Does a Duckduckgo privacy equivalent exist for DNS servers?

On 2015-06-14, David W. Hodgins wrote:
On Sun, 14 Jun 2015 12:23:38 -0400, John Hasler wrote:

There are better choices for a caching-only server than BIND, though.

If you only want a caching only name server, that's true. I also want
to be able to use the name server for dns within my lan. It took a
while to learn how to configure bind to do that, but it works. I did
provide a list earlier in this thread of other name servers, most of
which are caching only servers, not suitable for setting up dns within
a lan.

Dnsproxy does that too, It'll also serve all the names in /etc/hosts
to the lan, and possibly also the names announced in DHCP requests.

--
umop apisdn

Jasen Betts writes:
it's have all the top level domains you've used recently.

It'll have all the domains anyone who uses it has used recently.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA

On Sun, 14 Jun 2015 22:07:54 -0300, Shadow wrote:

The "firewall" is also meant to block access to pedophile sites /and/ to
sites that name certain pedophiles.

That's rough. I guess you've never heard of Tony Blair, then ?
He is certainly certain.

I don't get it; probably the language barrier... (?)

--
s|b

On Mon, 15 Jun 2015 19:41:37 +0200, "s|b" wrote:

On Sun, 14 Jun 2015 22:07:54 -0300, Shadow wrote:

The "firewall" is also meant to block access to pedophile sites /and/ to
sites that name certain pedophiles.

That's rough. I guess you've never heard of Tony Blair, then ?
He is certainly certain.

I don't get it; probably the language barrier... (?)

No, a censorship barrier.
Put this in Google:

"Tony Blair arrested twice public toilets"
If you look hard enough, you will recognize him from the
pictures they took when he was booked.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

On Sun, 14 Jun 2015 02:20:20 +0000 (UTC), Werner Obermeier
wrote:

"Mayayana" wrote in :

OpenDNS
Also, 4.4.4.2 is not Google. It's Level3.

Is this correct yet for the recommended DNS servers:
8.8.8.8 (Google - but they probably remember forever)
4.4.4.2 (Level3 - who knows what they remember?)

This may have been corrected in a later post, but the Level 3 servers are
4.2.2.1 thru 4.2.2.6.


208.67.222.222 (OpenDNS - who knows what they remember?)
208.67.220.220 (OpenDNS - who knows what they remember?)

--

Char Jackson

| This may have been corrected in a later post, but the Level 3 servers are
| 4.2.2.1 thru 4.2.2.6.
|

It's easy enough to check these things:

http://www.ip-adress.com/whois/4.4.4.2

IP addresses held by a company are not
necessarily contiguous. The report for 8.8.8.8
also lists Level3 as the registrant but then lists
Google as the "ISP". I don't know what that
means. I guess that maybe Google owns the
address but Level3 manages the low-level,
technical issues for them.

| Google track to where you navigated from their search results by making
| the clickable links into refs links. The link actually goes to Google
| with parameters that specifies the target site from the search result on
| which you click. That way, they could track how many users were going
| to the same site.
|
| For example, on a Google search on "window air conditioner", one of the
| search results (and not a sponsored one) was for Walmart. When you
| hover the mouse over the link using IE, its status bar makes you think
| that link goes directly to Walmart at:
|
| http://www.walmart.com/c/kp/window-air-conditioners
|
| Nope, instead the actual href for the A HTML tag for the link goes to:
|
|
http://www.google.com/url?sa=t&rct=j...95515949,d.cWc

Presumably you've enabled javascript. That's one
of the many good reasons not to enable it. It's
allowing Google to lie to you about what they're
doing by hacking the status bar content. They can't
do that with script disabled. I see the whole, sorry
mess when I hover over a link.

I started seeing Google's tracking redirect some
time ago. I guess probably at least a couple of
years ago. I also don't normally allow cookies. I
don't know whether they bother with the redirect
if one does allow cookies. It seems to function as
basically a cookie substitute. That's one reason I
switched to duckduckgo -- it's tedious to pick out
the real URL in order to thwart Google tracking.

There's also a redirect from the landing page that
most people won't see. I don't remember offhand
which setting made me see that. I think it's
"accessibility.blockautorefresh", which I set to true
to stop two problems: 1) Sites that set meta refresh
to 0 and thus cause an endless loop. (A spiteful action
for blocking script? I don''t know. The only legitimate
use of that technique I know of is for use in an index
page to make indexing of a server folder difficult.)
2) News sites that think it's clever to erase the page
you're reading every few minutes and replace it with
an "updated" one.

