cross-posted from: https://sh.itjust.works/post/5572424

This might have been discussed to death by now; unfortunately, I couldn’t find any discussion on it on Lemmy. Though I would love to be corrected on that!


How does an always on incognito Chromium with uBlock Origin on medium mode (and other hardening/privacy settings enabled) compare to Brave (with e.g. Privacy Guides’ recommended settings) with respect to security and privacy on Linux[1]?

Commonly heard whataboutisms:

  • “With the looming advent of Manifest v3, this discussion might not be very relevant for long.” I’m aware.
  • “Just use Firefox/Librewolf or any other privacy-conscious browser that isn’t Chromium-based.” I already do, but some websites/platforms don’t play nice on non-Chromium-based browsers due to Google’s monopoly on the web. Sometimes I can afford to not use that website/platform, but unfortunately not always.
  • “Brave’s [insert controversy] makes them unreliable to take services from.” Honestly, I think that if both solutions are as effective that a reason like this might be sufficient to tip the balance in favor of one. Because ultimately this all comes down to trust.
  • “Just use Ungoogled Chromium.” Some more knowledgeable people than me advise against it. Though, I’d say I’m open to hearing different opinions on this as long as they’re somewhat sophisticated.
  • “Just use [insert another Chromium-based browser].” If it has merits beyond Brave and Chromium with respect to security and privacy, I’ll consider it.

Thanks in advance!


  1. I can be more specific about which distro I prefer using, but I don’t think it matters. I might be wrong though*.
  • @qwert230839265026494 (OP)
    9 months ago

    > Bounce tracking

    TIL.

    > Fingerprinting

    Gosh, I can’t believe I forgot about Brave’s excellent implementation of fingerprint-spoofing.

    > Also Brave announced on X/Twitter that they will continue supporting MV2, Chromium won’t.

    This is a big thing. Thank you for mentioning that!

    > if you rly don’t like Brave

    I’ve actually for the longest time used Brave as my go-to Chromium-based browser, but it seems as if the support on Linux leaves a lot to be desired. I don’t understand for example why it just isn’t included in the repos of Arch, Debian, Fedora, openSUSE, Ubuntu etc. Sure; the AUR has it (also available as a not up-to-date nixpkg), but the others have to either download the .deb or .rpm package (which is undesirable due to inability to keep it updated at all times) OR rely on Brave’s own repos, which somehow bork themselves every once in a while. Which actually just happened a couple of days ago on my device*. I’m on Fedora Silverblue, so it was already quite hacky to get Brave from its own repos. But due to the repos borking themselves, I didn’t get any automatic system updates at all for the last couple of days. I only noticed it yesterday when I did my weekly manual update. Perhaps I should set up something that notifies me when the automatic system update fails, but I’d prefer it if the repos I rely on don’t call it quits whenever they feel like it. Apologies for my rant*.

    > Vivaldi would be a good alternative, but is weaker than Brave, since it includes not all the protections or alternatives which Brave has.

    Would you say that Vivaldi is (at least) better than Chromium for security and privacy?

        • Clay_pidgin
          9 months ago

          I’m very happy with Vivaldi as a long time Opera main. (I followed the devs over from Opera) I’m not smart enough to talk about the privacy benefits, though.

          • @qwert230839265026494 (OP)
            9 months ago

            Thanks for chiming in! I do think that Vivaldi is excellent in some regards. However, it seems that they don’t apply all security related updates every release, which obviously affects security negatively. Thus, making me less enthusiastic to use it. I was about to install it when I read up on that…

    • t0m5k1
      9 months ago

      I use arch-btw so I get brave from aur, on other Linux distros the way to get brave is via flatpak if the provided repos are borked for you.

      • @qwert230839265026494 (OP)
        9 months ago

        > on other Linux distros the way to get brave is via flatpak if the provided repos are borked for you.

        I would love to use the flatpak if it was endorsed. Privacy Guides says the following about it:

        “We advise against using the Flatpak version of Brave, as it replaces Chromium’s sandbox with Flatpak’s, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.”

        • t0m5k1
          9 months ago

          Yes, I could say come to arch but you seem happy in fedora 😉

          • @qwert230839265026494 (OP)
            9 months ago

            Hehe :P . True dat. Maybe one day ;) . Perhaps I’ll just spin up a distrobox in order to get access to Brave through the AUR, but this (excellent) article has worsened my already bad paranoia to clearly unhealthy levels 🤣. So, it seems out of question for now 😅. Though I might be able to spin it up in a Wolfi container. Pessimism doesn’t help though 🤣.

            • t0m5k1
              9 months ago

              Man you’ve gone down a security wormhole that makes me wonder if you should really be running Qubes OS rather than Fedora 🤣.

              Seriously if you need more than the chromium sandbox for brave and want simplicity just use firejail.

              The article you linked to is a wonderfully detailed write-up, but it is more geared towards those using containers that will be providing services (web, sql, etc.). If you just want a browser in a secure container, then any of the implementations will be fine for you. The browser is not a vector used to gain access to your OS directly, but what you download potentially is, so with that in mind your downloads folder should really be a ClamFS folder or a target folder for on-access scanning by ClamAV.
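
An added example, not part of t0m5k1's comment and not any distro's shipped configuration: a clamd.conf fragment that puts a single downloads folder under ClamAV on-access scanning, as suggested above. The directory path and the `clamav` account name are assumptions; replace them with the values on your system.

```conf
# clamd.conf fragment: on-access scanning limited to one downloads folder.
# /home/alice/Downloads is a constructed placeholder path.

# Directory tree that clamonacc watches; files accessed here are sent to clamd.
OnAccessIncludePath /home/alice/Downloads

# Hold the access until clamd returns a verdict and deny it on a detection,
# instead of only reporting the detection after the file was opened.
OnAccessPrevention yes

# Ignore file accesses made by the scanner's own account (assumed to be
# "clamav"), so that clamd reading a file does not trigger another scan.
OnAccessExcludeUname clamav

# Files larger than this are not scanned on access (the default is 5M).
OnAccessMaxFileSize 100M
```

clamonacc reads these options from clamd.conf and needs clamd to be running before it starts.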

              • @qwert230839265026494 (OP)
                9 months ago

                > Man you’ve gone down a security wormhole that makes me wonder if you should really be running Qubes OS rather than Fedora 🤣.

                Hahaha 🤣. Honestly I would, if my device could handle it.

                > Seriously if you need more than the chromium sandbox for brave and want simplicity just use firejail.

                Madaidan strikes (yet) again. F*ck my paranoia…

                > The article you linked to is a wonderfully detailed write-up, but it is more geared towards those using containers that will be providing services (web, sql, etc.). If you just want a browser in a secure container, then any of the implementations will be fine for you. The browser is not a vector used to gain access to your OS directly, but what you download potentially is, so with that in mind your downloads folder should really be a ClamFS folder or a target folder for on-access scanning by ClamAV.

                Very interesting insights! Thank you so much! Would you happen to know of resources that I might refer to for this?

                  • @qwert230839265026494 (OP)
                    9 months ago

                    Your help is much appreciated!

                    > Question: Why do you think need such high security for a browser?

                    Good prompt! I actually started questioning my own motivations from this. And I’d say that the best I could come up with was that it’s required in order to attain the “peace of mind” from having properly secured my browser activity; which happens to be the primary activity on my device anyways.

    • NaN
      9 months ago

      AUR is just repackaging the official Debian package; that’s a very straightforward process. Most distro repositories don’t work that way, they build the binaries themselves. Some interested party would need to put in the work.

      • @qwert230839265026494 (OP)
        9 months ago

        > Most distro repositories don’t work that way, they build the binaries themselves.

        Interesting. Is this a matter of trust?

    • @[email protected]
      9 months ago

      > I don’t understand for example why it just isn’t included in the repos of Arch, Debian, Fedora, openSUSE, Ubuntu etc.

      For the most part, these distros all require that packages are built from source vs. repackaging prebuilt binaries. While Brave is open source, if you compile it yourself, you’ll be missing tons of API keys for accessing Brave’s services: https://github.com/brave/brave-browser/wiki/Build-configuration. While I suspect most folks wouldn’t care if e.g. the cryptocurrency things stopped working, other things that break include Brave Sync and the downloading of the adblocker filter lists.

      Brave currently does not provide a way for 3rd parties to generate API keys to access these services: https://community.brave.com/t/does-brave-allow-the-distribution-of-self-compiled-or-distro-compiled-binaries/457833. Outside of reverse engineering their prebuilt binaries to extract the API keys, you’re pretty much out of luck (if you care about these features working).

      For websites that only work in Chromium, I’ve switched to just using plain old Chromium from Fedora’s repos. Being able to build the browser from source without losing features is pretty important to me (e.g. I rebuild Fedora’s Chromium with the patches for enabling hardware video decoding on Wayland).