Why does Brave constantly phones back to Google on UDP 443?

I believe this to be odd because that URL is not found in Chromium or Brave’s source code. As such, these calls likely derive from something other than the browser’s internal code (e.g. a loaded page, extension).

In this case, the URL you provided (i.e. li-in-f113.1e100.net) has been reversed-mapped to google-analytics.com, based on some cursory searching. Brave blocks calls to google-analytics.com by default; if you’re seeing those, you must have lowered your shields, or something else is not working as intended within Brave.

We don’t presently offer a portable version of Brave. Did you download this build from portapps.io? Note that that build does some work to achieve a portable status; it disables encryption on Windows, and the generation of a machine id. I don’t see any tests associated with these commits, so it’s entirely possible that while these changes enable portability, they may break some of Brave’s third-party blocking logic.

Two final things to note: version 1.17.75 was released more than a month ago, on 03 December, 2020. Anytime you’re on an older build, there’s an increased chance that some things will not work as intended. In this case, you’re not terribly behind, so it is less likely that this would be the cause.

The last thing I would like to suggest is reviewing your need for The Great Suspender. That extension was recently the cause of much concern among users, after it moved to a new maintainer. Users report that after the extension was sold, remote code execution was added, which was responsible for fraudulent activities, and tracking.

Based on what we’ve covered here; I don’t believe this call originates from Brave’s code, or Chromium’s. Again, it’s not found in the source for either (see first paragraph) for links.

Because you are using an unsupported build, with little-to-no complimentary tests, there is a good chance something could be broken. You also happen to be using an extension which was recently found to have exchanged hands, engaged in remote-code execution, and tracking. I suspect the answer is within this last set of details.

The fact that that specific domain is not found in the source code is not a guarantee - the call can be done by IP or a range of IP’s, it’s just that firewall automatically resolves those IP’s to help the user make a decision. And IP’s don’t need to be hard-coded either, they can be received as a list on startup from some other network call.

Plus, as I mentioned, I’ve seen the same requests from all sorts of Chromium-based browsers, for example Vivaldi, so it’s not likely that it is caused by something else. Turning both extensions off in Brave didn’t solve the problem.

I will install a fresh latest build of Brave and will report if the problem persists or not.

By the way, some people on this forum regularly use Little Snitch (which I consider reliable) for macOS: nobody has reported this behavior.

Interesting. I will get back to you once I have the time to install the latest Brave and test it.

Another fact in support of the engine sending these requests, is that when I disabled QUIC in settings, those requests turned from UDP to TCP. This is a deeply-embedded setting in the Brave’s engine.

Unfortunately I cannot install fresh Brave right now as it seems Windows installer cannot download anything at the moment. And even simply opening one of the urls it tries to connect to - https://server-13-32-143-44.hel50.r.cloudfront.net for example - returns ERR_SSL_PROTOCOL_ERROR. Not sure if it’s a global or local problem…

Are there any Windows binaries I can download directly? I couldn’t find anything.

I tried with two new firewalls on Windows but they didn’t catch any connections to that host. I believe it’s an issue on your machine.

This is a weird issue. Why then it changed from UDP to TCP when I changed Brave settings? If it’s something on my machine, then it should send the same type of requests.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.