Posted on 02/25/2021 5:41:01 AM PST by rarestia
Brave has fixed a privacy issue in its browser that sent queries for .onion domains to public internet DNS resolvers rather than routing them through Tor nodes, thus exposing users' visits to dark web websites.
The bug was addressed in a hotfix release (V1.20.108) made available yesterday.
Brave ships with a built-in feature called "Private Window with Tor" that integrates the Tor anonymity network into the browser, allowing users to access .onion websites, which are hosted on the darknet, without revealing the IP address information to internet service providers (ISPs), Wi-Fi network providers, and the websites themselves. The feature was added in June 2018.
This is achieved by relaying users' requests for an onion URL through a network of volunteer-run Tor nodes. At the same time, it's worth noting that the feature uses Tor just as a proxy and does not implement most of the privacy protections offered by Tor Browser.
But according to a report first disclosed on Ramble, the privacy-defeating bug in the Tor mode of the browser made it possible to leak all the .onion addresses visited by a user to public DNS resolvers.
"Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP," the post read.
DNS requests, by design, are unencrypted, meaning that any request to access .onion sites in Brave can be tracked, thereby defeating the very purpose of the privacy feature.
This issue stems from the browser's CNAME ad-blocking feature that blocks third-party tracking scripts that use CNAME DNS records to impersonate the first-party script when it is not and avoid detection by content blockers. In doing so, a website can cloak third-party scripts using sub-domains of the main domain, which are then redirected automatically to a tracking domain.
Brave, for its part, already had prior knowledge of the issue, for it was reported on the bug bounty platform HackerOne on January 13, following which the security flaw was resolved in a Nightly release 15 days ago.
It appears that the patch was originally scheduled to roll out in Brave Browser 1.21.x, but in the wake of public disclosure, the company said it's pushing it to the stable version of the browser released yesterday.
Brave browser users can head to Menu on the top right > About Brave to download and install the latest update.
Mine shows Version 1.20.110 as current version.
Brave logo
Brave
An error occurred while checking for updates: Update check failed to start (error code 4: 0xA0430817 — system level).
Learn more
......................................
Why would the CIA release a browser without that feature.
Brave logo
Brave
Brave is up to date
Version 1.20.110 Chromium: 88.0.4324.192 (Official Build) (64-bit)
Get help with Brave
They should change the name to Hubris. :)
Thanks for the heads-up; am patching my system now.
BFL
There is no way anyone can trust anything anymore.
Just serving the overlords of the deep state.
You can trust me. /snark
That would be a good tagline.
Even Brave admits that their implementation of The Onion Network is less secure than the Tor browser’s is.
But you’re also not getting the best out of Tor browser if you’re running it on Windows.
DNS over HTTPS + VPN + TOR, regardless of OS, is as private as you can get. If you want to use Linux, go for it, but it’s no more secure than Windows. Your OS is only as secure as your patch level, whether it’s Windows, Linux, or Apple.
Tech Ping
For me. It might as well have been written in Greek.
The takeaway should be that regardless of your platform/browser/application of choice, don’t blow off updates.
I never understood why the tor feature. If you want to use tor use the tor browser.
I’m on 1.21.44 going to 1.22.45
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.