Re: Duckduckgo Privacy Essentials


Emerald Shilts

Jul 9, 2024, 11:08:54 AM
to isinalen

DuckDuckGo Privacy Essentials is a browser extension that allows users to browse the internet privately. The extension is available for all leading web browsers, including Chrome, Firefox, Microsoft Edge, Opera, and Safari.

duckduckgo privacy essentials


Download > https://urllie.com/2yOrh6



However, DuckDuckGo Privacy Essentials doesn't let third-party scripts (i.e. trackers) from Google, Facebook, and other companies load, preventing those companies from collecting your IP address or any other type of identifier.

Smartphone users can download the DuckDuckGo Privacy Browser on their devices to search and browse privately. Android users can download DuckDuckGo Privacy browser from Google Play, and iPhone users should visit the App Store to download it.

The first-party trackers, which enable the site owners to track users, are helpful to both users and website owners. This is because first-party trackers help site owners improve the user-friendliness of websites.

However, third-party trackers, which belong to services other than the websites you visit, are creepy. These trackers collect your personal data for multiple reasons, such as analytics, advertising, social media, and more.

In short, third-party trackers are like someone who makes notes on what you do when you visit somewhere. Would you let anyone do that in real life? If not, why do we let them get away with it online?

Safari does well when it comes to privacy as it has many essential features to enhance privacy. Users have options to block cross-site (i.e. third-party) tracking and hide IP addresses. Safari also allows users to make DuckDuckGo Search a default search engine.

DuckDuckGo Privacy Essentials browser extension will enhance Safari's tracking protections on sites you visit. And it will allow you to access the DuckDuckGo Privacy Board within the Safari browser.

This privacy board will let you know the Privacy Grade and other privacy metrics of the websites you visit. The Privacy Rating Grade goes from A to F. The Privacy Grade "A" means the websites you are visiting are excellent at protecting your privacy. And the Privacy Grade "F" represents the poor performance of websites in terms of protecting visitors' privacy.

In a nutshell, DuckDuckGo Privacy Essentials makes privacy simplified on Safari. Two private tools, Safari and DuckDuckGo Privacy Essentials, working in tandem, can better protect your online identity.

Close the Safari browser, and open the App Store on your Mac. Search for "DuckDuckGo Privacy for Safari". Click on the DuckDuckGo Privacy for Safari app, then click on the Get button.

Click on Install. Your Mac will ask you to either use your Touch ID to authenticate or type your password, depending on your Mac's settings. Once the authentication is done, the installation process will commence and finish quickly.

Open Safari, and go to the Settings menu. Click on the Search tab, and make DuckDuckGo your default search engine to search privately if you haven't done that already. You can get faster results in DuckDuckGo with search operators.

Open the Safari browser and visit any website. You will see the Privacy Grade of the website in the Safari browser itself. Click on the Privacy Grade of the website you have visited. The Privacy Dashboard will open to show you details about how DuckDuckGo privacy essentials is enhancing your privacy.

So what if you decide it's not for you? You can easily uninstall DuckDuckGo Privacy essentials too. Go to Safari's Settings menu, and click on the Extensions tab. Uncheck Privacy Dashboard and Privacy Protection in the left sidebar. Then close the Settings window.

Along with Safari's in-built privacy protection (as well as the privacy controls other browsers offer), this easy-to-add browser extension will offer you reliable privacy. Consider using a reputed Virtual Private Network (VPN) on your device to improve online privacy and security further. You can also explore other anonymous browsers like Tor for private browsing.

A few months ago I looked into the inner workings of DuckDuckGo Privacy Essentials, a popular browser extension meant to protect the privacy of its users. I found some of the typical issues (mostly resolved since) but also two actual security vulnerabilities. First of all, the extension used insecure communication channels for some internal communication, which, quite ironically, caused some data leakage across domain boundaries. The second vulnerability gave a DuckDuckGo server way more privileges than intended: a Cross-site Scripting (XSS) vulnerability in the extension allowed this server to execute arbitrary JavaScript code on any domain.

