The Semi-Paranoid Geek’s Guide to Brave Browser
Multiple Profiles, Ad Blocking, and More
Table of Contents
- 1. Introduction
- 2. Revision History
- 3. Why Brave Browser?
- 4. History of Brave Browser: a Battle between Politics, Ethics, and Visions
- 5. Installation
- 6. A Walk-Through of Settings
- 7. Brave Shields
- 8. Multiple Profiles
- 9. Useful under-the-hood things →
about:
URLs - 10. Bonus: Isolating Widevine (DRM) Libraries to a “Tainted” Area
- 11. Features I really like
- 12. Features I miss
- 13. Features I Have Yet to Test
- 14. Conclusion
Dear user: This article has moved to a new location. Please update your bookmarks.
1. Introduction
The modern web is a jungle. In these dark days of large JavaScript toolkits, batteries-included tracking, and increasingly obnoxious banner ads, we need a web browser that protects our interests: user freedom, privacy, and peace of mind. Ten years ago, that web browser was Mozilla Firefox. Today, the contender is Brave Browser1.
Let’s take a dive into the feature offering of Brave Browser, the new web browser on the block. In particular, let’s focus on how to use multiple browser profiles to make the modern web a little more pleasant to use.
2. Revision History
Version | Date | Comment |
---|---|---|
1.0 | 2021-07-01 | First release |
3. Why Brave Browser?
3.1. The Problems
- Web sites track you. Any big tech company with insufficient moral fiber is already tracking your movements across the web. If you see a button for a social media site on a web page, then that social media site knows you looked at that web page. (The keywords for research are “Referer header” and “3rd party cookies.”)
- Web browsers track you. What better way is there to track you than to phone the mothership? This is why Google Chrome is married to Google’s other online services.
- Mozilla is no longer “about freedom.” What once was the shining example of open source software is now a dismal shadow of its former self. Believe it not? Consider how the usage share of Mozilla Firefox (as of June 2021) is below 4%2.
3.2. The Solutions
- Brave frustrates web trackers. The Shields Up component of Brave Browser blocks ads, tracking scripts, and 3rd party cookies by default. Brave also has an excellent profile system (inherited from Chromium) that can be used to segregate user data into separate browser profiles.
- Ties to Google are severed. Under the hood, Brave Browser is Chromium (the open source base of Google Chrome) with the Google-encumbered parts removed. You cannot “sign into Brave” like you can “sign into Google Chrome.”
- Brave is a visionary. While Mozilla Firefox and Google Chrome have stagnated, Brave has been happily improving Shields Up, testing out an experimental system for microtransactions, and testing a new distributed hash-based file system.
4. History of Brave Browser: a Battle between Politics, Ethics, and Visions
Brave, the company, was founded by Brendan Eich, the programmer who wrote the first JavaScript implementation in 10 days at Netscape. In March 2014, Eich became CEO of Mozilla Corporation, but he soon became the center of a controversy when it was discovered that several years before, Eich had donated personal funds to a political campaign which many inside Mozilla strongly opposed3. Outrage broke out in the Mozilla Company and Eich was pressured into resigning.
Authority in an open source software project is traditionally determined by meritocracy. The top contributor tends to be the leader in charge of the project. In taking a stance on a political issue and ousting someone over it, Mozilla revealed that it was no longer a meritocracy.
Fast forward a few years: Mozilla’s usage share is an all-time low below 4%, and Google Chrome has become the de facto web browser2. As each year continues, Mozilla’s vision of a free and open Internet becomes gradually more like a pipe dream as Google increases its grasp on web standards. History is going to record Brendan Eich’s resignation as a catastrophe for Mozilla and the web. Meanwhile, Eich and his new company Brave are starting to shake up things with creative solutions to the big problems on the modern Internet.
5. Installation
Enough soapbox. Let’s test drive Brave Browser.
To install Brave Browser, point your existing (clumsier) web browser to https://brave.com and download the build of Brave for your platform. If you are using Windows, then download the Windows installer and run it. If you are using MacOS, then download the MacOS version. If you are using Linux (like I am), then do what works best on your distribution; Brave supplies binary builds for your convenience.
The marketing on Brave’s website sets some lofty promises in terms of speed improvements. Don’t expect actual performance to keep par with claims on the order of “3x the speed.” However, if you are used to heavy JavaScript-laden web pages, then you will definitely notice an improvement.
6. A Walk-Through of Settings
Now that we have Brave installed, let’s launch Brave and take a good look at it.
