Many people are waking up to the fact that their privacy barely exists and big tech companies are selling their data. That said, I’ve seen data showing that apps and services like Brave Browser and DuckDuckGo are seeing huge upticks in users. This is a splendid start, and I congratulate you on taking some steps toward taking back your privacy! I thought that maybe, in this post, I can spend a few minutes helping you take the next steps in securing your Brave Browser experience even further.
Brave Browser’s Settings Aren’t Perfect By Default
Brave is a business, just like the rest of them. The difference is that they built their business around the idea of protecting your privacy, so even if you don’t dive into the settings, your privacy is still safer than if you were using the likes of Chrome, Edge, etc.
The thing is, Brave leaves some social media settings wide open. Some have speculated that they do this because of a contract between Brave and these social media companies. I guess that is possible. My best guess would be these settings are enabled by default so that your first experiences with Brave feel like your normal experience with Chrome. I mean, if you switched to Brave and nothing seemed to work, you’d likely switch back to your old browser. Still, they are a business, so I believe the social media companies may have some sort of business agreement with Brave to leave these settings enabled.
Apart from the social media settings, there are a handful of other settings you can change to further improve the privacy provided by Brave Browser. Again, I feel like their default state was likely chosen to make switching to Brave feel easier and more like your experience with Chrome. That’s understandable. At first glance, a few of these settings might not make sense. That’s fine, the tinfoil-hat-wearing super-geek is here to help!
Let’s dig into Brave’s settings!
There’s not a lot in the Get Started section you NEED to do. Here you can import bookmarks from another browser, set Brave as your default browser, and do a couple of other very basic things. If you really want to tinfoil hat yourself, at the bottom of this section is the “On startup” option, which has 3 choices. Any choice other than the “Continue where you left off” choice will prevent someone with access to your machine from being able to open Brave and see what you were doing or looking at. If this is a concern, choose one of the other options.
I think one of the easiest privacy wins to be had by switching to Brave is the Shields which can be enabled and disabled on a per-site basis. The blocking of trackers is done with Shields, so by having them enabled, you are blocking lots of analytics services and trackers that would record your activity. These trackers aren’t always a bad thing. In fact, here on my site, you might notice that the Shields icon has the number “1” on it. I have Clicky analytics which Brave blocks by default. I chose Clicky because their analytics don’t give me anything that would expose your private information. Clicky merely gives me data like how many views a page is getting, what country my audience is from, what devices my site is being viewed from, etc. I barely get any activity on Clicky though, and I hope it is because most of you are already using Brave or another privacy-focused browser to block it!
Now there are plenty of sites that are abusing tracking scripts and cookies. Facebook is the easiest example of a company that plants tracking scripts and cookies into your browser so they can spy on everything you do, even when not on their site. Have you ever been searching for a product, signed onto Facebook, then noticed that you are receiving ads for that product? The trackers that Facebook stuck into your browser enable them to have these creeper moments. They are trying to find out what you want to buy so they can target their ads better. This is an outstanding example of something you should block!
My advice is to leave Shields on for most sites. Sometimes the Shields will block some basic functionality of a site, but there is an easy fix for this. If you just click on the Shields icon on the right side of the URL bar, it presents you with a simple menu containing some stats and a switch to turn the Shields off for the current site you are viewing. If you turn the Shields off, the site will reload with them disabled and Brave will remember that you want Shields disabled for the current site. Problem solved!
If you are the curious type, you can look at this Shields menu to see what trackers a site is using. There’s not a lot you can do with this info other than making yourself aware of the predatory practices a site is using. Below is a screenshot of my Shields settings, if you are interested in mirroring them for the best balance between privacy and usability.
Note that you can get more privacy by using the more aggressive settings for “Fingerprint blocking” and “Cookie blocking”, but making this change will probably break a lot of websites, degrading your overall experience.
- Trackers & ads blocking - “Standard”
- Upgrade connections to HTTPS - on
- Block scripts - off
- Cookie blocking - “only cross-site”
- Fingerprinting blocking - “Standard”
Social Media Blocking
This is another section where you can get some wins for your privacy while using Brave. These options are pretty self-explanatory. Do you want the “login with Google” option? Do you want to be able to log in with Facebook and allow embedded posts? Do you want to allow Twitter and LinkedIn embedded posts? Personally, I have ALL of these turned off. I see no real advantage to having them on unless you have signed up for a lot of accounts using the “sign up with Google/Facebook” options. If that’s the case, then you might enable the top 2 choices. Also, stop signing up for things this way and use an email and randomly generated password going forward!
- Allow Google login buttons on third party sites - off
- Allow Facebook logins and embedded posts - off
- Allow Twitter embedded tweets - off
- Allow LinkedIn embedded posts - off
There are only 2 choices here, and the first choice is the one we will focus on. What search engine do you want Brave to use by default? I recommend setting this to anything that isn’t Google or Bing! DuckDuckGo is growing in popularity and is better than Google or Bing as far as privacy is concerned, but recently I’ve stumbled across some information that convinced me to use another option instead. You can see in the screenshot that my default engine on my laptop is StartPage. I have this set to Qwant on my desktop. So far, my experience with both is fantastic and I urge you to give some of these lesser-known search engines a try for even more privacy!
- Search engine used in the address bar - anything but Google is fine
There are a few settings to look at here in the Extensions section. For starters, the top option that says “Allow Google login for extensions” can be turned off if you don’t use Google’s apps like Keep or Calendar from your browser. When this is turned on, it will enable chrome.identity for these extensions so they can retrieve an OAuth token from Google to authenticate users. The OAuth token can be used to retrieve personal information such as your email address and profile. You can read more about chrome.identity here: chrome.identity - Chrome Developers.
The “Hangouts” option can be turned off if you never plan to use Hangouts in Brave browser. Skip down a couple and you will see “Private window with Tor” and “Automatically redirect .onion sites”. Turn both on. If you’ve never heard of Tor, what you need to know is that Tor is a network that routes your internet traffic in a way that strips it of identifiable data. It slows things down a slight bit, but by the time you connect to a site, you have been COMPLETELY anonymized. Using Tor for your private windows makes a ton of sense to give you that extra layer of anonymity. Sites that are native to the Tor network end in .onion, so the second of these options will allow any site with a .onion version to be opened in a Tor window.
The rest of the options in this section just boil down to preference.
- Allow Google login for extensions - off
- Hangouts - off
- Private window with Tor - on
- Automatically redirect .onion sites - on
By default, you should be at the end of the options, but you’ll notice some text that says “Additional settings” with an arrow beside it. If you click that, a complete list of additional settings will expand, uncovering the “Privacy and security” section and many others. Expand that section as we have some changes to make in there too.
Privacy and security
With a name like “Privacy and security”, you should know that we are going to change a few things here! The easiest way to put it would be to switch every switch button off in this section.
To briefly go into further detail, the top option is about using autocomplete for searches and URLs. This seems harmless, but in reality, it works by sending what you type in the URL bar or a search field to a server, which returns the autocompletion suggestions. It is a lot of extra traffic and it is sending everything you type.
Two of these options are about sending analytics and crash logs to Brave. Honestly, it is probably fine to leave these on. I recommend turning them off for an extra little bit of privacy, but Brave states that the data sent here is completely private. If you want to help them out, maybe leave on the last option titled “Help improve Brave’s features and performance” as it just allows your browser to send crash logs to Brave so they can become more aware of possible bugs.
The third option has the title “Use Google services for push messaging”, and, if you haven’t figured it out yet, I’ll recommend you turn off anything with the word
There is a section titled “Cookies and other site data” that you’ll want to click on to expand. Here, you want to make sure that under “General settings” you have the option “Block third-party cookies” enabled. This prevents sites from looking at cookies in your browser from other sites. You also might want to turn on the option titled “Send a “Do Not Track” request with your browsing traffic” as it will send a Do Not Track request which will stop some tracking, mainly personalized ads.
If you go down to the option titled “Security” and click it, a sub-menu will open with the security options. Here, you want to make sure that the “Safe browsing” section is set to “Standard protection” as this is a layer of protection against malicious sites and code. The “Use secure DNS” option is a little different as you should approach this one differently based on whether or not you are running something like a Pi-hole. If you don’t have a Pi-hole or any sort of device acting as your DNS server, I recommend turning it on and checking the second option titled “With”, then changing the dropdown to Quad9, which is a free, encrypted DNS provider. If you have a Pi-hole or something similar, you can leave this alone as you should have your router pointed at your own DNS device/Pi-hole already. There is a caveat though! If the machine in question is a laptop and you connect to other networks, you will want to enable secure DNS when you are connected to other networks!
- Autocomplete searches and URLs - off
- Automatically send completely private product analytics to Brave - off
- Use Google services for push messaging - off
- Help improve Brave’s features and performance - off, but on is fine
- Cookies and other site data
  - General settings - Block third-party cookies
  - Send a “Do Not Track” request with your browsing traffic - on
- Safe browsing - “Standard protection”
- Use secure DNS - on
  - With - Quad9
This section only has 3 clickable areas to open sub-sections and all are about autofill.
For the top one, “Passwords”, I recommend expanding and disabling the top 2 options. These are “Offer to save passwords” and “Auto Sign-in”. Don’t do this in your browser! If you want passwords to be saved, use a password manager like KeePass or Bitwarden instead of letting the browser save your passwords. Password managers are generally more secure and allow you to easily access your passwords from any device where the corresponding app or extension can be installed.
Back into the main settings and under “Autofill” you will see options regarding the saving of payment information and addresses. It is very convenient to save this info, but it could be considered a security risk to do so too. I recommend disabling these as well, but I don’t think it is absolutely necessary if you prefer the convenience.
- Offer to save passwords - off
- Auto Sign-in - off
There is only one option we are slightly concerned about here. I recommend turning off “Continue running background apps when Brave is closed” so you know that nothing in your browser is sending traffic when your browser is closed. This is one of those settings that could prevent a browser app or extension from working properly, so if you experience any weird behavior with this turned off, feel free to turn it back on.
- Continue running background apps when Brave is closed - off
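As an added example (not part of the original post and not Brave's own code), several of the settings recommended in this post can be checked against a profile's Preferences JSON file. The preference names are upstream Chromium names that Brave is assumed to reuse; `RECOMMENDED`, `lookup` and `audit` are names made up for this sketch, and the sample profile is constructed.

```python
import json
import sys

# Recommended values from this post, keyed by dotted preference path.
# ASSUMPTION: Brave keeps these under the upstream Chromium preference names
# in the profile's "Preferences" JSON file; names can change between versions.
RECOMMENDED = {
    "search.suggest_enabled": (False, "Autocomplete searches and URLs"),
    "credentials_enable_service": (False, "Offer to save passwords"),
    "credentials_enable_autosignin": (False, "Auto Sign-in"),
    "enable_do_not_track": (True, "Send a Do Not Track request"),
    "profile.cookie_controls_mode": (1, "Block third-party cookies"),  # 1 = block third-party
    "safebrowsing.enabled": (True, "Safe browsing"),
}
MISSING = object()  # sentinel: key not present in the file

def lookup(prefs, dotted):
    """Walk a dotted path through nested dicts; return MISSING if absent."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node

def audit(prefs):
    """Return {label: "ok" | "differs" | "unset"} for every recommended setting."""
    report = {}
    for path, (want, label) in RECOMMENDED.items():
        got = lookup(prefs, path)
        if got is MISSING:
            # Absent key: the browser falls back to its built-in default,
            # which this file does not show. Check that setting by hand.
            report[label] = "unset"
        elif type(got) is type(want) and got == want:
            report[label] = "ok"  # type check stops JSON true passing for 1
        else:
            report[label] = "differs"
    return report

# Constructed sample profile, not taken from a real installation.
SAMPLE = json.loads('{"search": {"suggest_enabled": true}, "credentials_enable_service": false,'
                    ' "enable_do_not_track": true, "profile": {"cookie_controls_mode": 1},'
                    ' "safebrowsing": {"enabled": true}}')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a Preferences file, supplied by the user
        with open(sys.argv[1], encoding="utf-8") as fh:
            SAMPLE = json.load(fh)
    for label, status in audit(SAMPLE).items():
        print(f"{status:8} {label}")
```

Close the browser before reading the file, since it rewrites Preferences while running. Settings kept outside that file are not covered here.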
Browse More Safely and Securely
If you made it this far, congrats! You’ve taken an already more private and secure browser and made it even more private and secure. By making these simple changes, you have ensured that your Brave Browser is not sending any unnecessary data in the background, is blocking some of the anti-consumer spying that companies like Google and Facebook are trying to do, and is not storing any data it has no business storing in the first place. Browse with confidence!