This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

How to stop autoupdate of brave? #1877

Closed
luixxiul opened this issue May 23, 2016 · 35 comments

Comments

@luixxiul
Contributor

luixxiul commented May 23, 2016

From support

is there a way i can stop autoupdate of brave?

Related: #10863 - Throttling autoupdate

@bbondy
Member

bbondy commented May 23, 2016

for security reasons, no I don't think we should do this.

@bbondy bbondy closed this as completed May 23, 2016
@johnmarzan

i have an old computer. at least make it an option to turn the autoupdate on or off.

@bbondy
Member

bbondy commented May 23, 2016

@johnmarzan why is the old computer not capable of getting updates? Or why are the updates unwanted there?

@ghost

ghost commented May 24, 2016

I think if a user decides to stay for some time with a special version for some reason, it should be possible for them to do so. Taking away that control from a user is in my opinion not a good thing at all.

@luixxiul
Contributor Author

luixxiul commented May 25, 2016

In this case at least something like EOL should be added/displayed, making sure that it's the user who is responsible for an incident. I myself am not for it though.

@ghost

ghost commented May 25, 2016

Today's software is taking more and more decisions away from the user's control. Even if some think it is a bad idea to give users certain choices, this could make the difference if the user is using a software or not.

Most people do know what they are doing and why they are doing it. Especially advanced users have their reasons for doing something.

@luixxiul luixxiul removed the privacy label Jul 13, 2016
@luixxiul
Contributor Author

From support:

I'm fine to update when I'm home. When I'm in the field on 3G getting 348kbps or less I'm not keen to wait for your download to complete before I can get my work done.

Is it worth reconsidering or not?

@luixxiul
Contributor Author

luixxiul commented Jan 9, 2017

@bbondy
Member

bbondy commented Jan 9, 2017

I'd suggest a new issue for adding options for throttling or only do updates in certain connection types, but not disabling.

@stanleyxu2005

As this is an open source software, I believe people can disable the update check and rebuild the software. If the official channel provides such an option to do this, this will be very easy for all of us.

@luixxiul
Contributor Author

luixxiul commented Aug 8, 2017

As this is an open source software, I believe people can disable the update check and rebuild the software.

+1, and that's why the official channel won't provide the option.

@cnst

cnst commented Sep 8, 2017

This is an important issue that should be addressed, especially in something like Brave, which aims to cater to the privacy- and security-conscious individuals.

If folks want software that does not belong to them, and does whatever the hell it wants, there are already "good" options for that -- Chrome is the best for being out-of-control, for that matter.

Doing an autoupdate without the possibility to disable may as well be another attack vector for vulnerable individuals, as some recent stories have shown that malware was spread using compromised autoupdate systems. (Not to mention the bill-shock for the regular folk that may have tried using a bit of tethering to read an email or two.) Not to mention the extra attack vector on the whole system by randomly popping up requests for password in order to modify /Applications, a pretty neat way to sneak out an attack and replace the binary with a compromised version.

Please provide the possibility to, (0), clearly disable downloading of any updates, (1), clearly disable any sort of pingback mechanism, (2), possibly provide a standalone updater for extra security.

Forcing a blanket autoupdate upon everyone is simply an irresponsible behaviour for a company like Brave, and is very unlike the rationale for Brave's existence in the first place. If someone wants self-modifying and uncontrollable code, many alternatives already exist for that.

@cnst

cnst commented Sep 8, 2017

P.S. Ironically: https://brendaneich.com/2014/01/trust-but-verify/ via https://brave.com/faq/#spyware. How am I supposed to verify the binary if it gets downloaded day and night behind my back, and cries like a child asking permissions to modify itself?

@luixxiul
Contributor Author

luixxiul commented Sep 8, 2017

the extra attack vector on the whole system by randomly popping up requests for password in order to modify /Applications

It would be appreciated if you have a PoC. That will help us to fix that issue, while I personally think it has been prevented. CC @diracdeltas

@kevinlawler
Contributor

kevinlawler commented Sep 8, 2017

@cnst It cuts both ways. Auto-update functionality is an attack vector, but manual updates are an attack vector as well: un-updated software has known, unfixed bugs that can be exploited. The correct way to handle this is to secure the update mechanism as best you can. The other way is to depend on users to manually update when bugs become known. And the possibility that the update process has been compromised remains.

@cnst

cnst commented Sep 8, 2017

@kevinlawler yes, you are absolutely correct. The best solution would be to have it easily enabled by default (possibly with an educated prompt explaining why it's highly recommended before the first update is downloaded), but still have an option to have it disabled (and there is a whole bunch of diverse use-cases for this).

@bbondy
Member

bbondy commented Sep 8, 2017

BRAVE_UPDATE_HOST is an environment variable that can be used to change your update host. It could be used to set an invalid host too.

I don't recommend using an alternate update channel unless you are sure frequent updates will be available that update the browser and chromium base. Otherwise you will be subject to lots of known security issues over time and you put yourself at risk. We don't plan on adding in UI to disable updates, but users can easily adjust environment variables if they really want to put themselves at risk. We are open to providing options for throttling updates in general and throttling on connection types in a different issue.

It's fine to not want new features and be happy with the browser as it was, but you don't get only that when you disable updates. You get "known" security problems. And those build over time. For example, a potential security problem could allow an attacker to escape the sandbox and with a product that allows arbitrary sites to execute arbitrary code in a sandbox, that's a big risk. So don't use the above info and keep updates enabled.

@luixxiul
Contributor Author

luixxiul commented Sep 8, 2017

I opened a new issue for discussion about throttling updates: #10863

@jonathansampson
Collaborator

jonathansampson commented Sep 8, 2017

I receive requests from users fairly often who would like to completely disable auto-updates. I think we should support this, but require a great deal of friction to follow through with it.

If we allow the user to disable auto-updates, it should be a multi-step process that involves discoverability issues and more. No user should ever accidentally opt-out, or be beguiled into opting out.

Modifying BRAVE_UPDATE_HOST may be the solution here. Though we'd want a way for the user to opt-in at a later time, without having to hunt down the original value.

@diracdeltas
Member

diracdeltas commented Sep 8, 2017

i think if you just DNS sinkhole https://brave-laptop-updates.global.ssl.fastly.net (https://brave-download.global.ssl.fastly.net on windows) it'll block autoupdating

i feel that being able to figure out how to do this is a sufficiently high bar for users who want to turn off autoupdating (to prove they know what they're doing and understand the security implications)

@cnst

cnst commented Sep 9, 2017

Thanks for the pointers on the temporary workarounds for this.

TBH, I don't particularly like these workarounds. Both are quite intrusive to the whole system, and neither one sounds particularly straightforward, permanent or reliable, either:

  • It's unclear where BRAVE_UPDATE_HOST would be specified in OS X (unless launching Brave from Terminal, although from the looks of it, this might not even be related to environ(7) anyways), and what should the most correct ‘invalid’ value be.
  • Moreover, if doing the DNS hijacking, and using SOCKS (without local DNS leakage), then the local /etc/hosts is unlikely to have any effect by design, so, then it becomes a matter of too many variables. (Not to mention that overriding brave-download.global.ssl.fastly.net (as per BRAVE_WIN_UPDATE_HOST) to disable autoupdate on Windows sounds problematic for manual download of the updates as well.)

I don't understand your aversion to a simple setting for this, or why it must be extraordinarily difficult to disable updates. It's very clear that a significant number of users do claim to have use-cases for this, and are in your target market. Just because in the old days there was no update mechanism at all, is not a good reason to force people into mandatory updates today. Remember, it's called User-Agent; it's supposed to do what the user tells it to. And, as @jonathansampson attests above, the users clearly do want to have a choice in the matter.

Please don't be just like another Chrome. Mozilla does let you officially disable autoupdates, and it's a great feature to have, including for security reasons, too, depending on your threat model.

@diracdeltas
Member

diracdeltas commented Sep 9, 2017

@cnst i agree with you on giving users as much agency as possible. if you want to understand my aversion to adding it, i would say the following:

  1. we are a finite team of developers with finite time, and we do have to prioritize the implementation of certain features over others
  2. there is some design/language work and user research needed to make sure that the UX doesn't mislead users into turning off auto-updating without understanding the security risks. (keep in mind, most people don't know their own threat model.)
  3. there is some additional per-release QA cost (either automated or manual) needed to make sure that this feature works and doesn't regress

having said that, we are an open source project so volunteers can submit PRs or otherwise work on any of the above.

all of the above, combined with the fact that this feature is already possible for a significant percentage of its intended audience via DNS settings, makes it low priority for me right now.

@luixxiul luixxiul added priority/P5 Cosmetic. Spelling, copy, layout. New features (which should also be part of an initiative). and removed priority/low (deprecated) labels Sep 14, 2017
@luixxiul luixxiul removed the priority/P5 Cosmetic. Spelling, copy, layout. New features (which should also be part of an initiative). label Oct 13, 2017
@fizzyfrosty

After using Brave for some time and seeing the recent release of buggy versions in 19.X, I absolutely see a need for disabling auto updates. In 19.70, shift+ctrl+tab is broken, so as a power user, I cannot use my hotkeys to navigate Brave. This makes the product unusable for me. I've had to manually downgrade each time in order to "fix" the software accidentally autoupdating to a version with newly-introduced bugs. I am only doing this because I want to keep using Brave to test. Had the browser forced an auto-update on me without choice to decline, I would be forced to discard it completely until those issues were addressed.

@Leopere

Leopere commented Dec 2, 2017

The upgrade function is far too noisy and broken: every single time I hit the update button, it closes my whole browser and restarts the whole thing and refuses to stop showing up every single time. I really don't want to have to block access for this thing to upgrade, but if it can't upgrade itself silently in the background and wait for me to close it naturally, call me when you fix it. I can't handle having decisions made for me, especially if they include bugs that are forced on you.

@jonathansampson
Collaborator

@Chamunks Can you share the contents of about:brave?

@petereit

petereit commented Feb 6, 2018

The 0.20.30 version of Brave is broken on Windows for me because of the proxy issue. I have to reinstall v0.20.27 to be able to use it. Every time it auto-updates to v0.20.30 I have to go back and reinstall v0.20.27. So now I'm faced with two options: continually reinstall v0.20.27 or just stop using Brave entirely until the Windows proxy issue gets fixed.

I understand the desire to force auto-update, but I believe it should be shelved until Brave goes to full 1.0 version release. As long as Brave is in beta, please allow us to turn off auto-update.

@bsclifton
Member

cc: @davidtemkin ^^

@diracdeltas
Member

@bsclifton @davidtemkin the proxy issue is covered in #12959

@Leopere

Leopere commented Feb 9, 2018

I uninstalled Brave due to this problematic decision. Firefox Quantum is sufficient and faster.

@cnst

cnst commented Feb 11, 2018

I mostly stopped using and recommending Brave, too; very disappointing that Brave keeps shoving Google-inspired autoupdate malware down my throat; and with Firefox Quantum, the JavaScript bloatware is easily blocked, too (they call it Tracking Protection); all the fewer reasons to use Brave.

@erhhung

erhhung commented Mar 12, 2018

I too have the proxy issue on Mac, and #12959 doesn't describe how to disable autoupdate on a Mac. It's ridiculous to have to reinstall an older version of Brave every morning (because it crashes consistently when I unplug external monitors from my MBP due to who knows how many other bugs) just to read a single page. And silly me for being stubborn and still trying to use Brave in the first place!

@jjiimm64

I also am about to uninstall Brave permanently. I do not want my browser updated unless I ask for it.

@bsclifton
Member

For folks wanting to disable updates, here's a quick hack you can do:
Open your hosts file in your editor of choice (C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Linux/macOS) and add the following entry:
0.0.0.0 laptop-updates.brave.com

By making that hostname un-routable, you won't get updates unless you choose to download them from https://brave.com/download/

@dimqua

dimqua commented Nov 11, 2018

I found that the current version uses go-updater.brave.com AND laptop-updates.brave.com hostnames for auto-update checks.
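Added example, not part of any comment in this thread and not Brave project code: a Python sketch that audits hosts-file text for entries overriding the update hostnames named in the comments above, so an administrator can spot machines that have stopped receiving browser updates. The function names and the sample hosts file are assumptions constructed for illustration.

```python
import ipaddress

# Hostnames named in this thread as Brave update endpoints.
UPDATE_HOSTS = {
    "laptop-updates.brave.com",
    "go-updater.brave.com",
    "brave-laptop-updates.global.ssl.fastly.net",
    "brave-download.global.ssl.fastly.net",
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:  # one address may carry several aliases
            yield addr, name.lower()


def find_update_overrides(text, watched=UPDATE_HOSTS):
    """Return {hostname: (address, kind)} for each watched host the file overrides."""
    findings = {}
    for addr, name in parse_hosts(text):
        if name in watched and name not in findings:  # keep the first entry
            sink = addr.is_unspecified or addr.is_loopback
            findings[name] = (str(addr), "sinkholed" if sink else "redirected")
    return findings


# Constructed sample hosts file, not taken from a real machine.
SAMPLE = """\
127.0.0.1   localhost
# 0.0.0.0 go-updater.brave.com   (commented out, has no effect)
0.0.0.0     laptop-updates.brave.com   # added by user
::1         Brave-Download.global.ssl.fastly.net
203.0.113.7 go-updater.brave.com
"""

if __name__ == "__main__":
    for host, (addr, kind) in sorted(find_update_overrides(SAMPLE).items()):
        print(f"{host}: {kind} -> {addr}")
```

A hosts-file audit says nothing about lookups made through a SOCKS proxy with remote DNS, the case raised earlier in the thread, nor about an overridden BRAVE_UPDATE_HOST.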

@Luomint

Luomint commented Apr 5, 2019

I found that uninstalling Brave after it completely and unexpectedly killed my internet connection until I found the auto update process running in the background solves this problem as well.

@brave brave locked and limited conversation to collaborators Apr 5, 2019