If Brave reminds you a little bit of Google Chrome (with a customized homescreen), then your intuition is strong. Brave is in fact based on Chromium, the open source part of Google Chrome. So, there are many similarities in both face and guts to Google Chrome.
The default homescreen of Brave is nice, but it may be a little overkill for some folks. Click on Customize in the lower right corner.
I disable the background image.
I don’t use the Brave Today newsfeed, so disable it.
Personal pet peeve: 12 hour clocks need to show AM/PM. Since that’s not the case in Brave, 24 hour we go!
Disable all of the cryptocurrency cards (unless you use one of them, in which case it might be useful).
Ah, much better!
Remember that the estimations of bandwidth saved and time saved are just estimations. In order to get an accurate measurement, Brave would need to load all of the advertisements, render them, and benchmark them. Obviously, Brave doesn’t do all that. Brave just blocks them to save you time.
Now, let’s go to ≡ Menu > Settings
Under ‘Get Started’, we can set the profile’s colors and icon. This is useful for distinguishing different profiles from each other, otherwise every Brave Browser window will look the same.
Also, we have an option to determine what pages are displayed when you launch Brave. By default, the previous browser session’s tabs are opened when you launch Brave. (I usually set this to ‘New tab page’.)
Then, there are settings for adjusting the appearance of Brave. The light/dark colors preference affects the display of some web pages. Other browsers have a light theme by default, so I like to set this to light (applies across profiles).
Other settings you may wish to set: ‘Use wide address bar’, ‘hide Brave rewards button’, and ‘Always show full URLs’.
Moving further down, we have Shields Up – Brave Browser’s builtin blocker of ads, cookies, scripts, and other nasty things. (I’m a nerd, so I like Advanced view by default.) Notice that 3rd-party cookies are blocked by default (here dubbed “Cross site cookies”). This is a very good default to have because it frustrates many of the trackers.
Then, we have “Social media blocking.” Some websites allow you to sign in with your Google, Facebook, or Twitter account. What these options do is allow exceptions for third party cookies so that these authentication mechanisms work. I recommend disabling them unless they are needed.
Switch to DuckDuckGo4 or Brave Search5. They neither track you nor bubble you, and the bang syntax is indispensable once you learn it.
There are several extensions that come bundled with Brave. The Tor Private Window is an interesting feature that you may or may not desire. Tor Private Window is a Private Window, except with everything routed through TOR. TOR is a multi-layer proxy that political dissidents in despotic nations use to hide their footprints6. It is rather useful as a quick anonymizer, and I have used it on several occasions as such. Be warned however: TOR is also the same multi-layer proxy that criminals and no-lives use, so it might draw the attention of the nearest network admin.
I have not used WebTorrent yet. I think it is a BitTorrent client built in to the browser. There are legitimate uses and illegitimate uses of BitTorrent, so you may or may not desire this extension.
Options that enable or disable extensions usually apply to all browser profiles.
IPFS (Internet Protocol File System) is a distributed file sharing protocol. I have yet to use IPFS. If you are using it and liking it, please share with me your use case. This sounds like a very cool feature.
At the bottom of the Settings page, there is a hidden section for advanced settings.
Disable product analytics if you don’t like sending usage stats to the mothership (affects all profiles).
There are sub-menus here to adjust browsing data, cookies, and site-specific settings. Under the ‘Cookies and other site data’ sub-menu, there is an option to ‘Clear cookies and site data when you quit Brave’, which is extremely useful for the untrusted profile that we will create shortly.
The automatic Wayback Machine prompt is very cool, and it has saved my rear end a few times already.
Disable the running of background apps when Brave is closed (affects all profiles). I am unsure why this option defaults to ‘on’.
If you have been following along making the customizations that I have suggested (including switching to light mode, which changes the look of the browser drastically), then you should have a new tab page like the following.
After switching to light mode, the resemblance to Google Chrome becomes more obvious. Nevertheless, don’t be fooled. Ties to Google are severed.
7. Brave Shields
Brave Shields is the tool that blocks advertisements and trackers. It can be controlled by clicking on the Brave icon at the end of the address bar.
Here we have a switch to toggle Shields for the current site, as well as a report of how many “creepy things” were blocked.
Advanced View gives us a little more information.
Here we have options to adjust how aggressive the content blocker is, the option to opportunistically upgrade a connection from HTTP to HTTPS, the ability to block JavaScript outright, cookie settings, and fingerprint blocking.
The scripts setting blocks all JavaScript on the page. In a pinch this can be used to disable scripts that override context menus or load headache-inducing banners.
