Edit: (Since this is gaining traction elsewhere.) I'm not trying to shit on Brave. I'm just wanting to help protect end-users who may use Brave for it's Tor feature to do stuff over Tor that should only be done with the actual Tor browser. If you're using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.

I'm also no NetSec expert but you don't have to be to replicate this. I'm just a dude with some websites and projects and I'm not certain I would have taken notice of this if it wasn't reported to me by a partner on another project who witnessed this behavior when monitoring his local requests leaving his network. He'll be doing his own write-up and is more equipped to discuss this in length than me.

Testing out something that was noted a week or so ago, and wanting to replicate it for the purpose of this post.

Some of you know I'm working on an ad, tracker, and other BS blocking VPN service for an unrelated project to this site. Go to /f/incoghost (website) for more because I try to keep these things separated.

Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time. Decided to spin up a VM with Brave and test with this site's Onion service (though it will do this for any .onion)

Example:

 Feb 18 12:02:25: query[A] rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion from 104.244.xx.xxx

What this entry shows (simply) is that the request made for the domain rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion made it to the DNS server and is tagged with the IP of the requester, which in this case is just the test / dev VPN. This shouldn't happen. There isn't any reason for Brave to attempt to resolve a .onion domain through traditional means as it would with a regular clearnet site.

This is especially worrisome for those of you who use Brave browser from your normal residential IP and (for whatever reason) use the Tor feature built into the browser to access Tor sites. Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion .

TL;DR: If you're going to use Tor, use the Tor Browser and not Brave. The Tor browser itself doesn't leak these requests like Brave does.

Edit: To clarify, the VPN service we're working on is no-logging but during this dev and testing period we're logging DNS requests while we work out the kinks in the blocklists. This has also allowed us to witness .onions being passed through which is a fault of Brave.

Edit 2: Screenshot: https://images2.imgbox.com/98/46/1i084PbC_o.png

That was me loading duckduckgo in a different container, with brave, while live fetching DNS requests made to the DNS server. I blurred out the non-onion requests. (Different VPN test location than in the above example so 209.x.x.x IP instead of the 104.x.x.x one in the original example.

EDIT 2: The mods of /r/privacy won't let this be posted. They say:

While we (vastly) prefer the Tor Browser over the Brave one, you'll need a better source than the one you found. Can you find something from a more widely recognized NetSec expert? Something along the lines of Bruce Schneier's blog or something at that level of credibility?

and

The problem with screenshots is that they can be faked, trivially. There are also a host of approaches that credible writers/reporters do in the NetSec space do before a line of text appears in print. It's this kind of journalism that we have to trust, since we humble Mods don't have the time or resources to vet. So, we'll need something better sourced. Sorry!

and

There are new posts everyday "warning" people of things that aren't legitimate, hence the caution. This is not a "security" subreddit. A moderator's job is to ensure that the subreddit doesn't devolve into conspiracy theories and misinformation. Security announcements should be vetted and confirmed, not independent claims that the mods have no time to independently verify.

I can post the steps on how to easily replicate this by using pi-hole on their local networks. Anyone is capable of verifying this.

Great. Please do so on r/brave, r/netsec, r/infosec, and other places where this is both directly relevant and appropriate to seek others confirmation. Once vetted by the community (and republished by professionals), you're welcome to post those official responses.

/r/brave is private, invite only. I posted on netsec and infosec so we'll see. I guess /r/privacy must love Brave and not allow anything against it since it's so god damned easy to verify this...

All you have to do to VERIFY that this is happening is A.) Use Brave B.) Go to an Onion site C.) Observe DNS traffic. Install Pi-Hole on a Raspberry Pi or in a Virtual Machine on your desktop and run your DNS requests through it for ease of use and you can verify it. Not sure why they're so hesitant to inform their subscribers of this.

Edit 3: Tested on both a Debian 10 and Ubuntu desktop. I'm not esteemed NetSec researcher and I'm not setting up a 100 different scenarios.

Comments

You must log in or register to comment.

