Brave browser leaves traces of onion addresses in DNS traffic

[Carder]

Brave's Tor mode allows users to access .onion sites in a private window without having to separately install Tor. However, as it turns out, onion addresses leave their mark in the browser's DNS traffic.

The problem was first discovered by an anonymous researcher who reported this week that in Tor mode, the Brave browser sends requests for .onion domains not to Tor nodes, but to public DNS resolvers. At first, the statement of the unknown researcher was questioned, but soon recognized specialists managed to reproduce the problem.

"Just confirmed that yes, in Tor browser mode, all onion addresses you visit are visible to your DNS provider," said James Kettle, research director at PortSwigger Web Security.

“I can confirm. All addresses, standard and .onion, are sent to the DNS server used by the OS. Tested on Windows, ” said Will Dormann, analyst at CERT Coordination Center.

DNS leaks pose a big privacy threat as they leave traces in the DNS server logs for Brave users' Tor traffic. While this may not be a problem in Western countries, in countries with totalitarian regimes, using Tor in Brave can be costly for users.

The Brave team fixed the issue on February 19, 2021. The fix has already been implemented in the "night" version of the browser, released two weeks ago, but after the problem became known to everyone, it will be sent out along with updates for the stable version of Brave.

The problem was the ad blocker built into the browser. The component used DNS queries to find sites trying to bypass its blocking, but forgot to exclude .onion domains from these checks.

 

[Tomcat]

Brave browser protects user privacy by generating random fingerprints​

The developers of the Brave browser said that they are working on a function that will randomly generate "fingerprints" every time a user visits a particular site.
In this way, engineers hope to improve the privacy of their users, as advertisers and analytics companies increasingly track people not using cookies, but using fingerprinting. Let me remind you that this concept includes a wide range of technical details about the user, his system and browser, including information about the operating system, browser type and version, hardware specifications, a list of installed fonts, resolution information, and much more ... Collected in this way, "fingerprints" allow you to effectively identify and track the user as he moves around the network.

Life for analytics and advertising companies got complicated after May 2019, when Google announced plans to start blocking third-party cookies used to track people. During 2019, advertisers and analytics providers began to adapt to these upcoming changes with the release of Chrome 80. As a result, fingerprinting has now become the main method of tracking users.

Firefox was previously the first major browser to tackle this growing problem by adding an anti-fingerprint setting to the browser to block attempts to collect browser fingerprints. Apple followed Mozilla's lead a few months later, but took a different approach, forcing Safari to return identical values for some data, such as fonts.

“Unfortunately, despite good intentions, none of these approaches are effective in preventing fingerprinting,” write the Brave developers. "Unfortunately, the sheer variety of fingerprinting approaches in modern browsers makes all these 'blocking', 'false data' and 'permissions' insufficient and useless."

Brave's own approach to the problem is different. It aims to make each browser really look completely unique on different sites and during different sessions. Due to the fact that the browser looks different all the time, sites cannot collect user profiles, and therefore cannot effectively track people.

Currently, this feature is already active in versions of Brave Nightly, and its wide release is scheduled for the end of this year. Technical details on how the Fingerprint Randomization feature will work are available here. A demo site to test this feature in Brave Nightly and other browsers is available here.

Let me remind you that earlier the Brave team has already announced plans to deploy a system that will hide page elements that are detrimental to user privacy. The engineers said the system would help the browser block third-party ads that cannot be blocked at the network level.