Don't Trust Brave Search

16 Jul 2021

The new search engine from Brave Software, Inc recently went into open beta testing with marketing claims of being private and transparent, the biggest selling point being that it has its own completely independent web index, unlike many other privacy-oriented search engines. This would allow users to separate themselves completely from the big, well-known tech corporations, which are notorious for harvesting and analysing data.

However, I have some serious concerns regarding Brave Search, its claims and some other things which aren't as easy to spot. Please note that Brave Search is still in beta at the time of writing, so some of these points may still be addressed in the future (hopefully).

This post will mainly go over some suspicious things to keep an eye out for, some outlandish marketing claims and a few other issues. I won't be doing any direct search engine comparisons or reviews; although that may be something for the future, I have no plans to do so at the moment.

Brave's Marketing

To start off, let's take a look at what Brave tells us about their search engine and their claims. My main source for this will be Brave's announcement of the open beta.

In the very first sentence of that announcement they already claim their search engine has "unmatched privacy". This is completely untrue and pure marketing crap: there are far more private and secure alternatives. For example, a self-hosted instance of the metasearch engine Searx would be by far the best option, with the pure HTML version of DuckDuckGo being another viable alternative; it is also the default in the Tor Browser when JavaScript is disabled.

Additionally, Brave claims to be fully transparent, with "no secret methods or algorithms to bias results". If they wanted to be truly transparent, however, they would release the source code, but for whatever reason they haven't mentioned it being open source even once. That means we can't verify their claims or whether their product is truly private and secure.

Not only that, but they also state that Brave Search is "the only independent search engine", which makes absolutely no sense and is completely wrong. They just decided to entirely disregard Google, Bing and Yandex, which currently have the largest market shares and run their own independent indexes.

Lastly, Brave asserts that its search engine "ensures fully anonymous search", which is even further from the truth than the previous statement. In this context, full anonymity could only be achieved with Tor, since the IP address would be hidden and the browser fingerprint would look the same as every other Tor Browser user's. With your IP, Brave could easily work out your approximate location and use it to re-identify your machine.

Moreover, Brave Search also uses JavaScript for analytics (which I will get into a bit later), while Searx and HTML-DDG don't integrate JavaScript in the first place, which prevents most conventional tracking methods; they are also mostly open source.

One more point, which is a bit off-topic, is that I can't seem to find the business model of Brave Software, Inc anywhere. Going by the "Inc" in the name, it's pretty safe to assume that the company is for-profit, meaning it actively seeks profit and may not necessarily have consumers' interests in mind. However, the same could be said for Duck Duck Go, Inc.

Brave Search and its Analytics

To be fair, Brave Search is currently in beta testing, so it's no major surprise to see a bit of analytics. Regardless, the analytics are currently opt-out, with only a very small disclaimer at the very bottom of the homepage telling you that data is being actively collected. I even overlooked it myself at first.

Not only that, but the analytics are collected through the same domains used for content delivery and the search engine itself. So even if you opt out of the analytics, there still isn't a fail-safe way of making sure nothing is being collected. You are completely trusting Brave not to collect any sort of metrics on you or on how you use their service.

So what does Brave even collect?
Looking at this page, we can see exactly what they track: how often you visit the page, how many search queries are sent per day and the average length of your queries. Additionally, they look at how often you click on a search result and how many people actually leave feedback.

For whatever reason, they even decided to record which operating system you use. For a search engine this seems completely unnecessary and unrelated to "improving" a product which very much doesn't depend on which OS you use. On top of that, they also look at which browser you use, which has its valid reasons but could still easily contribute to the re-identification of your machine.

With all of that being collected, Brave Search really doesn't live up to its marketing claims, and most definitely isn't "anonymous". They also say on the page linked above that the information collected will never identify the machine you've accessed it from. However, identification could very well be possible, since they have your IP, OS and browser type, which together can very easily re-identify you, especially if you use a lesser-known or less common browser or OS and live in a smaller country.

For example, a combination of Linux, Firefox and an IP from Iceland is much rarer, and therefore far easier to single out, than Windows 10, Google Chrome and an IP from the USA.
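To put a number on how much such a combination narrows you down, here is a small added example (not code from the original post or from Brave) that computes the surprisal in bits of a country/OS/browser profile and the expected size of its anonymity set. The share figures and the online population figure are constructed for illustration, not measured market shares, and the model assumes the three attributes are independent, which real populations are not; it only shows how quickly rare attribute values multiply into a near-unique profile.

```python
"""Rough estimate of how identifying a (country, OS, browser) combination is.

Added example, not code from the original post. The share figures below are
constructed for illustration only, not measured market shares, and the model
assumes the three attributes are independent, which real populations are not.
"""
import math

# Constructed share of the online population for each attribute value.
CONSTRUCTED_SHARES = {
    "country": {"USA": 0.25, "Iceland": 0.0001},
    "os": {"Windows 10": 0.75, "Linux": 0.02},
    "browser": {"Chrome": 0.65, "Firefox": 0.04},
}

# Constructed round figure for the number of people online.
ASSUMED_ONLINE_POPULATION = 4_900_000_000


def identifying_bits(profile, shares=CONSTRUCTED_SHARES):
    """Surprisal of a profile in bits: -log2 of its joint probability.

    Each extra bit halves the group of people who look identical to you.
    """
    joint = 1.0
    for attribute, value in profile.items():
        joint *= shares[attribute][value]
    return -math.log2(joint)


def anonymity_set_size(profile, population=ASSUMED_ONLINE_POPULATION,
                       shares=CONSTRUCTED_SHARES):
    """Expected number of people sharing the profile: population * P(profile)."""
    return population / 2 ** identifying_bits(profile, shares)


COMMON_PROFILE = {"country": "USA", "os": "Windows 10", "browser": "Chrome"}
RARE_PROFILE = {"country": "Iceland", "os": "Linux", "browser": "Firefox"}

if __name__ == "__main__":
    for label, profile in (("common", COMMON_PROFILE), ("rare", RARE_PROFILE)):
        bits = identifying_bits(profile)
        size = anonymity_set_size(profile)
        print(f"{label:6} profile: {bits:5.1f} bits, "
              f"roughly {size:,.0f} people look the same")
```

Under these constructed figures the common profile reveals about 3 bits and still hides among hundreds of millions of people, while the rare one reveals about 24 bits and shrinks the crowd to a few hundred; add an IP address, which is far more specific than a country, and the set collapses further.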

The Certificate Problem

When you click on the lock symbol in your browser while on the Brave Search page and look at "Connection Secure" in Firefox or "Certificate" in Chromium, you can clearly see that Amazon is behind the validation of the HTTPS connection.

So why is this important?
To understand this I will have to explain how HTTPS works. Let's say that the fictional character Bob wants to visit his favorite website, 4chan. First, a TLS handshake takes place, during which the server sends its certificate to Bob's browser. This certificate is signed by a so-called Certificate Authority (CA), whose signature attests that the certificate is valid.

The browser then verifies that the certificate has been properly signed by checking it against the locally stored public keys of trusted CAs. Every website can decide which CA they want to sign a certificate for them; in this case it's Amazon. But there's an issue: HTTPS is based heavily on layers of trust, and if they wanted to, CAs could easily forge HTTPS certificates for any site they want and intercept all traffic.

This could be fixed by something called CAA (Certification Authority Authorization), a DNS record in which a domain lists the CAs allowed to issue certificates for it, which basically makes sure that CAs don't sign certificates they shouldn't. Which now leads us to the problem with Amazon being the CA.
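To make the CAA mechanism concrete, here is a small model of the check a CA performs before issuing a certificate. This is an added example, not code from the post, from Brave or from any real CA: it walks up the DNS tree to find the CAA record set that governs a name and applies the issue/issuewild rules from RFC 8659. The zone data is constructed and no real DNS lookup happens; the identifiers letsencrypt.org and amazon.com appear only as example CA names. One caveat worth knowing: CAA is evaluated by the CA itself at issuance time, so it constrains CAs that follow the rules, and browsers do not consult it when validating a connection.

```python
"""Model of how a CA checks DNS CAA records (RFC 8659) before issuing.

Added example, not code from the original post, from Brave or from any CA.
The zone data below is constructed; nothing here performs a real DNS lookup.
A CAA record is (flags, tag, value); flag bit 128 marks the tag as critical.
"""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]

# Constructed zone: DNS name -> its CAA RRset. Names absent here have no CAA
# records of their own and inherit whatever their parent names say.
CONSTRUCTED_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),  # only Let's Encrypt may issue
        (0, "issuewild", ";"),            # ...and no wildcard certs at all
    ],
    "locked.example.net": [(0, "issue", ";")],       # nobody may issue
    "cdn.example.org": [(128, "mystery-tag", "x")],  # critical tag the CA does not know
}

# Property tags this model understands; a critical tag outside this set
# forces the CA to refuse issuance.
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Return the CAA RRset governing `name`: the first non-empty set found
    while climbing from the name itself towards the root (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Extract the CA identifier from an issue/issuewild value.

    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org';
    ';' -> '' which matches no CA, i.e. issuance is forbidden.
    """
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca_domain: str,
                     zone: Dict[str, List[CAARecord]] = CONSTRUCTED_ZONE) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # An unrecognised critical property means the CA cannot honour the policy.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue;
    # non-wildcard names ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset exists but places no restriction on this request
    return any(issuer_domain(v) == ca_domain.lower() for v in applicable)


if __name__ == "__main__":
    requests = [
        ("www.example.com", "letsencrypt.org"),
        ("www.example.com", "amazon.com"),
        ("*.example.com", "letsencrypt.org"),
        ("locked.example.net", "letsencrypt.org"),
        ("api.cdn.example.org", "letsencrypt.org"),
        ("nothing.example.io", "amazon.com"),
    ]
    for host, ca in requests:
        verdict = "may issue" if issuance_allowed(host, ca) else "must refuse"
        print(f"{host:22} {ca:16} -> {verdict}")
```

Running it shows the intended effect: with `issue letsencrypt.org` on example.com, a request from amazon.com for www.example.com is refused while the same request from letsencrypt.org succeeds, and a name with no CAA records anywhere in its ancestry stays open to every CA. Publishing a CAA record therefore only helps if the domain owner actually sets one.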

Amazon is in full control of the verification process. Theoretically, they could even purposefully claim that a connection is securely encrypted even though it actually isn't and is backdoored for their own advantage, such as data harvesting, or even for law enforcement and mass surveillance.

With Amazon's notorious reputation for monopolistic and anti-consumer practices, extreme data harvesting and cooperation with law enforcement, I really wouldn't trust them to validate my encrypted connections to a "privacy-oriented search engine". For all we know, the encryption could be a complete lie and practically as good as plaintext.

A much better alternative would be something like Let's Encrypt as a Certificate Authority. They're a nonprofit organization funded purely by donations. Unlike the for-profit Amazon, they have no need for data collection or analytics.

For some reason Brave actually does use Let's Encrypt for their main website but seems not to do so for Brave Search, which seems highly suspicious in my opinion. Overall, just keep an eye out and consider not using Brave Search.

Thanks for reading my post, I hope you enjoyed it!
If you have any feedback or questions regarding this topic or post, feel free to contact me on Matrix, Discord or through email.