In any case, I have to click to allow the redirection
in Pale Moon. This is the landing page after I run a
search:

https://www.google.com/search?hl=en&...ts=&gws_rd=ssl

This is the page Google redirects to:

https://www.google.com/search?q=air+...NeTHsZwvloL4Cw

Note that it's been tagged with what looks like a UUID, in
the parameter "sei", which seems to be a unique ID for that
page. That's not necessarily a bad thing. Such things can
be done for server-side tracking where that's necessary.
But duckduckgo doesn't do it, and their "Next" link at the
bottom of the page doesn't contain any unique ID in the
HREF code.

Also, if you allow permanent cookies or join any of Google's
functions like gmail, you're probably not only tracked but
also shown a personalized page. Knowing that sheds light
on another possibility with the sei parameter: Since the
Googlites try to customize what you see, the UUID makes
sense. If you click the link to look at ACs at Bloomingdales
they know to show you more upscale ads and links on the
next page, rather than Target links or ads. For the duration
of that search session Google can build a profile of you.

That's another problem with online spying that's not talked
about very much: The dubious "feature" of personalized pages.
If I search for an AC I want to know about ACs. I don't want
to just see what Google's formulae determine that I want to
know about ACs. I read recently that Facebook is even picking
what new items will surface in one's "feed", based on how much
time has been spent reading various articles. The idea is not
to help people reach their friends. It's simply to keep everyone
on Facebook as long as possible. So "feed" is actually a good
term. Like cows: Food goes in and salable milk comes out.

| True dat. And many Web sites, including my BrownMath.com and
| OakRoadSystems.com, have domain-specific Google searches.
|

It's not so hard to set up your own site search
using a local database. I use ksearch, and have for
years. Though I'm not sure whether ksearch is still
available and maintained. You also will need a decent
web host. The cheapo deals usually don't offer direct
control of the actual server config and only allow whatever
functionality comes with their cheapo hosting package.
Your Siteground host seems to be a Tucows reseller.
They may or may not provide the kind of access you'd
need to set up your own search.

Mayayana wrote:

| Google track to where you navigated from their search results by making
| the clickable links into refs links. The link actually goes to Google
| with parameters that specifies the target site from the search result on
| which you click. That way, they could track how many users were going
| to the same site.
|
| For example, on a Google search on "window air conditioner", one of the
| search results (and not a sponsored one) was for Walmart. When you
| hover the mouse over the link using IE, its status bar makes you think
| that link goes directly to Walmart at:
|
| http://www.walmart.com/c/kp/window-air-conditioners
|
| Nope, instead the actual href for the A HTML tag for the link goes to:
|
|
| http://www.google.com/url?sa=t&rct=j...95515949,d.cWc

Presumably you've enabled javascript. That's one
of the many good reasons not to enable it. It's
allowing Google to lie to you about what they're
doing by hacking the status bar content. They can't
do that with script disabled. I see the whole, sorry
mess when I hover over a link.

I started seeing Google's tracking redirect some
time ago. I guess probably at least a couple of
years ago. I also don't normally allow cookies. I
don't know whether they bother with the redirect
if one does allow cookies. It seems to function as
basically a cookie substitute. That's one reason I
switched to duckduckgo -- it's tedious to pick out
the real URL in order to thwart Google tracking.

There's also a redirect from the landing page that
most people won't see. I don't remember offhand
which setting made me see that. I think it's
"accessibility.blockautorefresh", which I set to true
to stop two problems: 1) Sites that set meta refresh
to 0 and thus cause an endless loop. (A spiteful action
for blocking script? I don''t know. The only legitimate
use of that technique I know of is for use in an index
page to make indexing of a server folder difficult.)
2) News sites that think it's clever to erase the page
you're reading every few minutes and replace it with
an "updated" one.

In any case, I have to click to allow the redirection
in Pale Moon. This is the landing page after I run a
search:

https://www.google.com/search?hl=en&...ts=&gws_rd=ssl

This is the page Google redirects to:

https://www.google.com/search?q=air+...NeTHsZwvloL4Cw

Note that it's been tagged with what looks like a UUID, in
the parameter "sei", which seems to be a unique ID for that
page. That's not necessarily a bad thing. Such things can
be done for server-side tracking where that's necessary.
But duckduckgo doesn't do it, and their "Next" link at the
bottom of the page doesn't contain any unique ID in the
HREF code.

