Brave and Chrome Browsers NOT Secure and Private by Default


rfrazier

Sep 30, 2020
As @Steve mentioned on the podcast, Chrome now wants to run just like an app on your PC. That is a really, REALLY, * REALLY! * bad idea. I want web apps to be the MOST restricted things on my PC, not the least restricted.

I am a firm believer in going through EVERY setting in a software program when installing or updating, to see what they've done or set wrong from a security or privacy point of view. They ALWAYS do stuff wrong.

Below you will find comprehensive documentation on around 65 settings in Brave that I have reviewed and, in MANY cases, set differently. They will BLOW your mind at how much the browser is trying to access or do behind your back. In some cases, I don't even know what the functions mean. If I don't use it, or know what it is, I turn it off. I turn everything strange off. Site wants to access my data - NO. Site wants to know my location - NO. Site wants to run scripts - NO unless I really trust them. Site wants to run third party scripts - NO. Site wants to access any parts of my PC - NO. Site wants to install "protocols" or "handlers" - NO. Etc. The answer is NO, NO, NO unless I have a reason to allow it. The default Firefox and Brave and presumably Chrome settings are WAY too promiscuous. Therefore, I have to reset a whole bunch of stuff. Every time Brave / Chrome updates, they tend to add things, so I have to go through the settings again. The same is true of Firefox.

My extensions in Brave are Privacy Badger, uBlock Origin, uBlock Origin Extra, Tabs Outliner, LastPass, and h264ify (forces H264 playback on YouTube and optionally forces 30 FPS for lower CPU usage).

If you haven't delved into the Brave / Chrome settings, or haven't done so for Firefox lately, you should. I really think lots of this is stuff your listeners should know. I hope you find this helpful. Thanks for the podcast and for SpinRite.

Sincerely,

Ron

-----------------

Brave Version 1.9.76 Chromium: 81.0.4044.138 (Official Build) (64-bit)
Note how many settings you have to CHANGE when you go through them for the first time.

click lion icon in toolbar, click global shield defaults - goes to shields section of settings

--- shields section ---, select advanced view (This menu has changed a bit since this was written.)

block cross-site trackers ON
upgrade connections to HTTPS ON
block scripts ON
cookies BLOCK CROSS SITE COOKIES
fingerprinting BLOCK ALL FINGERPRINTING

--- social media blocking section ---

allow google login buttons on third party sites OFF
allow facebook logins and embedded posts OFF
allow twitter embedded tweets OFF
allow linkedin embedded posts OFF

--- extensions section ---

(WHAT the heck is all this? I don't want any extensions unless I add them!)

web3 provider for using dapps NONE
hangouts OFF
IPFS companion OFF
media router OFF
private window with tor OFF
web torrent OFF
widevine OFF

--- click additional settings ---

--- privacy and security section ---

(They keep making this harder and harder to access. Now you have to click arrows to open up sub parts of these sections or you'll never see them all.)

autocomplete searches and URLs OFF
webrtc ip handling policy DEFAULT
automatically send completely private product analytics to Brave OFF
use google services for push messaging OFF
remote debugging OFF
help improve brave's features and performance (crash reports) ON

--- clear browsing data subsection ---
(Each person's preferences will differ.)

on exit

browsing history OFF (ie don't clear on exit)
download history ON (ie do clear on exit)
cookies and other site data ON
cached images and files ON
passwords and other sign-in data ON
autofill form data ON
site and shields settings OFF
hosted app data ON

--- site and shields settings subsection ---

(NOTE I block anything and everything that the sites might want to do or access on the computer unless I specifically need that function. Then I turn it on on a site specific basis. The keyword in all of this is do you want a (random) SITE to access this or that or do this or that. The answer is almost universally (for me) NO!)

--- cookies and site data sub subsection ---

allow sites to save and read cookies ON
(subject to the block cross site cookies shield setting)
clear cookies and site data when you quit brave ON

--- location sub subsection ---

location BLOCKED
(Heck NO!)

--- camera sub subsection ---

camera BLOCKED
(Heck NO!)

--- microphone sub subsection ---

microphone BLOCKED
(Heck NO!)

--- motion sensors sub subsection ---

sites' use of motion sensors BLOCKED
(Heck NO!)

--- notifications sub subsection ---

sites' use of notifications BLOCKED
(Heck NO!)

--- autoplay sub subsection ---

ask when a site wants to autoplay media ON
(I am very selective about what I allow to autoplay.)

--- javascript sub subsection ---

(NOTE I have global shields set to block scripts. On a site by site basis, I click the lion icon in the toolbar and allow scripts if I want to, similar to the way noscript works. However, only the main site is allowed when I approve it. In some cases, some sites still break even after the main domain is approved. In such cases, I may go over to firefox and look at noscript, which I still run, to see what other domains might need approval. I can then add them in this subsection. Unless I add scripting either via the lion icon in the toolbar, or in this subsection, scripts are blocked. Sometimes I run sites that break in firefox instead rather than fiddling around here. The noscript interface makes it easier to add various sites to the trust list.)

--- flash sub subsection ---

(NOTE The screen says flash settings will be kept until you quit Brave. So, you cannot save the settings. Also, a banner periodically pops up in Brave that says flash support will be ending.)

ask before running flash ON

(I am very reluctant to allow this permission when asked.)

--- images sub subsection ---

show all images ON

--- pop ups and redirects sub subsection ---

pop ups and redirects BLOCKED
(Heck NO!)

--- sound sub subsection ---

mute sites that play sound MUTING ACTIVE
(Heck NO!)

(NOTE the language is confusing as the slider switch on this screen is off while muting is active. An icon pops up on the toolbar which I can click and allow sound when I want to. Or I can add the site in this subsection.)

--- automatic downloads sub subsection ---

(NOTE This is relevant to an issue you discussed in a recent SN episode. I have had a few times where I wanted to initiate a download and the site wanted to download multiple parts. This also disables that. I don't know for sure if this disables the 1st automatic download.)

(NOTE the language is confusing as the slider switch on the screen is off while download blocking is active.)

do not allow any site to download multiple files automatically ACTIVE

--- unsandboxed plugin access sub subsection ---

(NOTE again confusing language)

do not allow any site to use a plugin to access your computer ACTIVE

--- handlers sub sub section ---

(NOTE confusing language)

do not allow any site to handle protocols ACTIVE

--- MIDI devices sub subsection ---

(NOTE confusing language)

do not allow any sites to use system exclusive messages to access MIDI devices ACTIVE
(Heck NO!)

--- USB devices sub subsection ---

(NOTE confusing language)

do not allow any sites to access USB devices ACTIVE
(Heck NO!)

--- serial ports sub subsection ---

(NOTE confusing language)

do not allow any sites to access serial ports ACTIVE
(Heck NO!)

--- file editing sub subsection ---

(NOTE confusing language)

do not allow any sites to edit files or folders ACTIVE
(Heck NO!)

--- pdf documents sub subsection ---

download pdf files instead of automatically opening them in Brave ON

--- protected content subsection ---

allow sites to play protected content ON
allow identifiers for protected content ON

--- clipboard sub subsection ---

(NOTE confusing language)

do not allow sites to see text and images copied to the clipboard ACTIVE
(Heck NO!)

--- payment handlers sub subsection ---

(NOTE confusing language)

do not allow any site to install payment handlers ACTIVE
(Heck NO!)

--- insecure content sub subsection ---

Insecure content is blocked by default on secure sites. Exceptions can be stored here.

(now backing out of the site and shields settings subsection back to the main privacy and security section)

--- back in main privacy and security section ---

google safe browsing ON

send a do not track request with your browsing traffic ON

allow sites to check if you have payment methods saved OFF

preload pages for faster browsing and searching OFF

--- autofill section ---

(NOTE I don't autofill anything. I don't want my browser remembering anything. I use lastpass for passwords.)

--- passwords subsection ---

offer to save passwords OFF

auto sign-in OFF

--- payment methods subsection ---

save and fill payment methods OFF

--- addresses and more subsection ---

save and fill addresses OFF

--- downloads section ---

ask where to save each file before downloading ON

--- help tips section ---

show wayback machine prompt on 404 pages OFF

--- system section ---

continue running background apps when brave is closed OFF
(Heck NO!)

(NOTE I feel this is a critical security item. If I close the browser, I want everything related to it shut down, PERIOD.)

use hardware acceleration when available ON

Those are my settings. Hope this info is useful.
 
They change Chrome (and derivatives like Brave) all the time. The settings you see might be slightly different. The main point is don't trust all the default settings to be what you want. Also, be aware that the more restrictive the settings are (like mine) and the more things you turn off, the more websites break. Good luck.

Ron
 
I think this information is great, but having to do that after each update to chrome? Wow that will take a lot of time. Programs should honor existing settings if an update is occurring.
 
I'll admit I'm not as good as I'd like to be at checking after every update. But, I do try to get around to it. They usually, but not always, leave your old settings intact. But, sometimes, they add new settings, which you then have to go in and tweak. For example, settings that weren't there a year ago ask if you want Brave / Chrome to have direct access to your file system (NO!) and your VR Headset (NO!). So, you still have to check after updates. Ron
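
The after-update check described in the post above can be partly automated by diffing two saved copies of the profile's settings file. This is an added example, not part of the thread: the snapshots and their key names are constructed, and it assumes the browser stores its settings as JSON in a profile file named Preferences, with content-setting values 1 = allow, 2 = block, 3 = ask.

```python
import json

# Constructed snapshots of a Chromium-style "Preferences" file, taken before
# and after a browser update. Key names are illustrative assumptions.
BEFORE = json.loads("""
{"profile": {"default_content_setting_values":
    {"geolocation": 2, "notifications": 2, "popups": 2, "usb_guard": 2}},
 "download": {"prompt_for_download": true},
 "background_mode": {"enabled": false}}
""")
AFTER = json.loads("""
{"profile": {"default_content_setting_values":
    {"geolocation": 2, "notifications": 3, "popups": 2, "usb_guard": 2,
     "file_system_write_guard": 3, "vr": 3}},
 "download": {"prompt_for_download": true},
 "background_mode": {"enabled": true}}
""")

CONTENT_PREFIX = "profile.default_content_setting_values."
CONTENT_VALUE = {1: "allow", 2: "block", 3: "ask"}


def load_snapshot(path):
    """Read a saved copy of the Preferences file (hypothetical path)."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def flatten(node, prefix=""):
    """Turn nested dicts into {"a.b.c": value} so snapshots compare key by key."""
    if not isinstance(node, dict):
        return {prefix: node}
    if not node:
        return {prefix: {}} if prefix else {}
    flat = {}
    for key, value in node.items():
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return flat


def _same(a, b):
    # Compare type as well as value so that False -> 0 still counts as a change.
    return type(a) is type(b) and a == b


def diff_snapshots(before, after):
    """Return settings that were added, removed or changed between snapshots."""
    old, new = flatten(before), flatten(after)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k])
                    for k in old.keys() & new.keys()
                    if not _same(old[k], new[k])},
    }


def describe(key, value):
    """Render content-setting integers as allow/block/ask, everything else as JSON."""
    if key.startswith(CONTENT_PREFIX) and type(value) is int:
        return CONTENT_VALUE.get(value, f"unknown({value})")
    return json.dumps(value)


def review_list(report):
    """Build the list of settings to look at by hand after the update."""
    lines = []
    for key, value in sorted(report["added"].items()):
        lines.append(f"{'NEW'.ljust(8)} {key} = {describe(key, value)}")
    for key, (was, now) in sorted(report["changed"].items()):
        # A site permission that was "block" and no longer is gets its own tag.
        loosened = key.startswith(CONTENT_PREFIX) and was == 2 and now != 2
        tag = "LOOSENED" if loosened else "CHANGED"
        lines.append(f"{tag.ljust(8)} {key}: "
                     f"{describe(key, was)} -> {describe(key, now)}")
    for key, value in sorted(report["removed"].items()):
        lines.append(f"{'REMOVED'.ljust(8)} {key} (was {describe(key, value)})")
    return lines


if __name__ == "__main__":
    for line in review_list(diff_snapshots(BEFORE, AFTER)):
        print(line)
```

For real use, copy the Preferences file somewhere safe before updating and pass both copies through `load_snapshot` instead of the constructed samples.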
 
For a few years now I have been doing a similar routine with Chromium builds - https://chromium.woolyss.com/

As you say, more recently Chrome has been shifting settings into Advanced sub menus / expanding arrow sub-menus, so they are not so obvious to find the important settings. Which affects all Chrome derived browsers.
The new Edge based on Chrome adds its own Microsoft influenced settings scheme so they can Bing you to death.

I don't use Facebook or similar social networks, but I have dabbled just out of curiosity once, and feel the way settings are going in Chrome is similar in obfuscating the more important settings to be harder to find to benefit the marketing / business of the company pushing the free software.

They can still claim (for the appeasement of Privacy advocates) that they do provide methods to suppress any concerning behavior (which wasn't always the case, in the early days of Chrome development it took years for the general public to influence Chrome development to handle something so simple as cookies a little better .. But eventually they came through), it's just a pain in the butt finding them, and makes it so that your average user will not even go there and expand arrows for more options .. Which is the reason behind the design to try and make the biggest majority of users leave the settings at their default advantageous position for the company.

Trouble is rolling your own Browser would be a monumental task. So you have a choice out of the free browsers ..

Personally I base my decision primarily on which Browser I think is the most Secure (which I consider more important than Privacy).
Over the last 11 years since Google Chrome was released, and with Google's not insignificant resources aiding massive amounts of Fuzz Testing, I don't think their open source browser code can be beaten, the fact that competing browser companies have adopted and adapted the same code for their own purposes puts the stamp of approval on the Chrome project's reputation more than anything for me.

Iron was a seemingly good attempt for Privacy, but turns out the author had his own advertising agenda.
Dragon by Comodo started out good, but once it gained a crowd of significant supporters, the real mission adding extensions which could not be removed or suppressed emerged.
There have been many similar attempts at sucking in a crowd for Chrome variations advocating Privacy versus Google's Chrome, but they all either die or have mission creep when the bean counters influence the way it evolves.

So I think the only code you can rely on for Security and Privacy overall is the base Chromium Project, without Google's branding additions, or anyone else's hidden agendas.
The only snag with that is it does not auto-update ..

My approach is :
  1. Use good DNS Primary and Secondary servers in all machines (including router). Quad9 9.9.9.9 as primary and Cloudflare's 1.1.1.1 as secondary. Read their policies if needs be, but overall I think these are better than my ISP monetizing my internet use when they should just be providing a pipe. I also replace the ISP router if they do not allow me to change DNS servers within the router's settings - Got to be careful with choice of router though, because they can be insecure too. Some ISPs (cough British Telecom cough) also provide services like Parental control options which depend upon their own DNS servers being used, thus making it harder for the customer to get out of using their servers and having behaviour being sold to third parties they have covered in their T&Cs which nobody reads due to the complexity of their arse covering.
  2. Do not use a heap of Browser Plugins / Extensions. Question: Who has audited your choices of plugins when used in combination together, for conflicts or worse inadvertently making an exploit possible expanding your browser's footprint of vulnerabilities? Answer: nobody. I used to use and recommend MVPS.org Hosts file to protect all computer communications going to malware / adware / porn sites and / or block in page elements (malvertising) which have been hijacked and waiting for an innocent unsuspecting click, but using it has technical problems, and updating it .. Family members and friends can't be arsed keeping on top of such things :). I now just use Chromium with uBlock Origin. Nothing else (apart from going through the browser's settings thoroughly periodically). uBlock Origin uses filter lists which are automatically updated, and effectively does the same job as the Hosts file was capable of. Combined with good DNS servers (also using filter lists garnered from the world's best current intel) protecting us all, and advising people not to use Porn or Warez/Pirate software sites, not downloading "recommended" software from sites which tailor their own installers (to install more than you bargained for), myself and the family have not had any malware for many years. uBlock Origin combined with the DNS servers mentioned stops pretty much all exploit sites and links from catching you off guard. Some folk go a bit more extreme and would advocate against using DNS servers and filter lists because it potentially cuts them out from seeing the whole freedom of the internet, and they feel advanced enough in their knowledge to avoid being exploited .. Which I feel is too much trouble / learning for the average person on the internet, and there is always someone a bit more clever than yourself (to say the least).
  3. Periodically go through your browser of choice settings thoroughly, to see what has changed recently the company producing it have set at default being advantageous to them.
  4. Don't click links in emails, be that in an email client such as thunderbird, or via Web Browser emails, even if the email comes from friends / family who may not have a clue what they are linking you to besides the funny video / pictures. I do use Thunderbird for throw away email accounts, but don't entirely trust it because it has many Browsing capabilities just as complex as a Web Browser, can be easily exploited, and less easy than a Browser to batten down the hatches without going to very advanced "About config" settings and knowing what to look for. So tend to prefer Browser based web mail these days for security and peace of mind.
  5. Be even more wary of all the above on a smart phone which is much harder to protect than a desktop / laptop. My iPhone after every iOS update always switches Bluetooth and Location tracking back on, I really wish Apple did not do that, but they force it to attempt to track your behavior everywhere you go via those hidden boxes in high street shops, disrespecting my previous choice of not having them enabled.
I just check the volunteer site for newer builds every 3-4 days https://chromium.woolyss.com/ and manually update. Overall I think the Chromium project is the best source for secure browser code which has not been tampered with any other agendas. There is even a de-googled version, Chromium itself does not have any Google Branding applied, but there are still Google influences in the code which the de-googled version endeavors to remove for the very paranoid.

NB : For anyone reading "very paranoid" do not take that as an insult, it's understandable given the many years of being manipulated by the Marketing side of the internet and the tricks they get up to obfuscating where possible public concerns can be found in their software, and how it can affect you personally depending upon your profession or personal circumstances. I just feel we can be too over the top regarding privacy which can be detrimental to the bigger concern of Security.

All we can do as humans is take the best informed choices available with the technical knowledge we individually possess. Whether my way is the best way (probably not) is subjective, and I do not claim to have all the answers, just passing the benefit of my experience in this topic with technology for those who may not be so aware. Keep safe :)

@rfrazier - None of the above is directed at yourself, this post is intended just to add / expand on the topic. Though for yourself (and the following needs confirmation from someone who knows better) I think I have read on a forum about uBlock Origin that Privacy Badger does duplicate some of what uBlock Origin tries to achieve, and may be in conflict, but at least is redundant if uBlock Origin does everything Privacy Badger does as well as utilising Filter lists. EFF's plugin is no doubt commendable so I would not like to put people off using it, but in combination with uBlock Origin could it maybe slow down the efficiency of the latter, or even cause uBlock Origin scripting to fail in some circumstances?



I just hope that Chromium always sticks by the original claims depicted in the Google Chrome Comic - https://www.google.com/googlebooks/chrome/small_24.html
(Read on from page 24)

Edit : PS Google Chrome I think was mentioned in a recent Security Now! podcast as drawing the attention of the pwn2own competition this year. I believe those guys (probably the world's best gathering of hackers) tend to target the most challenging. And any exploits found will have been addressed by Chrome developers as a priority. Using pwn2own as an indicator as to which Browser is the most secure to have a go at, doesn't that put Chromium at the top of the heap in terms of most secure browser currently? Maybe nation state organizations have even more clever methods of watching what we do, but to be honest if they have got time on their hands to watch me and my interests in gaming and gardening, then they can help themselves :). My immediate concerns with home security are to prevent criminal malware and identity theft ruining my family and friends' lives.
 
@alt3rn1ty It's all good. We're all just trying to make a way in a murky world. When I was in engineering school long ago, as the internet was beginning to form, I would never in a million years have imagined that hackers could "reach out and touch someone" as the old telephone ads used to say, the way that they can. Much of what I turn off in a browser is for security. Much is for privacy. My main premise is that the browser is not the computer (for me). The browser is the browser. The computer is the computer. And I want a solid line between the two. It's a continual battle. I used to make fun of sci fi movies when the main character says something like, "Oh yeah. No problem to break into the computers in that (insert name of secure facility)." I don't make so much fun of them any more. If I were an alien looking down on Earth, I'd probably say "Humans really do some stupid things." Ron
 
I appreciate how thorough you were in adjusting Brave's settings. I did the same with Firefox, though it is less complicated than Brave.
Over the last decade, on my WordPress blog, I posted at least fifteen warnings pertaining to Google, Facebook, Twitter, and YouTube, (which I satirically call "CensorTube") over privacy and security issues. Many are unaware that Google is the CIA's bastard child!

I found it necessary to disable many "apps" in Windows 10; too many are devoted to mobile devices that I have no use for.
I also use Duck Duck Go, and disabled Bing, and other search engine options. Thanks for this post.
 
At this rate the library is looking as a safer solution. We reached a point where all applications want to call home, and use all your computer info. Most applications are easier to contain, since these don't really need to reach out (regardless of what their programmers think). Browsers are unique in that you want them to reach out and connect to all sorts of sites.

Most of my apps are blocked by little snitch (yes I use a mac :) ), and the system has gotten better (worse or more ios like) at blocking access to resources. You can block some sites for the browsers (google, twitter, fb, etc.), but you won't block all connections otherwise it would be rather useless.

Then the other side of the connection. You hope your network has good enough firewalls, but as we have seen on SN these are porous. I started a remotely accessible proxy, and though not openly advertised, it gets people trying out other things (use opencanary). I wouldn't trust the ISP's modem as far as I can throw, but installed something with a little better fw afterwards, but nothing is perfect.

The idea that browsers are taking a step back and won't be sandboxed will open more options to hackers. Not that sandboxing is great, defcon and blackhat have shown people exiting the confinement. I use brave since it is supposed to be a little less gossipy, and didn't have the setting (code?) that was described on SN for another privacy issue. Besides as pointed as a theme convenience over security will probably always be the default. Programmers don't want bad reviews nor people complaining about their work