Maximizing Privacy & Security Settings for Brave and partially Chrome-based Browsers

Why Brave

Despite scandals with affiliate links and Tor domains leaked to public DNS, Brave still develops very good security features that are not available in Chrome and Edge, which are owned by corporate giants with radically different financing. Brave earns money in the crypto business, but all of that can be disabled or hidden with a few clicks, so the switch to a cryptocurrency-neutral browser is easy. If you need to use a crypto wallet, better do it in a dedicated profile.
Let's highlight the major privacy & security features:

  • Brave Shields - protection against online tracking, fingerprinting and phishing, with optional upgrading of connections to HTTPS.
  • Open in private window with Tor - very useful for getting around censorship.
  • Fast ad blocker written in Rust - several times faster than popular ad blockers.
  • Language and font privacy - these browser traces can be used for deanonymization.
  • Ephemeral third-party site storage.
  • De-AMP: cut out Google's control and enhance privacy.
  • Google services proxy, designed to keep user data away from Google:
    • Safe Browsing
    • Geolocation
    • Plugin updates
    • Certificate revocation
    • Spellcheck
    • Devtools requests
    • And more
  • Services removed for privacy/security reasons:
    • Google accounts integration
    • All features that send data to Google
    • DNS prefetch
    • Chrome Google URL Tracker
    • Hyperlink ping attribute
    • Google Cloud Messaging
    • Firebase Cloud Messaging
    • Motion Sensors
    • NFC
    • Federated Learning of Cohorts (FLoC)
    • Network Information API
    • and more

Brave setup

Most of the options below also work for Chrome, Edge and other Chromium-based browsers.

  • Fingerprinting.
    Deanonymization is possible through WebGL object rendering or even background audio playback. Navigate to Shields → Block fingerprinting and choose Strict. There's a warning about breaking sites, but we recommend Strict anyway because the experience has been good. Canvas fingerprinting can be disabled with the --disable-reading-from-canvas flag on Chromium-based browsers. The EFF has made a good fingerprinting test; heavily recommended.

  • Shields.
    A very useful Brave tool. Enable "Auto-redirect AMP" to reach publisher websites without the Google front end, set "Block Trackers" to Aggressive, upgrade connections to HTTPS and finally, very important, block cross-site (third-party) cookies. This should be enabled by default, but it's worth checking again. Why is it so important? Every widget, button or script can leave a cookie, and when you open another website they compare the cookie and, game, set, match: tracking is established.

    Local content filtering is also very useful: go and wipe a button or a gigantic privacy-policy widget you don't like. Subscribing to a regional filter list will potentially save you a lot of time.

  • Social media blocking.
    This does not block the social media sites themselves, like facebook.com, but their widgets, buttons, comments and login widgets. Heavily recommend enabling all of it: websites will be cleaner, and less info sent to Facebook or Twitter is always a positive.

  • Ephemeral browser cache.
    The cache matters for security and can be cleared from time to time.
    With the --disk-cache-dir flag, the cache location can be changed to a temporary directory:

    $ brave --disk-cache-dir="$XDG_RUNTIME_DIR/chromium-cache"

    Make sure to check the read permissions, because the browser cache shouldn't be readable by all users. Keeping the cache in RAM will also improve browser performance.

  • Blank new tab page.
    Wallpapers and widgets are cool, but they can leave traces by hitting external APIs. Available in Settings → New Tab Page → Blank page.

  • Disable JIT - warning: performance hit.
    Disabling just-in-time compilation of JavaScript to native code costs some browser performance but significantly increases security at the same time, because JIT-related security issues are very common. How to disable: $ brave --js-flags=--jitless.

  • WebRTC.
    A really great protocol and a lifesaver for many video and audio chat applications, with just one small issue: leaking your IP address and machine ID is very possible.
    Navigate to Settings → Advanced → Privacy and Security → WebRTC IP Handling Policy and choose Disable Non-Proxied UDP. This will prevent IP leaks. Completely disabling WebRTC is currently possible only with third-party extensions like "WebRTC Control". Browserleaks has a good online test for WebRTC.

  • Do Not Track.
    Navigate to Privacy and Security → Cookies and other site data → Send a "Do Not Track" request and enable it. It works very simply: requests are sent with a header that says "I don't want to be tracked!", but many websites just ignore it.

  • Safe browsing.
    Checks website safety against a special list, and reveals a bit of your browsing history in the process. Recommended for non-power users.
    Available in Privacy and security → Security → Safe browsing.

  • Web Discovery Project.
    Search → Disable Web Discovery Project. Sending anonymous data for better search: please, don't.

  • Use an external password store.
    A must-have for saving passwords and the Safe Storage key for cookies. The browser should detect it automatically, but you can enforce the store you'd like to use with a flag like --password-store=gnome.

  • Secure DNS.
    Should be enabled too; encrypted DNS is definitely better than unencrypted. Available in Privacy and security → Security → Use secure DNS. Any DoH (DNS-over-HTTPS) service can be used; here's the list of public services. DoH is probably the most privacy-oriented DNS, because to the ISP its traffic looks like ordinary web browsing. Recommended services: LibreDNS (free) or CleanBrowsing (free, with paid options).

Unstable features

Available in brave://flags and can be enabled at your own risk. Worth mentioning here, because some of them are very interesting and will probably be moved to stable soon.

  • Enable CNAME uncloaking - root domain name extraction, so a website can't hide from blocking and cosmetic filters behind a CNAME. For example, if the CNAME souloflight.com points to stupid.porn.advertiser.com, filtering can now be applied to both websites.

  • Enable cosmetic filtering.
    For hiding page elements without blocking by domain name.

  • Reduce User-Agent request header.
    Very useful for privacy: it literally trims your User-Agent output and browser version. The details are here.

  • Enable debouncing.
    This fights automated redirects through tracking websites, like website → redirect to tracker → another redirect to the origin website.

  • Enable Ephemeral Storage.
    This blocks local storage for third-party frames, like those from Facebook or LinkedIn.

  • Enable support for blocking domains with an interstitial page - this relates to domain blocking with a first page like a CAPTCHA or Cloudflare's "Privacy check".

  • Enable domain blocking using First Party Ephemeral Storage.
    Brave will wipe localStorage and cookies on blocked domains and enable ephemeral storage only if the website had no stored data before. This is like a parachute for websites on the blocked domain list.

  • Enable extension network blocking.
    This isolates browser extensions from the Internet.

  • Ephemeral Storage Keep Alive.
    This option wipes ephemeral storage after a tab is closed plus a defined timeout, useful for not breaking recent logins and local data.

  • Enable Brave Sync v2.
    Enables Chromium sync integration with enforced client-side encryption; theoretically, this will allow users to host their own sync server.

  • File System Access API.
    The File System Access API lets websites and extensions use the local filesystem. Warning: avoid this as long as possible.

  • Enable navigator.connection attribute.
    This API exposes more information about the user's connection and local network; avoid it.

  • Strict-Origin-Isolation.
    An experimental policy for better website isolation; it ignores CSP (Content Security Policy) and enforces resources from the main host. It will probably break many websites, so use with care.

  • Rework password change flow.
    This enforces a new password if any password saved in the browser was leaked. Note: better to use an offline, not-in-browser password manager.

Just install Firefox for privacy?

Well, probably not the best time:

Safari note

Safari is the last real Chrome competitor by market share; it works only on Apple devices, is also locked down, and extensions became available not too long ago. Classic security through obscurity. Apple, like Brave, actively uses privacy & security for marketing, but after Pegasus and the massive iDevice hacks it's a bit hard to believe.

Stay safe!