
How does the Brave Browser "-tor" option work differently than the Tor Browser Bundle?


arlen holder

Mar 26, 2019, 12:36:58 AM
How does the Chromium-based cross-platform Brave browser "-tor" option work
differently than the Firefox-based cross-platform Tor Browser Bundle?
<https://brave.com/download/>

Linux: brave-browser --incognito --tor
Windows: C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe --incognito --tor

I know only the basics of how the Tor Browser Bundle works, at least
superficially, where you first get a directory server and then you have an
entrance, middle, and exit node, where each node-to-node traffic is
encrypted separately.

I can "presume" that the Brave browser "--incognito --tor" option set works
similarly, but, maybe it's completely different in how it works.

I see the question on the net of how the "Brave browser with tor" differs
from the "Tor Browser with tor", where the answers imply "something" is
different, as shown below.

o Brave adds Tor to reinvent anonymous browsing
<https://nakedsecurity.sophos.com/2018/07/02/brave-adds-tor-to-reinvent-anonymous-browsing/>
"For users who currently require leakproof privacy, we recommend
using the Tor Browser, which provides much stronger and well-tested
protection against websites or eavesdroppers using advanced techniques
to uncover a true IP address."

o Brave Browser Integrates Tor Into New Private Tab Feature
<https://www.pcmag.com/news/362191/brave-browser-integrates-tor-into-new-private-tab-feature>
"What's different with Brave's implementation? Mainly convenience.
You can open normal tabs in the browser, and then Tor-powered
tabs alongside them — all within one window. ...
Brave's implementation of Private Tabs using Tor is experimental
and has some known leaks which we intend to fix in future versions"

Do you have further knowledge or information on how the two browsers differ
in terms of tor-based anonymity?

Mike Easter

Mar 26, 2019, 2:58:34 PM
arlen holder wrote:
> How does the Chromium-based cross-platform Brave browser "-tor" option work
> differently than the Firefox-based cross-platform Tor Browser Bundle?

I don't know all of the answers to your question, but...

In the case of TBB rigged by the Tor Project, the Ffx is configured more
securely in more ways than just using the tor network for connectivity.

The Tor Project describes the strengths and weaknesses of their
strategy, but I can't connect to that part of their site just now, just
its faq section.

The business about how Brave works wrt ads and such is quite different
from traditional browser ad relationships; and to me, that is the BIG
difference between Brave & Ffx besides the other fundamental difference
of being based on Chromium which has a different display engine than
Ffx. Chromium is also different from but similar to Chrome browser.

Also, the TBB is based on an ESR v. of Ffx, as opposed to the more
'dynamic'/changing/ evolving regular Ffx

A different and perhaps better question might be, "Which of the more
secure browsers should I use for privacy purposes?"

To me, I think the most important question is whether or not one wants
the Brave approach to the ad situation, not the 'with or without tor' issue.

Then, if one wants the Brave approach, the business about the tor tabs
would be a big privacy improvement. But, if one wants to approach the
ad situation more conventionally, then the TBB would be the better approach.

If one wanted to derive the Brave tor tab advantage while using the TBB,
then one would use both the TBB and a conventional browser of their
choice. So, in order to 'shift gears' from tor to non-tor, they would
have to switch windows, not tabs.


--
Mike Easter
aol only

arlen holder

Mar 27, 2019, 12:45:29 AM
On Tue, 26 Mar 2019 11:58:30 -0700, Mike Easter wrote:

> I don't know all of the answers to your question, but...

Hi Mike,
Thanks for hazarding a guess, as this is a tough question to answer
since we basically often just don't have enough information to answer these
kinds of "what's the difference" questions, unless we happen to know
something most people don't know (which I don't know).

> In the case of TBB rigged by the Tor Project, the Ffx is configured more
> securely in more ways than just using the tor network for connectivity.

Yes. The "defaults" on the TBB, for example, are "reasonable" for
"privacy", in that they turn off things like scripting and they turn on
things like https-everywhere.

But they kind of sort of do that too with the Brave browser, although I
just published a tutorial over here showing what settings "I" would change
in order to make the settings more private for Brave.
o Tutorial: How to install the free Brave privacy-based tor-enabled web browser where YOU want it to install (and how to save a full offline installer in the process)
<https://groups.google.com/forum/#!topic/microsoft.public.windowsxp.general/trm_i2aooeE>

I just brought up the TBB where I see most of the settings I had to turn
off on Brave were already turned off on my TBB, although I may have done
that long ago.

I generally wipe my cache once every couple of months, so I should probably
wipe out the TBB and start fresh to see what settings I had to change for
privacy (e.g., block Microphone & Camera & Location requests).

> The Tor Project describes the strengths and weaknesses of their
> strategy, but I can't connect to that part of their site just now, just
> its faq section.

I think one good thing about the TBB site is that they're the "canonical"
privacy browser, so, we can hope that security researchers are "looking"
closely at the code (let's hope).

Who knows if _anyone_ is looking closely at how Brave implemented the Tor
relays, for example?

> The business about how Brave works wrt ads and such is quite different
> from traditional browser ad relationships; and to me, that is the BIG
> difference between Brave & Ffx

I'm not sure what you mean regarding "with respect to ads" on the
Chromium-based browsers.

Can you clarify?

I don't see any ads when I use Brave, but I've only used it for a couple of
hours. Am I supposed to see ads?

Are we expecting to have a unique "advertiser ID" kind of code?

I don't allow "Chrome" on my systems, but I use "chromium-based" browsers,
where I'm not aware of what you mean by the "wrt ads" part above.

Can you kindly clarify, where we can both ignore "Chrome" and focus just on
the Chromium-based privacy-focused browsers such as Brave, Epic, & Opera.

> besides the other fundamental difference
> of being based on Chromium which has a different display engine than
> Ffx. Chromium is also different from but similar to Chrome browser.

I agree that the Chromium browser base has some nice options, e.g.,
you can set a start page to chrome://settings/clearBrowserData
(which, in the case of Brave, is: brave://settings/clearBrowserData).

It's more steps in Firefox-based browsers to do the same thing, e.g.,
about:preferences#privacy
but then you have to root around for the clearing of cookies button.

I also agree that the Chromium-based browsers have a LOT more added
possible things to shut down, e.g.,
o Change Search engine to DuckDuckGo or Startpage (up to you)
o Change "Fingerprinting protection" to "Block all fingerprinting"
o Turn on "Script blocking"
o Turn off "Web Torrent"
o Turn off "Hangouts"
o Turn off "Offer to save passwords"
o Turn off "Auto Sign-in"
o Turn off "Save and fill payment methods"
o Turn off "Save and fill addresses"
o Change the "On startup" to "Open a specific page or set of pages"
o Set the start page to "chrome://settings/clearBrowserData"
o Set the time period to "All time" & check _every_ option to clear!
o Turn off all "prediction services"
o Turn off "Safe Browsing"
o Turn off "Allow sites to check if you have payment methods saved"
o Go to the long section of "Content settings" for the next dozen items
o Turn on "Keep local data only until you quit your browser"
o Block "Location" requests
o Block "Camera" requests
o Block "Microphone" requests
o Block "Notifications" requests
o Block "Automatic downloads"
o Block "Unsandboxed plugin access" requests
o Block "Handlers"
o Block "MIDI devices"
o Block "USB devices"
o Turn on "Download PDF files instead of automatically opening them in Brave"
o Turn off "Allow sites to play protected content"
o Turn off "Allow identifiers for protected content"
o Block "Clipboard" access to web sites
o Block sites installing "Payment handlers"
o Interestingly the browser is set to ask where to download files!
o (It's the 1st time I've seen that sensible setting be the default!)
o Turn off "Continue running background apps when Brave is closed"
etc.

On the other hand, Firefox-based browsers have a well-honed set of user.js
scripts already set up for privacy, e.g.,
<https://www.ghacks.net/2017/12/29/automation-comes-to-the-ghacks-user-js-configuration-for-firefox/>

In short, I agree with you that the entire ecosystems are DIFFERENT between
Brave (Chromium based) and the Tor Browser Bundle (Firefox based).

> Also, the TBB is based on an ESR v. of Ffx, as opposed to the more
> 'dynamic'/changing/ evolving regular Ffx

Yes. I agree.
Who knows which Chromium (or is it Chrome?) version that Brave is based off
of.

> A different and perhaps better question might be, "Which of the more
> secure browsers should I use for privacy purposes?"

This is a good question.
o I agree it's the FUNDAMENTAL question.

Choice is good; but with choice comes the responsibility of knowledge to
make a good choice.

> To me, I think the most important question is whether or not one wants
> the Brave approach to the ad situation, not the 'with or without tor' issue.

This is the second time you talked about the "ad situation".
Can you clarify?

I don't see any ads when I use Brave, but I've only used it for a couple of
hours. Am I supposed to see ads?

Are we expecting to have a unique "advertiser ID" kind of code?

I don't allow "Chrome" on my systems, but I use "chromium-based" browsers,
where I'm not aware of what you mean by the "wrt ads" part above.

Can you kindly clarify, where we can both ignore "Chrome" and focus just on
the Chromium-based privacy-focused browsers such as Brave, Epic, & Opera.

> Then, if one wants the Brave approach, the business about the tor tabs
> would be a big privacy improvement. But, if one wants to approach the
> ad situation more conventionally, then the TBB would be the better approach.

Hi Mike,

What I do is likely different from most people, where I install as many
different browsers as I need (e.g., for Chromium-based browsers, there's
Opera, Brave, Epic, Iron, etc., and for Mozilla-based browsers, there's
Firefox, SeaMonkey, IceDragon, PaleMoon, Waterfox, etc., and there are a
couple of Windows-based browsers also).

The sum total is over a dozen different browsers, where what I do is set up
each browser for one web site and purpose only.

That way I can customize the browser to do what I do at _that_ web site.
For example, if scripts aren't needed for that site, I turn them off.
If images aren't needed for that site, I turn them off.
If the site needs to have Flash enabled, I turn it on.
etc.

Each browser visits only one site so it's set up only for that site.

Since my TBB is already relegated to a particular site, it's nice to have
Brave, if I need onion routing anonymity for another site.

I don't know of _any_ other Tor-enabled "privacy browser", do you?

> If one wanted to derive the Brave tor tab advantage while using the TBB,
> then one would use both the TBB and a conventional browser of their
> choice. So, in order to 'shift gears' from tor to non-tor, they would
> have to switch windows, not tabs.

I think what you're saying is that, if you want two tabs, one being in the
tor network and the other not being in the tor network, you can't do that
with TBB but you can do that with Brave.

Personally, I wouldn't do that, where I'd use Brave _always_ in the same
mode.
$ brave-browser --incognito --tor

In fact, I'm having problems with exactly that setup (on Windows) since I
would like to use Brave ONLY in the TOR mode, where there are three modes
for Brave on Linux & Windows:
o brave.exe (normal mode)
o brave.exe --incognito (privacy mode)
o brave.exe --incognito --tor (anonymity mode)

I haven't tested Brave on Linux yet, but it appears to have the same
options as per this document on GitHub:
<https://github.com/brave/brave-browser/issues/2105>

My setup problem is I can't get the Windows shortcut to open up directly in
"anonymity mode".

I can get it to open up in "privacy mode", but not "anonymity mode"

That is, these TARGETs in the Windows "brave.exe.lnk" shortcut WORK:
C:\app\browser\brave\Chrome-bin\brave.exe
C:\app\browser\brave\Chrome-bin\brave.exe --incognito

But these TARGETs fail:
C:\app\browser\brave\Chrome-bin\brave.exe --incognito --tor
C:\app\browser\brave\Chrome-bin\brave.exe --tor

I tried with and without doublequotes, where it might just be a bug,
but it hampers my setup as I like to be one-click efficient, where I have
so many browsers that I would _only_ use Brave in "anonymity mode".
<https://github.com/brave/brave-browser/issues/690>

Followup to a.o.l respected.

Mike Easter

Mar 27, 2019, 2:16:12 AM
arlen holder wrote:
> Mike Easter wrote:
>
>
>> The business about how Brave works wrt ads and such is quite different
>> from traditional browser ad relationships; and to me, that is the BIG
>> difference between Brave & Ffx
>
> I'm not sure what you mean regarding "with respect to ads" on the
> Chromium-based browsers.

I don't mean generic chromium based browsers; I mean specifically and
only the chromium based browser Brave.

> Can you clarify?
>
> I don't see any ads when I use Brave, but I've only used it for a couple of
> hours. Am I supposed to see ads?

I don't know how to put/express Brave's most important design principles
into a few words. I don't see a quick few words at the Brave site, so I
would refer you instead to the wp article:

https://en.wikipedia.org/wiki/Brave_(web_browser) The browser blocks
ads and website trackers. In a future version of the browser, the
company has proposed adopting a pay-to-surf business model.

> Are we expecting to have a unique "advertiser ID" kind of code?

More complicated than that. We have the BAT Basic Attention Token like
an Ethereum Patreon deal.

> I think what you're saying is that, if you want two tabs, one being in the
> tor network and the other not being in the tor network, you can't do that
> with TBB but you can do that with Brave.
>
> Personally, I wouldn't do that, where I'd use Brave _always_ in the same
> mode.
> $ brave-browser --incognito --tor

Yabbut; I don't see Brave running only in tor (yet).


--
Mike Easter

arlen holder

Mar 27, 2019, 2:41:10 AM
On Tue, 26 Mar 2019 04:36:56 -0000 (UTC), arlen holder wrote:

> How does the Chromium-based cross-platform Brave browser "-tor" option work
> differently than the Firefox-based cross-platform Tor Browser Bundle?

I ran a quick test of http://panopticlick.eff.org/ fingerprinting.

*TBB*: Within our dataset of several hundred thousand visitors tested in
the past 45 days, only one in 752.26 browsers have the same fingerprint as
yours.

*Brave*: Your browser fingerprint appears to be unique among the 297,725
tested in the past 45 days.

The Tor browser conveyed around 9 bits of identifying information; while
the Brave browser conveyed _twice_ that much identifying information!

The big differences appeared to be that Brave was worse in the following:
o Hash of WebGL fingerprint
o Hash of canvas fingerprint
o Time Zone
o HTTP_ACCEPT Headers
o User Agent

Most of the rest were either exactly the same, or close enough.
o Interestingly, TBB was slightly worse than Brave on "System Fonts".
o And TBB was twice as bad on "Screen Size and Color Depth".

As a control, I ran Firefox, which came up with the same number of
identifying bits of information as did the Brave browser in tor mode.
*Firefox*: Your browser fingerprint appears to be unique among the 297,748
tested in the past 45 days.

Some of the offending items were:
o Hash of WebGL fingerprint (it was about double Tor but half of Brave)
o Hash of canvas fingerprint (it was about double Tor but half of Brave)

Interestingly, the identifying bits from "System Fonts" was lowest on
Firefox, but not appreciably so as they were all within one or two bits of
identifying information.

It's hard to summarize, but clearly the Tor Browser Bundle had, overall,
about half the number of bits of identifying information leaked than did
either Firefox or Brave in anonymity mode.

Mike Easter

Mar 27, 2019, 11:36:48 AM
arlen holder wrote:
> I ran a quick test of http://panopticlick.eff.org/ fingerprinting.

So far, I haven't found it very useful to wrap my head very far around
panopticlick fingerprinting beyond understanding the concept.

There are privacy concepts which don't seem very useful to me, in which
the price exceeds the payoff too much.


--
Mike Easter

arlen holder

Mar 27, 2019, 1:40:52 PM
On Wed, 27 Mar 2019 08:36:45 -0700, Mike Easter wrote:

> So far, I haven't found it very useful to wrap my head very far around
> panopticlick fingerprinting beyond understanding the concept.
>
> There are privacy concepts which don't seem very useful to me, in which
> the price exceeds the payoff too much.

Hi Mike,
I appreciate that you provided your opinion, where, I think, for me anyway,
sites like Panopticlick have value in two areas:
o The first is to just realize that fingerprinting is real & easily done
o The second is to realize where the BIGGEST problem lies

For example, for the longest time I had a very specific FONT on my system
which was only used for road signs (roadgeek font) and where it's the
_only_ road-sign font I could find that was licensed for free public use
and which was provided in a Linux-like spirit of community knowledge:
<https://n1en.org/roadgeek-fonts/>

Since I was helping the neighborhood make road signs for a bunch of the
private roads in the area, it mattered greatly that the font be _that_
specific (legal and applicable) roadsign font.
<https://www.fontspace.com/michael-d-adams/roadgeek-2005>

And yet, my "fingerprint" (number of identifying bits) skyrocketed because of it!

Notice the two points I said above are exemplified by this real-world example;
o If you know that certain things give away identifying bits of information
o Then, and only then, can you do something about it.

In the case above, I simply zipped up the fonts when not in use.

In summary, I think panopticlick has useful advantages, but also, be
advised, for all we know, they themselves could be the bad guys (so I
wouldn't use Panopticlick sans some kind of proxy... I won't use the
three-letter word with you... :)

My suggested use model for others is to be AWARE of what fingerprints them most.
o Then eliminate that fingerprinting issue (if you can).
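
The "bits of identifying information" figures quoted from Panopticlick earlier in the thread, and the rare-font anecdote in the post above, both come down to surprisal: a value shared by one in N browsers carries log2(N) bits. The following is an added example, not part of the original thread; the eight visitor records and their attribute values are constructed for illustration, and only the 752.26 and 297,725 figures come from the posts.

```python
import math

def bits_from_one_in(n):
    """Identifying bits carried by a fingerprint shared by one in n browsers."""
    return math.log2(n)

# Figures quoted in the thread (Panopticlick, 45-day window).
TBB_ONE_IN = 752.26            # "only one in 752.26 browsers"
BRAVE_UNIQUE_AMONG = 297_725   # a unique result means at least log2(dataset) bits

# Constructed sample of eight visitors; every value here is invented.
SAMPLE = [{"timezone": "UTC", "fonts": "default", "canvas": "blocked"}] * 4 + [
    {"timezone": "UTC-8", "fonts": "default", "canvas": "a1"},
    {"timezone": "UTC-8", "fonts": "default", "canvas": "a1"},
    {"timezone": "UTC-8", "fonts": "default", "canvas": "a3"},
    {"timezone": "UTC-8", "fonts": "default+roadgeek", "canvas": "a3"},
]
VISITOR = SAMPLE[-1]  # the one visitor with the rare font installed

def attribute_surprisal(records, visitor):
    """Bits each attribute contributes: log2(total / records sharing the value)."""
    total = len(records)
    bits = {}
    for attr, value in visitor.items():
        same = sum(1 for r in records if r.get(attr) == value)
        if same == 0:
            raise ValueError("visitor must be one of the records")
        bits[attr] = math.log2(total / same)
    return bits

def anonymity_set(records, visitor):
    """How many records match the visitor on every attribute at once."""
    return sum(1 for r in records
               if all(r.get(k) == v for k, v in visitor.items()))

def joint_bits(records, visitor):
    """Bits of the whole fingerprint. Not the sum of the per-attribute bits
    when attributes are correlated (here 1 + 3 + 2 = 6, but the joint is 3)."""
    matches = anonymity_set(records, visitor)
    if matches == 0:
        raise ValueError("visitor must be one of the records")
    return math.log2(len(records) / matches)

# The same visitor after removing the rare font, as described in the post.
HARDENED = dict(VISITOR, fonts="default")
HARDENED_SAMPLE = SAMPLE[:-1] + [HARDENED]

if __name__ == "__main__":
    print("TBB bits:   %.2f" % bits_from_one_in(TBB_ONE_IN))
    print("Brave bits: %.2f (lower bound)" % bits_from_one_in(BRAVE_UNIQUE_AMONG))
    print("per attribute:", attribute_surprisal(SAMPLE, VISITOR))
    print("anonymity set before:", anonymity_set(SAMPLE, VISITOR))
    print("anonymity set after: ", anonymity_set(HARDENED_SAMPLE, HARDENED))
```

The attribute with the largest per-attribute value is the one worth fixing first; in the constructed sample that is the font list, and removing it doubles the anonymity set.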

arlen holder

Mar 27, 2019, 1:56:33 PM
On Tue, 26 Mar 2019 23:16:08 -0700, Mike Easter wrote:

> More complicated than that. We have the BAT Basic Attention Token like
> an Ethereum Patreon deal.

Hi Mike,
I'm confused still, but looking at the cite you provided, I do see things
that are of obvious concern to us all.

For example:
"Brave Software has announced that it is developing a feature allowing
users to opt in to receiving ads sold by the company in place of ads
blocked by the browser."

Oddly, Brave will donate, they say, 70% of the revenue to we users!
o Hmmm... that's a new one to me... where they pay _us_ for ads we see.

I see the section on "Basic Attention Token ad exchange" over here:
<https://en.wikipedia.org/wiki/Brave_(web_browser)#Basic_Attention_Token>

Where it just gets more and more confusing as I delve deeper:
"The 'Basic Attention Token' (BAT) is an open-source, decentralized ad
exchange platform based on Ethereum."

Looking at what the heck "Ethereum" is, I find this Wikipedia link:
<https://en.wikipedia.org/wiki/Ethereum>
Where I don't even want to cut and paste even the _first_ line of that
Wikipedia article, since it means I will have to spend all day figuring out
what the heck it is.

Hence, in summary, based mostly on intuition, I see what you mean in that
Brave has a completely different sustainability model than does the Tor
Browser Bundle.

--
fup to a.o.l respected.

Mike Easter

Mar 27, 2019, 2:05:00 PM
arlen holder wrote:
> My suggested use model for others is to be AWARE of what fingerprints them most.
> o Then eliminate that fingerprinting issue (if you can).

I accept your anecdote as a good example.

--
Mike Easter