Also, if you allow permanent cookies or join any of Google's
functions like gmail, you're probably not only tracked but
also shown a personalized page. Knowing that sheds light
on another possibility with the sei parameter: Since the
Googlites try to customize what you see, the UUID makes
sense. If you click the link to look at ACs at Bloomingdales
they know to show you more upscale ads and links on the
next page, rather than Target links or ads. For the duration
of that search session Google can build a profile of you.

That's another problem with online spying that's not talked
about very much: The dubious "feature" of personalized pages.
If I search for an AC I want to know about ACs. I don't want
to just see what Google's formulae determine that I want to
know about ACs. I read recently that Facebook is even picking
what new items will surface in one's "feed", based on how much
time has been spent reading various articles. The idea is not
to help people reach their friends. It's simply to keep everyone
on Facebook as long as possible. So "feed" is actually a good
term. Like cows: Food goes in and salable milk comes out.

The redirection links don't solely rely on Javascript. The link takes
you to a Google server that will record time, date, IP address of user,
target site, and other logistics. The OP assumed DuckDuckGo was somehow
better than Google regarding tracking on what search results are click
on; however, they do the same thing as Google in using a redirection URL
for their links. Ixquick doesn't fake out the web brower's status bar
but they also use script events to do their tracking instead of relying
on redirection links. So Ixquick is probably the only out of the 3
where disabling scripting would thwart tracking.

I had mentioned how the script was lying about the target site for a
link when hovering over it with the mouse. That was for IE. I thought
Firefox had its own on-hover popup that showed the real target of a link
rather than rely on a status bar. Of course, if scripting is permitted
then the web browser may not see the real target until the script is run
to then have the web browser go there; i.e., the user would have to
click on the scripted link to run the events that actually build the URL
to the target site to where the web browser then visits.

So is there really a safe and anonymous search engine site? How would
it monitor its load, access from different regions, or provide other
logistics used to maintain and improve the site?

Firefox lets you disable meta-refresh. As I recall, it presents an
infobar telling you about the meta-refresh block and lets you opt if you
will allow it. Alas, I also recall that it did not tell you to where
the meta-refresh pointed. So you knew there was an interstitial page
but not to where it wanted to redirect you. Google's Chrome doesn't let
you disable meta-refresh hence it is less secure. Often users confuse
stability with security. For IE, and when visiting unknown or untrusted
sites, I use a shortcut that runs a .bat file that uses reg.exe to set
some options IE, like disabling meta-refresh, disable scripting, and
enables private mode. Of course, that means that I have to remember to
use that shortcut to safely visit an unknown site.

It took over a decade before Mozilla finally got around to implementing
the mixed-mode option that was long available in IE. If HTTPS is used
to visit a site then the expectation is tht the web page is secure. If
any content is delivered via HTTP when visiting an HTTPS page (mixed
content) then it is not secure. I configure IE to block mixed content
(prompt me about it and I choose). Even when Mozilla got around to
added their mixed content options, they chose to make 2 different
options. They assume that images via HTTP are safe. That means any
site that creates or modify an image to include your personal info
within the image, like an overlay, will divulge info over a non-secure
transport. So you have to change Mozilla's defaults. As I recall,
Mozilla only let you block the mixed content, not to alert you that it
did so.

So it's not only about finding a safe search site but also in
configuring your web browser away from its defaults to tweak it to be
secure (if possible since, as noted, meta-refresh cannot be disabled or
prompted in Chrome).

| The redirection links don't solely rely on Javascript.

That's not what I meant. I know the links themselves
don't use script. But hiding them in the status bar relies
on script. You said that you're seeing the normal link in
the IE status bar. That's not an IE thing. It's a browser
scripting hack. There used to be an option to block it in
FF options. These days one needs an extension just to
get control over script at all in the FF options window.
The status bar hack stopper is he

dom.disable_window_status_change

It's a standard part of the DOM: window.status

I don't know of any way that hack can be carried out
without script. So I gather that you (of all people!)
are travelling online using IE with script enabled. And
I suppose you're online through AOL, logged into
Facebook.... What did you do with the real VanguardLH?

| The OP assumed DuckDuckGo was somehow
| better than Google regarding tracking on what search results are click
| on; however, they do the same thing as Google in using a redirection URL
| for their links.

