I used to be optimistic about Brave, but I no longer consider it to be a good project. It has had some serious issues with security and the intent behind it is starting to seem nefarious. Monetizing other people's content was always sketchy and their DRM is going far beyond EME.
What are the serious issues with security, how are they any different to every other software-at-scale project and how has unsatisfactorily dealt w them?
How is their intent nefarious? Have seen a lot of vague attempts at casting shade on project with nothing of substance.
Criticism of monetising content is criticism of entire internet industry, not particular to Brave? In that context theirs seems like better model?
DRM to enforce viewing advertising as part of building their business model based on monetizing attention spans is nefarious and a terrible precedent. They've set the precedent now and good luck to them at preserving their business model if web sites end up doing the same thing.
Also, enumerating badness simply isn't a viable approach to privacy and security. The same goes for doing it to try externally replacing the monetization model for the web. Needing to use DRM to try to make their broken model work demonstrates exactly why it's not a viable one.
How is using SafetyNet going to make any difference when it's such a weak software-based attestation model, anyway? They could use the hardware-based attestation but a model based on the root of trust rather than pairing is inherently not very strong. Way better than that though.
What are they going to do on platforms without support for arbitrary application-defined DRM via attestation? They could use hardware key attestation on Android (SafetyNet attestation is what they used and is easily bypassed) and some half measure on iOS, but what about desktops?
Thanks for sketching out some of your concerns in a bit more detail. Need to ponder.
So is weak attestation bad, or all attestation b/c it ultimately leads to lack of user agency?
Is the bigger criticism simply that ad-funded model is totally unworkable as a model?