Brave launches Brave Together video calling in latest Nightly version
The makers of the Brave web browser announced the launch of a "private and unlimited video calling service" in Brave called Brave Together on May 26, 2020. The service is based on the open source solution Jitsi and currently only available to Brave users who run development versions of the web browser.
Brave revealed that it is only available to users from North America but the functionality appears to be working in other regions as well at the time of writing.
It takes just a few steps to start using Brave Together. Visit the Brave Together website in the Brave browser and hit the "Start video call" button to get started; this creates a new room and a link that you may share with others; you may also copy the URL as it is the URL that others need to open to join the chat. You may password protect the room optionally to block unauthorized access to the room.
The interface looks very similar to the default interface that Jitsi provides. It is a branded version of that and provides the same functionality.
Here is a list of things that Brave Together supports:
- Screen sharing.
- Moderation options such as muting everyone or muting individual users.
- Share a YouTube video with everyone.
- Support for shortcuts to control the chat using the keyboard.
- Set video quality.
- Configure initial settings such as "everyone starts muted".
- Option to raise/lower hand.
Some Jitsi option such as the ability to blur the background (beta) seem unavailable at the time of writing.
Brave Together is an interesting feature that worked well during initial tests. Brave calls it a "trial version" and it is likely that the service will see improvements in the coming months before it lands in the stable version of the browser.
One of the most appealing things about it is that it is really easy to use yet provides enough options to make the video chats private and secure. Jitsi supports end-to-end encryption but I could not find that option in the first Brave release.
Brave revealed little about Brave Together at this point in time and it may take a while before an official blog post reveals more details on the integration in the web browser.
Now You: Video chat in the browser, is that something that you are interested in? (via Techdows)
Perhaps I’m missing something, but with how easy Jitsi already is, why would someone use the Brave implementation instead?
Good question, maybe through better integration in the browser?
Isn’t Jitsi currently just an Apple and Android thing?
No, Jitsi works across all platforms and browsers. Just type in the room name and it automatically connects to the camera, mic, and speakers. No account needed.
More options are good.
My guess is that it exposes it to a wider audience. There are people who have no idea what Jitsi is and are not necessarily particularly looking for a service using it who may use Brave as their web browser, see a new feature, and once it’s in front of them all ready to go say “Neat! I’ll give this a try.”. You reduce the friction involved in discovering something, deciding to use it, and getting it setup; and you increase users (In theory).
That said, this sound an awful lot like that chat service Firefox had for a while that was heavily promoted at the onset, used by about 5 people, and discontinued (What Firefox did was with text and this is video, but it seems like a similar concept). I think Brave’s CEO was even at Mozilla during those years. It’s kind of funny to think that he might be involved in what could be the same mistake twice.
What I think they may be hoping would be different about doing this with Brave than the Firefox chat thing is this may be video chat’s moment culturally where it’s going mainstream because of coronavirus. We see other existing implementations like Zoom really taking off. However, this is coming a tad late where people have already picked their quarantine video chat services, by and large, and Brave’s user-base leans conservative (Look, we all know that’s true. Please don’t anyone jump in and a deny it. To be clear: I am not saying that people of other political affiliations and ideologies don’t also use Brave, I am saying that it has a higher percentage of conservatives users relative to the average browser.), and I am not sure that this product is well-positioned for that audience, because that audience is disproportionately likely to be taking the virus less seriously and thus has less of a use for this product than an average cross-section of the world (With the caveat that with 80% of Americans opposing re-opening measures at one point- *some* conservatives must be taking this very seriously. But the people who are protesting stay at home measures and the like are right-wingers. Left-wing opinion is almost unanimous [Not literally, but probably like 80% or 90%] in taking this stuff very seriously.).
Also, I think there could be some bashlash to this just from the perspective of it being browser bloat and what appears to be a separate service (Even if it’s owned by Brave) being integrated with the browser. People may see it a lot like they saw Firefox’s integration with Pocket (Which is owned by Mozilla, which also owns Firefox- they bought it from it’s original developers). I’d imagine that you can probably get this out of your face if you’re a Brave user using some sort of an options menu or something (Just a guess- not confirmed), but I’m typing this on Firefox right now and don’t see a Pocket icon anywhere, so people can get Pocket out of their faces on Firefox, too, and it didn’t stop all of them from complaining (I’m not trying to diss the people who complained or are complaining, just a statement of fact as I remember it.).
Some people just want their browser to be a browser.
In Brave, we have stripped out the analytics in Jitsi, and to avoid “Zoom” bombing the meeting hashes are much more larger. Very little “bloat”, most of the work is on the serverside, with some clientside code for the widget.
Given most people are working from home during these times (and possibly longer), isn’t it handy feature to have? Like with any option, you have the option to hide the widget if its not needed.
[email protected] (Filterset Eng)
Brave is my preferred browser. ( and has been since the beginning)
security on the web is very important to me.
I am a signal user.
I don’t like the idea of having to post my phone number to be a signal user.
I once sent to comment to brave blog asking them if they had ever considered merging signal with their browser.( received a very polite email back)
I find it annoying to have to open multiple applications (it feels very inefficient to me)
I am very excited at the opportunity to enjoy private E2ee communications, screen sharing, texting, etc all incorporated into the browser itself.
I wish the Brave team, Godspeed, in this latest effort.
I consider this to be bloat. As many here know, I am a proponent of the Brave browser, but I’d much prefer that they keep the browser lean and simple. There is no need to add bloat which is better handled by specialized software. I’ll deactivate it when it reaches stable. Just my 2 cents.
Sometimes I just get tired of thinking about all the things that need to be disabled in Brave. :) So what’s a viable alternative? Vanilla Chrome (the spyware) – not in a million years. Iridium is not updated regularly (repository for Debian-based systems hasn’t been updated for over a year FFS!) and that’s a big no-no for a browser. Firefox used to be good but now it’s just kind of meh. Vivaldi is not an open-source browser (many people actually do mind) and is the biggest bloat of all. So, what’s left? ungoogled-chromium is the answer! :)
@xyz
Except Chromium (ungoogled or otherwise) looks like ass with regards to GTK or Plasma integration :(
@xyz – So what’s a viable alternative?