If we click on the down-arrow on the left side of ‘Trackers & ads blocked’, then we are presented with a list of page elements that have been blocked.
Notably, if a website uses Google Analytics (a very popular tracking tool that collects a lot of information about your browser and your cursor movements), then you will see it blocked here. I am very thankful that Brave blocks Google Analytics by default. I prefer not to tell a site operator where my display’s cursor resides at any given moment.
If you are a server operator relying on Google Analytics to track page hits, then please find another framework. Any user who runs a good ad blocker such as uBlock Origin or Brave Shields is invisible to Google Analytics because good ad blockers block Google Analytics by default. Ad blockers are very common security tools nowadays, so there is a significant portion of your user base that is simply missing from your analytics data.
There is this great tool called
apache.log
. Use it. There is another great tool calledgrep
, and there are more powerful tools calledawk
,python
, andperl
. Use them. All of these tools run server-side and will work reliably regardless of what web browser or ad blocker your users use.
We can add additional filters (even custom ones) to Brave. Go to the
“Three-Bar” Menu (≡) > Brave Ad Block. (Or type brave://adblock
into the
address bar.)
The default settings work fine in my testing.
8. Multiple Profiles
Because Brave Browser is based on Chromium (the open source base of Google Chrome), Brave Browser also inherits one of Chromium’s best features: the ability to create multiple browser profiles.
Why would someone want to use multiple browser profiles? Each profile has its own history, cookie store, settings, and cache. So, each browser profile is a separate identity to the Web. It is possible (and easy) to create one profile for personal browsing, one for work, one for Facebook, and yet another for Google. Each profile is a separate identity to the web.
Let’s create a profile in Brave. Go to the “Three-Bar” Menu (≡) > Create a New Profile.
I generally like to set colors for profiles to make them easy to distinguish from each other. Usually red means untrusted (throwaway data), yellow means semi-untrusted (don’t throw away data), green means semi-trusted (slightly cleaner), and blue means trusted (cleanest of all for sensitive data). This is just a suggestion. You can use whatever colors you like. In this demo, let’s create an untrusted profile and use the shade of red which Brave calls ‘Beige’.
Apply the settings customizations mentioned in the previous section to the new profile. For the untrusted profile, I also recommend enabling Settings > Additional Settings > Privacy and Security > Cookies and other site data > Clear cookies and site data when you quit Brave. This way, each launch of the untrusted profile creates a clean slate.
Notice the new button on the toolbar. This button lets you switch between profiles and customize profiles. If you hover the cursor over the button, then it prints the name of the current profile in a tooltip.
If you click on the button, then a profile switcher is displayed.
Clicking on a profile’s name will open that profile’s browser window. (Now the reasoning behind the earlier suggestion to color code profiles should be clearer. Different colors make different profiles easier to distinguish.)
Clicking the name of the current profile opens the Manage Profile settings screen, which allows you to change the colors and icon of the current profile.
Clicking the gear icon in the profile switcher opens the “Who’s using Brave?” window, which lets you quickly manage a bunch of profiles.
Let’s relabel ‘Profile 1’ as ‘Trusted’. Click the three dots next to ‘Profile 1’ > Edit. The Manage Profile settings screen will open in ‘Profile 1’. Change the name to ‘Trusted’ and set the color of the theme and avatar to light blue (or whatever color you like).
Note: ‘Profile 1’ is a little special. To see why, type
brave://version
into the address bar and examine the ‘Profile Path’. The ‘Profile Path’ of ‘Profile 1’ ends withDefault
. However, every other profile has a path ending withProfile N
whereN
is a unique integer.
Now, you can use the Trusted profile to sign into websites you trust. Feel free to create as many profiles as you want. My setup looks like the following screenshot.
9. Useful under-the-hood things → about:
URLs
Since the dark days of the web, web browsers have included a hidden about:
URL scheme7 that allows the user to access backstage areas of the
browser, ranging from user-facing settings screens to geeky debugging
information. Perhaps the most widely known about:
page is about:blank
,
which displays a blank page used as an initial page for new browser sessions.
A useful cross-browser page is about:about
, which lists all about:
pages.
(Try it!)
A slight note about naming: Brave is based on Chromium, which automatically translates
about:
tochrome://
. Brave applies a further substitution:chrome://
tobrave://
. The net effect is thatabout:about
is translated tobrave://about
. For all intents and purposes,about:about
,chrome://about
, andbrave://about
refer to the same page, and you can enter any one of the three URLs in the address bar to retrieve the same page.
