I used to be optimistic about Brave, but I no longer consider it to be a good project. It has had some serious issues with security and the intent behind it is starting to seem nefarious. Monetizing other people's content was always sketchy and their DRM is going far beyond EME.
Conversation
At the core, it's an attempt to monetize other people's content on the web with a cryptocurrency based on the value of people's attention, i.e. the core of the advertising industry. I was interested in their work on privacy improvements but it's clear that's just window dressing.
1
13
I'm not a fan of using attestation to build DRM implementations, especially in a way that goes out of the way to shut out other platforms. They wouldn't even respond to my suggestion to use an approach that is both *stronger* and would allow them to whitelist operating systems.
1
10
Replying to
As long as you can use it without the attention-coin-mining bullshit enabled... Refusing to enable it on "untrusted" operating system is kinda a feature. ;-) But yeah, it's all grossing me out.
1
1
Replying to
I do think that on a technical level, it's a decent choice. The Chromium base is the most secure option and they set privacy-unfriendly defaults, disable invasive optional services and make some important tweaks. Built-in content filtering is also the right approach by far.
1
1
However, they haven't have the best attitude towards security and there have been some major issues. The previous Electron-based desktop browser was awful too. The approach on mobile was saner from the start, and that's what I recommended to people as a decent option in the past.
1
1
The main thing is that they clearly have the wrong motivations. The DRM issue was the last straw for me. I don't like attestation being used for DRM. I see a lot of value in it as a security feature for users but having a root of trust makes it possible to (ab)use it for DRM.
1
2
Attestation would still work without a root of trust and then it couldn't be used by projects like Brave for DRM. It could still be used by users to verify or monitor devices, including a company monitoring the security / patch level / etc. for a fleet of devices that they own.
1
1
I strongly dislike how their attitude for the Android app is that it should have a hard dependency on Play Services too. Meanwhile, Google themselves explicitly avoids hard dependencies on Play Services for Chromium so Brave is actually a regression from Chromium in this regard.
1
2
There's just something so horribly wrong about them adding a hard dependency on Play Services for SafetyNet attestation as part of the attention span nonsense. I could brush it aside as silly nonsense that won't work out before but it's clearly the core of their project...
Replying to
Did they break running on microg without SafetyNet crap? That would be a serious regression making it unusable to me.
1
Replying to
No, but they made the attention span feature depend on it. It still works without it, and you wouldn't have wanted to use that anyway. I still find it to be over the line despite being optional and it just makes it so clear that their goals are totally incompatible with mine.
1
1
1
Show replies