Dissenter browser. It is a fork from Brave, but with all that Brave’s crap removed.
Just tried Dissenter, as I never heard of it before. The major failure of Dissenter is that it overrides the New Tab page and forces its own. Supposedly this was fixed last year, but it is not fixed for me. Uninstalled as quickly as I installed it.
@xyz
Well, Ungoogled Chromium is a fine browser in terms of privacy. However, it suffers from usability issues on Windows and macOS. For one, you have to update it manually, as it doesn’t come with an internal updater. You also have to add extensions manually and have to keep them updated manually. Over time, this becomes pretty tiresome.
Apart from that, there is also another problem: Manifest V3 a.k.a. Google crippling adblockers is on the horizon, and I have my doubts regarding the ability of the Ungoogled Chromium developer to get around that one. It very well could be that you won’t have any functional adblockers left once Google makes Manifest V3 mandatory by removing Manifest V2 compatibility from Chromium. At the same time, the internal adblocker of Brave is not an extension, and therefore won’t be affected by any change Google makes to the extension APIs.
So yes, I am aware of Ungoogled Chromium, but I’ll stick with Brave until the dust surrounding Manifest V3 has settled.
@Iron Heart
Allows adding extensions from chrome web store on ungoogled-chromium. Also adds semi-automatic extension updating…
https://github.com/NeverDecaf/chromium-web-store
Script for Windows to keep ungoogled-chromium up to date…
https://github.com/NeverDecaf/ungoogled-updater
I see what you’re saying about Manifest 3 and the difference between having an ad-blocker built-in, which wouldn’t automatically be effected by the lack of effect ad-blockers in the Chrome webstore once Manifest 2 compatibility is removed, like Brave does, or even having their own app store, like I think Edge does (I’m not sure, to be honest- it actually has a built-in ad-blocker on Android), in which they could continue to offer Manifest 2 extensions or an alternate format to Manifest 3 could be similar to the canonical Manifest 3 except with restored APIs from Manifest 2.
However, I do think in the long run, Google could in theory crush these third-party Chromium forks’ ability to continue on with built-in ad-blockers or more powerful than Manifest 3, or alternate webstores with such ad-blockers, depending on how obvious they want to be about using their monopoly to enact their will.
The way Google could do that, in a broad sense, is by building out Chromium, through changes over time, in such a way that it would become very difficult to have a powerful built-in ad-blocker or extensions with Manifest 2-level API access in those areas, without cutting out large swaths of Chromium code that relates directly to browser operation.
At that point, these forks would have to either cave on this issue, or hire a lot more developers and pour a lot more money into their operations to develop a full or fuller fork that does more of the development in-house rather than the general way Chromium forks operate now, which is typically to have their set of changes and, every so often, take the latest update of Chromium and merge their unique code elements, old and new, in, and then release it as an update to their browsers.
Developing a browser yourself without code merges, and really going your own way, takes hundreds of people, typically, and many forks of open-source browsers turn out to only have as few as one or as many as a dozen or so people working on them full-time. It also tends to take money, and even beyond the question of whether each Chromium fork has it is the question of whether or not they are willing to spend it.
For example, Microsoft has more than enough money to take Edge and fork it completely from Chromium if necessary, taking all of it’s development in house. However, one of the main reasons they adopted a Chromium-based version of Edge was likely to save money, and they may not find having good ad-blockers enough of a priority for them to move away from using Chromium as a base for continuing updates.
Browsers like Brave and Vivaldi might have benefactors with enough money to do it (I don’t know if they really do have enough money, I just know they have a lot more money than I do. ;) ), but, even if they do, said people may not to risk a large chunk of their personal fortune on really going at it themselves because they are annoyed at a change in Chromium’s code. Right now, their browsers are probably costly, but in the realm of hobby month for someone who’s independently wealthy- maybe stuff they can even take a loss on because they want to see it. Suddenly, if they are going at it themselves, they may have to start selling personal assets and taking out mortgages and second mortgages on their homes and stuff, which may be too much for them.
I’m not saying Google will intentionally make things that difficult, but I don’t know that they won’t.
Though I understand why Firefox frustrates a lot of people, they already do have large offices and hundreds of employees, doing independent development, for the most part. If we lose Firefox, we will have likely lost the last browser that does that other than Chrome and Safari, and Safari already has Manifest 3-like restrictions of their own (Ad-Blockers that can’t do what Ad-Blockers can do on other browsers), from what I read (I don’t own any Apple products at present, so I can’t verify that). So, Firefox might be our best hope on this front. The UBlock Origin guy seems like he may think so, when one reads between the lines.
@John
Thank you for your reply. Some comments on my part: The way I understand it, Enterprises will still have access to the webRequest API (the API Chromium adblock extensions currently use), Google will just be hard-blocking it for private users. Now, I don’t know how hard it will be to unlock Enterprise-exclusive features in Chromium if they are disabled by default, but it could be doable, depending on how determined Google is here.
Side note: I think that Google’s basic reasoning for disabling the webRequest API is somewhat sound. As it stands, extensions can monitor the traffic of the browser and can actively intervene in it, this is how adblockers block stuff. Malevolent parties could (and already did) misuse this capability for their own ends, e.g. by creating redirects. Under the new system (declarativeNetRequest API), the extension “tells” the browser what to block and the browser blocks it on behalf of the extension, i.e. the extension can no longer manipulate the traffic by itself. If they have a good malware blocklist in place, this could prevent malicious extensions from spying on the traffic of users and from changing its destination, and would make Chromium less attractive for malicious parties. However, the browser blocking things on behalf of the extension could also be abused by the browser vendor, e.g. when an extension has a Google tracker blacklisted, which is whitelisted by the browser – the browser then wouldn’t block this tracker despite it being blacklisted by the extension. Google also abuses their power by limiting the maximum number of active rules to 150,000, there is no sound reason to limit the number of rules, other than deliberately making good adblocking impossible. So yeah, I would be in favor of the new method as long as a) no commercially-driven in-browser whitelist is in place and b) the arbitrary rule limit is lifted / raised to “indefinite”. If those two criteria can be achieved by a fork, I think the change Google proposes here would be a net-gain (security enhancement).