Rambler OP wrote on February 18, 2021 at 10:27 PM

/r/privacy on reddit won't allow this post because:

While we (vastly) prefer the Tor Browser over the Brave one, you'll need a better source than the one you found. Can you find something from a more widely recognized NetSec expert? Something along the lines of Bruce Schneier's blog or something at that level of credibility?

Does anyone else wish to replicate this to confirm?

____ wrote on February 18, 2021 at 10:35 PM

Don't even bother. Post it on Reddit alternatives like Ruqqus, Poal, Phuks, Notabug, etc. instead. Don't support sites that have heavy censorship.

smartypants wrote on February 19, 2021 at 7:40 AM (edited on February 19, 2021 at 7:48 AM)

Poal.co censors far far too much in Feb 2021 : two examples in my prior post.

but I agree that Rambler need to post this asking for confirmation on all the following sites , and even other less censoring subreddits on Reddit.

The top 29 known mostly Free Speech social sites, unranked :

https://boards.4chan.org/pol/
https://archive.4plebs.org/pol/ (legible nondeletable 4chan)
https://www.16chan.xyz/pol/
https://8kun.top (current 2020 8Chan, tor onion link : jthnx5wyvjvzsxtu.onion)
https://8kun.top/pnd/ (8Chan pol)
https://forum.searchvoat.co/viewforum.php?f=31 (never censors legal speech)
https://www.dailystormer.name (https://dailystormer.su/)
https://endchan.org
https://notabug.io/t/all
https://9chan.tw/bestpol/
https://phuks.co/ [server down Oct 2020, up again]
https://poal.co/ (censors speech often, proof https://files.catbox.moe/iuncm1.jpg)
https://ramble.pw/ (not famous yet)
https://wearethene.ws/ (2021 very active 8Chan Q stuff, more legible)
https://Greatawakening.win/ (Q related)
https://raddle.me/ (Raddle)
https://vnnforum.com/
https://patriots.win/ (claims to be free speech, CENSORS discussions of jews, guns, race IQ, etc)
https://ruqqus.com/+MAGA (2% of the old thedonald.win users went here, despite ruqqus censorship)
https://dstormer6em3i4km.onion.link/ [http://dstormer6em3i4km.onion/] (emergency tor onion for https://dailystormer.su/)
https://www.whitedate.net/whitedate-forums/
https://endchan.net/qanonresearch/
https://ruqqus.com/ (claims to be free speech, has leftists control a lot of it)
https://saidit.net/ (censors, but not as bad as reddit)
https://communities.win/ (censors, but not as bad as reddit)

RandomlyGeneratedUsername wrote on February 19, 2021 at 4:32 PM

https://ramble.pw/ (not famous yet)

This is my favorite.

Rambler OP wrote on February 18, 2021 at 11:12 PM

I don't have accounts at those. Well I think I may have an old Ruqqus account or something.

Feel free to share yourself. Helps this site AND more importantly, helps protect the privacy of Brave users.

Rambler OP wrote on February 19, 2021 at 1:43 AM

I created a Ruqqus account and posted in +Privacy but it's not showing up so it's probably either because my account is new. I created a Poal account and posted it there and it appears to me. May not if I log out. Not sure.

smartypants wrote on February 19, 2021 at 7:58 AM (edited on February 19, 2021 at 7:58 AM)

Thanks for your research, keep posting to all the 29 or so free speech sites... too bad Poal shadowbans, censors , deletes, and is a god damned dumpster fire.

I posted proof of two popular user upvoated topics totally censored by Poal admins this last week : https://ramble.pw/f/privacy/2387/-/comment/2901

LIST OF PLACES for you to consider posting your research and revelations!:

https://ramble.pw/f/privacy/2387/-/comment/2902

Save that list!

Also , be sure to add "on my OS, on my machine, conditionals as well" to not trigger people demanding you try it on 3 ISPS on 3 machines. Ask for confirmation at top and bottom of your post to not trigger the Brave fanboy nazis thinking you are a enemy shill.

Rambler OP wrote on February 19, 2021 at 10:59 AM

Also , be sure to add "on my OS, on my machine, conditionals as well" to not trigger people demanding you try it on 3 ISPS on 3 machines. Ask for confirmation at top and bottom of your post to not trigger the Brave fanboy nazis thinking you are a enemy shill.

