from ever happening, which was the single largest mobile malware infection in history by a wide margin. As another example, Heartbleed has nothing on this 15 year old MacOS bug. https://www.macworld.com/article/3250125/macs/full-macos-com...

So a vulnerability that affects a phone with 12% market share if you downloaded an infected app is larger than a bug that affected all Android phones and all you needed was a phone number?


And since Android phones both have a horrible security model and a horrible history of receiving updates, any malware or security issue is made worse.

There have been no Stagefright malware infections ever reported. Compare to nearly half a billion XcodeGhost infections, which reproducible builds stop cold. When it comes to results, the Android security model is peachy compared to iOS's. https://www.theregister.co.uk/2017/02/15/google_stagefright_...

Even though 95% and 99% of phones were vulnerable and many never got patched, there was really no problem because few were affected?

I live in a neighborhood that has never had a reported break in. Does that mean I’m not more vulnerable if I leave my door unlocked and post a huge sign outside letting everyone know?

There are many layers of security in modern OSes. Apple ignores many of them to the peril of their customers, and it shows in the results. In your example, many Android devices left the door unlocked but had a security guard. Apple locked the door but the lock on the door allowed many other keys to work.

What security guard? There was no security that kept Android from being vulnerable. It would have been just as easy for someone to infect the Android build chain.

Even if you look at something like the way that third party keyboards work on Android, it’s a security nightmare.

On iOS, users have to explicitly go into settings to add a third party keyboard and even then it doesn’t have network access by default. The user has to go back into settings to enable the keyboard to have network access and then they get a big scary warning. Android users happily install keyloggers.

Also, even after you both install the keyboard and give the keyboard network access, iOS still switches back to the default keyboard when entering passwords.

> What security guard? There was no security that kept Android from being vulnerable.

Blocking exploits in the Play Store, among other things. Why do you think Stagefright was never exploited?

> It would have been just as easy for someone to infect the Android build chain.

We were just talking about reproducible builds.

> Keyboard nonsense.

Android also displays a scary warning for keyboards.

Stagefright didn’t involve having an app in the Play Store. The review process is non-existent, and static analysis tools wouldn’t catch it anyway.

> Stagefright didn’t involve having an app in the Play Store.

If the MMS app and the browsers were updated to filter Stagefright exploits (on Android, unlike iOS, system app updates do not require an OS update and happen through the Play Store, one of many things Android gets right and iOS gets wrong), the only way to exploit it is by publishing your own app to the Play Store and getting somebody to install it and hoping that the device doesn't have an SELinux policy that limits the privileges of the exploit. The Play Store can trivially block apps that don't use an approved wrapper library for media that filters Stagefright exploits.

That was made so Apple could control the ads. They can decide good and bad. Not a good thing for users.

Do you really think that Apple review goes through and reviews the whole JSON file that a third party content blocker creates and submits to Safari? Apple doesn’t sell ads, why would they care what is blocked?

Employee here. I haven’t seen an official comment here yet.

The JSON file that was linked to does have partner domains for which (when the header is present) the website will provide a specific integration. When those specific partner sites are visited, the headers are sent with the request.

An example someone mentioned here already is MarketWatch. They have a promotion where you can sign up for a free subscription if you use Brave.

The browser is open source and nothing is being hidden, although this and the whitelist (used for a better webcompat experience) could be better documented.

Should these lists be shown in the UI and configurable? (ex: disableable?) I wonder what a better experience would look like for people that don’t want this functionality

Changing the code where it can only inject headers that start with "X-Brave-" would eliminate one class of concerns.

It leaves others, but perhaps your idea of a UI to disable it addresses that somewhat.

This is a great point.

I reviewed with the team and created https://github.com/brave/brave-browser/issues/3301 to track this (folks are welcome to give it a thumbs up). The fix for this should be something we can deliver in our next product release (0.60.x, 9 days from now).

Edit: the issue is now fixed! https://github.com/brave/brave-core/pull/1633

I also captured feedback on being able to customize/opt-out of this functionality with https://github.com/brave/brave-browser/issues/3302 (thumbs up and comments appreciated!)

Two of these in a day (other one under https://news.ycombinator.com/item?id=19129309)? Seems peeps are digging through the source all of a sudden :D.

I do have to wonder if this is as egregious as some of the comments between the two threads would make it seem given that this is an open-source project.

It's just that I looked through the source code out of curiosity and found the whitelist (and separated the threads to not create confusion), but I'm sure people with more time would find more.

Don't get me wrong I applaud the fact that you dug through the code and let the rest of us know. People (including myself) take things at face value too much these days :).

Their full mission is "We're reinventing the browser as a user-first platform for speed, privacy, better ads, and beyond", therefore I guess this is for "better ads" ;-)

This is why I can't support Brave. They see it as a foregone conclusion that the only way to make sure the internet doesn't starve is to make sure we all watch ads, and they think that if they can make the ads nicer, we'll all watch them. They gave Brave tools to hide some or most ads, hoping that this will make us willingly watch other ads.

How about no? How about we find a better way to not starve than making sure everyone is fed their daily dose of manipulative marketing materials?

What I take from it is that the point of Brave is to keep your data yours. It wasn't to get rid of ads entirely. The internet has become a data mining project in which your time, attention, and data are straight up stolen (or worse, given away) and then monetized by companies that have long realized that data has tangible value.

The point of Brave (to me) seems to be that it gives you the tools to keep your data secure and provides a way for you to willingly trade it for something of value (BAT). This is done by enabling ads. In essence you are the one being paid for your attention instead of Google or Facebook. The ads are served by Brave but purchased with BAT. So the same people who want to serve you ads need to buy BAT on the open market. This is what gives the token value.

So the point isn't to get rid of ads. The point is to give you a way to actually get paid for your data. Your data has value and people are going to get paid for it as long as it A) exists and B) is useful to sell you stuff. I think that a tool to actually make people realize the value of their own data is something that we desperately need in this space.

Well, get to it. Give us the solution. Outright rejecting Brave isn't helpful. Newspapers financed themselves through ads for decades, but now because websites try to do the same (while abusing their position) and Brave tries to find a fair middle ground that still respects our privacy and rights, they're suddenly the bad guy.

>>Well, get to it. Give us the solution. Outright rejecting Brave isn't helpful.

Just because someone rejects a shitty solution doesn't mean they suddenly acquire the burden of coming up with a new one.

They haven't even given a valid reason to consider the solution shitty enough to reject. All I could derive from their comment is that they don't like ads at all (while ignoring the fact that nobody else has managed to implement a working solution, that ads work, and that Brave is implementing the one solution that has traditionally had plenty of support (micropayments) and some hope of working).

Like, weren't micropayments all the rage just 5 years ago?

Are ads really the problem in themselves? I'd say the real problem with ads is ad networks that track you, create a profile of you and use that to personalize ads, meanwhile providing an attack vector for malware, and site owners historically abusing them in the form of Flash or other ugly and distracting ways of displaying them. Brave is providing a way to display ads that don't track you and don't infringe on your privacy. I don't see the downside here, only the upside that we can continue to have a 'free' internet where not only the well-off have access to vast swathes of the internet.

Ads are the problem in themselves.

Nobody likes them; at best we tolerate them and/or manage to ignore them.

So why have something that nobody likes? They're not inevitable, and society can function without ads.

Most normal businesses don't provide free access without payment. Until recently, the only ones that did were newspapers. They were financed through ads and, to a minor portion, subscriptions. If you remove ads, you remove the free internet. That's how it works. Unless you propose taxing everybody.

Exactly. Ads are a legacy business model of a legacy distribution system. Too few people have read JPB's excellent "Selling wine without bottles", but that is in full effect here.

The problem is that new content-centric business models have not yet emerged. So, some people remain chained to the old paradigms.

The crisis we have is a gap in vision. People don't realize that driving the cost of information distribution to zero means that it no longer has enough scarcity to force the economic transfer of other scarce resources. Basically, what OSS did for commercial software, the Internet did for anything that fits within a 2D screen. Netflix, NYTimes, Fortnite, JK Rowling, and Jenna Jameson are all competitors in a space whose Pixels*Seconds value is commoditized.

Capitalism doesn't thrive unless there is an exponentiating dynamic. The only one available on the Internet is bandwidth capture. Which, for now, translates into attentional capture.

With the imminent arrival of P2P web software (e.g. Beaker Browser) and mesh networking, the tides will turn back towards a creator-centric peer network.

I'm interested in this: https://datproject.org

Making ads nicer is only half of Brave.

The other half is setting aside an amount of cash each month (an amount that you decide on), and paying it out to the sites you visit the most.

I like that idea better, but I don't know if it's sustainable; users don't want to pay money.

I asked Jonathan Sampson about this and it's a developing conversation. [1]

> For some partners, Brave will set a custom header to identify the browser. We use the Chrome user-agent string, so accounting for traffic coming from Brave is otherwise hard. [...] As an example, if you navigate to https://www.marketwatch.com/ you will notice a custom header. [image of header listing containing X-Brave-Partner: dowjones]

[1] https://twitter.com/BraveSampson/status/1094713424452505601

Pretty weak response so far.

His explanation as to whether this might make a user more prone to fingerprinting was a total cop-out too. It does make you more prone to fingerprinting; "but only to their audience" isn't a good enough answer. These are customers/partners which users have no control over, and users are expected to trust Brave executives as acting in their best interest. Where is the foundation that justifies this trust?

That's my exact issue with Brave, though I do like what they're aiming for despite being in the ad-tech business.

I don't think it's the browser's role to police such things; it should be a dumb agent only requesting content, displaying it and not leaking any sensitive stuff.

I believe the way forward is to have another 3rd party where you can manage those things. Want to create one persona per category of website you visit?

Even go as far as one per website? Doesn't matter, your metadata, you own it and more importantly your browser stays out of that business.

They are just getting started. You have the right to be skeptical but you would be better served turning that skepticism towards Google.

Brave plans to do all machine learning for their ad tech locally in the browser. Can you imagine Google ever doing that to protect their users' privacy?

Does it make any real difference whether they beat you with a crowbar or a baseball bat? In the end, you're still bleeding.

> We use the Chrome user-agent string

It shouldn't. It should use Brave since it's not Chrome.

That's a nice thought, but in reality lots of poorly coded sites out there do UA sniffing instead of feature detection. So lots of sites break (including many Google sites) if they think you don't have Chromium feature sets.

Honestly, the user agent string should just be removed. The correct way to use it seems to be to not do anything with it, so why does it still exist?

If you don't have an "officially recognized" UA string, some websites will assume you're a scraper/crawler/bot, and rightfully so.

If I was ever trying to scrape a website that blocked my user agent, I would just set the user agent to Chrome on Windows. Every library I have used supports setting whatever UA you want.

That's just a heuristic of the times. Soon bots will be much smarter than that.

They already are.

Won't lots of sites also break if you don't have the Chromium feature set but report that you do?

A more descriptive UA here ("Brave but built on Chromium") seems magnitudes better than imitating a native Chrome UA to avoid bad code that specifically looks for Chrome/ium, no?

At one point they were using a different user agent so that Brave could be blocked. Of course, the same people that care about this sort of thing are the same people that want to track you without your consent.

How is this a "backdoor"? They could have just done this in the browser code itself if they wanted to.

Unless you've found some way to change the content of that url without the browser detecting it, I don't understand what you think there is to be concerned about here.

Wait, what am I missing here?

- the source code is open, so we can see that this is going on

- the url where the headers are downloaded from is open so we can see / monitor whatever headers get added

I'm not a security expert, just a lowly developer, what sequence of events should I be concerned about?

Interesting. How did you discover this? Can you post something about how they are using this data in the actual header itself?

Just by reading source-code.

Every day the browser downloads from the "laptop-updates" server a list of hosts and a list of headers to inject.

This is supposed to help websites identify that the user is running Brave (but there are other exceptions in the code, like at https://github.com/brave/browser-laptop/blob/master/js/data/... ), but in practice the Brave developers can inject any header into any website remotely.

Every single Brave installation is uniquely tracked by a "download-id" which makes the backdoor even more powerful.

Does it do any kind of whitelisting of what kind of headers can be sent?

I just switched from Chrome to Brave and now I need to seriously rethink this.

Firefox is still backdoor free :)

This is debatable: with the experiments, Firefox has the power to install addons behind the scenes. See the Mr. Robot fiasco: https://news.ycombinator.com/item?id=15956325

I hate to tell you this, but every browser has the ability to run experiments.

w3m does not have that. In any case, since experiments are no different from backdoors, you might as well say that most popular browsers have backdoors.

“Backdoor” is a very loaded term. Would you call all self updating software backdoored? I seriously doubt it.

Well, yes, unless such functionality was opt-in or at least asked me before installing the new version.

If an update was used to push advertisements, then it would absolutely qualify as a backdoor.

Read the link; I wasn't referring to website-originated experiments.

BTW, Midori is without backdoors, and so are Dillo and Lynx.

I am well aware of the Mr Robot brouhaha.

No one brought up “website oriented” experiments. We’re talking about the browser itself. All modern browsers have the ability to download JavaScript and execute it to change functionality. All of them have the ability to toggle behavior remotely. That’s how you experiment, and experiment-driven development is how modern software is made.

Finally, you cannot be serious mentioning Lynx. It was obsolete in 1996. I know. I was there.

It is not. The Mr. Robot controversy showed that they can remotely install addons, and the Booking controversy showed that they can remotely alter the contents of the "new tab" page.

I used Brave on Android some time ago as well. Firefox really wasn't an option back then, as the rendering engine was just too slow for reading webnovels... But adblock is essentially required on mobile because of the energy drain from ads.

I ultimately went back to Chrome though after I installed Blokada. You might want to check that out as well.

You can get it from F-Droid if you have that app store already.

To me, Brave left the moral high ground when they became an adtech company. Another harbinger of ill was foisting an ICO on the world, to sell tickets to the adtech show. To date, Brave's moves have benefited Brave, and no one else.

Not to mention the charity fraud scheme from a couple months ago, which they still haven't stopped doing.

Reading this thread: https://twitter.com/BraveSampson/status/1094713424452505601

They're adding a header to identify Brave browser to sites they have partnerships with, like MarketWatch.com and Cheddar.com.

For example, if you add the header: `X-Brave-Partner: cheddar` to your headers in Chrome, and navigate to cheddar.com you get 3 free months of their paywalled content. (Who pays for a subscription to Cheddar.com?!)

If you think about it, you can start to see why they HAD to add a new header and not just use a custom Brave user agent string.

They currently use Chrome's UA string; if they used a uniquely identifiable string, publishers who weren't on board with Brave's ad network could start nagging users/trying to get around Brave's ad-switching technology.

When I look at whatever the link is pointed at, I get this:

> [{"domains":["coinbase.com","api.coinbase.com"],"headers":{"X-Brave-Partner":"coinbase"},"cookieNames":[],"expiration":31536000000},{"domains":["marketwatch.com","barrons.com"],"headers":{"X-Brave-Partner":"dowjones"},"cookieNames":[],"expiration":31536000000},{"domains":["townsquareblogs.com","tasteofcountry.com","ultimateclassicrock.com","xxlmag.com","popcrush.com"],"headers":{"X-Brave-Partner":"townsquare"},"cookieNames":[],"expiration":31536000000},{"domains":["cheddar.com"],"headers":{"X-Brave-Partner":"cheddar"},"cookieNames":[],"expiration":31536000000}] <

Also, I'm not digging into the code at all; if I click on the link for this thread I land on the above snippet.
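As an added example (not Brave's code, and not from any commenter here), the following JavaScript shows how a list of the shape quoted above can be interpreted for a given request host, and how the "only allow header names starting with X-Brave-" restriction suggested earlier in the thread can be enforced before anything is injected. The host-matching rule (exact match or subdomain) and the reading of `expiration` as a lifetime in milliseconds from the time the list was fetched are assumptions, as are the function names `headersForHost` and `filterAllowedHeaders`; the first three list entries are copied from the quoted JSON, and the fourth is a constructed hostile entry that tries to set `Authorization` and `Cookie`.

```javascript
// Added example (not Brave's code): interpret a partner-header list of the
// shape quoted above and apply a header-name allowlist before injection.
// Matching and expiration semantics below are assumptions, not the project's.

// Sample list: three entries copied from the quoted JSON, plus one
// constructed hostile entry showing what a remote list could try to set.
const SAMPLE_LIST = [
  { domains: ["coinbase.com", "api.coinbase.com"],
    headers: { "X-Brave-Partner": "coinbase" }, cookieNames: [], expiration: 31536000000 },
  { domains: ["marketwatch.com", "barrons.com"],
    headers: { "X-Brave-Partner": "dowjones" }, cookieNames: [], expiration: 31536000000 },
  { domains: ["cheddar.com"],
    headers: { "X-Brave-Partner": "cheddar" }, cookieNames: [], expiration: 31536000000 },
  // Constructed: a list served remotely could name any header at all.
  { domains: ["example.test"],
    headers: { "X-Brave-Partner": "evil", "Authorization": "Bearer stolen", "Cookie": "session=abc" },
    cookieNames: [], expiration: 31536000000 },
];

const ALLOWED_PREFIX = "x-brave-";

// True when host equals a listed domain or is a subdomain of it (assumption:
// the real matching rule may differ). Plain suffix matching would wrongly
// match "notcoinbase.com", so the leading dot is required.
function hostMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Keep only header names starting with X-Brave- that are well-formed tokens
// and whose values contain no CR/LF (which would split the request line).
// Everything else is dropped and reported so the caller can log it.
function filterAllowedHeaders(headers) {
  const allowed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(headers)) {
    const okName = name.toLowerCase().startsWith(ALLOWED_PREFIX) && /^[A-Za-z0-9-]+$/.test(name);
    const okValue = !/[\r\n]/.test(String(value));
    if (okName && okValue) allowed[name] = String(value);
    else rejected.push(name);
  }
  return { allowed, rejected };
}

// Headers to inject for a request to `host`, given when the list was fetched.
// An entry is ignored once more than `expiration` ms have passed since fetch.
function headersForHost(list, host, fetchedAt, now = Date.now()) {
  const result = { allowed: {}, rejected: [] };
  for (const entry of list) {
    if (now - fetchedAt > entry.expiration) continue;           // stale entry
    if (!entry.domains.some(d => hostMatches(host, d))) continue; // not a partner host
    const { allowed, rejected } = filterAllowedHeaders(entry.headers);
    Object.assign(result.allowed, allowed);
    result.rejected.push(...rejected);
  }
  return result;
}

// Usage: decide what (if anything) gets added to a request to www.marketwatch.com
// and to the constructed hostile host, using a fixed fetch time for determinism.
const fetchedAt = Date.UTC(2019, 1, 11);
console.log(headersForHost(SAMPLE_LIST, "www.marketwatch.com", fetchedAt, fetchedAt + 60000));
console.log(headersForHost(SAMPLE_LIST, "example.test", fetchedAt, fetchedAt + 60000));
```

The `rejected` list is the part worth surfacing: a browser that logs or displays it gives users a way to see when a remotely supplied list asked for something outside the agreed prefix, which is the kind of UI visibility the employee comment above asks about.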

How should I interpret this JSON file?

And stumbling on steps CAN kill you, so what? There's a difference between being able to do something and doing it.

Never heard of Brave until now and never going to use it in the future.

This link is just the same thing as the submission, wrapped in a webpage capture tool. The non-Tor version: https://archivecaslytosk.onion.pet/GwRwX