As for Manifest V2, as I said, they won’t be removing Manifest V2 code from Chromium itself. However, it will be de facto removed for all non-Enterprise Chromium users out there by virtue of being totally deactivated. Developers will likely be unable to distribute (updates to) extensions that still use Manifest V2 in the Chrome Web Store. Chrome users are by far the majority of users of the Chromium codebase, so developers might also just give up in frustration, because it isn’t worth their time to develop their extension exclusively for Brave, Opera, Vivaldi or whatever small market share browser. So really, we are facing three problems here:
1. Will it be possible to unlock Enterprise-exclusive features in Chromium? – Unknown, but likely doable.
2. Developers would have to host their extensions elsewhere (not in the Chrome Web Store), since the Chrome Web Store certainly won’t allow (updates to) extensions using Manifest V2 capabilities.
3) Developers need to care enough about the small rest of “non-Chrome” Chromium users to continue developing their extensions (unlikely).
I think you are right to question whether Google might sabotage the development of internal non-extension adblockers in competitor browsers. And while I wouldn’t totally rule it out, especially if alternative Chromium-based browsers become more popular than they are now, I consider it to be unlikely. When Google disables / de facto removes Manifest V2 capabilities, they will have catched 90%+ of all Chromium-based users already (those who use Chrome) with that move alone. Will they really go after the rest? I somewhat doubt it, considering that there are even more methods to block ads aside from browsers (system-wide blockers like Adguard, network-wide adblockers like Pi-Hole), those who are hell-bent on blocking ads would pursue that route even if Google manages to successfully sabotage Brave.
As for Firefox, Mozilla hasn’t made it entirely clear yet whether or not they will adopt Manifest V3 – non-official remarks from Mozilla employees point to them not adopting it, but you should wait for an official announcement of theirs before asserting that they won’t adopt it. After all, they started pushing for WebExtensions in an effort to increase their compatibility with Chromium extensions and to ease transition for developers, not adopting Manifest V3 would somewhat undermine this goal. On the other hand, it would be tremendously stupid of them to give up a selling point by following Google here. So I am not quite certain, but them adopting it is more likely, IMHO. But if my hand was forced into using Firefox (unlikely considering Brave, Adguard, Pi-Hole etc.), I would likely opt for a privacy-preserving fork of it, like Waterfox or IceCat.
vivaldi is actually open source. unless you talking about how you can’t contribute to it
Yep. A working sync would be more welcome (xBrowserSync is doing OK for now).
@Nano
Yes, without a doubt it is in bad shape as it stands, but behind the scenes Brave Sync is undergoing a complete rewrite, scheduled to be complete in the summer. So there is hope…
totally agree with you.
Sometimes i dont like your comments to promote Brave ( I use Brave as primary browser on 2 windows machine ); In this case, I agree with you that’s bloat.
It will be interesting to see whether Brave can compete against the new Edge. MS will certainly try to crush the other competitors on Windows like Brave, Firefox, Opera, etc.
Things like video calling, crypto conversion and crypto ads isn’t exactly what an average person expects from a browser.
Brendan Eich may be good at what he does, but without gaining momentum it will be difficult to get into a positive ROI
It will only be an option when there’s an UnMicrosoft’d Edge version :)
@Trey
Since MS Edge is just Chromium with added Microsoft botnet, the browser you ask for already exists: Ungoogled Chromium.
Who needs this spyware, which whitelists facebook and tweeter trackers?
@sp808
Stop spreading misinformation, please. Facebook and Twitter misuse tracking cookies for legitimate functionality, i.e. if you block those cookies, the login will fail. Brave used to block these by default, but complaints coming from the community led to them being whitelisted. Brave is transparent about the whitelist and you can disable it in the settings. Ultimately, you have to strike a balance between privacy and website breakage when you are a browser developer, Brave has to prioritize working websites, but gives you an easy to disable the whitelist.
By the way, not even well-regarded privacy extensions like uBlock Origin block these by default, if they did, you wouldn’t be able to log into Facebook or Twitter with uBlock Origin enabled. Firefox’s tracking blocker whitelists those as well, they are not as transparent as Brave about their whitelist though (nowhere can you access it in the browser).
Iron Heart is correct. The issue here is that of cross-domain login flows that essentially break first party isolation. Browsers’ own internal blocking mechanisms need to ship as working for **all end users by default** – hence you will get whitelisted exceptions. Blame the websites, not the browsers. It’s not “see bad word, scream spyware” – it’s simply a reflection of how open standards are being used (and adapted for linkability and functionality) and how privacy techniques are adapting to fight said abuse.
Firefox and Tor Project’s FPI (which is not front facing) has the same issue. Mozilla have come up with a hybrid system. FPI is more robust for now, but I see it being replaced. This is dynamic FPI (dFPI), where it blocks the known trackers as per usual in it’s Enhanced Tracking Protection (i.e it blocks cookies and therefore localStorage, IDB service worker cache etc, not actual content, e.g. images etc) with exceptions – but anything outside of being blocked is isolated to first party. This then allows the cross-domain login flow, but now users are going to be using essentially FPI for the rest. dPI is being ramped up as I type, to start to included all the things FPI does: such as DNS, HSTS, HKPK, cache, media cache, blobs, favicons, shared workers etc. And I fully expect it to become the default setting when it is ready – effectively, every site then becomes it’s own automatic container with third parties already allowed.
> they are not as transparent as Brave about their whitelist though
Calling Firefox “not as transparent” on one tiny metric (viewing the list in whole in the browser) is a massive stretch.
It’s more about the Firefox went about the graphical UI changes over time: the lists themselves can easily be checked elsewhere but that’s not the point, 99% of end users wouldn’t even care about looking at a full list. Instead, there is a blue ETP shield on each site, so they can see in a much more meaningful and user-friendly way exactly what ETP is doing on each site you visit (and users can allow exceptions). How is that not transparent?