No, they don't. I don't know how you got that idea.
Try seaching for air conditioner at duckduckgo. When
you hover over the link you should see the normal
URL, even with script enabled. If you look at the source
code you'll see it's actually very clean and simple:

a rel="nofollow"
href="http://www.walmart.com/cp/air-conditioners-heaters-fans/133032"

The ad links at the top have involved links, but those
are just for the advertiser to know the click came from
duckduckgo. They don't try to hide that in the status
bar, either. In fact, the page I see seems to have no
script at all. There are no script tags and no "onclick"
or "onhover" inline script, while Google's page is *mostly*
obfuscated script.

| Ixquick doesn't fake out the web brower's status bar
| but they also use script events to do their tracking instead of relying
| on redirection links.

Ixquick has direct links and proxy links that are supposedly
more private. They do have a lot of script, but it seems unlikely
that they're tracking with it. That would be in opposition to their
whole business model.

| So Ixquick is probably the only out of the 3
| where disabling scripting would thwart tracking.

Are you serious? You're allowing any number of things
with script enabled. Sites get tremendous control over
the webpage. Some of that can be done without script.
For instance, many pages that use script for tracking
will use a NOSCRIPT tag to set a web beacon for non-script
browsers. (Which can be blocked through a HOSTS file.)

Here's an example:

noscriptiframe src="//www.googletagmanager.com/ns.html?id=GTM-K9RKM5"
height="0" width="0"
style="display:none;visibility:hidden"/iframe/noscript

The script on that page will do the same thing. But both
are blocked by having googletagmanager in one's HOSTS
file. (It also helps to block frames.)

With script enabled you're a sitting duck, plain and simple.
The status bar is a good example. It's crazy that that's even
part of the DOM. It dates to a more innocent time. With
script enabled the page is dynamically just about anything
they want it to be.

Then there are also the extra connections: If you don't
block IFRAME Facebook buttons, for instance, by blocking
frames and/or facebook.com, then you're letting Facebook
run cross-site scripting. If you use the NoScript extension
or other software that reports connections you'll quickly
see that many sites just keep reaching out. Their page links
to 3 other script sources, which then link to other script
sources. You can easily end up with a dozen companies
running unknown script in your browser. (You may even
load a dozen extra pages through IFRAMEs on many sites.
And each of those becomes a 1st-party page load that can
then run script.)

Mayayana wrote:
not going to bother with re-adding the attributions that Mayanana
omits

| The OP assumed DuckDuckGo was somehow
| better than Google regarding tracking on what search results are click
| on; however, they do the same thing as Google in using a redirection URL
| for their links.

No, they don't. I don't know how you got that idea.

I got the idea because that is what happens there. When I do a search
on "window air conditioner" and hover the mouse over the Walmart hit,
the web browser's status window shows the link should go directly to the
Walmart's site. However, the *real* URL at DuckDuckGo is:

http://r.duckduckgo.com/l/?kh=-1&udd...r-conditioners

Peculiar that you can't see that. If right-clicking on the Walmart hit
doesn't show you that the link actually takes you to r.duckduckgo.com
then use Fiddler to monitor your web traffic. Clear its display after
getting the search results. Then click on the Walmart link in their
results. Soon after hit F12 to stop Fiddler from tracking more traffic.
Then look at Fiddler's log. You'll see that right after clicking the
link that your web browser went to:

host = r.duckduckgo.com
URL = /l/?kh=-1&uddg=http%3A%2F%2Fwww.walmart.com%2Fc%2Fkp%2Fwin dow-air-conditioners

That's where Fiddler shows your web browser connected. You do go to the
Walmart site directly but DuckDuckGo is still tracking on what you
click.

| I got the idea because that is what happens there. When I do a search
| on "window air conditioner" and hover the mouse over the Walmart hit,
| the web browser's status window shows the link should go directly to the
| Walmart's site. However, the *real* URL at DuckDuckGo is:
|
|
http://r.duckduckgo.com/l/?kh=-1&udd...r-conditioners
|
| Peculiar that you can't see that.

There's an explanation he
https://duck.co/help/results/rduckduckgocom

They say it's part of their privacy function,
which you can disable if you like in the settings...
assuming you're allowing cookies and script so
that such settings work.

"r.duckduckgo.com" is in a .js file if the entire
webpage is downloaded. The page gets dynamically
written. I'm seeing a simplified version because
I'm not enabling script. There's no way I know of
for the redirect to happen without script because
my browser interprets the link. The click does not
go to DDG, of course. (If it could then URLs would
be meaningless.)

What I don't understand is why, if you're so
concerned about privacy, you're enabling script
by default. That's like watching nervously for
burglars while leaving your front door open.

