by girst 2172 days ago
well, compared to undisclosed affiliate marketing for trading sites[1], soliciting of donations without consent[2] or the recent redirection through affiliate links[3], this seems pretty tame.

[1]: https://github.com/brave/brave-browser/issues/8793

[2]: https://davidgerard.co.uk/blockchain/2019/01/13/brave-web-br...

[3]: https://news.ycombinator.com/item?id=23442027

5 comments

I've disliked Brave from the beginning. Initially because of the pretentious - and frankly appropriated - name, but now for the much more substantive reasons you've cited.

Seriously, if you want a browser that gives you control over your data and privacy, use Firefox. It doesn't do any of this shady nonsense.

> I've disliked Brave from the beginning.

As have I. The entire money making scheme behind it, while innovative, is a privacy nightmare.

> Seriously, if you want a browser that gives you control over your data and privacy, use Firefox. It doesn't do any of this shady nonsense.

Agreed, with the caveat that Firefox does have its own, completely different privacy issues[1][2]. Still, it's probably the best choice for a mainstream browser, and there are open source scripts out there[3] to plug up Firefox's few leaks. I used to use (and recommend) Waterfox as a more secure, private alternative to Firefox, but lately Firefox with Shawn's or a similar script applied is just as good. It's generally better to get FF from your operating system's repository and keep it updated that way rather than manually installing a fork.

[1] https://support.mozilla.org/en-US/kb/shield?as=u&utm_source=...

[2] https://www.mozilla.org/en-US/privacy/firefox/#health-report

[3] https://github.com/shawnanastasio/firefox-privacy-restorer

Your first link is about Firefox studies.

I had never heard of these before, but when I go to about:studies, I see that I have never participated in any studies, and when I click the link from that page to "Firefox data collection and use" setting, I see that I am opted out from everything. Pretty sure I didn't do that manually.

Your second link is to a page called "Firefox health report". I have no idea what conclusions I'm supposed to draw from that.

Can you provide more info about the privacy violations you're referring to?

> when I click the link from that page to "Firefox data collection and use" setting, I see that I am opted out from everything. Pretty sure I didn't do that manually.

Are you on Linux? Many distributions include their own tweaks to the Firefox package, including disabling data collection.

> but when I go to about:studies, I see that I have never participated in any studies

Are you in the US? I also have not participated in any studies but in the preferences it is marked as active. My guess would be that they either run very few of them or are restricted to the US.

I am in the US. It was disabled by default in Debian, but it is on in Windows. It looks like I have not participated in any studies on the Windows machine.
No, Vietnam.
>The entire money making scheme behind it, while innovative, is a privacy nightmare.

Is it? An ad bundle is downloaded to your pc. Your pc tracks some usage, and stores every analytic locally. Using the analytics, your local client chooses which ads to target you with. You wipe your local data cache, your analytics disappear. I would guess people wished more advertising respected privacy this way.

This seems like much LESS of a privacy nightmare than Google, Facebook, Verizon, Microsoft, Amazon storing a named profile for each person.

There are many other questionable privacy policies from Firefox. Here's one (mobile):

https://support.mozilla.org/en-US/questions/1265029

But there are many others, just search "firefox privacy concerns" or similar keywords. Telemetry data -- Pocket suggestions -- etc.

You're right, and Pocket being integrated into the browser itself rather than remaining a plugin was the one that drove me to Waterfox a few years ago. I just listed a couple of general issues above for brevity's sake.
Mozilla owns Pocket. Why wouldn’t they include their own service in the browser?
Before they bought Pocket it was a plugin/service that was completely optional. They bought Pocket and integrated it into the browser at a much deeper level, making it opt-out instead of opt-in (and very difficult for the average user to opt out; you have to change several settings in about:config which most users have no idea even exists).

I felt they should have made it an opt-in service that the user can choose on the first launch. Taking away user choice is rarely a good thing, and even less so when dealing with anything privacy related.

How can I get these two features on Firefox:

1. Block scripts on certain domains

2. Block ads & tracking (including on Android)

Those are my favorite Brave features. How do I get them on Firefox?

On mobile: https://play.google.com/store/apps/details?id=org.mozilla.fe... + enable the extension "uBlock Origin" in the settings (not sure the exact steps while writing this, sorry)

On desktop: regular Firefox + https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

In uBlock Origin, there is a setting that disables Javascript by default (which I use). You can then enable it temporarily or permanently on a per-site basis.

Thank you! Was very easy. Liking this so far.
I'm using Adguard's DNS on my router. 5 of us at home due to Covid-19 and no complaints from anybody about things not working.