I don’t use Brave, but does Brave have an indicator or per site info and easy exceptions? Surely it has some sort of per site front end for usability? I honestly don’t know, that’s why I’m asking
@Pants
First of all, I agree that @sp808 is barking on the wrong tree here. What makes me angry though is that Brave is getting attacked for being TOO transparent here. They make it obvious in their settings that a whitelist exists…
https://www.trishtech.com/wp/wp-content/uploads/2020/02/brave-social-media-blocking-0-1280×720.jpg
…and let users disable it either fully or partially in an easy manner. The thanks they get for being transparent here is comments by users who understand little to nothing: “See, Brave unblocks Facebook and Twitter cookies! Spyware!” without ever asking whether Brave or Facebook / Twitter are to blame here.
As for Firefox, of course they show you what is being blocked if you click on the shields icon, that’s not the point. The point is that Firefox never makes it obvious within the browser itself(!) that a whitelist exists, like Brave does. You can view their whitelist if you go to the Disconnect website, but this clearly this does not count as “making it obvious within the browser itself”. And the menu under the tracking shield in the address bar only shows you what is actually getting blocked, of course it doesn’t show you any whitelisted items, they never appear in the list of blocked items, because they are, well, whitelisted.
> I don’t use Brave, but does Brave have an indicator or per site info and easy exceptions? Surely it has some sort of per site front end for usability? I honestly don’t know, that’s why I’m asking
Of course Brave is indicating what is getting blocked on a per-site basis, any you can whitelist stuff yourself:
https://support.brave.com/hc/article_attachments/360042750232/shieldsdetails.gif
> The point is that Firefox never makes it obvious within the browser itself(!) that a whitelist exists, like Brave does
That’s just privacy theater. The mechanism is a blocklist, not a whitelist. **Everything** is whitelisted, unless it is on the list, with exceptions within that blocklist for some combinations (such as google on youtube). No one cares about the 3rd party trackers that aren’t blocked by the browser, because you can’t guarantee to get them all – it’s a false sense of privacy and 99% of users wouldn’t even be interested in looking at a list. They couldn’t care less, they just want sites to work by default.
How’s Braves first party isolation coming along? Or their containers? Or dynamic FPI?
Maybe if they didn’t waste time on theatrics, Brave could have fixed that bug a lot faster: you know the at least 3 months old one that ignored settings (not opting into Brave Rewards of all things, or using the Crypto Wallet) and made 3rd party connections, literally thousands of them a day, every day, for months, and it couldn’t be disabled. A bug that affected all brave users. The one where the devs after being told literally didn’t do anything (absolutely no urgency) and some random user had to open an issue for them on their own issue tracker, and finally, after weeks of no action, another user had to beg and name call the CEO, and still nothing.
I guess your answer is there was **no** privacy issue (I disagree). There wasn’t any with Mr Robot either, and that was a tiny % of users and was disabled by default – unlike this Brave one. Really bad optics by Brave there – no urgency at all. You bemoaned the other day that the people that allowed/enabled Mr Robot are still at Mozilla, and years later you still always bring up Mr Robot. This is worse. Will you hold them to the same standard, or will you just say “bugs happen”. Would you might if I occasionally keep bringing this up for the next 30 months?
Really, anything said at this point would be hypocrisy, but have at it. Please explain why this is not an issue (but Mr Robot still is after 2 and a half years)
@Pants
> That’s just privacy theater. The mechanism is a blocklist, not a whitelist. **Everything** is whitelisted, unless it is on the list,
My dear Pants, whom are you trying to fool here? There is a clear and distinct difference between a totally new cookie that needs to be evaluated before either getting blocked or whitelisted, and a cookie that is already known, was thoroughly evaluated, and then whitelisted. New cookies not yet evaluated not being blocked yet ≠whitelisted cookies not being blocked deliberately. I’ll stop here, no need to further discuss it until you admit that there is a fundamental difference.
> No one cares about the 3rd party trackers that aren’t blocked by the browser, because you can’t guarantee to get them all – it’s a false sense of privacy and 99% of users wouldn’t even be interested in looking at a list.
Just because you can’t really catch all (especially new) tracking cookies doesn’t absolve you from the duty to catch as much as you possibly can.
> They couldn’t care less, they just want sites to work by default.
Some items on the Disconnect whitelist wouldn’t break sites if they were blocked. I’d believe your argument if there were solid reasons for whitelisting certain cookies. The Disconnect list is unnecessarily Google-friendly, for instance (hardly surprising that Mozilla uses this list, then, considering the fact that Google funds Mozilla).
> How’s Braves first party isolation coming along? Or their containers? Or dynamic FPI?
It doesn’t, and neither does it in Firefox, as long as it breaks login forms left and right (were you not the one talking about sites not breaking being a priority)? Yes, indeed it is a great idea to introduce something like this in our time, where many services use Google / Facebook accounts as an alternative option in their login forms. As for the cookies being set here, they don’t survive after the related tab being closed here anyway (Cookie AutoDelete), and most are getting blocked way before that has to happen.
By the way, how is Firefox’s weak ass sandbox and lack of real site isolation (rather than just isolating content as a whole) is getting along? -> https://grapheneos.org/usage#web-browsing
> Maybe if they didn’t waste time on theatrics, Brave could have fixed that bug a lot faster: blah
Yes, it was a bug. Brave Rewards is not a native function of Chromium (how could it possibly be…), it was implemented via an internal extension. This extension isn’t being terminated properly at the code level, as it stands.
> 3rd party connections, literally thousands of them a day, every day, for months,
How often a server is being hit is irrelevant, the information being transmitted is all that matters. Only if you know what (not how often… irrelevant) something is transmitted, you can judge. It doesn’t make a difference if a server is it 10 times or 1000 times, please tune down the dramatic music a bit, thank you.
> (absolutely no urgency)
Because it’s not and never was a privacy issue, there was no urgency indeed. But my belief is that the bug was just somewhat mismanaged / forgotten, instead of outright being ignored.
> I guess your answer is there was **no** privacy issue (I disagree).
