Brave Browser will take action against websites that target visitors by scanning their ports or accessing other local resources that can reveal personal information.
Starting in version 1.54, Brave automatically blocks port scanning by websites, a practice that many sites were found to be engaging in a few years ago. According to a list created in 2021 by a researcher who goes by the handle G666g1e, 744 sites have scanned the ports of visitors, most or all of them without providing information or asking for permission in advance. eBay, Chick-fil-A, Best Buy, Kroger, and Macy’s were among the sites listed.
Some websites use similar techniques in an attempt to fingerprint visitors so that they can be recognized each time they visit, even after deleting browser cookies. By running scripts that access local resources, these sites can recognize unique features in the visitor’s browser. Sometimes there are good reasons for a site to access local resources, such as identifying vulnerabilities or allowing developers to test their sites. Often, however, the reasons are abusive or malicious.
The new version of Brave will stop this practice. By default, no website can access local resources. Advanced users who want a particular site to have such access can add it to the whitelist. The interface will look like the image below.
Brave will continue to use filter list rules to block scripts and sites known to abuse local resources. In addition, the browser includes a whitelist that gives the green light to sites that are known to access local resources for beneficial purposes.
“Brave has chosen to use the localhost permission in this way for a number of reasons,” the browser’s founders wrote. “Most importantly, we expect that the misuse of resources by local people is more common than the potential benefits, and we want to avoid exposing users to requests that we expect to cause harm.”
Port scanning and other activities that use local resources are done using JavaScript that is hosted on the website and runs within the visitor’s browser. An important Internet security principle known as the same-origin policy prevents JavaScript run by one Internet domain from accessing the data or resources of another domain. This prevents a malicious Site A from being able to access credentials or other personal information linked to Site B.
But no such restriction prevents a website from accessing the visitor’s localhost IP address, 127.0.0.1. This basic form of access has been around for as long as the internet has existed. Although Brave said that Apple’s Safari browser has blocked certain types of access, it does not block all of them. Various browser extensions also prevent such access.
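The policy described above (public pages denied access to localhost by default, with a user-managed whitelist) can be sketched as a check over page/request pairs. This is an added example, not Brave's code: the function names, the sample records and the rule that a page served from localhost may reach localhost are assumptions, and it generalizes the page's 127.0.0.1 to the whole loopback range, `::1` and `localhost` names.

```javascript
// Added illustration, not Brave's code. "Local" here means loopback only.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (h === "localhost" || h.endsWith(".localhost") || h === "[::1]") return true;
  // The WHATWG URL parser has already normalized forms such as 2130706433.
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(h);
  return m !== null && m[1] === "127"; // all of 127.0.0.0/8
}

// Returns "not-local", "allow", "block" or "invalid" for one request made by a page.
function decide(pageUrl, requestUrl, allowlist = new Set()) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(requestUrl, page); // resolves relative URLs against the page
  } catch {
    return "invalid";
  }
  if (!isLoopbackHost(target.hostname)) return "not-local";
  if (isLoopbackHost(page.hostname)) return "allow"; // assumption: local page, local resource
  return allowlist.has(page.origin) ? "allow" : "block"; // default deny, http and https alike
}

// Group blocked requests by page origin and list the distinct local ports probed.
function summarizeProbes(records, allowlist = new Set()) {
  const ports = new Map();
  for (const { page, request } of records) {
    if (decide(page, request, allowlist) !== "block") continue;
    const t = new URL(request, page);
    const secure = t.protocol === "https:" || t.protocol === "wss:";
    const port = t.port || (secure ? "443" : "80");
    const origin = new URL(page).origin;
    if (!ports.has(origin)) ports.set(origin, new Set());
    ports.get(origin).add(port);
  }
  return new Map([...ports].map(([o, s]) => [o, [...s].sort((a, b) => a - b)]));
}

// Constructed sample records (page URL, requested URL); not real traffic.
const SAMPLE = [
  { page: "https://shop.example/checkout", request: "wss://127.0.0.1:5900/" },
  { page: "https://shop.example/checkout", request: "wss://127.0.0.1:3389/" },
  { page: "https://shop.example/checkout", request: "http://2130706433:22/" },
  { page: "http://news.example/", request: "http://localhost:8080/status" },
  { page: "https://wallet.example/pay", request: "http://127.0.0.1:7777/" },
  { page: "https://shop.example/checkout", request: "https://cdn.example/app.js" },
];
const USER_ALLOWLIST = new Set(["https://wallet.example"]); // hypothetical whitelist entry
console.log(summarizeProbes(SAMPLE, USER_ALLOWLIST));
```

A page origin that touches several distinct local ports in one visit, as `https://shop.example` does in the sample, is the pattern the article calls port scanning.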
“As far as we know, Brave is the only browser that can block requests for geo-resources from both secure and insecure public websites, while maintaining the same criteria for sites that users trust (with negotiated permissions),” said Brave in a post.
The browser developer added:
Because of this old “accident”, a small but important program has been created waiting to be freely accessed by websites, often in ways that are invisible to users. And most of the uses are good. Examples include wallets for cryptocurrencies, security software provided by banks or security companies, and hardware devices that use third-party websites for transactions.
In some cases, browsers also allow public websites to access local resources to help developers test their software.
Unfortunately, many malicious programs exploit Internet access for malicious purposes. For example, fingerprints try to identify unique features in some software you’re using on your device to identify you, and some scripts try to identify vulnerable apps on the system and try to exploit them.