If you disable script you should see the very
clean and simple version of DDG, which still
provides an option to proxy through their server,
but the actual links just go exactly where they
say they do.

Fiddler sounded interesting but it seemed to
malfunction. First, their webpage was a mess
and I had to view it with no style. When I installed
it told me I needed .Net 2. (Bad sign.) As it turns
out I had to install .Net 2 for graphics, so that's
OK. But apparently it's not a late enough version
of .Net 2 for Fiddler. (I have no idea how that's
possible. It seems that 2 should mean 2.) In any
case, first it showed a .Net error involving a call
to a non-existent method deep within that .Net
muck, and then the program came up but didn't
work. I think I've seen enough of Fiddler. There's no
excuse for using .Net to write software.

Mayayana wrote:

| I got the idea because that is what happens there. When I do a search
| on "window air conditioner" and hover the mouse over the Walmart hit,
| the web browser's status window shows the link should go directly to the
| Walmart's site. However, the *real* URL at DuckDuckGo is:
|
|
http://r.duckduckgo.com/l/?kh=-1&udd...r-conditioners
|
| Peculiar that you can't see that.

There's an explanation he
https://duck.co/help/results/rduckduckgocom

They say it's part of their privacy function,
which you can disable if you like in the settings...
assuming you're allowing cookies and script so
that such settings work.

Read it again. It claims they prevent use of the HTTP header Referer
(yep, it's mispelled) from identifying you when clicking on their link
to the target site. That does not eliminate the use of of the window
object's title to carry that info but I doubt DDG is doing that if they
are eradicating the Referer header. Of course, if that is of concern to
you then you can not have your web browser use the Referer header. Just
be aware that some sites don't like direct navigation to some of their
web pages. Some of their web pages are supposed to be accessible only
by one of their parent pages so they check in their child page if the
Referer page was one of their parent pages, or they can use the window
object's title to convey that info, or they can use cookies, or they can
use local DOM storage on your computer.

Blocking cookies is trivial but it can result in navigational problems
at web sites. So use private mode and purging cookies on exit. Same
for blocking the Referer header: configure your web browser not to
include it but be aware some sites may malfunction. You assume DDG is
not using an identifying title for their window object in your web
browser that would identify your connection to the target site was from
DDG. You can disable DOM storage in your web browser but that will also
affect some web sites; for example, the crossword puzzle sites that I
visit download a table of the answers to the puzzle to verify my entries
as I make them instead of having to push the entry up to their server to
check each one. I've hit other sites, mostly my favorites, that also
require DOM storage be enabled. By purging this data on exit of the web
browser, I eliminate tracking between surf sessions but not during them.

"r.duckduckgo.com" is in a .js file if the entire
webpage is downloaded. The page gets dynamically
written. I'm seeing a simplified version because
I'm not enabling script. There's no way I know of
for the redirect to happen without script because
my browser interprets the link. The click does not
go to DDG, of course. (If it could then URLs would
be meaningless.)

Do you really believe that the prevalent majority of DDG visitors have
scripting disabled in their web browser? They're led into trusting DDG
to protect them so why would they be disabling scripting there?

What I don't understand is why, if you're so
concerned about privacy, you're enabling script
by default. That's like watching nervously for
burglars while leaving your front door open.

I've used Firefox with NoScript. I ended up having to whitelist all my
favorite/bookmark sites along with those I visit. So there was little
point in using FF+NoScript. Way too many sites rely on scripts for them
to render correctly that disabling scripting altogether would be a much
worse bane than leaving it enabled.

As I mentioned, I do NOT have scripting enabled when visiting unknown or
untrusted sites.

If you disable script you should see the very
clean and simple version of DDG, which still
provides an option to proxy through their server,
but the actual links just go exactly where they
say they do.

Fiddler sounded interesting but it seemed to
malfunction. First, their webpage was a mess
and I had to view it with no style. When I installed
it told me I needed .Net 2. (Bad sign.)

Yeah, versus C runtime libs included or updated in Windows. I always
smirk when someone thinks .Net Framework is so evil when all it is
is another framework of libraries. If you don't trust .Net then you
don't trust C runtimes which means the only programs you permit on your
computer are written in assembly.

There's no excuse for using .Net to write software.

