This article will be added to decentralize.today's Privacy Cookbook and then be re-edited for inclusion in our new companion site, privacy.do, 'your playbook to online privacy'.
When it comes to browsers, I hear many bloggers and privacy experts recommending Brave, simply for the ad-blocker (which is built in).
But let's not kid ourselves, Brave is a for-profit company.
This out of the way, Brave, it has to be said, has some excellent products, the browser is solid, the Brave talk feature is pretty good and the Brave search engine has some nice little extras that you won't see on Google or DuckDuckGo, like Reddit discussions for instance.
So let's start with the new search feature and then circle back to Brave as a browser later on.
Be aware though that when you visit search.brave.com you're automatically being opted-in to some tracking tools Brave has enabled! Usage metrics
This data – if you allow us to collect it – is anonymous and only analyzed in aggregate. It will never identify you or your machine. The data tells us if Brave Search is useful enough to use again and, in turn, gives us a signal that we are approaching a viable alternative to other search engines.
This sounds great, but why do you need to opt-out and not the other way round? Ask your users if they are ok with an 'opt-in'?
Thankfully, you can adjust this all in settings:
All this information (anonymous or not) will be submitted automatically to search.brave.com//api/feedback. If you check deeper on where the data goes it actually gets transferred to server-13-224-132-82.lhr3.r.cloudfront.net (13.224.132.82) and this is where it gets worst 13.224.132.82 is on AWS so an Amazon Web Services network.
Of course, Brave is not the only one who uses AWS, even Signal does, but that's not the point. AWS already collects enough metadata from you, so sending your search to them, "encrypted or not" is ridiculous! It really should be an opt-out.
Coming back to the browser itself.
Brave has had some bad headlines in the past.
Contributors to Wikimedia projects
I, myself, reviewed it in the recent past with mixed feelings...
Privacy Advocate
All of which made me look twice before I trust the browser. Thankfully, Brave is open-source and there are ways to hardening the entire setup!
Start up your Brave browser and type brave://flags which will allow you to make it a bit more privacy-friendly and improve security.
Then head through the following:
Override software rendering list (Enabled)
This overrides the built-in software rendering list and enables GPU-acceleration on unsupported system configurations.
Enable Reader Mode (Disabled)
Allows viewing of simplified web pages
Allow invalid certificates for resources loaded from localhost (Enabled)
Allows request to localhost over HTTPS even when an invalid certificate is presented.
Hardware Secure Decryption (Disabled)
Enable/Disable on Windows! the use of hardware secure Content Decryption Module (CDM) for protected content playback.
Anonymize local IPs exposed by WebRTC. (Enabled)
Conceal local IP addresses with mDNS hostnames
Experimental QUIC protocol (Enabled)
To enable experimental QUIC protocol support, this is already well-supported by AdGuard and by NextDNS.
GPU rasterization (Enabled)
Use GPU to rasterize web content.
Block insecure private network requests. (Enabled)
Prevents non-secure contexts from making sub-resource requests to more-private IP addresses.
Desktop Screenshots Edit Mode (Disabled)
This enabled screenshots to desktop.
Parallel downloading (Enabled)
This allows you to download faster.
Strict-Origin-Isolation (Enabled)
Even this is an experimental security mode, it strengthens the site isolation policy.
Strict Extension Isolation (Enabled)
Prevents extensions from sharing a process with each other.
Privacy Review (Enabled)
Enables a subpage in Settings that helps the user to review various privacy settings.
HTTPS-First Mode Setting (Enabled)
Adds setting chrome://settings/security to opt-in to HTTPS-First Mode.
Reduce User-Agent request header (Enabled)
Reduce the amount of information available in the User-Agent request header.
New Tab Page Branded Wallpapers (Disabled)
This is not needed and even when wallpapers look nice, it is an identifier.
New Tab Page Demo Branded Wallpaper (Disabled)
You get the idea, switch it off.
Collapse HTML elements with blocked source attributes (Disabled)
Cause iframe and img elements to be collapsed if the URL of their src attribute is blocked.
Enable cosmetic filtering (Enabled)
Enables support for cosmetic filtering.
Enable support for CSP rules (Enabled)
Applies additional CSP rules to pages for which a $csp rule has been loaded from a filter list.
Shields first-party network blocking (Enabled)
Allow Brave Shields to block first-party network requests in Standard blocking mode.
Enable dark mode blocking fingerprinting protection (Enabled)
Reports light mode, even you use dark mode when fingerprinting protections set to Strict.
Enable domain blocking (Enabled)
Enable support for blocking domains with an interstitial page.
