Has anyone had experience of the DDG app? (https://f-droid.org/packages/com.duckduckgo.mobile.android/) What browser is this based on? Presumably based on Firefox/Gecko, but can’t find any documentation on it. It seems to work out of the box better than IceCat. Any drawbacks privacy/security-wise?
I have no experience with this app, but I use the search engine DuckDuckGo; it is for sure the best search machine for technical searches. One possible issue: it is hosted on Amazon’s cloud server (see here: Cloud Firewall: Block G%§$e, Amazon, Facebbok, Microsoft, Apple & Cloudflare)
Also this browser app seems to be hosted on a non-free server.
I use DDG browser as a primary on one of my Google-free/microG-free ROMs. The browser is webview-based. I realized that on another ROM when I was messing around and had no working webview installed. It and any other app that uses webview would crash.
So yeah, it’s not based on any Mozilla/Firefox/Gecko browser. I believe /e/'s webview is Bromite’s which is preferable to Google’s or the standard Android one due to included privacy features.
I’d like to warn DDG Browser users.
This DuckDuckGo Browser leaked every visited domain to a server.
People freaked out about it and they had every right to do so.
It looked like it was a server belonging to Microsoft, which was used for that favicon feature. I read some not so good things about DuckDuckGo. This case made me think it’s better to avoid them.
The CEO assured they’re solving this:
I like DDG!
I hope it’s not another thing to avoid on an already long list.
DuckDuckGo is not good enough for me, that’s for sure.
I think there are doubts about every tool we all use, from private search engines to instant messaging applications, and of course if you listen to all the articles published on the internet, then there is only one thing to do: go offline and don’t use computers or phones anymore.
Some time ago I accidentally read some articles published by an investigative journalist (Yasha Levine) about the origin of the Tor network and also about OpenWhispers (Signal), and honestly I got scared because it makes me realize that there isn’t really a totally private and safe way to communicate on the internet.
In short, I don’t have the effective tools to decide who is or who is not respectful of Privacy, so I must also rely on those who at least for now are recognized as safe and private … otherwise guys, there’s no way out!!!
I don’t really pay much attention to these types of highly opinionated websites. A lot of the complaints are not even about DDG itself but about the services it relies on, which are known, and that doesn’t necessarily mean they’re “privacy abusers”. Even privacy-focused ROMs like GrapheneOS are based on Google’s AOSP; Ungoogled Chrome is based on Google’s Chromium and services like NewPipe or invidio.us depend directly on YouTube.
Heck, they are even complaining about privacy without serving their site through HTTPS. This is very easy to implement and free!
I fully agree with what this comment from HN says:
They (DDG) started a fire through mild negligence, denied the fire existed, and only put out the fire when the entire neighborhood started yelling.
It was a forgivable-but-negligent decision to write/approve that code in the first place. It was a sign of a bad process that a reported security vulnerability was not escalated to people security-conscious enough to immediately identify this as a major problem.
I don’t agree with the outrage. Anyone who has followed DDG knows they’re legit. They just need to do a bit better. They probably will.
Their main feature is privacy. They should be at least as sensitive to privacy vulnerabilities as their most aware users.
DDG should announce that they now pay out privacy-related vulnerabilities like this and send the reporter $5k. It would be good honest PR and well worth the expense.
The issue was fixed one day later, which is why I still use DDG. This also highlights the importance of open source projects: it’s not that they’re perfect, but issues like this can be noticed, and if the management is good they’ll get fixed. It shouldn’t have been a whole year so I’ll keep an eye on them from now on…
I lost my trust and don’t use DuckDuckGo anymore. I try to avoid US-based services anyway. Learning from news articles of the past, there is a high probability that anything US-related is compromised in one way or another.
Sometimes services emphasize “we don’t collect any personal information” and I just wonder: “Ok, that might be true, but what if someone else is doing that, because it was made possible.” If someone looks closer at this DDG Browser issue, puts together the pieces with the Microsoft server, favicon feature, etc., it looks strange. Very strange. But it’s a free choice; if someone still prefers that company, I’m not the one to make someone stop using its services.
Yeah I was sort of thinking the same… What do they have to say about security…