May I ask why you disagree? There is no indication that that any kind of personal data was transmitted to any outside server, this is substantiated by the connections Brave established triggering downloads rather than uploads, as well. Just saying “I disagree” without saying why you disagree exactly is hardly an argument – but I see why you did it, since there was no privacy threat involved, you have to make up one, and you know that I would notice when you are making things up. Bad position, this is.
> Will you hold them to the same standard, or will you just say “bugs happenâ€.
Mr Robot was unquestionably deliberate, and the method of how it was inserted in Firefox allows for further abuse still. The Brave issue was a clearly a bug, this is substantiated not just by me saying so, all observations of users reporting in point to it being a bug, the Brave devs also clearly said the behavior is not how they intended it to operate. I am holding everyone to the same standards, if Brave had remotely sneaked in some add-on I was not aware of and which has seemingly no functionality at all, I would complain as well, and I would most certainly question and criticize the mechanism they used to insert it.
> Please explain why this is not an issue (but Mr Robot still is after 2 and a half years)
It’s not an issue because it was unintentional on Brave’s part and was not a privacy threat, Mr. Robot is an issue because it was clearly intentional and the mechanism which was used is still open for potential abuse.
On a more general note, would you please stop to wasting my time, @Pants? I’ve understood by now that discussions with you are pointless, fruitless, always needlessly escalate, and bear no profit for anyone. I was trying to treat you fairly, as I believed (and still do believe) that your heart is in the right place, in that you want to improve the privacy situation of Firefox users… But if you insist on annoying me any further, perhaps I’ll have a closer look at your user.js, explaining to you which (presumably) ill-researched entries are extremely likely to break stuff in the wild, and perhaps I’ll also give you some hints on how to sanitize your recommended add-ons list, since half of its entries are either outdated, ineffective, or have been replaced with better alternatives quite some time ago. But please, spare me the effort, I do not really care about your project that much, I’d only do it to show interested third parties with what kind of competence they are really dealing here.
> There is a clear and distinct difference
Invalid. No one said anything about “new” (and they don’t have to be cookies). The implementation in both browsers is a blocklist. No one claims to block all tracking: the only thing that matters is the quality of the service (block what can without breaking anything). Looking at a list is irrelevant except at a technical level
> hardly surprising that Mozilla uses this list, then, considering the fact that Google funds Mozilla
Invalid. Off-topic. Unproven allegations of corruption/favoritism
> how is Firefox’s weak ass sandbox and lack of real site isolation
Invalid. Off-topic. Has nothing to do with tracking
> It doesn’t make a difference if a server is it 10 times or 1000 times
Invalid. I’m only reporting the facts. Even if it only makes one connection a day, it’s still one too many
> Because it’s not and never was
It *is* a privacy issue (I said issue, not breach), at the very least from the optics of it – unsolicited third party connections. No one is saying there is malfeasance – but how does an end user (or even you) know for sure what was transmitted, and what about the metadata of connections, what about passive fingerprinting
> Mr Robot was unquestionably deliberate
Invalid. All shield experiments are deliberately created
> It’s not an issue because it [brave] was unintentional
Invalid: Mr Robot was also unintentional (i.e no one wanted to scare users with a new unexplained extension showing up). The breakdown was in not having proper checks in place, to either can a study, or make it more user friendly
> the method of how it was inserted in Firefox allows for further abuse still
Invalid. Shield studies have a valid use, and can disabled it in the graphical UI. This is a trust issue – there’s nothing to stop any company abusing their software – except reputation and scrutiny. In the 30 months since (Robot, Cliqz), it’s never happened again – because Firefox took steps to create more accountability, tighter sign-offs, and a document trail.
> Brave vs Mozilla
Both issues were caused by humans. Brave was a code bug (by a human) and a lack of testing. Mozilla’s was a human judgement error and a lack of enough oversight.
– Mozilla: promptly posted about it (and did so several times with followups), apologized, took in feedback, did a post-mortem, and took steps to mitigate any future re-occurrence
– Brave: short of finally fixing it a week ago, after at least three months, not a word
So just to be clear… Brave makes a mistake, which at the very least the optics of it is very privacy concerning (unsolicited 3rd party connections), handles it in an untimely fashion (not even creating a bug issue for it) and says nothing, not even an apology… and that’s OK. Mozilla makes a mistake, and there no privacy concerning unsolicited connections), and does the opposite of Brave (publicly acknowledges it, apologizes, does a post-mortem, implements changes so it doesn’t happen again, and follows up with more posts to inform users)… and that’s worthy of being pilloried over: even 30 months later.
I have one word for that: hypocrisy
> On a more general note, would you please stop to wasting my time
Then don’t reply, or don’t read my comments. I’m only responding to what **you** write. If you don’t like me pointing out your hypocrisy and double standards – then stop bringing up invalid Firefox criticisms. Given your history of abusive behavior to others on this site, I find your stance hilarious
> But if you insist on annoying me any further, perhaps I’ll have a closer look at your user.js
Go ahead. It’ll be great to have another set of eyes on it to help find any inconsistencies. Don’t forget to read all the qualifying statements
> I do not really care about your project that much
Awesome. I don’t care about Brave – talk all you want about that. I’m just going to call you out when you make ludicrous statements about Firefox
PS: Out of interest, does Brave handle CNAME bypassing with it’s built in blocking? I know Firefox does with ETP (and allows extensions to also use the DNS API)
@Pants
> the only thing that matters is the quality of the service (block what can without breaking anything).
As I’ve already said, the quality of the Disconnect blocklist is bad, since it whitelists cookies that can be blocked without breaking anything.
> Looking at a list is irrelevant except at a technical level
Looking at the list is the first thing one has to do if its quality is to be judged, this has then to be confirmed by further testing (does cookie X really have to be on the whitelist…).
> Off-topic. Unproven allegations of corruption/favoritism
I can prove that the Disconnect list treats Google favorably. It’s also provable that Google funds Mozilla. But sure, no connection there. Sheesh, yeah, all imagined and / or coincidence.
