I know I’m getting a bit off-topic here, but @Kresimir, just to clarify, are you saying that one could use FF’s password manager without sync, thus only local storage of logins and no Internet access/storage, and it would be approximately as secure as using KeepassXC local/KeepassXC-browser? Maybe even more so, since it would eliminate an additional extension in FF, or is there a flaw in FF’s password manager itself? I’d like to be as secure as possible without giving up too much convenience.
Hello community. I use LibreWolf, configured in one compact line, with an expandable tab bar (up to 3 lines, then a scroller). I also have the Vimium C extension to work without a mouse.
That’s not correct: the private key is stored on the device. The QR code doesn’t matter. You can print out a thousand copies of the QR code and hang them up all over town if you’d like, it won’t make that account any less secure.
This seems like a non-issue. When someone is using one of these applications, they are trying to prove their identity on purpose to the service. This concern that they will be able to identify you seems unfounded.
If I want to sign in to Microsoft[dot]com and I use Microsoft’s proprietary TOTP app to verify my identity, why on earth would I care if the app can “call home” to tell Microsoft that I used the app to sign in? They obviously already know I have signed in. They also already know my identity because I have purposefully told them what it is, and proven it as well.
That’s awesome! I’ll have to check that out. Also, welcome to the community.
Are you sure TOTP works like the private key on your device?
In my experience, TOTP does not use an asymmetric key method (public & private key), but it is like a symmetric key (public key = private key), because the server generates its own random QR code or text code as a public key and shares it with you as the client.
Anyone can copy this code as the public key to create the same TOTP on any device. This code can also be backed up if you don’t lose the same TOTP.
I switched from KeepassXC to Pass a few years ago, no application running in the background, never had a problem with the extension. You can import your passwords with pass-import and if you prefer a TUI or a GUI for managing them, you can install ripasso-cursive or qtpass.
I apologize, I stand corrected. I have done a little more reading and TOTP apps don’t work like I thought–I must have gotten the wrong idea in my head somehow. (https://www.descope.com/learn/post/totp, https://www.freecodecamp.org/news/how-time-based-one-time-passwords-work-and-why-you-should-use-them-in-your-app-fdd2b9ed43c3/).
This means–like you say–the QR code (or the actual key) represents a security risk if lost or stolen. So: don’t print them out and hang them all over town.
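The point settled in the exchange above (TOTP rests on one shared secret, not a per-device private key), as an added example that is not part of the original thread: a minimal RFC 6238 implementation showing that the server and every device that scanned the provisioning QR code compute identical codes. The secret is the RFC 6238 test seed and the otpauth URI is constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Shared secret: the RFC 6238 Appendix B test seed for HMAC-SHA1 (constructed, not a real account).
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
# A constructed otpauth:// URI of the kind a provisioning QR code encodes; it carries the secret in clear.
PROVISIONING_URI = f"otpauth://totp/Example:alice?secret={SECRET_B32}&issuer=Example"


def secret_from_uri(uri: str) -> str:
    """Extract the shared secret from an otpauth:// provisioning URI."""
    return parse_qs(urlparse(uri).query)["secret"][0]


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for a Unix time: HOTP over the time-step counter with HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` time steps of clock skew."""
    return any(hmac.compare_digest(totp(secret_b32, now + k * 30), submitted)
               for k in range(-window, window + 1))


def demo(now: int) -> dict:
    """Two devices that scanned the same QR code produce the same code, and the server accepts it."""
    phone_secret = secret_from_uri(PROVISIONING_URI)
    phone_code = totp(phone_secret, now)
    copy_code = totp(phone_secret, now)  # second device holding a copy of the QR code
    return {"phone": phone_code, "copy": copy_code,
            "server_accepts": verify(SECRET_B32, phone_code, now)}


if __name__ == "__main__":
    print(demo(int(time.time())))
```

At Unix time 59 the code is the RFC 6238 test vector 287082, from either device.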
@nicknick I would not consider privacytests.org to be a trustworthy source for information because the whole thing is run by a Brave employee. This is from the about page:
This website and the browser privacy tests are an independent project by me, Arthur Edelstein. I have developed this project on my own time and on my own initiative. Several months after first publishing the website, I became an employee of Brave, where I contribute to Brave’s browser privacy engineering efforts.
I could understand that the fact the person running the project is an employee of Brave may give reasons to be concerned. However this may or may not be relevant as the code base for the test is open and can be found here:
I am not expressing any opinion pro or contra this project but I think for any opinion to contribute to the accumulated common knowledge, it should be based on objective grounds and facts.
I admit I am not code-savvy enough to audit the code base for this test but perhaps other knowledgeable users on this forum may find time or interest to do so.
Omg, really??? Thank you very much for informing me of this, I really didn’t know about this.
I’m not saying that Brave is a bad web browser, but I found it strange that all the Brave checks were green.
I’m not saying they cheat, but I prefer the tests to be done by people who don’t belong to any company or web browser brand.
This was my favorite (and only) website to compare web browsers. Now I won’t have anywhere else to go.
Anyway, I’m going to continue using Firefox/Librewolf/Tor xD.
I hadn’t seen your post. So, should we trust this website or not? I mean, I don’t know if there is another way to compare web browsers.
I don’t know. As I said above, I am not code-savvy enough to audit the code to see how the tests are carried out.
Without an evaluation of the code, I find the fact that the person running the project is an employee of Brave irrelevant and not a compelling argument to disregard the whole test.
Even if an audit were to determine that those tests were carried out in an objectively fair way, who is to say those tests are the correct tests? It is so easy to manipulate data that it is a problem.
It may not even be malicious or deliberate.
IMO, burying the information that you are associated with Brave on the about page in a non-prominent way is enough of an issue to make me distrust the information to begin with.
That’s exactly what initially struck me as odd, too. Brave somehow passes every test, but every other Chromium-based browser scores no better than Google Chrome?
Just because something is open code doesn’t mean it’s trustworthy. I mean look at the Brave browser itself–the fact that it is open source hasn’t stopped the Brave company from doing shady, dishonest things with it.
You can wait for someone to audit the code for you before you make an opinion if you want to, but I have no problem being skeptical of the project simply based on what it is on its face.
I thought viewing the code is a way to determine if those tests are the correct tests or not, what they measure and how, or if they are biased or not.
Maybe I’ve got it wrong.
Isn’t that a common practice that the information about a website or service is oftentimes published under an “About” page?
I respect your opinion but only as such. The fact is that the information is there for the interested to see. The “About” link is by no means “buried” on the site. It is to be found at the very top of the page and one just needs to scroll a bit to come to the “Full disclosure and transparency” part.
I didn’t say that.
What I said was that before establishing the fact that tests are wrong, biased or the data published is manipulated, we couldn’t “know” for certain if the site and the results published there are trustworthy or not.
Anything short of that is mere opinion and should be considered as such.
In my mindset being skeptical is something different than deducing the untrustworthiness of the site from the premise that the person running it is an employee of Brave.
None of what has been said about the page would I consider “knowledge”, as it seems to be based on mere opinions.
Dear fellow EOSer, can we stop arguing about the trustworthiness of Brave, please? They HAVE proven to do shady stuff, they DO advertise their crypto stuff, they are NOT trustworthy - period.
Well, you are arguing about the trustworthiness of Brave while asking people to stop arguing about the trustworthiness of Brave.
That said, I agree with you that Brave, given its history of doing some really inexcusable stuff (on the level of Canonical selling your desktop search queries to Amazon), is not trustworthy. I wouldn’t use it, just like I won’t be using Buntu or snapd any time soon, but in relative terms, I trust it much more than, say, Opera, Vivaldi, Chrome, or Edge.
IMO, that would only tell you if they are correct. Determining if they are biased is not something a code audit can tell you. Bias is a complicated issue in general.
No. Absolutely not.
It is a site that tests browsers and gives an appearance of being objective. That information should be prominently displayed on the front page.
Further, it is buried on the about page near the bottom. Unless you take the time to read the entire about page you wouldn’t see it.
I beg to differ.
To me it is not “buried” as you choose to qualify it.
And it is not that the “About” page is several hundred lines of text.
Reading:
Full disclosure and transparency
(Updated June 2022)
This website and the browser privacy tests are an independent project by me, Arthur Edelstein. I have developed this project on my own time and on my own initiative. Several months after first publishing the website, I became an employee of Brave, where I contribute to Brave’s browser privacy engineering efforts. I continue to run this website independently of my employer, however. There is no connection with Brave marketing efforts whatsoever.
I am committed to maintaining this website’s accuracy and impartiality. It is my goal not to promote any browser here, but rather to offer objective test results for all browsers that encourages a general improvement in privacy across the industry.
By keeping this project fully open source, I endeavor to provide the maximum possible transparency and verifiability of the tests and results. Anyone who wishes to check the results can clone the git repository and run the browser tests independently. Ideas for additional tests, or code (pull requests) for additional tests that provide further insight into browser privacy, will be gratefully accepted.
I get the impression that the person running the site is quite open-minded and open for suggestions.
If the information being “buried” is the reason to come to the conclusion that the site is untrustworthy, non-objective or biased, perhaps you could make a suggestion to the developer?
As said before, I respect your opinion in this regard but only as such.
These results do seem correct to me, I don’t think they were falsified. However, they could have easily been cherry-picked so that only the categories that Brave excels in are taken into consideration. But even with that, I don’t think anyone is disputing that Brave is a well-made privacy-focused browser and I don’t think it is at all surprising that its performance in such tests is impressive.
The problem with Brave is not with the browser’s capabilities, but with the trust that the company has violated on multiple occasions in the past (stuff like literally changing what you type in the address bar to take you to an affiliate link).