Yeah, good idea.

not_bob wrote on February 19, 2021 at 8:44 AM

.onion is a special tld that should never be sent to a DNS server to be resolved. Ever.

boobs wrote on February 21, 2021 at 2:15 PM

... unless you are using tor's transparent proxy feature.

____ wrote on February 18, 2021 at 10:26 PM

Definitely always just use Tor Browser on desktop, if only to prevent sites from fingerprinting you.

RandomlyGeneratedUsername wrote on February 19, 2021 at 4:21 PM (edited on February 19, 2021 at 4:24 PM)

Brave is developing fingerprinting defenses too.

https://brave.com/privacy-updates-4/

Of course, Tor Browser is a mature project and more reliable at this point. Let's hope Brave continues to strengthen its privacy and reliability.

div1337 wrote on February 18, 2021 at 10:14 PM

It's disappointing, I'm wondering if it has something to do with how Chromium works? Perhaps using Chromium as a base was a mistake.

Rambler OP wrote on February 19, 2021 at 1:37 AM

Could be. But anything that is advertised to do with Tor shouldn't make any activity known outside of the Tor network itself.

RandomlyGeneratedUsername wrote on February 19, 2021 at 4:30 PM

The only problem with Chromium is the lack of fingerprinting defenses. Brave is working on it.

https://brave.com/privacy-updates-4/

Although Tor Browser is more mature and reliable at this point.

RandomlyGeneratedUsername wrote on February 19, 2021 at 3:01 PM

Following the discussion on /r/netsec, Bruce Schneier is also a director of the Tor Project ;)

smartypants wrote on February 19, 2021 at 6:31 PM

Bruce Schneier is/was a NSA plant in 1993, proven by ME!

I EXPOSED HIM IN 1993 with actual proof on cyberpunks hangouts, such as usenet

Main proof, was his deliberate subverting of his Blowfish algorithm , that infected over 43 crypto library products!

https://en.wikipedia.org/wiki/Blowfish_(cipher)

His Blowfish source code was deliberately subverted in a clever way by him to collapse a crypto key of 256 bits to merely 32 bits if it was derived from user entered text passphrase and the letters typed by user had the high bit set (in ANSI, the high bit is UNDEFINED, not zero, but additionally, mac and pc users can trivially type countless symbols on keyboards that have the highest bit set.

That wiki page, and most people who are not crypto experts in the early 1990s, do NOT KNOW OF NSA connection to Bruce Schneier to spread backdoors in crypto libraries!!!!

wayback machines for usenet used to exist, and could have shown a direct URL to my research proving Bruce Schneier to be under NSA control. NSA uses cash to subvert crypto libraries. Large cash payments are how NSA got engineers at apple to subvert Apples own source code "accidental changes" to SSL code in iOS.

Bruce Schneier is a FUCKING SHILL for NSA!

Remember, Bruce Schneier ALGORITHM for Blowfish was OK, it was his backdoor exploit in the free source code that he widely distributed that has the exploit to collapse and nullify all keyspace.

The high bit got erroneously smeared to all lower bits in each byte of the passphrase. This fact and exploit is still unknown out side of my typing here to you now, and the very rarely archived usenet group I posted too in 1993, 1994. I generally never publish my countless exploits I discover in hardware or software, but I am not wrong and anyone with a copy of Bruce Schneiers widely used blowfish source code promoted in 1994 can trivially verify all I wrote using a ANSI C conformant compiler.

BEWARE Bruce Schneier!

His backdoors in source code , PROVEN, may have toppled governments, promoted fraud, got political dissidents executed, and more.

spc50 wrote on February 20, 2021 at 1:12 AM (edited on February 20, 2021 at 1:24 AM)

F-off to reddit and other control NAZIS (as opposed to my kosher friends - at least the genuine ones of faith).

This gatewaying of all information and only calling something valid when it is admitted by a head of pyramid is tired.

This is why people sit on 0 day exploits for years and drop things strategically. Because too many people out there in power positions are abusive and in denial that their sh!t stinks.

Brave is an ugly baby.