NextDNS has a more advanced version (you can add and remove domains) for $19.90/year

It's not quite as good as having a PiHole or similar setup because some devices have their DNS settings hard coded. You have to route those addresses to override your Chromecast, etc.

https://adguard.com/en/adguard-dns/overview.html https://nextdns.io/

I use uMatrix to block scripts on certain domains. I used to use NoScript for this, but switched to uMatrix when I found that it gave me much more fine-grained control over what to allow or block.

For ad-blocking, I supplement uMatrix with uBlock Origin. It has its own block lists that it periodically

On top of that, I use privoxy as an http proxy. Unfortunately, it can't filter https.

Yet another part of my defense is DNS blocklists that I put into /etc/hosts.[1]

Using this combination, I virtually never see any ads.

[1] - https://github.com/StevenBlack/hosts

> I use uMatrix to block scripts on certain domains. [...] For ad-blocking, I supplement uMatrix with uBlock Origin.

As the author of both uBO and uMatrix, I don't understand the need to use uMatrix to block scripts when already using uBO, since uBO can do the same.

Even better, uBO supports replacing certain blocked scripts with a local, neutered version (to lower likelihood of site breakage), something which becomes broken if you block the same script with another extension (i.e. in either NoScript or uMatrix).

uMatrix gives me the ability to select on a domain and subdomain level where to block or allow script and other page elements using its matrix interface.

If this is possible to do in uBlock Origin, I don't know how.

AFAIK, uBO does not have a similar matrix-like interface. So if the equivalent control is possible somehow, it must be hidden further down in its interface, which makes it much less convenient for me than the simple matrix that's behind a single mouse click for me in uMatrix.

I'd love to learn how uBO can be used like uMatrix, if that's possible. There's no need for both extensions if uBO can do it all, but as far as I know it can't.

Off-topic, but seeing as we've got gorhill here:

Any plans to update uMatrix so it behaves nicer on mobile? The popup interface resists pinch-to-zoom and the text is so small as to be literally illegible on mobile devices. So I can't read the various domains to decide which ones I want to block or permit!

[uBlock Origin was recently updated to make it more mobile friendly. Although, ironically, out of the two, it was already more usable on mobile as it was possible to zoom and pan round the interface.]

Answering my own question, Firefox Android allows Add-Ons. So installing uBlock Origin for ad blocking and NoScript Security Suite for script blocking was trivial. So far so good, curious to see how it plays out...
And it turns out uBlock does allow you to block scripts on specific domains, so I don't even need NoScript. Nice.
Install "uBlock Origin" add-on, with "I am advanced user" enabled. And/or "uMatrix" for more fine-grained control.
appropriated name?
Yes: the concept of browsing the web with your privacy preserved has literally zero to do with the concept of bravery. The name is clearly a statement but not one that's ever made any sense to me.
That's not "appropriation", that's just marketing. You can call that "appropriation" if you want but it really just dilutes the very concept you're trying to invoke.
Right, Ubuntu might be considered an appropriated name, but hopefully not because the name is used respectfully by someone who, while not Nguni, is at least familiar with the people.
Not sure appropriated is the word you’re looking for.
re-appropriated
Brave bought the brave.com domain from the band Brave Combo, whose homepage was listed as http://brave.com/bo since the early days of the web. Last year I was pleased to see that they kept a redirect in place from https://brave.com/bo to the band's new site https://bravecombo.com but it appears they've discontinued that courtesy. Too bad.
Doesn’t have anything to do with firefoxes or electroplated chromium either. Shrug.
Pedantic historical browser etymology note: Firefox began as Phoenix, because it was metaphorically rising from the ashes of Netscape. For trademark reasons, they changed it to Firebird. Then they learned that there was already an open source DB using that name, so they picked Firefox.
The other browsers don't have "normal" names either.
Chrome and Internet Explorer are both trivially descriptive names.
Internet Explorer maybe, but Chrome? I don't think "Chrome" screams web browser to me. "Safari" seems more trivial than Chrome.
Internet Explorer yes, Chrome no.
I've met Johnny Ryan and he seems like an honest and privacy-focused guy. He seems to really care about his work.

I must admit that does not quite fit with a lot of the things I've read about Brave over the years.

>I've disliked Brave from the beginning. Initially because of the pretentious - and frankly appropriated - name

I always joked that if you were really Brave you wouldn't need their browser, it should be more aptly named "Wimp".

I think a better joke would be how you would have to be brave to try a browser that vaguely uses cryptocurrency/blockchain in any way.
Brave is trash, but to say Firefox hasn't done shady things is a bit of joke after the whole incident where they sent full site URLs and interaction data over to Cliqz's servers for a random sampling of users in Germany while being neither opt-in nor clear to the users about what data was being sent.
Short sighted and terrible PR, yes, but to say that what Firefox was doing was shady, especially anything close to as shady as Brave, is being straight out disingenuous.
I was pretty clear about my stance on Brave in the first three words of my comment, but I'm skeptical of any interpretation of user privacy which is so eager to excuse sending user browsing history without asking as not "shady" but simply "short sighted and bad PR" just because Mozilla's the one doing it
Firefox prevents me from installing webextensions from sources and even forces me to send the code of my own extensions for my own usage to their webservices in order to use them. This is certainly not a browser that "gives you control over your data", when you're a hacker.
You can load local extensions from about:debugging. They just won't be permanently installed. (Developer edition may be different.) And Chrome's local loading comes with a disable modal at every startup. So I'm curious what browser you consider worthy.

