brave / browser-laptop

[DEPRECATED] Please see https://github.com/brave/brave-browser for the current version of Brave
https://www.brave.com

Comparison to UnGoogled Chromium and Iridium #4730

Closed ajvsol closed 6 years ago

ajvsol commented 8 years ago

Wasn't sure where to put this question - how do this project's goals and progress compare with those of UnGoogled Chromium and Iridium?

From what I understand these projects are similarly focused on enhancing the security and privacy of Chromium, but they are also strongly focused on removing any proprietary blobs and any calling home to Google.

Are these goals of this project and if so where can I track issues related to fixing these problems? Thanks.

privatzee commented 8 years ago

"...removing any proprietary blobs and any calling home to Google."

Let's hope there is an answer to this. Worst of all would be Brave one day announcing that they are "partnered" with Google.

[It was encouraging that they use Piwik on the website and not google-analytics]

JaneSmith commented 7 years ago

I too would like an answer to this. Privacy is the main reason I'm interested in Brave in the first place - I want to get away from Google because of their activities, and I've been put off Firefox because of Mozilla's recent behaviour. However, the fact that Brave is built on top of Google's Chromium base concerns me. Does Brave have any modifications like ungoogled-chromium or Iridium? I don't want anything calling home to Google.

luixxiul commented 7 years ago

Chromium is ungoogled itself, and Iridium is also based on the Chromium code base, as Brave is.

JaneSmith commented 7 years ago

I'm no expert, but if Chromium were "ungoogled itself" as you say, then what are all these Google-related changes that ungoogled-chromium and Iridium are making to it?

I'm aware that Chromium is open source and different to Google Chrome, but from what I can tell it looks like there are still plenty of ties to Google services and such left in it.

luixxiul commented 7 years ago

If you have specific concerns about the security of Brave, would you mind indicating which should be added to Brave from this?

Of that page, as far as I know, the ones below are not available (i.e. not disabled by default) in Brave. CC @diracdeltas for corrections

## Security improvements

* Increase RSA keysize to 2048 bits for self-signed certificates (used by WebRTC)
* Generate a new WebRTC identity for each connection instead of reusing identities for 30 days
* Generate a new ECDHE keypair for each WebRTC connection instead of reusing them for multiple connections

Still, you can disable WebRTC entirely by enabling Fingerprinting Protection mode, which is not enabled by default for now, though "Block 3rd party fingerprinting" will be enabled by default as of 0.21. I must say that is great news for privacy protection.

## Privacy enhancements

* Always send "Do-Not-Track" header
* Link auditing (`<a ping="...">`) is disabled by default
* Site data (cookies, local storage, etc.) is only kept until exit, by default
* Passwords are not stored by default
* The default search provider is [Qwant](https://www.qwant.com)

All of the above can be configured on about:preferences, except link auditing.

Edit: search engine page is not displayed on a new tab by default

## Disabled features

Everything in this section is implemented on Brave too. I'm not sure about the EV certificates. CC @diracdeltas

## Networking changes

I think link auditing is not disabled, as I already mentioned above.

## Other changes

* Don't warn about missing API keys (services are not used anyway)
* Iridium will show a warning bar when running possibly unwanted requests (trk prefix)

## Google Safe Browsing

Google Safe Browsing is disabled.

--

If you are still concerned about Brave's privacy, please have a look at https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode for that. You can enable security options from the top right lion icon.

The fact that Chromium has something added by the Google team does not mean that Brave is invading your privacy in cooperation with Google. Actually, Brave is one of the few browsers that have such strong privacy protection features on board by default.

Hope this helps.

ajvsol commented 7 years ago

Brave is still comparatively weak for privacy when compared against UnGoogled Chromium or Firefox (with a few extensions) or Tor Browser, so I'm surprised by how little attention this issue is getting.

Other than areas of weakness present in Brave which the UnGoogled Chromium project has eliminated, there are also issues in Chromium that the Tor Project has identified and the privacy harm of Instart Logic tech, just to start with.

It's great that you've put in the initial groundwork but I'd want to see the problems other projects have solved/identified to be implemented, as well as a stronger focus on anti-fingerprinting like Mozilla's Tor Uplift initiative or the Tor Project's continuous work in this area before I make Brave my daily driver.

luixxiul commented 7 years ago

See #1185 for Tor implementation. It's planned.

luixxiul commented 7 years ago

@JaneSmith if you are not convinced by my explanation on https://github.com/brave/browser-laptop/issues/4730#issuecomment-323387354 above, please let me know.

diracdeltas commented 7 years ago

Link auditing is also disabled in Brave by default. https://github.com/brave/muon/issues/250

https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs is out of date and some of those issues don't apply to Brave. The proxy leaks are not a concern by themselves unless you're using an application-specific proxy, which isn't supported in Brave yet.
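
Link auditing (`<a ping="...">`), which several comments above discuss, makes the browser send a POST request to each URL listed in the `ping` attribute when the link is followed. The following is an added example, not code from this thread, Brave or Iridium: it lists the links in a page that carry `ping` targets and flags the third-party ones, so you can see what a browser with link auditing enabled would report. The function names, the sample markup and the `*.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingAuditFinder(HTMLParser):
    """Collect <a>/<area> elements that carry a non-empty ping attribute."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)
        # ping is a whitespace-separated URL list; a valueless attribute is None.
        targets = (attr.get("ping") or "").split()
        if not targets:
            return
        resolved = [urljoin(self.page_url, t) for t in targets]
        self.findings.append({
            "href": urljoin(self.page_url, attr.get("href") or ""),
            "ping": resolved,
            # Ping targets on another host learn about the click.
            "third_party": [u for u in resolved
                            if urlsplit(u).hostname != self.page_host],
        })


def find_link_auditing(html, page_url):
    """Return one finding per link that would trigger audit pings."""
    finder = PingAuditFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """
<a href="/docs">plain link</a>
<a href="https://shop.example/item" ping="/t https://tracker.example/c?id=1">ad</a>
<A HREF="/x" PING>empty ping</A>
<map><area href="/m" ping="//cdn.example/p"></map>
"""

if __name__ == "__main__":
    for finding in find_link_auditing(SAMPLE, "https://news.example/home"):
        print(finding)
```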