Yesterday, Brave announced that they are testing out an agentic AI browsing mode in Brave Nightly - the official testing build of their browser. Users can now test out this feature before it is implemented into regular releases.
Hopefully they don’t mainstream this feature, or at least make it non-default if for some reason this feature gets released.
I personally don’t understand why people would like to browse the Web using AI if we have hands (or feet) and common sense to browse the Web as we do everyday, since the existence of the Internet.
I cases like people with disabilities, there are better, secure and private ways to browse the Web like using text to speech, for example. I don’t see the use of AI navigation on browsers even if they may help disabled people or the AI models used may have an obviously non-perfect prompt injection protection.
Because humans are, like all living things, fundamentally lazy. The reason we’ve been fine browsing the web in its current state isn’t because it is the “best” way to do it. It has simply been the easiest way so far. If presented with a shortcut, most people will take it as long as it gets them a good enough result. Whether that “good enough” is actually good though is not something a lot of people seem to care about.
Take for example this conversation I had with someone last night. They heard on a podcast about a strange Roman execution method. Thinking it sounded improbable, and knowing that I’ve read a quite bit about Rome, they asked if I’d heard about it. I said no, it sounds very unlikely so it it’s probably made up. They then asked an AI-bot the same question and got the same answer. Good enough, case closed.
They did not wonder—like I did—what the bot’s sources were. The bot gave them the answer they were looking for and they judged that it seemed true since it confirmed what both they and I thought. Me arguing that the bot’s answer is useless unless you check the sources just fell on deaf ears. They were not “writing a university paper”, so what does it matter what the bot’s sources were? They just wanted a simple answer to their question. If they could get it without having to put in any effort? All the better.
Like it as not, AI-bots are here to stay because most people like and want them.
Anyway, thanks for coming to my TED-talk. If you’ll excuse me, I’m going to go yell at some clouds now.
Its called Path of least resistance (Path of least resistance - Wikipedia)
This agentic browsing is not meant for you to have AI browser for but for it to do things on your behalf instead. To act as your agent in your stead for an activity.
isn’t prompt injection an inherent vulnerability of LLMs because models lack a built‑in separation of instructions and data? https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
also, doesn’t isolation still not stop the ai from misinterpreting actions? also wouldn’t prompt injection still influence the agent’s planning phase?
iirc alignment checkers can’t ensure that the LLM’s actions are what the user wanted to do.
prompt injection stuff can leak data through side channels, right?
overall, in my opinion, this is a bad idea. brave shouldn’t be making experiments that compromise their browser’s security.
That’s exactly Brave is trying to accomplish and doing it right and better than any other player in the industry. Brave is privacy and security conscious. So, if people are going to want to use agentic browsing, I’d rather them use Brave’s (once it is a lot more mature that is).
you did not address anything in my reply except restate “brave’s agentic browsing is secure”.
I addressed what I could/wanted to. And I am not saying Brave’s is secure. It is what they are trying to do and ensure. It may eventually be but I am not an authority on this.
if they are really trying to be private and secure, they wouldn’t try to make a feature which increases attack surface.
Are you speaking from a point of an authority on the matter?
Also, what I meant was they seem to be doing this in such a manner that it doesn’t necessarily increase an attack surface. And even if it does, there are safeguards built in. This is a developing feature. I don’t exactly know how it’s all going to be or look like.
no, I’m not, i just pointed out rather well-established security risks of ai agents. any agent that can read untrusted web content and then plan or act based on it inherently expands the attack surface.
please see my earlier reply for more explanation on what my standpoint is.
experimentation is fine, but from a security standpoint the default position should be skepticism until brave’s mitigations are demonstrated against advanced methods. it shouldn’t be inferred from brave’s reputation nor should it be from their intentions.
The agentic AI sits behind a feature flag, has to be invoked manually by the user and opens in a new profile so I don’t think that creates any additional attack surface.
Knowing Brave they will probably keep the Chrome flag to disable the feature completely if you so choose.
Well that’s the state of the (IT) world, if you want 100% security you have to live in a cabin in the woods far far away from any electronics.
Since everything can be exploited given enough time and resources the only thing that matters for most people is that a feature is secure enough so that it doesn’t make sense economically to exploit it on common people, pretty much the same as Chrome 0-days worth $millions are not used on just everyone.
Brave also stated that they deliberately chose a “careful approach to releasing AI browsing in the Brave browser and [are] soliciting input from security researchers”.
Personally I am fine with this approach, the ability to turn it off etc.
Asking for AI browsing to be kept from a browser completely is unreasonable IMHO as this can be a very useful feature for the user and the majority of users probably do want this in their browser.
i didn’t say anything about 100% security. my point was that agentic browsing inherently increases attack surface and therefore needs skepticism. please do not use strawmans.
“everything can be exploited” it appears you misunderstood me. security work is about comparing risks, not denying that risk exists. the question is whether a new feature introduces new classes of vulnerability or makes certain failures easier or more likely, and agentic browsing does the former.
high-value browser exploits (like chrome) are expensive because they target hardened, low-level stuff. many agentic failures do not require a traditional exploit at all, because prompt injection, misalignment, and induced misbehavior can be cheap, scalable, and effective without needing to find some complicated sandbox bypass or some way to create memory corruption.
brave explicitly said that agentic browsing is inherently dangerous, that prompt injection is unsolved, and that safeguards reduce but do not eliminate the risk. they acknowledged that it increases risk.
once more, my point was that experimentation is fine, but security shouldn’t come from a browser”s intention, reputation, or popularity.
In your opinion, would having the agentic browsing feature in Brave but disabled (or rather not enabled via opt-in) add any significant attack surface to the browser?
i mean, from a formal security standpoint, i would say some attack surface. the code exists, is compiled, and ships with the browser. and for example, any vulnerability that allows the attacker to enable the flag, or memory corruption that enables it could, in principle, make that code reachable. that’s why security engineers still count non-enabled features as attack surface, even if the risk is low.