Brave Browser is getting protections against undesirable Localhost access

Martin Brinkmann
Jul 1, 2023

Brave Software plans to introduce new localhost access controls in Brave Browser 1.54. Localhost refers to resources that are usually found on the user's device and not on the Internet.

Some popular sites and services, such as Intel's Driver Assistance check, require access to localhost resources to work. Most browsers do not limit this access, which means that malicious or shady sites may also abuse it, for instance as a data source for fingerprinting and tracking.

Historically, browsers have always allowed access to localhost resources. Legitimate web applications, like Intel's driver assistant, use localhost resources for functionality. Brave Software lists banks, security software, crypto wallets and some hardware devices as other examples of services that make use of localhost connections.

The number of services that access localhost for legitimate purposes is relatively small.

Brave 1.54: localhost protections

Brave Software plans to introduce a change in Brave Browser 1.54 that uses the browser's permission system to give users control over access to localhost resources.

The first visit to Intel's Driver & Support Assistant website, for instance, will trigger the prompt, and users may allow or decline access using it. Most sites that try to access localhost resources won't trigger the prompt, but users may allow access using the permissions system.

Brave Browser uses the following logic regarding localhost access when the change is introduced:

  1. Localhost access from localhost contexts is always allowed by default.
  2. Brave's existing protections against malicious scans of localhost resources and other abuses of localhost resources continue to block these connection attempts.
  3. The new Localhost permission gives users control over access. Sites with the localhost permission set to allow may "make sub-resource requests to localhost resources". Sites do not have the permission by default and most sites won't display a prompt when they try to access localhost resources.
  4. Brave maintains a list of trusted sites, accessible here, that will trigger a prompt when they are accessed for the first time.
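
The four rules above can be read as a single decision procedure. The following is an added example that models it, not Brave's own code: the function names, the placeholder origins, the order in which rules 2 and 3 are checked, and the set of hosts treated as localhost (`localhost`, `*.localhost`, 127.0.0.0/8, `::1`) are assumptions.

```javascript
// Added example: a simplified model of the rules above, not Brave's code.
// Assumption: "localhost" covers localhost, *.localhost, 127.0.0.0/8 and ::1.
function isLocalhost(urlString) {
  // The URL parser canonicalises hosts, so 127.1 or 0x7f.0.0.1 become 127.0.0.1.
  const host = new URL(urlString).hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// req:   { siteUrl, targetUrl, flaggedByExistingProtections }
// state: { permissions: Map<origin, "allow" | "deny">, promptList: Set<origin> }
function decideLocalhostRequest(req, state) {
  if (!isLocalhost(req.targetUrl)) return "not-localhost";
  // Rule 1: localhost contexts may always reach localhost.
  if (isLocalhost(req.siteUrl)) return "allow";
  // Rule 2: existing scan/abuse protections keep blocking (order is an assumption).
  if (req.flaggedByExistingProtections) return "block";
  // Rule 3: the per-site Localhost permission decides when it has been set.
  const origin = new URL(req.siteUrl).origin;
  const permission = state.permissions.get(origin);
  if (permission === "allow") return "allow";
  if (permission === "deny") return "block";
  // Rule 4: only sites on the maintained list get a first-visit prompt.
  if (state.promptList.has(origin)) return "prompt";
  // Everyone else has no permission and sees no prompt.
  return "block";
}

// Constructed sample data; the origins are placeholders, not Brave's list.
const sampleState = {
  permissions: new Map([["https://granted.example", "allow"]]),
  promptList: new Set(["https://listed.example"]),
};
const target = "http://127.0.0.1:8080/status";
for (const siteUrl of ["https://listed.example/", "https://granted.example/",
                       "https://other.example/", "http://localhost:3000/"]) {
  const verdict = decideLocalhostRequest({ siteUrl, targetUrl: target }, sampleState);
  console.log(siteUrl, "->", verdict);
}
```

Classifying the target after URL parsing, rather than by matching the raw string, is what keeps alternative spellings of the loopback address from slipping past the check.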

The company explains that it made the deliberate decision to limit permission prompts, as it believes that the number of illegitimate prompts outweighs legitimate access significantly.

Brave plans to improve the feature in the future. One of the improvements will introduce the localhost permission prompt for all requests made to localhost resources. Brave Software may introduce this once it has come up with an easy-to-understand explanation that it can display to users whenever such access is observed.

Brave Software plans to release Brave 1.54 later this month.

Closing Words

Brave notes that other browsers, with the exception of Apple's Safari browser, are allowing localhost access at the time and do not include protections or a permissions system.

Now You: what is your take on this new feature of Brave Browser?


Comments

  1. David said on July 1, 2023 at 8:00 pm
    Reply

    Nice. Brave and Firefox are the best.

  2. Sajadi said on July 1, 2023 at 5:13 pm
    Reply

    Nice feature – BUT – Chromium based browser – clear no-go

    Here the list of acceptable browsers one’s SHOULD/COULD use=
    Floorp
    Pulse browser
    Seamonkey
    Pale Moon
    Librewolf (Un-Mozilla’d Firefox)
    Waterfox (if you can ignore the fact that it is bought by a commercial company)

    Very important when using that Mozilla code based browser – to avoid even further officially supporting Mozilla=
    – Change user agent to NOT officially supporting Mozilla
    – Turn off telemetry and all the other Mozilla baked trash

    1. Anonymous said on July 2, 2023 at 1:51 pm
      Reply

      @Sajadi lol you sound triggered.

      1. Sajadi said on July 2, 2023 at 9:11 pm
        Reply

        @Anonymous Why? It is a simple fact that Mozilla code based browsers (not official Firefox) are much better than anything Chromium.

        In fact, in the last couple of weeks I have banished all Chromium ware from my machine and replaced it with Pale Moon as main again and Floorp/Waterfox as backup.

        Was the best thing I was able to do, but worry not, my hate for Mozilla-new itself is still unbroken, but at least both variants have more customization and features than normal Chrome-imitation-fox – and one single switch allows me to reduce Firefox processes to 8 as a whole – and I can push the same way all Cache into memory and fully deactivating disk cache :P

  3. VioletMoon said on July 1, 2023 at 4:32 pm
    Reply

    May help anyone new to uBlock:

    https://12bytes.org/articles/tech/firefox/ublock-origin-suggested-settings/

    A quick search shows working with the Windows Firewall offers myriad options for blocking incoming requests without breaking Internet access.

    Suggest reading . . . how it’s done.

    And one can block the listening port for the LocalHost.

    Many options for the privacy centered user.

    @Bobo–Back to YT ads; if so many users are having problems with YT ads and new algorithms, then something is terribly wrong. Per earlier comments, no issues here, never have had an issue with advertisements or pop-ups, etc. A tool, an extension, a firewall rule–something needs tweaking if advertisements are a problem.

    1. Bobo said on July 3, 2023 at 10:57 am
      Reply

      @VioletMoon

      You clearly don’t read tech news do you? Adblockers work, for now. Google will put a stop to that very soon.

      Thanks for trying, don’t quit your dayjob.

    2. owl said on July 2, 2023 at 8:54 am
      Reply

      @VioletMoon,
      > the Windows Firewall offers myriad options for blocking incoming requests without breaking Internet access.

      I agree too.
      This technique (blocking with OS level firewall) is considered appropriate.

      Windows Filtering Platform:
      https://docs.microsoft.com/en-us/windows/desktop/fwp/windows-filtering-platform-start-page
      Note: the main thing is that the default Windows Firewall may not be really trustworthy (just like the hosts file) for those who care about privacy. You may use a third-party firewall for manual management.

      Case I’m using: simplewall
      https://www.henrypp.org/product/simplewall
      Built-in blocking rules for that app:
      https://github.com/crazy-max/WindowsSpyBlocker

  4. ECJ said on July 1, 2023 at 1:48 pm
    Reply

    “…Brave notes that other browsers, with the exception of Apple’s Safari browser, are allowing localhost access at the time and do not include protections or a permissions system.”

    That sounds, errr, not very good…

    It’s good to see a browser maker actually making meaningful changes, rather than just adding more and more privacy invading junk.

  5. Anonymous said on July 1, 2023 at 12:58 pm
    Reply

    For those who refuse to use this adware browser, a blocklist can be enabled instead in ublock origin to deny web access to localhost, named “Block Outsider Intrusion into LAN”.

    “Brave maintains a list of trusted sites, accessible here, that will trigger a prompt when they are accessed for the first time.”

    Apparently it’s supposed to be an unbreak whitelist, which could be of some use if there weren’t only 4 sites on it.

    “Brave notes that other browsers, with the exception of Apple’s Safari browser, are allowing localhost access at the time and do not include protections or a permissions system.”

    Because 1) they belong to the same surveillance capitalism industry as Brave so won’t bundle an adblocker, and 2) anyway even ublock origin can’t afford for now to enable it by default because it lacks the number of users necessary to avoid breakage (for the reason 1).

    I’m surprised that the Brave’s “privacy engineer” who happens to also be in charge of the main ublock origin blocking lists didn’t make his company consider writing the Brave unbreak whitelist in a format that could be used by adblocking tools. But again it’s only 4 sites, so not a great loss.

    1. owl said on July 2, 2023 at 12:25 am
      Reply

      > a blocklist can be enabled instead in ublock origin to deny web access to localhost, named “Block Outsider Intrusion into LAN”.

      why isnt the Block Outsider Intrusion into LAN ublock filter enabled by default?
      https://www.reddit.com/r/LibreWolf/comments/t23rh1/why_isnt_the_block_outsider_intrusion_into_lan/
      https://gitlab.com/librewolf-community/browser/source/-/issues/23#note_856123514
      Alternative means: Browser extension “Behave!”
      https://github.com/mindedsecurity/behave#readme

    2. Andy Prough said on July 1, 2023 at 4:25 pm
      Reply

      >”For those who refuse to use this adware browser, a blocklist can be enabled instead in ublock origin to deny web access to localhost, named “Block Outsider Intrusion into LAN”

      Thanks for the tip, I’ve added it to my filter lists on eMatrix for the Pale Moon browser, I’ll give it a test and see if it breaks the web or seems to work well.

      1. whitelist said on July 3, 2023 at 11:44 pm
        Reply

        @Andy Prough
        Maybe I’m missing something here, but why would you need a LAN blocklist for e(/u)Matrix when it already blocks this sort of stuff by default and you’d have to explicitly whitelist such access for a specific site? You seem to have some sort of conceptual confusion about how these whitelist-based tools work compared to (typically) blacklist-based uBlock.

  6. John G. said on July 1, 2023 at 11:10 am
    Reply

    Quite interesting feature for sure! Thanks @Martin for the article! :]

  7. giovanni said on July 1, 2023 at 8:54 am
    Reply

    I regret not having swapped to this browser earlier!

  8. Bobo said on July 1, 2023 at 8:49 am
    Reply

    The only thing Brave should be focusing on right now is to block ads on YouTube when they will force you to watch ads, buy YouTube Premium or be blocked. I’m such a bastard that I would rather pay double what YouTube Premium costs for an adblocker that can circumvent this but costs money. Google has enough money and I watch no ad on the internet. Period.

    1. Iron Heart said on July 1, 2023 at 4:59 pm
      Reply

      @Bobo

      If they really successfully lock adblockers out (a website can detect whether or not resources are being blocked, after all), there is still the option to use a VPN with an IP address of a country where YouTube does not display ads (like Albania, for example).

      1. Bobo said on July 1, 2023 at 8:10 pm
        Reply

        @Iron Heart
        There’s no doubt in my mind that Google will buy Albania if people would resort to this. Funny thing is that Albania would sell itself to Google in a flash too.

        Jokes aside, will be interesting to see how this plays out. NewPipe are apparently already completely rewriting the app so maybe they know something we don’t know. It will probably be easier to circumvent on Android than on the desktop, maybe..

        Still, I will never pay for youtube. Most of the things I watch are videos/music private people have uploaded. No “youtubers” that beg for your subs and likes etc like the whores they are, but just someone that wanted to share a copy of that weird heavy metal album from the early eighties that no one has a copy of anymore and the bandmembers died ages ago and the record company went broke in 1983. Google most certainly does not own videos like that and have no right to charge for them either. There’s probably a hundred million videos like that on youtube. You know “Here’s Uncle Joe falling drunk in the campfire, again”-videos, which are nothing like “heeey look at my ass while I pretend to build a cabin on the north pole all by myself in a bikini, PLEASE LIKE AND SUBSCRIBE”-videos. What Google SHOULD do, is to separate those videos that are in a grey zone and that would be the FREE YouTube and then concentrate on the greedy moneygrabbing whoreTube instead where people talking about soccer shoes can become millionaires for some insane reason. I won’t pay for that. The bottom line is that easily 50% of all videos on YouTube are illegal uploads in some way and Google pretends they own them.
