I don't know what you're referring to. Was Firefox intentionally ID'ing people?
Every time an addon is installed it alters the fingerprint of the browser slightly. Journalists, as an example, have strict standards of maintaining a common fingerprint to hide their identity and location. The Tor browser also utilizes this practice and will warn you before allowing any addons, as it defeats the point of using it. We will never know the fallout from this, since China, Iran etc. will never publicize catching undercover reporters or dissidents, and Mozilla hides behind "we don't guarantee your privacy/safety" in their terms and conditions to use the browser.

Cool test to see if you are able to be tracked because of your browser's setup alone: https://www.amiunique.org/
 
Here is a DNS capture of a fresh Firefox install

Brave fresh install DNS capture:

SOURCE:https://www.netmeister.org/blog/browser-startup.html
Looked like you slipped a few extra URLs into your "fresh" install.
 
Looked like you slipped a few extra URLs into your "fresh" install.
I linked the source
"Of those, only www.netmeister.org was a domain entered by the user. (You may also notice a number of domains listed above that are e.g., AWS systems that the original name already references via a CNAME result. In this case, the response to the initial lookup included the A records in its ADDITIONAL SECTION, but did not provide any AAAA records (because e.g., AWS is primarily IPv4 only). As a result, a second, explicit AAAA query is made.)"
 
While I appreciate efforts to increase privacy, I will "NEVER" fully trust any browser/vpn combination for 100% privacy. Let's be honest, if you actually wanted to search for "Best poison to kill someone" would you feel comfortable using the Brave browser along the Brave search engine and your VPN? My point is that true privacy will always be an illusion in the digital age.

Hell, I don't even trust my Duck Duck Go searches using my Tor Browser and VPN. Sure, it's good for blocking Ad Tracking but that's the only thing I'm certain of.
 
While I appreciate efforts to increase privacy, I will "NEVER" fully trust any browser/vpn combination for 100% privacy. Let's be honest, if you actually wanted to search for "Best poison to kill someone" would you feel comfortable using the Brave browser along with your VPN? My point is that true privacy will always be an illusion in the digital age.
I would use a disposable OS on ARM architecture using Mullvad VPN in Switzerland via multihop then use the Tor browser to search an onion version of searx. Even then who knows.
 
How is this related to Apple? My health insurance provider just rolled out a new security practice for dependents on a policy, but I wouldn't expect to read about it on macrumors.
 
Every time an addon is installed it alters the fingerprint of the browser slightly. Journalists, as an example, have strict standards of maintaining a common fingerprint to hide their identity and location. The Tor browser also utilizes this practice and will warn you before allowing any addons, as it defeats the point of using it. We will never know the fallout from this, since China, Iran etc. will never publicize catching undercover reporters or dissidents, and Mozilla hides behind "we don't guarantee your privacy/safety" in their terms and conditions to use the browser.

Cool test to see if you are able to be tracked because of your browser's setup alone: https://www.amiunique.org/
The browser doesn't generally report what extensions it has installed unless that particular extension is doing so. "Plugins" are different and have to do with rendering special content. I just tried that site with a version of Firefox running uBO, and it didn't say anything about it.

Unrelated, not sure why that site says my input devices are unique. Just says:
videoinput
audioinput
audioinput
 
I would use Safari, if Safari didn’t take it upon itself to reload browser tabs when it thinks the page is using too much memory.
It has several issues related to that, media content quality is also reduced when you navigate away from said tab.
  • Sound management is mediocre, gets messy very easily, have a paused youtube tab and join a meet in another tab and likely will end up with no sound on either one having to restart Safari.
  • 2022 still no built-in ad-blocker for a "privacy oriented" browser.
  • Most extensions are a joke, even paid ones.
  • Dev tools feel like they were made for kids.
  • The experimental features list displays almost 100 different options with no check or uncheck all possibility, you have to manually enable or disable them, unless you go default pre-selected ones. UX at its finest.
  • Responsive mode still shows an iPhone 8 as the latest mobile, want to enter custom resolution dimensions? you can't, have to drag the frame which is not accurate for some specific breakpoints.
  • Love the UI refresh, but the UX is subpar.
 
For me, Google performs waaaay better than Bing and duckduckgo.
Sure I don't like Google tracking me, but something I don't like even more is ****** search results.
We can all search with Google once DuckDuckGo or another fails. We don't have to start with the tracking.
 
DuckDuckGo is my default search engine. But it tends to get confused rather easily.
 
For me, Google performs waaaay better than Bing and duckduckgo.
Sure I don't like Google tracking me, but something I don't like even more is ****** search results.
Aye. I resort to Google when DDG fails me, usually with non-English searches. DDG does a piss poor job with Asian languages. Bing? Dunno what the secret sauce is, but I get too many misses with Bing. DDG is my goto search engine.
 
Stopped using them after this one:

You must not use any browser then as they've all done similar or worse things. What browser do you use?


Love the Brave browser but not a fan of centralizing everything.
You must hate Apple products then.


How is this related to Apple? My health insurance provider just rolled out a new security practice for dependents on a policy, but I wouldn't expect to read about it on macrumors.
Are you serious?
 
You must not use any browser then as they've all done similar or worse things. What browser do you use?
Firefox and Safari, which haven't done similar or worse things. Even Chrome doesn't mess with your links.

Brave is a scam, in that it pretends to be about privacy but isn't, and half the people recommending it are just trying to increase the value of the Brave cryptocurrency they're holding.
 
As a duckduckgo user (and this has been around for a while) I feel it only recently started to be a half-decent alternative to google (results wise).

I cannot see new contenders getting a decent market share anytime soon
 
Here is a DNS capture of a fresh Firefox install

Brave fresh install DNS capture:

SOURCE:https://www.netmeister.org/blog/browser-startup.html
Firefox probably hits those third-party ones to get favicons of top sites. It's not a big deal anyway, nor are DNS lookups alone (vs actual payloads) indicative of much. Open your Wireshark and see how many times your Mac phones home by default just in the background.
 
I linked the source
"Of those, only www.netmeister.org was a domain entered by the user. (You may also notice a number of domains listed above that are e.g., AWS systems that the original name already references via a CNAME result. In this case, the response to the initial lookup included the A records in its ADDITIONAL SECTION, but did not provide any AAAA records (because e.g., AWS is primarily IPv4 only). As a result, a second, explicit AAAA query is made.)"
You seem like you're a big fan of Brave, given the amount of comments in this thread in which you're defending them and/or in which you're displaying some form of whataboutism.


Even going as far as selectively quoting netmeister to paint a certain picture.
I think a reasonable person would agree that a DNS lookup, not dissimilar to looking up someone's phone number in a phone book, is less of an issue than actually connecting to a remote service and dropping a payload with questionable content.
The former can have legitimate uses, some of which are:
  1. Pre-fetching the IP address in case the user wants to visit that URL to provide for a smooth and expedient experience
  2. To detect if the device is properly connected to the internet and to detect if there are (DNS related) connectivity issues
  3. To detect if there are certain firewall restrictions in place, in particular government restrictions (e.g. Great Firewall of China)
  4. To detect if DNS hijacking is taking place, which some ISPs do. Preferably this detection is done in a considerate manner, unlike Chromium browsers, but more on that later.
There are other legitimate uses, but these are the ones seen most often in the wild.
In particular 3 is used very often, even by VPN clients, by simply doing a DNS lookup for domains that are known to be blocked in say, China or Russia, to see if special workarounds are necessary to connect the client to the VPN server.
1 is also used very often by most browsers.

However, in this case we don't have to guess why Firefox is doing these DNS lookups, now do we? Because your own source plainly states the reason and we can see that the screenshot provided in the article corroborates the part about the get pocket widget:

The list of DNS queries performed varies from time to time, likely based on the getpocket widget in the welcome screen. It's also worth noting that not all of the names looked up are actually contacted; this is part of the DNS pre-fetching enabled in Firefox (see this link and this link for more details; in about:config, you can toggle network.dns.disablePrefetch to true to disable this behavior).

Also, I'm not sure why you're quoting the snippet below, seemingly implying it supports your argument, when it does the exact opposite? I don't want to make assumptions, but it seems like you don't seem to understand what it says:

Of those, only www.netmeister.org was a domain entered by the user. (You may also notice a number of domains listed above that are e.g., AWS systems that the original name already references via a CNAME result. In this case, the response to the initial lookup included the A records in its ADDITIONAL SECTION, but did not provide any AAAA records (because e.g., AWS is primarily IPv4 only). As a result, a second, explicit AAAA query is made.)


Either way, let's keep going. As I said, DNS lookups have legitimate uses, actually connecting to drop off and retrieve a payload with questionable content however, not so much. Or at least, not from the perspective of the user, I'm sure Brave feels they have a legitimate use case.

Let's look at some of those payloads and responses, shall we?

First there's a connection to static1.brave.com, which results in the Brave browser receiving:
JSON:
{ "cpan_eligible_bin_wl_regex": ["^4[0-9]{15,18}$"] }

{ "cpan_eligible_merchant_wl": ["dump-truck.appspot.com"] }

dump-truck.appspot.com is a little repository linked to the Chromium project that contains autofill smoke tests. On its own those tests are not strange, what is curious however is why a production version of a web browser would receive a url to a repository with autofill tests that primarily revolve around credit card data.
Most likely it's an innocent thing that someone forgot to remove, but it doesn't help when Brave already has a questionable reputation.

Then there's a connection to laptop-updates.brave.com. It sends off the payload below:

JSON:
{
    "api_key": "fe033168-0ff8-4af6-9a7f-95e2cbfc9f4f",
    "platform": "osx",
    "referral_code": "BRV001"
}

And receives the result below

JSON:
[
    {
        "cookieNames": [],
        "domains": [
            "coinbase.com",
            "api.coinbase.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "coinbase"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "softonic.com",
            "softonic.cn",
            "softonic.jp",
            "softonic.pl",
            "softonic.com.br"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "softonic"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "marketwatch.com",
            "barrons.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "dowjones"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "townsquareblogs.com",
            "tasteofcountry.com",
            "ultimateclassicrock.com",
            "xxlmag.com",
            "popcrush.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "townsquare"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "cheddar.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "cheddar"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "upbit.com",
            "sg.upbit.com",
            "id.upbit.com",
            "ccx.upbit.com",
            "ccx.upbitit.com",
            "ccxsg.upbit.com",
            "cgate.upbitit.be",
            "ccxid.upbit.com",
            "cgate.upbitit.tv"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "upbit"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "eaff.com",
            "stg.eaff.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "eaff"
        }
    },
    {
        "cookieNames": [],
        "domains": [
            "sandbox.uphold.com",
            "api-sandbox.uphold.com",
            "uphold.com",
            "api.uphold.com"
        ],
        "expiration": 31536000000,
        "headers": {
            "X-Brave-Partner": "uphold"
        }
    }
]


{"ts":1583209242790,"status":"ok"}

Ah yes, so brave of Brave to make sure they get their money by making sure everyone knows to pay Brave if you visit and transact with them with your browser.

Anyways, then there's the multitude of connections to go-updater.brave.com and componentupdater.brave.com with the payload below:

JSON:
{
    "request": {
        "@os": "mac",
        "@updater": "",
        "acceptformat": "crx2,crx3",
        "app": [
            {
                "appid": "gccbbckogglekeggclmmekihdgdpdgoe",
                "enabled": true,
                "installsource": "ondemand",
                "ping": {
                    "r": -2
                },
                "updatecheck": {},
                "version": "0.0.0.0"
            }
        ],
        "arch": "x64",
        "dedup": "cr",
        "domainjoined": false,
        "hw": {
            "physmemory": 16
        },
        "lang": "",
        "nacl_arch": "x86-64",
        "os": {
            "arch": "x86_64",
            "platform": "Mac OS X",
            "version": "10.15.3"
        },
        "prodchannel": "stable",
        "prodversion": "80.1.4.95",
        "protocol": "3.1",
        "requestid": "{d5698802-5f71-460d-b3f0-6956886f191e}",
        "sessionid": "{92504c9b-3e1d-4d9e-80b4-59a725cc23e3}",
        "updaterchannel": "stable",
        "updaterversion": "80.1.4.95"
    }
}

Which, isn't that big of a deal normally, it's clearly part of the Omaha Protocol used to check and provide for updates. The issue here however is that I would've expected a better, more privacy friendly update solution from a browser that touts about being all for privacy etc.
There is no inherent need to collect the information in the payload to be able to provide update (information).
Additionally, the fact that this is repeated 10 times and at least one more additional time to a different url, in identical fashion, might point to shoddy coding, diminishing my faith in Brave, for as much as I had any, to keep my information safe and private.

Lastly there is some data being exchanged; "2 x 80 Kb binary data" that's Brotli compressed and "21848 bytes of binary data" according to the author. Binary data is generally time consuming to go through to figure out what it contains and the author doesn't seem to make any indication that they know what the contents are nor that they made an attempt to figure out what the content is.
That said, 80Kb worth of binary data would generally make one's ears perk up, that's a considerable amount of data in the realm of GET requests, enough to make one wonder what's inside of it.


Anyways, respectfully, Brave is not holier than other browsers and any attempts to distract with whataboutism seems rather silly.


Outlets sometimes have this habit to shoehorn in a segue into an unrelated topic.
E.g. An article could be about Apple airlifting starving orphans from some erupting volcano and then somewhere in the last 1/3 of the article they'll shoehorn in something along the lines of "Apple is under increased scrutiny for the way they operate their App Store" or something.
I'm guessing this is done for SEO purposes so that if you search for that hot topic, you'll end up clicking on the more recent article.

Whatever the reason it's done, I don't think it always makes sense. However, having said that, I think every outlet should include the following two topics every single time they write about Brave:

  • The fact that Brave has been acting shady by giving the impression that you can tip certain content creators when in fact you can't, using their likeness etc. Like in the case of Tom Scott, which clearly still left an aftertaste.
  • The fact that they tried to make a sneaky buck by changing URLs to affiliate links.

ETA: For the promise made earlier about Chromium browsers, basically they hog up root DNS traffic, because of the inconsiderate design in their implementation of checking for DNS hijacking.
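
An added example, not written by any poster in this thread: one way to triage a browser-startup DNS capture like the ones discussed above, separating random single-label lookups (the pattern Chromium's DNS hijack check produces), resolver search-suffix retries, vendor names, and everything else. The sample names, the search domain `lan.example`, the vendor suffix, and the category labels are all constructed, and the 7 to 15 letter single-label pattern is a heuristic assumption.

```python
import re
from collections import Counter

# Heuristic (assumption): a hijack-detection probe is one random label, a-z only.
PROBE_RE = re.compile(r"[a-z]{7,15}")


def norm(name):
    """Lower-case a captured name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label boundary)."""
    return name == suffix or name.endswith("." + suffix)


def classify(names, search_domain, vendor_suffixes, user_entered):
    """Map each unique queried name to a category string."""
    seen = list(dict.fromkeys(n for n in map(norm, names) if n))
    seen_set = set(seen)
    result = {}
    for n in seen:
        bare, expanded = n, False
        # The stub resolver may retry a failed name with the search domain appended.
        if n != search_domain and under(n, search_domain):
            bare, expanded = n[: -len(search_domain) - 1], True
        if "." not in bare and PROBE_RE.fullmatch(bare):
            result[n] = "random-probe"
        elif expanded and bare in seen_set:
            result[n] = "search-suffix-retry"
        elif under(bare, "invalid"):          # reserved TLD, never resolves
            result[n] = "reserved-tld"
        elif n in user_entered:
            result[n] = "user-entered"
        elif any(under(n, s) for s in vendor_suffixes):
            result[n] = "browser-vendor"
        else:
            result[n] = "third-party"
    return result


def summarize(classified):
    """Count names per category."""
    return Counter(classified.values())


# Constructed capture, in the one-name-per-line form used in the posts above.
SAMPLE_CAPTURE = """\
updates.vendor.example.
static.vendor.example.
placeholder.invalid.
placeholder.invalid.lan.example.
qzkwpdhtrmbv.lan.example.
xjvbnrltq.lan.example.
qzkwpdhtrmbv.
xjvbnrltq.
www.news.example.
www.userlink.example.
updates.vendor.example.
""".splitlines()

if __name__ == "__main__":
    cats = classify(SAMPLE_CAPTURE, "lan.example",
                    {"vendor.example"}, {"www.userlink.example"})
    for name, cat in cats.items():
        print(f"{cat:20} {name}")
    print(dict(summarize(cats)))
```

A lookup only shows that a name was resolved; whether the browser then connected and what it sent has to come from the packet capture or a proxy log.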
 