Enable Brave Super Referral (Disabled)
Just disable it ;)
Enable Brave Rewards verbose logging (Disabled)
Enables detailed logging of Brave Rewards system events to a log file stored on your device. This includes perhaps real fingerprinting and browsing logs.
Enable Brave Ads custom notifications (Disabled)
Well this allows custom notifications, I am out
Enable Brave Ads custom push notifications (Disabled)
push.. enough said
Allow Brave Ads to fallback from native to custom push notifications (Disabled)
Well, same problem
Enable Brave Sync v2 (Disabled)
Brave Sync v2 integrates with chromium sync engine with Brave specific authentication flow and enforce client-side encryption. I just not a fan of syncing... Metadata..
Enable Brave News (Disabled)
I chose my own news and ads ;)
Enable Brave Wallet (Disabled)
I chose my own crypto wallets, thanks.
Enable Crypto Wallets option in settings (Disabled)
Crypto Wallets extension is deprecated, but with this option, it can still be enabled if you chose too.
Enable Gemini for Brave Rewards (Disabled)
I mean sure, if you use Gemini you can keep it open. I still feel to chose my own middleman!
Enable SpeedReader (Disabled)
It "supposed" to make things faster on simple article like websites.
Enable internal translate engine (brave-translate-go) (Enabled)
If you need it sure, but it can read your sites and gives more fingerprinting.
Hardening of the Brave browser in settings
Type in the browser: brave://settings/ or use the 3 lines dropdown and click settings.
Shields
- Choose advanced and not simple, it gives you better options to block
- Auto-redirect AMP (Enabled)
- Trackers and ads: Aggressive
- Upgrade connections to HTTPS (Enabled)
- Block scripts (Disabled)
- Cookie blocking (Only cross-site)
- Fingerprint Protection (Strict)
Social media blocking
disable everything
Privacy and Security
- Autocomplete searches and URLs (Disabled)
- WebRTC IP Handling Policy (Disable Non-Proxied UDP)
- Use Google services to push messaging (Disabled)
- Allow privacy-perserving product analytics (P3A) (Disabled)
- Allow send daily usage ping to Brave (Disabled)
- Allow send daily usage ping to Brave (Disabled)
- Help improve Brave's features and performance (Disabled)
- Enable on clear browsing data and click on the tab that says, On Exit, Enable everything
- Enable on Cookies and other site data, In General Settings, choose Block third-party cookies.
- Enable "clear cookies and site data when you close all windows”.
- Enable “send do not track request with your browsing traffic”.
- Enable “Standard Protection”.
- Enable “Always use secure connections”.
- Enable “Use secure DNS”, And choose custom (use one you trust or NextDNS what we recommend.)
Site and Shields
- Location Permissions (Disabled)
- Camera (Disabled)
- Microphone (Disabled)
- Notifications (Disabled)
- Motion Sensors (Disable)
- Clipboard (Disabled)
- Virtual Reality (Disabled)
Search Engine
Delete all search engines, Except Startpage, Brave Search, And DuckDuckGo (you can add as you please)
Extensions
- Allow Google login for extensions (Disabled)
- Hangouts (Disabled)
- Media Router (Disabled)
- Private Window with Tor (Disabled), just use the Tor browser!
- WebTorrent (Disabled)
- Widevine (Disabled) You need this for streaming services like netflix.
Wallet
- Default cryptocurrency wallet: none
IPFS
- disable everything.
Additional Settings
Autofill
disable everything
Help tips
- disable Show Wayback Machine prompt on 404 pages.
System
- disable Continue running background apps when Brave is closed.
- Disable Use hardware acceleration when available.
Brave Browser Ad-Block Hardening
Type into your browsers URL field: brave://adblock/ or use the 3 lines dropdown symbol and click Brave adblock.
- Enable Easylist-Cookie List
- Enable Fanboy Annoyances List
- Enable Fanboy Social List
- Enable ABP X Files
- Enable uBlock Annoyances List (used with Fanboy Annoyances List)
- If you like to add your own trusted lists, scroll down to subscribe to filter lists and enter your lists.
Remember, if you chose NextDNS you can cover a lot of those lists and more, so chose wisely. If you run your own blocklist or use NextDNS enter these domains to the disallowed list, it will prevent brave fingerprinting and tracking you.
- brave-core-ext.s3.brave.com
- static1.brave.com
- laptop-updates.brave.com
- variations.brave.com
- grant.rewards.brave.com
- api.rewards.brave.com
- rewards.brave.com
- p3a.brave.com
So there you have it, a simple route to be braver with Brave and make use of a great browser with a lot more privacy in mind.
Stay Safe, stay secure,
The Privacy Advocate
PS And now the sting in the tail, I promised you at the top of this piece...Brave hardly covering themselves in glory over this perceived privacy faux-pas!