I went back and found I tagged Brave leaking to plain DNS back on February 6th. Was new to me. Working on other stuff involving Tor and had just spun up Brave to check it out. Wondered why strange stuff in my DNS logs (you log your DNS lookups, don't you? You should).

Now who can point me to all the bundled Brave releases? Cause they are all fronted to feed you latest one. I want to selectively install and test and see how many releases they've been outing .onion addresses and putting normies at risk.

spc50 wrote on February 20, 2021 at 4:15 AM (edited on February 20, 2021 at 4:53 AM)

We made mass media about this :) ZDNet on MSN.

https://www.msn.com/en-us/money/other/brave-browser-leaks-onion-addresses-in-dns-traffic/ar-BB1dPSnS

Brave browser leaks onion addresses in DNS traffic Catalin Cimpanu 11 hrs ago

Added in June 2018, Brave's Tor mode has allowed throughout the years access to increased privacy to Brave users when navigating the web, allowing them to access the .onion versions of legitimate websites like Facebook, Wikipedia, and major news portals.

But in research posted online this week, an anonymous security researcher claimed they found that Brave's Tor mode was sending queries for .onion domains to public internet DNS resolvers rather than Tor nodes.

While the researcher's findings were initially disputed, several prominent security researchers have, in the meantime, reproduced his findings, including James Kettle, Director of Research at PortSwigger Web Security, and Will Dormann, a vulnerability analyst for the CERT/CC team.

Furthermore, the issue was also reproduced and confirmed by a third source, who also tipped off ZDNet earlier today.

The risks from this DNS leak are major, as any leaks will create footprints in DNS server logs for the Tor traffic of Brave browser users.

While this may not be an issue in some western countries with healthy democracies, using Brave to browse Tor sites from inside oppressive regimes might be an issue for some of the browser's other users.

Brave Software, the company behind the Brave browser, has not returned a request for comment sent before this article's publication earlier today.

Over the past three years, the company has worked to build one of the most privacy-focused web browser products on the market today, second only to the Tor Browser itself.

Based on its history and dedication to user privacy, the issue discovered this week appears to be a bug, one the company will most likely hurry to address in the coming future.

Update: Minutes after this article went live, the Brave team announced a formal fix on Twitter. The patch was actually already live in The Brave Nightly version following a report more than two weeks ago, but after the public report this week, it will be pushed to the stable version for the next Brave browser update. The source of the bug was identified as Brave's internal ad blocker component, which was using DNS queries to discover sites attempting to bypass its ad-blocking capabilities, but had forgotten to exclude .onion domains from these checks.

spc50 wrote on February 20, 2021 at 5:01 AM (edited on February 20, 2021 at 6:02 AM)

So once again ads bite users in the rear.

Decoupling ad blocking from the browser would be darn smart (ublock origin is simply awesome - so far).

Ad blocking on browser layer should be done via plugins / addons.

Question is what is / was Brave shipping out - calling home - to check? Is Brave saying here is a domain that cleared in the browser, let's call home remotely to verify? That's what it appears.

That isn't a feature. That is Brave collecting lookups unknown to those running the browser. When I do a lookup I expect MY DNS SERVER to deal with it. I don't expect the browser to go talking behind my back.

Terrible 'feature' that should be removed. It is distributed intelligence and I understand that pursuit well. However, it is something people ought to opt into and be aware of.

So yes, Brave likely has been logging onion addresses also and internal domains and other private things they should never be seeing. What is being done with that data and where is note of handling and destruction thereof?

Funnier though is Brave should have seen these onion address lookups whenever 'bug' was introduced. Smart people know those don't belong there. Something isn't right about all of this. Doesn't pass sniff test.

It is up to Brave to prove what they are or aren't doing. I don't believe it until someone speaks and provides code and breaks it down for non coders.

MysteryRepeatsItself wrote on February 19, 2021 at 12:46 AM

Very interesting. Not that I know too much about what you posted, but I'm learning!

abuhussain wrote on February 19, 2021 at 5:44 PM

it's = it is. its = possessive. That's what you want to use.

Your articles are high-quality ones. Don't degrade them by following the example of millions of people on the internet who use them wrong, or even interchangeably.