Here is my own Brave setup for anyone interested, as of April 9th, 2022. Brave 1.37.111 (desktop version). This setup is meant to strike a good balance between privacy and usability, and tries to debloat the browser.
This is an update to my post from December 11th, 2020 ( https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/#comment-4480402 ) and reflects some changes I’ve made since then (designated with “NEW”). Brave usually makes privacy improvements in the background that are already covered with the Shield settings set to “Aggressive”, so that no new configuring is required at all.
Why do I use Brave? Basically, because Brave removes unsolicited requests to Google from Chromium, the only times it contacts Google by itself is to update extensions (if you have any) or Google SafeBrowsing (unless you disable it) and Push notifications (unless you disable them), and even then the connections are proxied (anonymized towards Google). This is far superior to Chrome or vanilla Chromium. You can read about the things the Brave team removed here:
https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
It is the only Chromium-based browser with credible fingerprinting protections:
https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
It is the only Chromium-based browser that can do CNAME uncloaking (see: https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/ ). Brave’s internal adblocker will also continue to work as it does now, uninterrupted. It won’t be affected by Google’s decision to cripple adblockers with Manifest V3. Brave’s adblocker is not an extension, but rather implemented natively, and thus isn’t under extension restrictions, like e.g. uBlock Origin would be.
MY BRAVE SETTINGS:
Brave adblock lists:
– Go to brave://adblock/ (hamburger menu –> Brave adblocker) and enable the lists there, the more the merrier. I recommend the list that fits your native language and the following lists: Easylist-Cookie List – Filter Obtrusive Cookie Notices, Fanboy Annoyances List, Fanboy Social List, uBlock Annoyances List, Schacks Adblock Plus
NEW: I also recommend the following adblock lists as I find them most useful, you can add the URLs:
-> Fuck Fuckadblock (circumvents websites locking you out if you have an adblocker): https://raw.githubusercontent.com/bogachenko/fuckfuckadblock/master/fuckfuckadblock.txt
-> I don’t care about cookies (most effective list against annoying EU cookie notices): https://www.i-dont-care-about-cookies.eu/abp/
-> Frogeye’s block list of first-party trackers (against sneaky CNAME cloaking): https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt
Good resource for adblock lists, depending on your needs: https://filterlists.com/
Brave’s settings menu (hamburger menu –> Settings):
1) brave://settings/appearance
– Brave suggestions in the address bar –> Disabled
– Hide Brave Rewards Button –> Enabled
– Always show full URL –> Enabled (might help in spotting phishing attempts)
2) brave://settings/newTab (Customize menu on the New Tab Page, bottom right of the NTP)
– If you prefer, set this to show an empty page, if not:
– Sponsored Images, Brave Rewards, Binance, Crypto.com, FTX, Brave Talk –> Disabled
NEW: Brave News –> Disabled
3) brave://settings/shields
– Show number of blocked elements on Shield icon –> Enabled
– Default view –> Advanced view
– Trackers & ads blocking –> “Aggressive” (this will block 1st party ads as well as 3rd party ads, “Standard” would only block 3rd party ads – there is no reason we would want to see 1st party ads, so “Aggressive” is fine)
– Upgrade connections to HTTPS –> Enabled (equivalent of the HTTPS Everywhere extension, which is why you don’t need it in Brave)
– Block Scripts –> Disabled (blocking scripts in general breaks too many websites, if you want to do it, use an extension like uMatrix or NoScript that can provide more granular control than the Brave setting)
– Cookie blocking –> Only block cross-site cookies (blocking 1st party cookies breaks too many websites, we’ll take care of them later on with Cookie AutoDelete)
– Fingerprinting blocking –> Aggressive (if it breaks any website, play around with the “Standard” setting, “Aggressive” has worked for me so far)
4) brave://settings/rewards
NEW: Tips –> Disabled (no Brave Rewards buttons on Reddit, GitHub, Twitter)
5) brave://settings/socialBlocking
– Disable all the settings there, unless you have and use a Google / Facebook / Twitter / Linkedin account, in this case leave the setting that matches your account enabled
6) brave://settings/privacy
– Use prediction service to help complete searches and URLs (= URL speculative autocomplete) –> Disabled
– WebRTC IP handling policy –> Disable Non-Proxied UDP (will prevent WebRTC IP address leak)
– Use Google services for Push notifications –> Disabled (unless you want notifications from the browser, e.g. for chats, in this case leave it at “Enabled”)
– Allow privacy-preserving product analytics (P3A) = telemetry crap –> Disabled
NEW: Automatically send daily usage ping to Brave = counting installations –> Disabled
– Help improve Brave’s features and performance = crash reporter –> Disabled
7) brave://settings/clearBrowserData
– Set it to delete cookies and cache upon closing the browser
8) brave://settings/cookies
– Block 3rd party cookies, set to delete cookies upon closing the browser
– “Do not track” –> Disabled (only raises entropy, ironically making you easier to track, and this setting is not respected by most websites anyway)
9) brave://settings/security
– Google SafeBrowsing –> No protection = Disabled (double-edged sword somewhat, Google SafeBrowsing improves security while lowering privacy – but usually your operating system does defend against known malware as well – choose at your own discretion)
NEW: Always use secure connections –> Enabled (forces HTTPS where possible, you may set exceptions for HTTP websites at your own discretion)
NEW: Use secure DNS –> Disabled (DNS over HTTPS / DoH, I don’t want my DNS data leaked to providers I don’t trust – however, you may also choose a DNS provider you trust at your own discretion via the “Custom” setting, I have heard good things about Quad9 for example, more info here: https://www.privacyguides.org/dns/ )
10) brave://settings/content
NEW: Leave as is, you are being asked for your permission when websites want to access your camera, microphone, location etc. I see no reason to generally deny this as the browser asks before permission is granted anyway.