Then there is no excuse for using C runtimes, VB runtimes, various APIs
in Windows, or anything except assembly to write software. Uh huh. Yet
I bet you have several open source products on your computer. How about
all those codecs (yep, code to encode and decode) on your computer from
unknown sources used in front-end multimedia apps? Just more FUD about
Net Framework.

|
| Read it again. It claims they prevent use of the HTTP header Referer
| (yep, it's mispelled) from identifying you when clicking on their link
| to the target site. That does not eliminate the use of of the window
| object's title to carry that info

Sheesh. You make things so complicated. How in the
world would the title string get sent to the target URL?
It would have to be packaged, by script, in the link,
or even more bizarre, sent as part of the GET request.
That just doesn't make sense.

Yes, I block referrers, and cookies, and script in Pale
Moon. (I allow some script, frames and session cookies in
Firefox for the rare cases where that's needed.) I don't
find that I have trouble at most sites. Having a server
reject my visit me because of no referrer is *very*
uncommon. There are many cases where there's naturally
no referrer.

| Do you really believe that the prevalent majority of DDG visitors have
| scripting disabled in their web browser? They're led into trusting DDG
| to protect them so why would they be disabling scripting there?
|

You're probably right. Even people using DDG for
privacy will probably, for the most part, fit the
ostrich model of online caution: People who want
better privacy and security, but only if they don't
have to lift a finger to get it. Anyone who enables
script routinely and thinks they're concerned about
privacy or security is fooling themselves.

But I
don't see why you're so distrustful of DDG. "Led
into trusting" sounds like you're accusing them of
tricking people -- pretending to focus on privacy
as a marketing tool to cover their spying! That
sounds very farfetched to me. I expect that if DDG
were anywhere near so nefarious then we would
have heard about it.

So it seems safe to assume that anyone using DDG
is probably improving their online privacy at least a bit,
even if they don't bother with any other efforts. (On
the other hand, most of them are probably logged into
gmail and facebook most of the time, being closely
watched by a half dozen companies as they travel
online, and thus getting little benefit from using DDG.
Google and Facebook taken together will be recording
just about anything a person writes or reads while online,
if one uses those sites.)


| I've used Firefox with NoScript. I ended up having to whitelist all my
| favorite/bookmark sites along with those I visit. So there was little
| point in using FF+NoScript. Way too many sites rely on scripts for them
| to render correctly that disabling scripting altogether would be a much
| worse bane than leaving it enabled.
|

You can also use it to disable script partially.
For instance, I was at a site this AM that I used
FF for, in order to allow remote images. As it turned
out I didn't need to enable script, but even if I
had I could have enabled only the local script and
blocked the 3 others coming from remote sources.
(Often one of the non-essential script sources is
Google's ubiquitous analytics spyware and/or other
ad/tracking companies.)

| There's no excuse for using .Net to write software.
|
| Then there is no excuse for using C runtimes, VB runtimes, various APIs
| in Windows, or anything except assembly to write software.

Not at all. That's like saying if you don't want to
eat McDonalds frankenfood then you have to hunt
game or forage for grasses and berries.

.Net is a massive wrapper designed for server-side,
corporate software. It was designed to compete with
java. Very little Windows software is written in .Net,
so there's little reason to install it. Microsoft didn't
pretend otherwise when .Net first came out:

http://web.archive.org/web/201011121...eliverspr.mspx

(They've removed the page from their own server.)
..Net was not meant for Windows software and is
poorly suited to Windows software, just as Java is.

..Net is slow, very big and superfluous. If someone is
writing actual Windows software in .Net there's a
good chance they don't know what they're doing.
It's not that it can't be done or that it's somehow
risky. It's just a poor choice of tools.

If you don't trust .Net then you don't trust C runtimes

That makes no sense. First, it has nothing to do with
trust. .Net is just a very high-level wrapper. People don't
need to know what they're doing to throw together
..Net muck. Second, VC++ runtimes, which I assume is
what you're talking about, are unrelated. (Though
they've also become more bloated in recent iterations.)
There's a difference between installing a few MB of
support libraries for Microsoft's main programming tools
and installing hundreds of MBs of libraries for an
unnecessary VM.

There's a great example of .Net muck in a program
called LessMSIerables. It's a program to unpack MSI
installer files. Microsoft provides a full API for that
in msi.dll. The API is documented and also has a
dispatch version for scripting. LessMSIerables is a
..Net program that uses Microsoft's Wix Windows
Installer libraries. Wix is also a superfluous wrapper,
around MSI itself. Something like 8 MB. So we're
talking about a wrapper of hundreds of MB, to use
another wrapper of 8 MB, to use the tiny msi.dll
API that's pre-installed on all Windows PCs.
LessMSIerables is OSS, but it contains very little
code! That one small program requires dozens or
hundreds of MB of dependency software to be installed,
simply because the author either couldn't be bothered
to do the job right or didn't know any better. Why
would I want to install all of that unnecessary stuff
if I don't need to? And why would I trust the .Net
developer to be the one writing the best software,
when there's a good chance they don't even have
basic familiarity with the Win32 API?