> I’m only reporting the facts. Even if it only makes one connection a day, it’s still one too many
You added a certain kind of melodrama to the facts, because again, number of connections is invalid. And as for outgoing connections…
https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage/#comment-4463830
…I think Brave is not the worst offender. Sure, you will now be claiming that those are all first party connections. However, 1) many of those are also unnecessary / redundant / problematic and 2) a first party can also sell the data to third parties, making the differentiation third party vs. first party quite artificial, unless you are also accustomed to their business relationships and accounting.
> It *is* a privacy issue (I said issue, not breach), at the very least from the optics of it
How long will you be riding the dead “optics” horse? Optics don’t prove anything.
> but how does an end user (or even you) know for sure what was transmitted,
Data was being downloaded, not uploaded here.
> Invalid. All shield experiments are deliberately created
So my argument that Mr Robot was deliberate is invalid, because all Firefox Experiments (including Mr Robot) are deliberate? What the hell?
> Mr Robot was also unintentional (i.e no one wanted to scare users with a new unexplained extension showing up).
Mr Robot was intentionally inserted into Firefox installations from afar, that the reaction was not positive, as Mozilla expected, suddenly means that the act of inserting it was not deliberate? Again, what the hell?
> Invalid. Shield studies have a valid use, and can disabled it in the graphical UI.
The Shield Studies Firefox comes with out of the box cannot be disabled. And something can have valid use case and can still be abused – one does not rule out the other.
> Brave makes a mistake, which at the very least the optics of it is very privacy concerning (unsolicited 3rd party connections), handles it in an untimely fashion (not even creating a bug issue for it) and says nothing, not even an apology… and that’s OK. Mozilla makes a mistake, and there no privacy concerning unsolicited connections), and does the opposite of Brave (publicly acknowledges it, apologizes, does a post-mortem, implements changes so it doesn’t happen again, and follows up with more posts to inform users)… and that’s worthy of being pilloried over: even 30 months later.
The Brave issue was a bug, i.e. unintentional. Do you expect them to apologize for any and all bugs? In that case they would have have to do lots of apologizing, considering that a codebase like Chromium likely has thousands of bugs… Mozilla intentionally inserted Mr Robot from afar, this was not a bug, and an apology was of course expected here. No hypocrisy on my part, despite you desperately wanting to make it seem that way.
> If you don’t like me pointing out your hypocrisy and double standards – then stop bringing up invalid Firefox criticisms.
True version of this sentence: “If you don’t like me (Pants) making up hypocrisy and double standards you actually don’t hold – then stop bringing up valid Saint Firefox(TM) criticisms.”
> Given your history of abusive behavior to others on this site, I find your stance hilarious
You can call my inherent bluntness “abusive” all you like all day long, if you are that snow-flakey, but at least I am not trying to weasel my way out of the situation when someone brings up valid criticisms, like you do all the time. Your brand loyalty blinds you, but that’s okay – it’s called fanboyism and is fairly common.
> I’m just going to call you out when you make ludicrous statements about Firefox
You make ludicrous statements about Brave that are very far-fetched, in order to counter my reports of past and present Mozilla abuses, how sad is that? None of my statements about Firefox was “ludicrous”.
> Out of interest, does Brave handle CNAME bypassing with it’s built in blocking? I know Firefox does with ETP (and allows extensions to also use the DNS API)
Firefox has weaknesses that Brave doesn’t have, Brave has weaknesses that Firefox doesn’t have. We can play this game all day long. It makes more sense to block CNAMEs network-wide with Pi-Hole, if you don’t do that, you are doing it wrong anyways. Your reasoning: “Lolz, let’s bring up CNAME blocking despite it not being prevalent, Chromium can’t block that, so I assume it’s impossible…” *Yawn*
PS: You seem to like the word “invalid”, but next time try to use it to describe statements that are *actually* invalid, and try to use the word in a manner that makes logical sense.
You don’t seem to want to, or can’t, understand or consider the other person’s point of view. And Firefox always has to be guilty, and you always have to be right.
Maybe I’m not very clear (I don’t really have that problem elsewhere), maybe you lack verbal reasoning skills, maybe you’re not very clear – but any attempt to have a discussion with you, ends up on wild tangents and goes completely off-topic – and based on my three threads with you, when you do that, I’m just going to reply to it as invalid
—
In my question/discussion – I said the list viewed in the browser is privacy theater. So consider 99% of users don’t care about looking at a list. No one is looking at the list except technical users (1%). It’s just not that important. I’m saying that it’s pretty much a useless feature (not totally useless, just 99% useless). Looking at it doesn’t change how it works or the quality of it – and all 99% of users want is a working browser. 99% of users just don’t care. That’s my point.
Irrelevant to my argument: Disconnect, Google, the quality of the lists, comparing browser lists, insinuating without proof that there is some collusion over the Firefox list, etc
—
In my argument/discussion – I said don’t you find it hypocritical to bring up Mr Robot even after 30 months considering Brave’s bug? So consider that Firefox has shield studies (for a valid reason), and Brave has built in BAT/Brave Rewards and a Crypto Wallet (for valid reasons). It’s about companies making a mistake and how they address it and learn from it. I’m comparing the optics of Brave’s error, with the optics of Mr Robot. They’re comparable in the sense that both were human errors with both companies lacking something else (sufficient testing/oversight), and both are enough of a “serious” issue (for lack of a better word): i.e one has privacy implications (not saying there was any leak or PII or anything) and the other spooked users. Both are comparable in that they don’t “look good”. That’s my point, and the validity of comparing their responses. That’s the hypocrisy I’m talking about
Irrelevant to my argument: Whether or not shield studies (or BAT etc) exist, or the default for shield studies (or BAT etc). Expecting Brave to apologize for every bug (no one suggested that) etc. Or that it was deliberate. Or that PII was/wasn’t involved. etc Why some people are still employed at Mozilla, or who the CEO is or their salary, or Antifa, or Daniel Micay (those ones from the other thread, also about Mr Robot vs this Brave bug)
—
> Firefox has weaknesses that Brave doesn’t have, Brave has weaknesses that Firefox doesn’t have. We can play this game all day long
That’s practically what I said in the other thread – thanks for agreeing. First party isolation, and CNAMEs was a little off scope, but very relevant to tracking – especially CNAMES and internal blocklists. I wanted to know the answers. I’m sure others did too.
