We are introducing a powerful new element of user privacy protection – unlinkable redirects. It protects your navigation to an insecure (or suspicious) site by routing the request through new temporary storage (cookies, localStorage, etc.). This prevents the site from identifying you by linking this visit to previous visits, while still allowing the site to function as expected. This temporary storage is deleted as soon as you leave the suspicious site, preventing it from re-identifying you on future visits. Essentially, each visit becomes a unique first visit to the site, which anonymizes you.
We currently use non-linkable redirects as an additional security measure that works with our other privacy technologies that we’ve covered in the blog. Non-binding redirect is the first step towards our new approach “major Ephemeral Repositories, which we will discuss in more detail shortly.
What is redirect tracking?
Websites use redirect tracking to follow you even if your browser cuts off trackers (either by itself or through extensions). Browsers that care about user privacy prevent sites from learning about your activities on other sites. Redirect trackers try to bypass this protection by treacherously changing the behavior of the browser at the moment of transition from one site to another: namely, they add an intermediary tracking site to your route.
For example, if you are on the site rabbits.rfand click on the link turtles.rfupon transition, the tracker substitutes an intermediate URL, and in fact you will be sent to tracker.rf. This tracker site will know that you are interested in both rabbits and turtles, and only then will it redirect to the destination address, turtles.rf. If the tracker in our example succeeds in embedding in your transitions enough times, over time it will be able to create a detailed (and, of course, maliciously violating your privacy) profile of your interests.
How unlinkable redirects protect against redirect tracking
Unlinkable redirect is the fourth technology we use to defeat redirect tracking. Let’s take a look at existing technologies and how non-binding redirects complement them.
If you turn aggressive blocking trackers and ads, Brave will warn you about a possible visit to a suspicious tracker site. This feature allows users to manually opt out of following a link if they don’t want to be redirected to the tracker url. However, this is just a warning; by itself, it does not protect users if they need to go to the destination site.
Brave removes already known tracking parameters from the address you go to. This is very effective against the most inveterate attackers (Google, Microsoft, Facebook), but it does not help against intermediary tracking sites that can still learn about your activities on the network.
Brave can debounce, i.e. bypass the intermediary site and direct you directly to the destination address if the browser determines that you will now go to the tracking site. This is a powerful privacy measure, but sometimes Brave can’t determine your destination based on the URL of the intermediary tracking domain alone.
Non-binding redirects complement these mechanisms by preventing the intermediary tracking site from gaining information about you over time. Embedded site tracker.rf can still find out that someone is moving from rabbits.rf on the turtles.rfbut the unlinkable redirect doesn’t let the tracker know it’s the same person who was on those sites yesterday.
Together, these four mechanisms provide the best possible redirect tracking protection of any popular browser.
How does a non-binding redirect work?
It works like this:
If the URL appears in these lists, the browser checks the shield settings for the destination site. If trackers and ads are blocked aggressivelya warning is shown to the user so that, if desired, he could not continue navigating to the site (we wrote about it earlier).
If the shields are set to standard blocking of trackers and adsor if the user decides to continue the transition anyway when aggressive settings, the browser checks the basic values of the DOM stores (cookies, localStorage etc.) for the destination site. If the user has any data saved, the transition continues with that data saved (in other words, no unlinked redirect is applied). If there are no saved DOM storage values for the destination site, the browser creates a new temporary storage for the destination site.
Shortly after you leave a site suspected of redirect tracking (i.e. you don’t have any open tabs for that site) the temporary storage is cleared, which will prevent the site from re-identifying you the next time you are seen by the tracker.
Core ephemeral stores: how we will develop non-binding redirects
Non-binding redirect is the first use of our powerful new system called “master ephemeral storage”. This is a set of technologies that will allow the site to remember (or identify) you only when you are on the site. Basically, it is similar to clearing browser storage every time you leave the site, only it offers a more powerful and convenient degree of protection.
This system is based on the already existing protection against third-party tracking. Brave currently uses a unique third-party tracking protection system, ephemeral repositorieswhere all external site storage is cleared when you leave the original site.
Essentially, the original sites could remember your various visits (that is, you stayed logged in), but third-party elements could not remember you. This approach to 3rd-party elements is unique to Brave, and is the most restrictive, and therefore the most private, of any browser.
Primary ephemeral repositories take this idea further and prevent the original sites from re-identifying you: they can only remember you if you choose to. This is a radical change in approach to standard web behavior: until now, browsers have assumed by default that users want all sites to remember them, unless the user consciously takes some steps to prevent this from happening. We proceed from the principle that, by default, sites should not remember you, which means they should keep your privacy.