[flagged] Brave Privacy Browser Is Whitelisting Trackers of Facebook and Twitter (github.com/brave)
36 points by rvnx on Feb 10, 2019 | 24 comments

Hi, I'm Brave's CTO.

There's a balance between breaking the web and being as strict as possible. Saying we fully allow Facebook tracking isn't right [1], but we admittedly need more strict-mode like settings for privacy conscious users.

We do block Facebook at least as well as uBlock Origin with EasyPrivacy. The referenced code is in a separate component which does the same as Disconnect blocking.

We're taking this seriously internally and we'll iterate on where we are to improve the situation. We're looking at whether we can polyfill a local JS resource instead, for example, as one option if it doesn't make further requests.

[1]: https://github.com/brave/adblock-lists/blob/f25b698aff4666bb...



    // Temporary whitelist until we find a better solution
    const whitelistHosts = [
      'connect.facebook.net',
      'connect.facebook.com',
      'staticxx.facebook.com',
      'www.facebook.com',
      'scontent.xx.fbcdn.net',
      'pbs.twimg.com',
      'scontent-sjc2-1.xx.fbcdn.net',
      'platform.twitter.com',
      'syndication.twitter.com',
      'cdn.syndication.twimg.com'
    ]

A better solution for what, I wonder.

I guess it's new that it was discovered, nobody seems to have noticed while it's a major issue for a privacy tool.

Security vulnerabilities commonly are discovered after a product releases... sometimes many years later.

The related commits are years old. This isn't new. Last commit to that line was 3 years ago with the comment "unblocking embedding of twitter timelines".


Also I just realized that is an archived repo that isn't used any more.

I took a quick look through the newer repos and couldn't find any kind of hard coded whitelist like that.

Am I missing something?

Ah, they put an underscore in the var name this time. Thanks for the link.

Huh ... I thought that must be a sensationalist headline but sure enough - a fresh download of Brave browser loads facebook.com on pinterest.com.


"until we find a better solution" to what? More context would help.

Is this still in the current version?

It is not.

What makes you believe so? https://github.com/brave/brave-browser/issues/1108

I'm trying to figure out if the code is still active, but this is quite a recent ticket (after the release of the Chromium-based edition, and updated 4 days ago).

It's on the master branch... How did you determine it's not in the current version or will not be in the next version?

Brave has two versions, Muon (legacy) running mostly JS code, and the Chromium-based (current), running mostly C++.

The whitelist is in both versions.

Looks like their claim about privacy protection is bogus, eh?

It is still whitelisted in current.

Three years old in an archived repo, hmm…

Way to ignore the comment directly before that line:

> // Temporary whitelist until we find a better solution

This post is sensationalist, flagged.

It's been temporary for 3 years, that's why ;)

Then link to the new repo and provide context. Just highlighting a line with absolutely no context is sensationalist. I'm sure there have been public discussions about this.

> I'm sure there have been public discussions about this.

Can you substantiate this? Because that would be extremely relevant to the conversation. Making statements with absolutely no context just seems sensationalistic.

I'm not entirely sure how I can substantiate an assumption.

If you're sure that there's been public discussion about the matter, then surely you won't have to spend too much time looking it up on Google? Backing up assertions takes energy. Are you motivated enough to champion your own assertions?