Edit: forgot to mention you can install from 3p sources as I've done from my own site in the past. They just need to be signed by Mozilla first.

>They just need to be signed by Mozilla first

No they don't, xpinstall.signatures.required to false

Doesn't work on "normal" Firefox, does it? Only dev builds or the unbranded version without automatic updates.
Sorry true, should have mentioned that, just works on dev builds and some versions from distributions.
Yes, you can temporarily load extensions in firefox, but I certainly won't reload all my extensions manually at every startup :)

I don't think there's really a good browser for both privacy and hacking. I use chromium when I have no choice (not sure what you're referring to concerning the disable modal; if it's an issue with chromium too, I haven't hit it, and I have 11 extensions loaded from sources).

But my "main browser until it's not enough" is elinks (slightly modified by me to fix ruby support and offer a few more api methods to extensions). I can write extensions as simple ruby scripts, doing things like adding native markdown support, allowing to edit local files, adding proper indentation to HN comments, etc. It's the perfect browser for me (and with cookies disabled and js, css and images not fetched nor executed, it's a good privacy browser as well). But of course, you won't be able to use that to buy something on the web. Still, it's surprising how much I can accomplish with just that.

Disable modal may only impact unpacked extensions then. My apologies for the confusion.

Forking a text browser is impressive. Though to be honest the older I get the less energy and time I have to be picky. (And building Firefox was so painful I vowed to only make changes via extensions.)

It's not that big a deal to modify elinks, because it's a codebase way simpler than full blown browsers. But yes, it's still a handful of hours of work, like modifying any software, so you have to actually find it fun to tinker with free software :)

Actually, my first attempt to fix my problem was to try to find in firefox codebase where it deletes the extensions loaded from sources, either at the end or the start of the session, I supposed, to shunt that "feature". But after a week of free time spent on it, I made no progress. The codebase and the architecture are just too gargantuan to be tinkered with - at least for me.

Try mothra, the browser for the real 'hackers' ;)

http://man.9front.org/1/mothra

Thanks, never heard about it, I'll have a look.
As a hacker, you should start to learn how to use Google ;)

'about:config' set 'xpinstall.signatures.required' to 'false'

Yeah, as a hacker,
Wow, that sucks. We use Chrome extensions (from source) to automate aspects of our customer service work, and we can't distribute these extensions on a hosted store.

So Firefox prevents this perfectly reasonable thing? WTF.

> So Firefox prevents this perfectly reasonable thing? WTF.

Not true. You can get them signed without publicly redistributing them.

Do I need permission from Mozilla to sign things? Or are there self-signed certificates? Does that means source distribution works, or do I have to use their "store"?
About [1], read the reply from the devs, seems reasonable and it was announced on their blog, it was temporary and could be turned off at anytime. Besides eToro is a well established site in Europe to buy stocks (no affiliations here), the reporter seems to really hate them for some reasons.

[2] was fixed a while ago as mentioned in your link.

[3] was also fixed quickly.

I don't know if you've ever run a company but if you do, I hope your users won't attack you and remember every single mistake you've ever made even if just 3.

Disclaimer: I don't work for Brave and rarely use it sometimes as secondary browser.

> mistakes

These aren't mistakes, though, at least not in the sense of accidents. They were bad ideas, but it certainly wasn't a case of "oops, I accidentally added affiliate hijacking, silly me".

I mean, I suppose you could interpret them as severe naiveté and/or incompetence? That's probably the most charitable way to look at them, but still wouldn't exactly encourage me to use the product.

I did run a company and I feared making mistakes. In principle the best way to avoid making kinds of mistakes your users will hate you for is to put user interest first. By looking at Brave's profile I can not say they are living by that principle 100%.

For example, the decision to hijack links to insert their own affiliate links is not a mistake, it was a decision. These kinds of decisions are not made by a developer in the team, it is a leadership level decision, coming from principles those leaders live by, and also one that does not put users first. On the contrary, it takes advantage of the users.

The principle of 'forgiving mistakes' applies only to honest mistakes. Otherwise we would all be browsing with Chrome/posting on Facebook/[insert currently hated company on HN here] and forgiving them all their 'mistakes'.

Putting your users interest first needs to be balanced with remaining profitable so you can keep existing. It's hard to put your user interest first when you don't exist anymore.

