- The Tor mode in Brave is reportedly leaking the real IP address of those visiting onion sites.
- The ISP knows which sites these users are visiting and could share that data with the authorities.
- This is definitely a big blunder by Brave, and users who wish to remain anonymous should use the Tor browser.
There’s a discussion in the privacy-minded community about using Brave browser’s Tor mode and whether that would be safe for those who wish to remain anonymous. Apparently, users discovered that all requests made for onion domains to the DNS server and the ISP are tagged with the real IP address of the requester, so essentially, the ID of the subscriber is leaked. This defeats the purpose of accessing an anonymous network like the Tor network, but it is actually not anything that Brave hasn’t already warned its users about.
As clearly mentioned in the relevant support page of Brave, using Tor mode won’t guarantee your privacy, and Brave cannot protect you from IP-discovery systems that may be in place. Of course, this doesn’t sound like “we’re not going to even bother,” but it clearly makes the case about the Tor mode being there just for convenience, not for anonymity.
If you’re looking for the latter, you’d better use the Tor browser directly. Even then, nothing is guaranteed, but you will be using a tool that’s at least more focused on the fulfillment of the crucial ID-masking role.
Of course, if you’re using a VPN, which we would suggest that you do when visiting Tor sites, Brave will leak that IP, so there’s still a way to protect your anonymity while using Brave’s Tor mode. However, if the VPN tool you’re using is leaking your real IP address, tough luck.
The researcher who first discovered and reported this was treated somewhat aggressively by Reddit mods who cited reliability issues, even accusing him of potentially faking the screenshots. Since then, many more people have tested their DNS traffic and confirmed the problem, so there’s no doubt about that.
We have seen no statements from Brave yet, and judging from their responses in the past, we won’t be surprised if they decide to rework their DNS resolver and stop the leakage. Brave is a privacy-conscious project and wouldn’t just let people’s IP addresses become prey to ISPs or the authorities.
It’s just against all that they stand for, and we believe that this is just a bit that slipped their attention. Of course, they should have known and done better, and this is unquestionably disappointing for their otherwise growing userbase.