Brave browser’s Tor feature found to leak .onion queries to ISPs (2024)

Developers are issuing hotfix


UPDATED Brave, the privacy-focused web browser, is exposing users’ activity on Tor’s hidden servers – aka the ‘dark web’ – to their internet service providers, it has been confirmed.

Brave is shipped with a built-in feature that integrates the Tor anonymity network into the browser, providing both security and privacy features that can help obscure a user’s activity on the web.

Tor is also used to access .onion websites, which are hosted on the dark net.

Earlier today (February 19), a blog post from ‘Rambler’ claimed that Brave was leaking DNS requests made in the Brave browser to a user’s ISP.



DNS requests are unencrypted, meaning that any requests to access .onion sites using the Tor feature in Brave can be tracked – a direct contradiction of the feature’s purpose.

The blog post reads: “Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion.”

Following the disclosure, well-known security researchers including PortSwigger Web Security’s James Kettle independently verified the issue using the Wireshark packet analysis tool.

“I just confirmed that yes, Brave browser’s Tor mode appears to leak all the .onion addresses you visit to your DNS provider,” Kettle tweeted, providing a screenshot as evidence.

[Image: Security researcher James Kettle independently verified the Brave browser privacy issue]
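The packet-level check described above can be scripted for captured port-53 traffic. This is an added example, not code from the article, the researchers or Brave: a minimal DNS question parser that flags any clear-text query for a name under .onion. The function names, the sample packets and the 192.0.2.10 documentation address are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query payload (constructed sample, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(payload):
    """Return (qname, qtype) of the first question in a DNS query, else None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None                    # pointer/reserved bits or truncated
        label = payload[pos + 1:pos + 1 + length]
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(payload):             # need root byte + QTYPE + QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels), qtype

def find_onion_leaks(packets):
    """packets: (src_ip, udp_payload) pairs seen on port 53 outside Tor."""
    leaks = []
    for src, payload in packets:
        q = parse_question(payload)
        if q and (q[0] == "onion" or q[0].endswith(".onion")):
            leaks.append((src, q[0], q[1]))
    return leaks

# Constructed sample traffic; the .onion name is the placeholder quoted in the article.
SAMPLE = [
    ("192.0.2.10", build_query("example.com")),
    ("192.0.2.10", build_query("somesketchyonionsite.onion")),
    ("192.0.2.10", build_query("Sub.SomeSketchyOnionSite.ONION", qtype=5)),  # CNAME
    ("192.0.2.10", build_query("onion.example.org")),   # not under .onion
    ("192.0.2.10", b"\x00\x01"),                        # truncated datagram
]

if __name__ == "__main__":
    for src, name, qtype in find_onion_leaks(SAMPLE):
        print(f"LEAK {src} sent clear-text DNS for {name} (qtype {qtype})")
```

Any hit is a leak by definition: a resolver-bound query for a .onion name means the lookup left the Tor path.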

User response

Considering that the Tor Browser was specifically built to hide a user’s internet browsing from their ISP, the news has provoked a vociferous response online.

“Privacy my ass,” wrote Twitter user @s_y_m_f_m, while others called the findings “appalling”.

The issue has been present in the stable release since November 2020, and was reported “in mid January”, a Brave developer told The Daily Swig.

A fix has since been issued and is available for download here.


A spokesperson for Brave told The Daily Swig: “In mid-January 2021, we were made aware of a bug that would allow a network attacker to see DNS requests that were made in a private window in Brave with Tor connectivity.

“The root cause was a new adblocking feature called CNAME adblocking which initiated DNS requests that did not go through Tor in order to check if a domain should be blocked.

“This bug was discovered and reported by xiaoyinl on HackerOne. We responded immediately to the report and included a fix for this vulnerability in the February 4, 2021 nightly update.

“As is our usual process for bug fixes, we have been testing the changes in nightly to make sure that they didn't cause regressions or other bugs before releasing to the stable channel.”

They added: “We encourage people to continue to report bugs like this on HackerOne so we can fix them as quickly as possible.

“We also want to remind our community that using a private window with Tor connectivity through Brave is not the same as using the Tor Browser.

“If your personal safety depends on remaining anonymous, we highly recommend using Tor Browser instead of Brave Tor windows.”

This article has been updated to include comment from Brave and further information. An earlier version stated that the issue has been present since 2019; this has been corrected to 2020.