This is why Firefox decided for example to support non-free mp4 or EME (DRM), even though it goes against their mission of supporting the open web. They decided that not supporting these features would kill their market share, relevance and revenue making it hard to support their users in the future.

When Brave made the decision to insert affiliate, they saw it as a way to help with their revenue which helps their mission without hurting privacy too much (they still block more trackers than any other browser in the market including firefox). Still, they rectified this quickly showing that they are not stubborn and are ready to sacrifice revenue for their users. Anyway, it's not easy to balance all this and you will be hard put to find saints that do it all perfectly out there, good luck finding one though.

> Putting your users interest first needs to be balanced with remaining profitable so you can keep existing.

Although this can be a sound principle for many, I do not agree with it. Brave is not 'entitled' in any way nor should the world bend to make Brave possible. It's a company like any other, with a product like any other and with, IMO, questionable leadership principles demonstrated over and over again. The market will 'price' it accordingly in terms of market share.

If I was to build a browser (which btw I am doing) I would put 100% user interest first, at the price of not succeeding in the market. That is the only way I could sleep well at night.

> Brave is not 'entitled' in any way nor should the world bend to make Brave possible.

I never said it was entitled, I said it had to balance things to survive.

> If I was to build a browser (which btw I am doing) I would put 100% user interest first, at the price of not succeeding in the market. That is the only way I could sleep well at night.

A quick look at the history of humanity will show you that even the most moral entities had at a point of their existence to compromise with morality to survive, or made bad choices out of self-interest. Just like every single human being who has ever lived. I don't think you can never ever ever compromise on anything while accomplishing anything significant. By the way, do you plan on taking out mp4 and user freedom hostile features such as EME support in your browser?

You can balance things without making moral compromises. Making bad choices deliberately is different than making bad choices by a virtue of an honest mistake. For this particular feature Brave could have offered to split affiliate revenue with users 50-50. Then even if the idea was received poorly nobody could argue against the right to experiment and try to survive. Keeping 100% for yourself is greedy, shady and unnecessary not to mention uncovers that they don’t really put users first. Why not just run a bitcoin miner in the browser and keep everything for themselves? Where do you draw a line and say this company is not behaving like you are expecting?
> I don't think you can never ever ever compromise on anything while accomplishing anything significant.

Not with that attitude you don't.

It's the nature of the mistakes that matters here. It's not like some dumb bug; time and time again they do unethical things that harm their users. Why?
And that's just a short list of the shady things Brave has done. For example, Brave has also carried out an illegal security offering with their ICO.
I'm already using Windows and despite me ticking all privacy checks - I am, as such, trusting MS with my data. Might as well switch over to Edge when I need a chromium-based browser. Threads like these move me an inch closer to that decision. (currently default: Firefox and secondary: Brave)

ps: Edge's reader mode and narrator are top-notch.

Edge synchronization doesn't do end to end encryption for your browsing history or bookmarks (for this reason alone you're actually better off with Chrome). Windows 10 also has a low entropy advertising ID, that via Edge is passed to Bing Ads for ads personalization.

Firefox does not send your unencrypted browsing data to Microsoft and it does not send Windows 10's advertising ID to Bing Ads.

---

You may trust Microsoft enough to run Windows 10, but it does not follow that Microsoft already has that data. And giving even more data to a company that already has plenty on you is always unwise.

If you care about privacy or security for that matter, compartmentalization is key.

I hadn't heard about the lack of E2E on Edge's sync, thanks for highlighting it here.
I can definitely see the reasoning. I suppose I'm still debating whether it's good to have all my personal information with only one company or spread around a bit more.

If I was going to plump for one company, Microsoft might not be the worst choice simply because their business model doesn't revolve around monetizing my personal information.

> Microsoft might not be the worst choice simply because their business model doesn't revolve around monetizing my personal information.

Yet they seem intent on collecting as much data as possible.

At least I know some of it will be used in an attempt to make their product's UI better for the user.

Compared to google which continues to make their UI more hostile to users with each iteration.

I don't know why you would assume that Microsoft uses their ill-gotten user information to make their UX better and Google to make theirs worse. Is it just because Microsoft's products' UX cannot be made any worse?
I know right. I don't get it. I would expect a company like Microsoft that makes most of their money selling to businesses would take privacy and security more seriously.
my understanding is that most of the web reports back to Google anyways:(
I mean, sure, but there's plenty of add-ons and filter lists that would make the web stop doing that.
* when I need a chromium-based browser *

Try ungoogled-chromium:

https://github.com/Eloston/ungoogled-chromium

Put uMatrix, HTTPS everywhere

That either requires you to spend hours building it yourself, or trust random people's builds.
brave's biggest innovation is the introduction of direct payments. i hope that catches on, even if brave fails, because it will truly transform the economics of the internet.