If someone needs to write quickie front-ends for
corporate intranet applets then .Net is a good choice.
That's what it was made for. Used for Windows software
it belies probable ignorance and is unnecessary bloat.

Mayayana wrote:

Sheesh. You make things so complicated. How in the world would the
title string get sent to the target URL?

It's a trick that I've used when cookies might be disabled. In one page
you load, you can set the window object's title. Well, they call it the
title but name might be a better attribute descriptor. This is not the
title bar of the window but the name of the window object. Then when
you load another page, it can check what is the window object's title.
It's a sneaky trick during a web browser session to pass info to the
next page you load that can then check the object's attribute value.

Yep, I believe it requires Javascript. While you don't have scripting
enabled for that site, I really doubt that is the modus operandi of the
vast majority of those visiting DDG. As I recall (been awhile since I
looked into this), the next web page has to be loaded inside the same
window. That is, you replace the document rather than load a new one.
It's the [window.]document.title property. The window parent object
isn't really needed in the definition since it's the default object.

Yes, I block referrers, and cookies, and script in Pale Moon.

Referer blocking (omission) is possible by adding a site to the Trusted
Sites security zone; however, I'm not whitelisting every site that I've
put in my favorites list. It's been ages IE has blocked the Referer
header in an HTTPS page whether or not insecure HTTP content is
included: that is, for HTTPS pages, IE doesn't include the Referer
header: https://support.microsoft.com/en-us/kb/178066. Considering
later and more advanced local data caching (DOM storage), cookies and
Referer are pretty trivial and ancient tracking methods. It's like
worrying about stone chips used to repave a road possibly getting into
your tire treads and working its way in to puncture your tire when
straight ahead are tire spikes to ensure you'll get a flat. Referer
when used within a site to control or monitor navigation within a site
has purpose. The abuse of using it cross-domain is what worries most
users looking to plug a pinhole when other methods of tracking are more
effective, some of which you can't do anything about on your end.

I configure IE to prompt on mixed content. I want to know when a site
is mixing insecure content with secure content (anything insecure means
the page really is insecure despite using HTTPS). Firefox with a deeply
buried option (2 of them) lets me do the same but doesn't afford me a
prompt to let me choose. I might visit my banks site and find it has
mixed content but after checking I might determine it's okay so I have a
prompt to which I can Yes to allow the insecure HTTP delivered content
(and then send a complaint to my bank and/or their web author about the
poor design of mixing secure and insecure content). In Firefox, no such
prompt so you'd have to whitelist the site which would give it more
permissions that I want to grant all at once.

I only block (disable) scripting on-demand when visiting unknown or
untrusted sites. If I'm trusting a site that I've visited often (but
still want them in the Internet security zone to disable some unwanted
behaviors) then I'm going to allow scripting there. This is no
different than you using Firefox+NoScript and then whitelisting the good
site by adding exceptions in NoScript. I've used NoScript. It can
sometimes be a real pain in the ass to use.

Most users leave DOM storage enabled in their web browsers. They don't
know about the feature. It supplants cookies, window object title,
Referer, using a shared database (one site records your visit in a
database shared with other sites - so NOTHING you do in your web browser
will prevent that tracking, not even disabling Javascript). After
awhile of disabling DOM storage, I found too many sites that required
it. Typically the web programmer doesn't even test if DOM storage is
available and blindly starts assigning variables into DOM storage (which
fails and you can see the errors). Then their other script fails
because those variables are not defined (for those users that have
disabled DOM storage). I eventually changed to enabled DOM storage but
configure IE to purge it upon exit. The site can use it during a web
session but not across web sessions.

But I
don't see why you're so distrustful of DDG.

Not really distrustful. Just that users think DDG does nothing about
gathering logistics for their own use: load balancing, load tracking,
dead links, regional characteristics (geographical load), maintaining
their site, and so on. The claim was DDG does not track. Yes, it does,
but hopefully for their own purposes and without keeping anything
identifiable of you (although I would think they would need the IP
address for geolocation logistics but once tallied they could delete the
IP info).

