[jasonvorhe]

> Password sync is coming[1] - surely brave software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.

How would I know? Is that code on GitHub? If not, why not? That would certainly give your words a lot more weight.

Also, to my knowledge there has never been a leak of Chrome sync data since the feature was first introduced in 2012.

[judge2020]

I say this sarcastically - I don't think anything about Brave's security ops is flawed or even misconfigured [now], but Google and Mozilla have a lot more resources than Brave does dedicated to security and auditing of things like CI servers and access controls.

And the password sync thing was related to the server that runs sync - it's E2EE, but Brave controls the update process and could very well deploy a malicious update that exfiltrates sync data or leaves it open to attacks.

That's why my point is about where you place your trust - if you're not up to the task of building your own browser (or at least auditing and building chromium yourself) and running your own sync software, you have to trust someone; oftentimes this means giving up privacy (Google) or giving up security (Again, choosing Brave isn't really giving up the security of your sync data, you're just now trusting a company that might not have the same security procedures and amount of resources dedicated to audits).