by zodzedzi 1521 days ago
I use DDG as my default search engine, along with NoScript in the browser. Often when I visit a new website, I peruse the (long) list of domains that the site is trying to pull javascripts from.

I keep most of those source sites in UNTRUSTED status (including some of the big names in search/ads/etc). But I've always had DDG in the TRUSTED category because I had only seen its javascript before on the main DDG website.

(Unfortunately NoScript has a limitation that you can't tell it to "only TRUST javascript from example.com when I'm visiting example.com").

But recently I started noticing some websites pulling javascript from DDG (I don't remember which sites).

So now I was wondering if DDG is getting into the tracking business, since they're now having their javascripts load from third party sites.

Obviously this is anecdotal. But does anyone know if they are indeed beginning to track?

8 comments

> (Unfortunately NoScript has a limitation that you can't tell it to "only TRUST javascript from example.com when I'm visiting example.com").

uMatrix (which I'm using in desktop Firefox) works exactly like this. Plus it allows you to forbid/allow cookies, styles, images, scripts, media, XHR, and iframes separately (for each origin/domain).

uBlock Origin in advanced mode also supports this (although only scripts/frames/images, not the full uMatrix list).
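The "trust example.com only when I'm on example.com" rule the thread is after, written in the rule syntax of the two extensions mentioned in the comment above. This is an added illustration, not text from the post or from the extensions' authors; the hostnames are the ones from the thread, and the rules should be checked against each extension's own logger before relying on them.

```text
# Added example (not from the original post). Both extensions use
# "source-hostname  destination-hostname  type  action" lines in their "My rules" tab.

# uMatrix: block DDG scripts on every site, then re-allow them only when
# duckduckgo.com itself is the top-level site.
* duckduckgo.com script block
duckduckgo.com duckduckgo.com script allow

# uBlock Origin (advanced user mode, dynamic filtering): hostname-based rules
# take "*" as the type. The global rule blocks requests to duckduckgo.com from
# any site; the site-specific (local) rule overrides it on duckduckgo.com.
# "noop" hands the decision back to the static filter lists instead of
# forcing an allow.
* duckduckgo.com * block
duckduckgo.com duckduckgo.com * noop
```

With either extension, the network logger will show the duckduckgo.com request as blocked on a third-party page and as allowed on DDG itself, which is the quickest way to confirm the rules are being applied in the intended order.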
Ok I'll set it up sometime soon and give it a try. Thanks.
It's officially deprecated, but it still works.

https://github.com/gorhill/uMatrix

Any alternative to uMatrix?
Isn’t that non-origin?
The origin/non-origin difference only applies to uBlock Origin, not uMatrix.
Ahh, good to know. Thanks.
uMatrix really is the best dead extension. I still hope someone will revive or recreate it (or add the same interface to uBlock or one that is just as good).
I run uMatrix and have noticed some DDG showing up on other sites as well. The sites in question appeared to be (at least ostensibly) using it as a "can I reach the internet" sort of check. If I blocked requests, it would say something to the effect of "no connection detected." I wish I could remember which sites they were, but I do remember seeing at least one call to improving.duckduckgo.com from a 3rd party.
Ok interesting. I'll try to find those sites I encountered again and check it out with uMatrix.
Isn't umatrix dead/unsupported since like a year or so ago?
Unsupported, yes, but so far there is no adequate replacement and it remains the best we have.
> Unfortunately NoScript has a limitation that you can't tell it to "only TRUST javascript from example.com when I'm visiting example.com"

I was under the impression that the custom option allowed this. Am I misunderstanding the point of this option?

I see "Custom" allowing you to choose which elements (frame, fonts, etc.) to allow/block for the domain you're configuring.

But it doesn't offer the ability to say "apply these settings to the domain example.com only when I'm visiting example.com, and not when I'm visiting anotherexample.com which happens to load JS from example.com".

Maybe I'm still misunderstanding, but when configuring the domain in the custom settings, it does allow you to limit the custom rules to only the site you're currently on, via the "Enable these capabilities when top page matches" dropdown. The default is "ANY SITE".
I don't see any of these options in my plugin. I have NoScript 10, and it looks like there is a NoScript 11 out there; is that what you have? Maybe the feature was introduced in 11 and I'm missing that update; checking their changelog now...

Edit: Correction - I do have NoScript 11; but don't see those options.

I think you nailed it - I am indeed on 11. So good news! It looks like NoScript is attentive to user needs.

Edit: seeing your edit - the plot thickens. I'm on 11.4.4 - any difference there?

I had 11.2.11.

And you're right, according to their changelog [1], they added it in 11.3.

>> v 11.3rc1 + Contextual policies (different capabilities for the same origin, depending on the top-level domain) configurable in the CUSTOM panel (thanks NLnet for financial support)

Woohoo!

Thanks for following up and making me look, I now have a better setup!

[1] https://noscript.net/changelog/

Can you give us a list (or partial list) of sites that are pulling scripts from duckduckgo? We can look at what they're trying to do.
I don't remember the sites; I'll try to find them again, and will share here if I do.

I remember seeing 3 sites within an hour, and deciding to change the DDG setting to TEMP:TRUSTED afterwards.

The nice thing about DDG is that if you're willing to sacrifice some functionality it can still be used without JS at all (which is how I use it)
> So now I was wondering if DDG is getting into the tracking business

Anecdotal of course, but I've been seeing more and more DDG billboards. Those things aren't cheap, and my trust in them has declined the more I see them advertise in the traditional market.

So where does one go from here for everyday search? Google is out. Bing has many of the same problems as Google. Startpage blocks my VPN. Brave has always felt just a little "off" to me, but maybe they're worth a try. Any others I've missed that are worth looking into?
I found Kagi[0] from somewhere on HN -- they make pretty strong privacy claims, and are in a closed Beta stage right now (you can give them your email, and they'll send you a signup link within a week or two). They're planning to charge a fixed rate for their search engine once they're out of beta later this year.

So far, it seems to be working really well for me! Results are pretty excellent, and they support the DDG bang queries (like `!g`) if you ever need it

[0] https://kagi.com/

How do we know these privacy claims are true? What if Kagi was Chinese or Russian, would you still trust it and why? And how do we know Kagi doesn't end up the same way as DDG?
(Kagi dev here)

Kagi is a privately owned US corporation.

> And how do we know Kagi doesn't end up the same way as DDG?

Being a paid service means Kagi's incentives are very different. Instead of selling your data or profiting from feeding into the ad-tech food chain, we are interested in selling you a subscription. This changes everything, as the number one thing in Kagi's universe becomes what the users want, different to DDG, Google and other ad-supported search engines.

> How do we know these privacy claims are true?

Sadly I can not think of a way to verify them (let me know if you have one). But most plainly, we have no incentive or reason to do otherwise. Note that the only private information Kagi asks of the user is an email address, needed to create an account, and those concerned can use whatever email they want.

Thanks for the explanation.

> But most plainly, we have no incentive or reason to do otherwise.

One reason is: to improve your services. Other reasons could appear over time.

> Sadly I can not think of a way to verify them (let me know if you have one).

The privacy claims could be verified by recurring external audits.

One way for Kagi to have more incentive to protect the privacy of their users would be moving to the EU, where the laws are much stricter.
I trust Yandex more than I trust Google, because Yandex doesn't give a shit about me. I'd certainly use an English-language Chinese search engine.
I second this. I use this full time now. A helpful HN user told me about hyperweb for iOS which I use to make Kagi my fulltime search engine on iOS. I have been VERY happy
> they'll send you a signup link within a week or two

Is it though? I think I've been on the wait list for a few months now.

$10 per month (last heard), if they plan to start charging.
I'm biased so here's an independent take on your options: https://seirdy.one/2021/03/10/search-engines-with-own-indexe...
Set up searx and aggregate results from the ones you want (e.g. startpage you can route through a different proxy or vpn). Lets you clean out the crap and rewrite redirect urls to the original ones, etc.
Yandex is pretty good for image searches.
If they stick with billboards for advertising, I personally don't mind it. The issue to me is with tracking-based advertising(/anything).
I actually noticed that the quality of the search dropped (from pretty much parity with google sans-cookies), then noticed the new billboards and radio ads afterwards. I've seen tv commercials since.
Suck Suck Blow has many redeeming features. One that's GOLD imho:

duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/

Running a hidden service is just so jolly gentlemanly. And it works in the total absence of JavaScript and no matter what utter lies I tell it about my randomised-per-request UA, and cookie black holes. The obvious dark side is that it's closely connected to Amazon.

We don't use third-party scripts on our site and I don't know of any sites using our scripts either.
ublock doesn't correctly show beacons and pings

beacons and pings fired upon activating a link, happen after the document change, so ublock associates them with the new document, even though they are initiated by the old document