11) brave://settings/search
NEW: Brave now uses Brave Search as default, this is a privacy-friendly search engine already, the following are also privacy-friendly:
– DuckDuckGo, StartPage, Qwant are privacy-respecting, however, I know that Google tends to have better results. Use whatever works for you. I myself tend to prefer StartPage since it anonymously fetches its results from Google
NEW: Web Discovery Project –> Disabled (already set to “Disabled” by default, no need to change, here we get rid of unnecessary search telemetry)
NEW: Index other search engines –> Enabled (you can leave this at “Disabled” if you are satisfied with the included search engines, I let Brave pick up other search engines because I am using Searx instances that are not included by default, I believe those to be the most private search engines)
12) brave://settings/extensions
– Allow Google login for extensions –> Disabled
– Hangouts –> Disabled
– Media Router –> Disabled (unless you want to use Chromecast, in which case one should leave it at “Enabled”)
NEW: Method to resolve Unstoppable Domains –> None
NEW: Method to resolve Ethereum Name Service –> None
– Private Window with Tor –> Enabled (handy if you want to hide your IP address, do not consider it a real Tor Browser replacement though, as Brave doesn’t have Tor’s common fingerprint)
– Automatically redirect to .onion websites –> Disabled (you can still do it if necessary, Brave will offer the option to you, though I really recommend the Tor Browser Bundle for any such action)
– WebTorrent –> Disabled
– Widevine –> Disabled (unless you use any commercial streaming service like Amazon Prime / Netflix / Spotify or whatever in the browser, if you use any of those leave it at “Enabled”)
13) brave://settings/wallet
NEW: Default cryptocurrency wallet –> None
NEW: Show Brave Wallet icon on toolbar –> Disabled
14) brave://settings/ipfs
NEW: Method to resolve IPFS resources –> Disabled / None
You can also disable the other settings there, but the first one should already do the trick.
BRAVE’S ADVANCED SETTINGS
15) brave://settings/passwords
NEW: Disable all settings you see there.
16) brave://settings/payments
– Disable all settings you see there.
17) brave://settings/addresses
– Disable all settings you see there.
Extensions I use in Brave, all downloaded from the Chrome Web Store… All of these extensions are long-standing free and open source software and do not collect any kind of data themselves:
NEW: I dropped uBlock Origin, reason being that Brave now supports custom adblock lists, I also want to keep the number of my extensions and resource usage at a minimum.
1) ClearURLs = primarily filters tracking elements from URLs, meaning you will be using clean links. Also other minor stuff.
– Allow domain blocking –> Enabled
– Prevent tracking via the History API –> Enabled
– Allow Referral marketing –> Disabled
– Filter eTags –> Enabled
2) LocalCDN = websites load libraries from third party sources, the providers of those libraries know which websites you’ve visited and can potentially profile you. LocalCDN provides these libraries locally for websites, intercepting requests to third party sources. Has the side effect of slightly speeding up the loading process of websites. I use LocalCDN instead of the similar Decentraleyes because the development of the latter has slowed down, and because LocalCDN supports a wider spectrum of libraries at this stage.
– You can leave everything at the default settings here. However, I recommend disabling the update notification in the settings of the extension as it’s quite annoying – the extension gets updated quite regularly.
3) Cookie AutoDelete = Gets rid of cookies and other kinds of local data websites store on your computer, upon closing the tab or changing the domain.
– Automatic cleaning –> Enabled
– Enable Cleanup of Discarded / Unloaded Tabs –> Enabled
– Enable Cleanup on Domain Change –> Enabled (Depends on the convenience level you want to maintain, if you are logged into an account, then change the website entirely, and then return to the website you’ve been logged into, all within the same tab, you’ll get logged out as the cookies will be removed upon domain change – normally Cookie AutoDelete would only clean cookies upon actually closing a tab).
– Clean Cookies from Open tabs on Startup –> Enabled
– Clean all Expired Cookies –> Enabled
– Enable Cache Cleanup –> Enabled
– Enable IndexedDB Cleanup –> Enabled
– Enable LocalStorage Cleanup –> Enabled
– Enable Plugin Data Cleanup –> Enabled
– Enable Service Workers Cleanup –> Enabled (may break chat notifications if you need those, so be careful if you use chats)
—–
I hope this info was helpful for any interested party. I always appreciate corrections or criticism where applicable.