Another useful page is about:
(without any page specified), which lists
version information in most web browsers. In Brave it translates to
brave://version
and lists the browser version, the command line, and the
profile path.
A useful page for your Untrusted profile is about:settings/siteData
(case
sensitive), which takes you directly to the settings screen for managing
cookies and site data. This is the list of data that is deleted upon exit if
you enable ‘Clear cookies and site data when you quit Brave’. From this page,
you can remove an individual site’s cookies immediately by clicking the trash
bin icon. (I use this settings screen so often that I bookmarked it.)
about:flags
allows you to enable experimental features.
about:dino
is a fun Easter egg in Brave (and other Chromium-based browsers).
about:dino
starts a minigame starring a dinosaur jumping over cacti in a
desert. This minigame is also activated when pressing <Space> on a network
error screen.
10. Bonus: Isolating Widevine (DRM) Libraries to a “Tainted” Area
If you frequent video streaming websites, then you may see the following message.
If you have not seen this message, then point Brave to https://shaka-player-demo.appspot.com/ and try to play the “Sintel” short film, which is protected by Widevine DRM. (In my testing, I needed to select the compiled version of the player.)
The warning about Widevine has teeth. The Widevine module is Google’s implementation of Encrypted Media Extensions (EME), which is a form of Digital Restrictions Management (DRM)8 for the web. The Widevine module is a dynamically linked library, so it integrates very closely with the unsandboxed browser code. Furthermore, source code for Widevine is not publicly available, so there is no way to audit Widevine.
Short version: Widevine is very bad in terms of security and makes both you and content creators politically dependent on Google.
Nevertheless, tech organizations that should know better (e.g. Netflix) have adopted Widevine, mostly at the vocal insistence of large entertainment conglomerates that are too ignorant to know any better. So, until the political problems of copyright law are solved, we are stuck with the technical “solution” of Widevine.
Historical digression: Mozilla had a chance to stand against widespread adoption of Widevine in 2013. Nevertheless, they caved without much resistance and contracted Adobe to implement an EME module for Firefox. Considering all forms of DRM contradict the Mozilla Manifesto, it was a shocking scandal for Mozilla fanboys. Imagine what could have happened if a major browser stood up for freedom on the Internet.
The workaround: sandboxing. If you are thinking of browser profiles, then your instinct is strong. Don’t let this Widevine blackbox touch your main browser profile!
Unfortunately, it is impossible to enable Widevine in one browser profile.
Enabling Widevine in one profile enables Widevine in all browser profiles!
So, an additional layer of sandboxing is required: --user-data-dir
. Brave
browser inherits Google Chrome’s secret command line parameter
--user-data-dir
, which specifies a custom user data directory.
Invoke Brave browser with a custom user-data-dir:
brave-bin --user-data-dir=$HOME/.config/BraveSoftware/Brave-Browser-widevine
Obviously, the path you choose (and the mechanism of invocation) will vary
depending on your operating system9. The above example applies to Linux
and will create a new user-data-dir
(~/.config/BraveSoftware/Brave-Browser-widevine
) and a new cache directory
(~/.cache/BraveSoftware/Brave-Browser-widevine
). Both directories are
siblings of the default directories that Brave uses.
I have a two-line shell script (brave-bin-widevine
) that I use to launch the
custom user-data-dir. It is possible to launch both the default Brave
user-data-dir and the custom user-data-dir simultaneously.
#!/bin/bash exec brave-bin --user-data-dir="$HOME/.config/BraveSoftware/Brave-Browser-widevine" "$@"
In Windows, you will probably want to create a new shortcut with the
--user-data-dir
and install it in your Start Menu.
In MacOS, I have no idea what to do. If you use other platforms, please let me know how you do it. I can include hints and instructions.
This custom user-data-dir is going to become a sandbox for Widevine. This sandbox will have its own separate set of browser profiles independent from your regular set of profiles in your regular user-data-dir.
Once you have Brave launched with a custom user-data-dir, go to Settings > Extensions and enable the Widevine module. This will enable Widevine only in the custom user-data-dir.
Brave will download the latest Widevine module from Google and load it.
(Widevine will also appear in about:components
.)
Now, point Brave to https://shaka-player-demo.appspot.com/ and try to play the “Sintel” video again. The video should play now.
11. Features I really like
11.1. Multiple profiles
As detailed above, the ability to create multiple browser profiles and implement security by compartmentalization is indispensable on the modern web.