No point replying to any of the rest, I’ll just let the readers be the judge
—
I thought you might have changed after https://www.ghacks.net/2020/04/17/mozilla-adds-dynamic-first-party-isolation-option-to-firefox-77/#comments and Martin had to take action
But look at how your responses change in https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage/#comments , not to mention here
You revert to… whats SEEMS to me… attacking the other person, name calling, mild threats (to “go after” the ghacks user.js, which, BTW you used to reference and link to and use as a source, until recently – what changed – anyway, have at it), use aboutwhatisms, make unfounded claims and insinuations, exaggerate, twist words, ignore or don’t answer the actual questions, and other fallacies. And despite my best efforts, I start to reply a little in kind. And all that causes long posts and the actual topic gets side-tracked
I don’t care what you write, and I don’t care about Brave. Sometimes I will post comments where applicable – and that includes replying to or asking questions about what **I think** needs addressing or given another viewpoint – from **anyone**, not just you.
Still no Brave Sync on desktop… pfff…
Bloat
What’s the point of a brave to brave video chat? What’s the point of the 100th video chat app anyway?
IDK, Motion creates the illusion of progress?
Actually, I think this is just capitalizing on the current stay at home situation. Seems every tenth ad on TV is a laggy chat screen selling itself.
Is this just a wrapper around Jitsi Meet (meet.jit.si)? If so, it’s completely worthless – no more secure, no more feature-rich, and limits yourself to communicating with only other Brave users.
Or is this a separate deployment of the Jitsi software, hosted by the Brave Software Inc? If so, I can at least understand why *some* people (not me) would be interested – perhaps they trust Brave more than they trust 8×8 (the company that hosts Jitsi Meet).
I think I answered my own question. The Brave feedback page links to the Jitsi Meet manual:
https://community.brave.com/t/about-the-brave-together-category/129628
Completely worthless it is.
Brave Browser = Bloated Browser
@Sam
I don’t think that you can justifiably make this argument so far, for the current state of the Brave browser. It really isn’t bloated as it stands. That being said, I won’t make any effort to defend the bloat described in the article above, since that is bloat indeed.
One can *easily* be justified in stating that Brave Browser is a Bloated Browser.
The Brave “browser” contains it’s own advertising system to show you its own advertisements, a questionable cryptocurrency system, a repackaged video meeting system, and sadly, an ad blocker that is inferior to uBlock Origin.
All of that bloat is included with every browser downloaded from Brave. They don’t offer any options to not download and install all that crap. It’s definitely bloatware.
@Sam
> The Brave “browser†contains it’s own advertising system to show you its own advertisements, a questionable cryptocurrency system,
That’s part of the reason why it exists in the first place, and in terms of the scope of code changes required for it to exist, it’s minor.
> a repackaged video meeting system
I agree that this is bloat, although it is not present in the stable channel of Brave as of yet.
> an ad blocker that is inferior to uBlock Origin.
It’s not as feature-complete as uBlock Origin yet (emphasis on “yet”), but in terms of its technical specs, it is more impressive. It is 70x faster and far more efficient than uBlock Origin, as it is written in Rust, while uBlock Origin utilizes JavaScript.
> It’s definitely bloatware.
Vivaldi is bloatware, for a reference.
@Iron Heart
Not to hijack this thread, but in the case of bloatware, do you have any answer to the following processes that run in the background (via the Brave Task Manager Window)?
-Bat Ledger Service
-Bat Ads Service
-Crypto Wallet
If you manually end the tasks, they automatically start back up, so having them (especially the wallet extension, which I don’t use) use resources seems like bloat to me. I’ve asked multiple times over at the reddit, but they seem to either ignore anything non-bat or ad related or simply do not wish to inform people of these extensions. As I said, I don’t participate in the BAT system or use a wallet, so these processes, which are using significant memory (the wallet extension in particular, which uses more resources than Ublock) seem rather redundant to need to be running constantly.
@Brian here you go: https://github.com/brave/brave-browser/issues/5429
Thank you for the link. Unfortunately, I’ve been down that rabbit hole already and as most others on the github page have stated, we seem to only get a simple run around answer as to why those are “needed”. My issue is, if Brave is trying to not be the next chrome, then processes like these need to be optional (or the ability to be disabled at least). Forcing processes and extensions, that have nothing to do with the basic functions of the browser and more to do with Ads and BATs, seems very Microsoft and googlesque. At the end of the day, it’s not using massive amounts of resources, but still unnecessarily doing so and with almost no legitimate answer as to why they need to be running (as opposed to why they are running) seems shady to me.
That’s a great point!
@Brian
You are not hijacking this thread, I’ll try to answer your question to the best of my abilities, for what it is worth. First off, the issue you mentioned is being tracked in three separate GitHub issues:
BAT Ledger Service: https://github.com/brave/brave-browser/issues/5429
BAT Ads Service: https://github.com/brave/brave-browser/issues/9196
Crypto Wallet: https://github.com/brave/brave-browser/issues/8742
There is good news regarding the Crypto Wallet, it seems there is a possible fix in the making, due to release in the next major update of Brave (version 1.10.x): https://github.com/brave/brave-core/pull/5513
What is happening in all three cases is essentially this, to my understanding: Brave Rewards and Crypto Wallet are internal extensions that, even if officially unused / disabled, are at least kept in a state of readiness, i.e. they are always being loaded, prepared for the user to officially activate them. This increases the RAM usage and is kind of stupid to be honest, yet it seems like the Brave developers understand this as well, which is why they try to change this behavior.
Now, there is no indication that this is a threat to privacy. Brave Rewards are based on a local algorithm that analyzes your browsing behavior, and picks fitting ads from an internal list of ads. The ads themselves only consist of a text and a related hyperlink, no tracking script whatsoever is part of these ads. So in summary, it doesn’t send your data to any kind of server, and no nefarious script within the ads themselves is at play here.
