Checking Brave Privacy

Brave’s mission is to fight user tracking on the web, and that includes protecting the privacy of the browser’s connections to our own servers. Don’t take our word for it: we’ve created a tool to help you make sure your data is safe. This is your data and you have the right to know how it is being used.

Address Privacy

When devices send and receive data on the Internet, they use IP addresses to identify themselves. These addresses are not necessarily unique and not necessarily permanent, but without them the network does not work.

This poses a potential user identity risk, and to combat this, we sometimes route our users’ traffic through a proxy. The proxy sees the visitor’s IP address, but we only see the proxy’s address; the traffic, in turn, is encrypted, and the proxy does not know anything about the user’s request – this remains between the user and us.

For example, if you use Brave News or Brave Rewards, your browser decides what to show you locally on your device – what you see is none of our business. Delivery of some of this content will be handled confidentially through a proxy.

Unfortunately, almost everyone is after user data, and many proxy providers provide options to forward the original IP address, decrypt the request, and sometimes both. Naturally, this directly contradicts our goal, and it is important for us to disable such features when configuring the use of a proxy.

Verification

To view the current Brave proxy configuration, visit the audit page and examine the settings for each service. They are listed by the domain name of each service where we use a proxy to separate the IP address from the content of the request. Here is an example of a correct setup:

Let’s look at the logs; they will look something like this:

{
  "domain": "pcdn.brave.com",
  "modified_on": "2020-06-25T23:16:38.918708Z",
  "protocol": "tcp/443",
  "proxy_protocol": "off",
  "traffic_type": "direct"
}

Here we see the key values that control Cloudflare’s Spectrum proxy for our private CDN:

  • domain: the endpoint the proxy sends traffic to; it must match the Brave service you are checking. Cloudflare first accepts traffic from this domain name and routes it to its internal servers to get rid of the original IP address.

  • modified_on: The date the configuration was last updated.

  • protocol: The tcp/443 value indicates that the proxy accepts standard encrypted https traffic.

  • proxy_protocol: this parameter must be set to off, which means that the proxy will not be able to forward the visitor’s IP address through the PROXY protocol. This means that Brave will not be able to track you!

  • traffic_type: Direct traffic (“direct”) means that https traffic is sent directly to Brave servers without decryption. Cloudflare sees the IP address of the client, but cannot know anything about the content of the request itself or our server’s response to this request.

And here is what a configuration that allows visitors to be tracked by their IP address might look like:

Here we see the use of the port for unencrypted HTTP, as well as the transmission of the client’s original IP address. The underlined values are the problems in this configuration, and you can easily check for them.
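The checks described above can be scripted. The following is an added example, not Brave's or Cloudflare's code: the function name audit_spectrum_app is hypothetical, and the second sample record is constructed to show the failure case (plain-HTTP port, client IP forwarded).

```python
import json

# Values the page describes as privacy-preserving for a Spectrum app.
EXPECTED = {
    "protocol": "tcp/443",      # standard encrypted HTTPS port
    "proxy_protocol": "off",    # client IP is not forwarded to the origin
    "traffic_type": "direct",   # TLS is passed through, not decrypted
}


def audit_spectrum_app(record, expected_domain):
    """Return a list of findings for one config record; empty means it passes."""
    findings = []
    domain = record.get("domain")
    if domain != expected_domain:
        findings.append(f"domain: expected {expected_domain!r}, got {domain!r}")
    for key, good in EXPECTED.items():
        value = record.get(key)
        if value is None:
            # A missing key proves nothing, so treat it as a failure.
            findings.append(f"{key}: missing")
        elif str(value).lower() != good:
            findings.append(f"{key}: expected {good!r}, got {value!r}")
    return findings


# First record is the page's example; the second is constructed for this
# illustration and is not taken from any real configuration.
SAMPLE = json.loads("""
[
  {"domain": "pcdn.brave.com", "modified_on": "2020-06-25T23:16:38.918708Z",
   "protocol": "tcp/443", "proxy_protocol": "off", "traffic_type": "direct"},
  {"domain": "pcdn.brave.com", "modified_on": "2020-06-25T23:16:38.918708Z",
   "protocol": "tcp/80", "proxy_protocol": "v1", "traffic_type": "direct"}
]
""")

if __name__ == "__main__":
    for rec in SAMPLE:
        problems = audit_spectrum_app(rec, "pcdn.brave.com")
        print(rec["protocol"], "OK" if not problems else problems)
```

A missing key is reported as a failure rather than skipped, since an absent setting gives no evidence that IP forwarding is disabled.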

By publishing these values, we want to show that we cannot track our clients connecting to our services. We also cannot influence the page that checks these parameters: the configuration data comes directly from Cloudflare, and the request is handled by GitHub. If you want to dive even deeper, check out the GitHub Actions workflow log to make sure the data was correctly retrieved under GitHub’s control (you must be logged in there).