“No, Mr. Amazon, I’m Alice. I don’t know anyone named Bob, much less whether Mr. Bob’s guilty pleasure is horse movies.”
11.2. Ad blocking configured by default
I know of no other browser that enables ad blocking by default. This is, as far as I know, a first. Brave blocks ads, third party cookies, and malicious domains by default. You need not do a thing in order to activate it. There are no such things as “approved ads.” All ads are blocked.
Furthermore, Brave provides a cryptocurrency system to provide a way to fund the websites you like, should you choose to use the cryptocurrency. (It is opt-in.) Otherwise, you are more than welcome to find the website’s donation button yourself. (It should be easier with distracting ads blocked.)
11.3. “Interesting” privacy features
You may have noticed that you can open a “new private window with Tor.” The Onion Router (TOR) is a multi-layer proxy distributed around the world6. Brave has TOR support built into the browser; all you need to do is open a private window with TOR. (≡ Menu > New private window with Tor)
When you open a private window with TOR, Brave will tunnel through a random chain of proxies on the TOR network and pop out somewhere thousands of miles away from your current location. Anything you do in this TOR window is routed through the TOR network. To further frustrate attempts to trace your proxy jumps, TOR generally builds a new chain of proxies every 10-15 minutes, which means you will pop out from another remote region in the world.
TOR is used by journalists and political dissidents in countries with malicious governments. TOR allows a user to present an anonymous face to the Internet. So, the inclusion of this rather extreme privacy tool is a nice bonus. However, be warned: criminals and no-lives use the same TOR exit relays, so do not send sensitive personal information across TOR. If you identify yourself, then you lose your anonymity.
Furthermore, if you are on a corporate network, you may wish to disable this feature entirely to prevent an accidental fat-finger launch. While TOR is great at concealing your identity from Web servers, the reverse is not true. TOR effectively announces to others on your local area network, “Hey! This guy has something to hide!”
12. Features I miss
12.1. <Shift>+<right click> to force context menu
Mozilla Firefox lets the user force the context menu to appear by using <shift>+<right click>, even on web pages that attempt to disable the context menu. This feature was a lifesaver for poking around obnoxious websites.
I am aware of addons that disable scripts that override the context menu. However, they require a page reload to work. It is nice to have this simple feature built into the browser.
12.2. JSON viewer
If you poke around Web APIs, then you might have noticed Mozilla Firefox has a nice way of rendering JSON10 in an interactive tree. Brave does not have this feature. (Neither does Google Chrome.) So, if a server sends you minified JSON (without any whitespace), then it is almost impossible to read.
13. Features I Have Yet to Test
13.1. Sync
Problem 1: lack of necessity. These days I store bookmarks in org-mode.
Problem 2: how to synchronize multiple profiles, each used for a different set of websites, in an elegant way. I am sure it is possible, but execution is difficult.
13.2. IPFS
The only things I know about Internet Protocol File System (IPFS) are what I read from a paper a couple years ago. IPFS is a distributed hash-bashed filesystem. Each file is hashed, and the hash becomes its unique ID. Then, the file can be shared among several peers.
I admit I am biased toward hash-based data stores and Merkle trees. If you are using IPFS, please contact me. I am very interested to hear how well it works for you.
13.3. BAT
Basic Attention Token (BAT) is Brave Browser’s builtin cryptocurrency. One of the goals of BAT is to enable microtransactions on the Internet. Combined with the ad blocking, the vision is to allow a viewer to optionally contribute to the websites he frequents.
I think the intention is noble, so please contact me if you are using BAT and you find it useful. Cryptocurrency is a relatively new technology, so I have not yet dipped my toe in the water.
14. Conclusion
Brave Browser is the underrated web browser of 2021. Brave blocks ads and trackers by default, making the web a lot more pleasant to use. Brave’s profile system is an immensely useful feature; I hope this guide provides some useful guidance about using profiles. Innovative features such as IPFS support and the builtin TOR mode are the kind of forward-looking wild ideas that provide hope for a better future of the web.
Are you tired of web sites that track you? Brave has mitigations. Are you annoyed with full-screen banners? Brave blocks them, by default. Are you reluctantly losing hope in Mozilla as they continue to twirl around the tube? Try Brave today!
Footnotes:
The political campaign was California Proposition 8: one of the efforts to define civil marriage as strictly between one man and one woman.
Some sources call it “Digital Rights Management.” Both are valid, but “rights” is a form of doublethink.
JSON is just another plain text data format, although one that is strictly hierarchical and intended for machine consumption. https://en.wikipedia.org/wiki/JSON