Ixquick does tracking, too, for their own purposes. Of those two, I
don't know if I'd go with DDG or Ixquick, but either affords some
reduction of tracking of YOU, not what you did there.

| There's no excuse for using .Net to write software.
|
| Then there is no excuse for using C runtimes, VB runtimes, various APIs
| in Windows, or anything except assembly to write software.

Not at all. That's like saying if you don't want to
eat McDonalds frankenfood then you have to hunt
game or forage for grasses and berries.

.Net is a massive wrapper designed for server-side,
corporate software. It was designed to compete with
java.

Really? Server-side. Nope. It's a local library. Java is also not
running up on the server. Java applets get downloaded to your computer
and they run locally. That's why you must install a local interpreter
for Java. Perhaps you are confusing .Net with ASP. There are
interfaces within .Net to use ASP but that's an interface you choose to
use. You can use the web interface to build web-centric apps, yes.
That's a small part of the framework. There have been a host of tools
to perform a portion of the tools in .Net. Instead you get a framework
to rolls them all together and as such will occupy more disk space for
features you may never use. Of course, with all the other tools, you
have to waste disk space installing them and rolling them into your
project for distribution. .Net 4, I think, eats up 2 GB of disk space.
Well, yes, the C runtimes are much smaller (25 MB) but not after you
have to compile your own libraries to either roll into .exe or include
as DLLs to add all the functions you have to build versus them already
available in a programming framework. Just look at all the space you
would have to consume to install a plethora of SDKs.

https://en.wikipedia.org/wiki/.NET_Framework

Do you really think someone writing a clock program (display a clock,
replace the tray clock, etc) are bothering with the ASP interface in
..Net? Frameworks are not unique to Microsoft or Windows.

https://en.wikipedia.org/wiki/Software_framework

It is a pity that, as with C, VB, and other runtimes that Microsoft
doesn't encompass the old version rather than require multiple versions
be concurrently installed because some apps may not only require the old
version but check if it is available and not run if not. A customized
install of .Net where you get to pick what components you want to
install would be greatly appreciated but of value only to programmers or
those expert to know what parts of .Net an application actually uses.
Something like the Office install where you can configure components to
install on "first use". Rather than install the huge bloat of the
entire .Net package, install only what is needed. However, just where
would the rest of the .Net package come from if not installed when an
app needed some other component of .Net? A web installer? Yuck.
Digging through your discs to find the .Net installer CD? Oui vey.
Perhaps a compressed archive to reduce disk consumption so it was
already available when "first use" happened but it would still consume
disk space ad infinitum for components you may never use but might. Of
course, all the other runtimes consume more space than your apps will
need of the functions contained therein. Disk waste is an incumbent
artifact of all programs that don't bloat their .exe by carrying all
functions within that file rather than carrying along DLLs or relying on
system availibility of runtimes.

You do realize, right, that programmers have long had to find free or
payware libraries to include in their projects so they didn't have to
reinvent the wheel or someone figured out something they can't or don't
want to bother discovering anew. There are a huge number of libraries
out there to include in projects. No, .Net isn't going to replace all
of them but it sure covers a lot of features, so it's just another
library that you (programmer or user) don't have to pay for.

If someone is writing actual Windows software in .Net there's a good
chance they don't know what they're doing.

I've seen plenty of C, C++, VB, Python, Perl, and other code where that
same lambast applies. Bad programmers can code badly in whatever
language they use or whatever libraries are available to them.

It's not that it can't be done or that it's somehow
risky. It's just a poor choice of tools.

There are still some programmers proficient in assembly. Not too many
programs, especially end-user apps, are written using it. Too much
time, too much debugging, too much reinventing the wheel, and only code
execution speedup if carefully coded.

That makes no sense. First, it has nothing to do with
trust. .Net is just a very high-level wrapper.

A wrapper to WHAT? It doesn't call on the C runtimes. So what are the
runtimes that .Net requires in addition to its own installation?

There's a difference between installing a few MB of
support libraries for Microsoft's main programming tools
and installing hundreds of MBs of libraries for an
unnecessary VM.

Same is true when you install VideoLAN's VLC, Irfanview, XnView, and a
plethora of other video viewing or editing software. They will include
a ton of codecs that you will never use but some users might.

Of course, we are getting WAY off course here versus the original thread
where DDG was merely mentioned as a model of privacy that the user was
looking in DNS servers. So I think we should stop drilling farther off
topic. I'll let a rebuttal from you but won't reply since this
subthread is getting unrelated to the original topic. Been interesting,
though.