by judge2020 2495 days ago
https://twitter.com/jonathansampson/status/11653912236932218... "thanks brave for proxying the content for me, no doubt google runs a global middleware on all requests to their domains to power their adtech machine!"

Your trust for privacy has to go somewhere - do you trust the megacorp with antitrust investigations and hundreds of perpetually pending lawsuits, or "Brave Software, Inc"? Security as well. Password sync is coming[1] - surely Brave Software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.

1: https://twitter.com/jonathansampson/status/11653993492890173...

2 comments

> Password sync is coming[1] - surely Brave Software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.

How would I know? Is that code on GitHub? If not, why not? That would certainly give your words a lot more weight.

Also, to my knowledge there has never been a leak of Chrome sync data since the feature was first introduced in 2012.

I say this sarcastically - I don't think anything about Brave's security ops is flawed or even misconfigured [now], but Google and Mozilla have a lot more resources than Brave does dedicated to security and auditing of things like CI servers and access controls.

And the password sync thing was related to the server that runs sync - it's E2EE, but Brave controls the update process and could very well deploy a malicious update that exfiltrates sync data or leaves it open to attacks.

That's why my point is about where you place your trust - if you're not up to the task of building your own browser (or at least auditing and building Chromium yourself) and running your own sync software, you have to trust someone; oftentimes this means giving up privacy (Google) or giving up security (again, choosing Brave isn't really giving up the security of your sync data, you're just now trusting a company that might not have the same security procedures and amount of resources dedicated to audits).

Point of clarification: Brave supports Sync today, but passwords are not yet included. You can read about how we implement end-to-end encrypted sync here: https://github.com/brave/sync/wiki/Design

Non sequitur here, but is there a timeline? It's been 'coming' since I first looked into it many months ago.

We began developing Sync during our "Muon" days, when our browser was a fortified fork of the Electron project. We then moved over to "Core", which is a soft-fork/patch of the Chromium code-base. As such, this required us to back-track just a bit, and recover some ground. Efforts were then directed at shipping an MVP of Sync across Windows, macOS, Android, and iOS. We succeeded in doing that not too long ago, and are now working towards expanding support for more data types. Hope this helps!

Any possible chance of supporting third party sync? I'd love to have Brave (my primary mobile browser) sync natively with Firefox (my primary desktop browser).

Hey, thanks for taking the time to reply. I'm eagerly awaiting that feature, it's the only thing keeping me away at the moment.