Both issues are resolved in DuckDuckGo Privacy Essentials 2021.2.3 and above. At the time of writing, this version is only available for Google Chrome however. Two releases have been skipped for Mozilla Firefox and Microsoft Edge for some reason, so that the latest version available here only fixes the first issue (insecure internal communication). Update (2021-03-16): An extension version with the fix is now available for both Firefox and Edge.

In case of DuckDuckGo Privacy Essentials, the content script element-hiding.js used this to coordinate actions of different frames in a tab. When a new frame loaded, it sent a frameIdRequest message to the top frame. And the content script there would reply:

When extensions load content scripts dynamically, the tabs.executeScript() API allows them to specify the JavaScript code as string. Sadly, using this feature is sometimes unavoidable given how this API has no other way of passing configuration data to static script files. It requires special care, however: there is no Content Security Policy here to save you if you embed data from untrusted sources into the code.

Note how agentSpoofer.getAgent() is inserted into this script without any escaping or sanitization. Is that data trusted? Sort of. The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.com. So the good news is: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider) or by anybody else who gains access to that server (hackers or government agency).

For those of us who don't speak programming languages and have no idea how Java works, and don't use browser extensions but instead just use websites, is DuckDuckGo actually private or not, and if not then why not?

For you, the important part is: both vulnerabilities have been fixed, fairly quickly as well. The remaining issue is that there has been no release on Firefox or Edge since January. But if you use Chrome then you are fine.

Thanks for responding Meenakshi. Here is a screenshot. This is happening with both Safari and Firefox/DuckDuckGo. I use Adobe Reader DC. My DuckDuckGo 'privacy essentials' shows dpm.demdex.net as the only adblocker.

We are integrating the HubSpot tracking code into our SPA. While iterating in development, our workflow fires up a local environment with live reload, etc, and it all works using localhost. There does not appear to be a way to track page views for test users in HubSpot when the tracking code loads and fires events from localhost. Is there a way to do this?

My current workaround personally is a fake subdomain (dev.) in my local hosts file that points to localhost and that fake subdomain is configured within HubSpot's reporting advanced tracking as an external site domain, but we'd prefer to not change our current development workflow to accommodate that workaround.

There shouldn't be any setting preventing this by default; the only other thing that might interfere would be if you had the "Limit tracking to these domains" setting turned on, but I can see that you do not.

I actually spun up my local server and internally logged into your portal, and I was able to trigger some analytics page view info to appear with localhost info. Can you take a look at the contact record below and let me know if this is showing the data like you'd expect?

I can now confirm that I am seeing my page views when firing from localhost. I wish I could say with certainty what was preventing them in my earlier attempts, but I can point at a couple of improvements to my tracking code integration testing that developed along the way:

2. I had a Chrome extension intermittently causing trouble (DuckDuckGo privacy essentials) that I realized I was better off disabling to ensure the page view call to hubspot.com made it through every time.

I'm not sure I'm clear on the issue here. Is the problem that page views aren't registering in HubSpot? I set up a simple webserver that loads a page with the HubSpot tracking code, and it appears to work just fine. Is it possible that your office's IP address is being filtered from your analytics? (see below)

That's correct. When I run the web server in a local dev environment and visit the page via :8001 (we run on port 8001 in dev) the page views are not registering in HubSpot for an existing HubSpot contact. I add an 'identify' action to the tracking code queue with the corresponding email address. This all works when using a placeholder site domain. It does not reflect on the HubSpot contact activity when loading the tracking code while accessing the page on localhost.

Also, you mention that you're triggering an 'identify' function call, but that function actually just stores the identity information in the tracker. There needs to be a subsequent 'trackPageView' or 'trackEvent' call to actually push the data into HubSpot. Are you doing that as well?

Thanks for continuing to look - and apologies for not mentioning in my last reply that we are not applying any IP filtering at the moment. So unfortunately, I think we can rule that out as the culprit.

I should have also mentioned that we are making the `trackPageView` call within our SPA after each page change to ensure that we are tracking the desired user views within our front end. We fire the `trackPageView` explicitly after the initial js load and that page view has been tracked.
