Brave brings HTTPS by Default to iOS
Starting with version 1.68, Brave will become the first iOS Web browser to try to upgrade all sites to HTTPS by default.
Read this article →By the Brave Privacy Team
This is the 25th post in an ongoing, series describing new privacy features in Brave browsers. This post describes work done by Staff Engineer Aleksey Khoroshilov and was written by VP of Privacy Engineering Peter Snyder.
Most Web browsers are finally getting serious about limiting third-party tracking on the Web and—while no browser is as aggressive as Brave—third-party trackers are taking notice of the trend. In response, third-parties are increasingly relying on first-party storage to continue tracking users. Forgetful Browsing is the first in a series of upcoming tools Brave has planned to continue protecting Brave users and address first-party reidentification.
Starting with desktop version 1.53, and Android version 1.54 1, Brave browsers will include a new feature called “Forgetful Browsing,” which allows users to always clear cookies and other storage when the site is closed. Forgetful Browsing can help you:
Forgetful Browsing is similar to, but more powerful and protective than, popular browsing extensions and private browsing modes. It’s another example of Brave offering the most powerful privacy features of any popular browser.
Many privacy problems on the Web have a common root cause: by default, browsers let sites reidentify users indefinitely, but users only benefit from reidentification on a fraction of sites they visit.
In some cases, it’s very useful for a site to remember you (e.g. so you don’t have to log back into your email every day, or so you can easily use a social media account). But such sites are the exception, not the rule. Most often, you won’t benefit from being remembered by every news site you read an article on, or every shopping site you briefly browsed, or every image hosting site that showed you a cute cat picture.
In this way, all Web browsers get the defaults backwards: they assume you want to be identifiable by every site you visit. And this causes both annoyance (e.g. rate limiting or paywalls) and privacy harm (e.g. being profiled by untrustworthy sites). This problem is called “unwanted first-party reidentification.”
The Forgetful Browsing feature—the next step in Brave’s ongoing project to improve how browsers manage first-party storage—addresses the reidentification problem head-on.
Browsers are getting better at protecting users against third-party tracking, but generally do a poor job of protecting against unwanted first-party identification. Brave already provides best-in-class protections against third-party tracking; Forgetful Browsing is one of several upcoming features in Brave that will provide similarly robust protections against first-party tracking.
Browsers provide some tools to help users prevent unwanted first-party reidentification, but these tools are clumsy, inconvenient, and scoped either too broadly or too narrowly, all of which invite unwanted–and irreversible–reidentification.
Consider this scenario: Khen has two email accounts, dolphinfan4ever@example.com
and serious.guy@example.com
, both of which Khen accesses through his Web browser. Khen doesn’t want the email provider to know both accounts are owned by the same person. Unfortunately, Web browsers make this kind of privacy very difficult.
This is because of how browsers manage first-party storage. Browsers prevent sites from reading another site’s cookies (e.g. yahoo.com can’t read your login cookies for outlook.com), but browsers generally don’t restrict how the same site can read cookies across visits (if you visited chicagotribune.com yesterday, the site can re-read the same cookies next time you visit). Even when you tell a site to log you out, it can’t easily clear some kinds of first-party storage 2. This gives even well meaning sites the ability to reidentify users across visits. Worse, browsers provide few protections against sites that intentionally aim to re-identify you across logins (as in Khen’s situation in the previous paragraph).
Browsers provide some tools you can use to be certain there are no identifying values persisting across site visits. Unfortunately, these tools are difficult to use and/or require user perfection; in many cases a single error can allow a tracker to permanently, irreversibly link to different accounts together.
Private browsing modes: Allow users to visit a site with a clean storage area, but require perfection to prevent unwanted first-party reidentification. If Khen (from the previous example) forgets to use a private window just once, and mistakenly logs into his second email account in a normal window, the email provider will be able to link the two email accounts, indefinitely and irreversibly.
Browser extensions: Can clear first-party storage whenever a user closes a site, but extensions are limited in their ability to clear cached values, or values in nested documents.
Clear all storage: Most browsers contain a feature like this, which clears first-party storage for all sites when closing the browser. However, this feature is, for most users, very inconvenient, since it will log a user out of all their sites, even those the user trusts and wants to stay authenticated with. The feature also does not provide much help for people who tend to leave their browser open for long periods of time. This feature is a sledgehammer when what’s needed is a scalpel.
Advanced site controls: Some browsers include this feature, which advanced users can use to manually clear, or otherwise micro-manage first-party storage for sites. These features are useful, but can be (depending on the browser) difficult to discover, need perfect use to prevent identification, or otherwise can be unsuitable for non-advanced users.
Forgetful Browsing, by contrast, allows Brave users to easily prevent unwanted first-party reidentification, in a way that’s convenient and does not require constant vigilance to get right. Using Brave Shields, users can indicate that they want to be forgotten when a site is closed. When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site. Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache).
Users can enable Forgetful Browsing in one of two ways.
Users can indicate that a specific site should be forgotten when it’s closed. To do so:
Users can also make Forgetful Browsing the default setting for all sites. To do so:
brave://settings/shields
from the Brave browser.Note that users can set this as the global default, and then use the steps outlined above (in the “Set Forgetful Browsing for a single site” section of this post) to create exceptions (i.e. to indicate that particular sites should not be forgotten). This allows you to configure Brave to clear storage everytime a site is closed except for your email site, a social media site you log into often, etc.
Forgetful Browsing differs from other settings in Brave Shields in its scope. Most settings in Brave Shields are set per domain; Forgetful Browsing, meanwhile, is set per site. For example, you can configure first.site.example to use aggressive fingerprinting protections and second.site.example to use standard fingerprinting protections, but all subdomains on site.example will share the same Forgetful Browsing setting. This is necessary to align the Forgetful Browsing setting with how Brave (and most other browsers) enforce storage boundaries.
Forgetful Browsing is one of several existing ways Brave protects against unwanted first-party reidentification on the Web. Brave’s Unlinkable Bouncing feature automatically clears first-party storage whenever the browser is bounced through known tracking domains. And Brave’s CNAME uncloaking feature allows Brave to block trackers even when they try to look like first-party resources. Brave also limits the lifetime of cookies set in JavaScript to seven days to prevent some forms of first-party tracking.
Forgetful Browsing is the first of several upcoming features related to further managing and improving privacy around first-party storage on the Web. Together, these features will address a range of ways first-party storage can be abused to harm users. We look forward to sharing more about these features in the coming weeks and months.
Brave will incrementally enable Forgetful Browsing for users during the 1.53 and 1.54 release processes. Users who want to test the feature now can visit brave://flags
and manually enable the “Enable First Party Storage Cleanup support” flag. Note that Forgetful Browsing is still experimental, and should only be enabled by users who understand the risks of enabling such features. ↩︎
HTTP cached values, storage for embedded third-party iframes (in browsers other than Brave), etc. ↩︎
Starting with version 1.68, Brave will become the first iOS Web browser to try to upgrade all sites to HTTPS by default.
Read this article →With desktop and Android version 1.64 in a couple of months, Brave will sunset Strict fingerprinting protection mode.
Read this article →Starting in version 1.54, Brave for desktop and Android will include more powerful features for controlling which sites can access local network resources, and for how long.
Read this article →