Why am I telling you this? I am telling you this because I don’t know exactly if the internal Brave Rewards extension is just in a state of readiness, or is actually active, just without displaying any ad to you. Let’s assume the worst and suppose it is active, then there is still no threat to your privacy involved, based on how Brave Rewards operate. I am being honest with you when I tell you that I do not know exactly whether Brave Rewards is just in a state of readiness, or actually active. I’d have to dig deeper to see if it just being loaded into the RAM or if any callbacks are actually made to these extensions at the code level, which would imply that they are active. Worst case would be Brave Rewards being covertly active, no matter whether or not this behavior is intentional (could be a bug), but even then the threat to your privacy is exactly zero, it just consumes RAM.
As for you being unable to kill these processes, it could be possible that Brave is doing an integrity check, i.e. it actively checks for and requires these processes to start up, and perhaps crashes if they are not running, and / or starts the processes up again when you manually terminate them. This in turn doesn’t in any way indicate whether they are just in a state of readiness or if any callbacks are being made, I mean apart from the command that forces them to start up, either intentionally or by mistake (seems to be by mistake or flawed design, since the developers are willing to change this behavior).
What I can tell you with some certainty is that this is most probably not a privacy threat, just annoying in terms of RAM consumption.
Well, thank you very much for the in depth and thoughtful reply. I certainly appreciate it! I’m still a big brave supporter, so I have no intention to jump ship just yet, just someone who likes to know all the little things (or at least ones that catch my attention.) I have no reason to distrust brave as of yet privacy wise, so I’m not concerned about these processes calling back or what not. I suppose it’s just the idea of have my RAM consumed for no real viable reason (as far as we can tell), but as I said earlier, it’s not exactly gobbling up excess amounts of resources.
Anyhow, thank you and everyone else who has replied to my question. I always value any information and the time those take to help educate myself and others. Kudos to you.
For a privacy-first and privacy-focused browser ‘most probably not a privacy threat’ is just not good enough.
It’s not a privacy threat, even in the “worst case scenario” (so to speak) of Brave Rewards being active, instead of just being loaded. Brave Rewards is based on a local algorithm that doesn’t send your personal data to any kind of server.
And may I add, other browsers have actual, provable, non-imagined privacy issues you can worry about.
@IronHeart: In what way is Vivaldi bloatware? It offers a ton more UI and other options built-in than the other Chromium browsers, so I suppose I can see how the size of that could be considered bloat after a fashion, but usually I think of bloatware as where random things are added that having nothing to do, or only tenuous connections with, browsing- like an email suite or something. Vivaldi’s options are all geared towards browsing, for the most part (I agree that the new clock thing probably isn’t [And seems pretty inexplicable to me, they position a clock right over where the clock is on the Windows taskbar- talk about redundant. But it’s just a clock, and you can get rid of it], but the clock thing is not exactly an ambitious project that takes up a lot of resources).
@John
Vibaldi is bloat in the sense that a massive UI, utilizing Javascript, is bogging the entire browser down in terms of responsiveness. Now, I realize that they had to make their own UI, as plain Chromium doesn’t allow for much customization – I just criticize how they went about it. Vibvaldi is the only browser I know of, frankly, where rendering the UI lowers the overall performance / responsiveness, this shouldn’t be happening under any circumstances.
And when it comes to features – they have their share of bloat there, as well. Philips Hue, Notes, Razer Chrome integration, a detailed panel for the characteristics of image files etc.
*Vivaldi, of course
Reminds me of Firefox Hello. It didn’t work out.
https://www.ghacks.net/2016/07/30/mozilla-plans-to-remove-hello-from-firefox-49/
Requires Brave Browser. They can keep it. Why not make it work on all browsers?
I want virus-free earth !
Who needs Brave browser, and this spy/bloatware…
Another great Brave feature: https://www.pcmag.com/news/brave-browser-caught-redirecting-users-through-affiliate-links
are you parroting what you don’t even understand but you want to look cool for “bringing it up” on this post?
Did you even understand the “issue”? because it wasn’t even an issue, it was a bug in the code that caused an unexpected behavior, which they quickly corrected. I am 100% sure it never affected you, it would never affected you and it wasn’t going to affect you in anyway, but you come here wanting to complain about it?
If you don’t understand the issue I will explain it, because I am also 100% you don’t know what you even complaining about.
The so “evil action” done by Brave Browser was that the referral link appeared on the FIRST suggested site element on the address bar when you typed Binance word or address. That’s all.
Have you ever thought how many people ACTUALLY typed binance address in Brave? and from those people few probable rare cases, how many people didn’t select the address without the referral link but then complained about it?
So, people could still select the link without referral link and most people (of the few, again, cases that would want to go to binance on brave browser) probably searched it and clicked on the link in whatever search engine they were using.
The referral link didn’t and doesn’t appear unless you use the address bar suggestions, it didn’t hijacked any link, it didn’t added any ref link without the user clearly seeing the address. it didn’t share any data or information from your browser.
So what’s the issue? are people that dramatic and dumb that they complain about a referral link when they could have chosen 100% of the time not to use it? People make it seem like brave browser held a gun on their heads and forced them to click on it, but guess what? people ALWAYS had an option to choose non referral link. Are people so dumb these days they always clicked the referral link and then complained about it when it was obvious?
It’s not like people couldn’t bring the referral link issue in guthub issues and let them do what they did, in matter of days: give users the choice if they want and how they want.
But to complain about it and make it seem like the biggest threat to users and now Brave is evil and say “my trust is broken” and switching browsers and holding pitchforks because of it and making some dumb crap excuses even if this “issue” probably didn’t affect them or more than 1% of Brave users who werent so smart not to click the non referral link…. it’s just some dumb behavior by dumb internet users.
So if you want your profile built and ads delivered by someone else than Google, why not try Brave. It even brings extra bloat that they lovingly made for you.
Well, as long as there are enough uncompromised alternatives, I’ll be using those, thank you.
Well, I tried Brave and this new “feature”. I was disappointed by both. Brave felt sluggish and the video calling just didn’t work. Double fail.