The new DuckDuckGo browser application offers privacy-enhanced features, but is it worth the risk?
The DuckDuckGo browser premiered on macOS in late 2022, and in June 2023 a Windows version was released with extensive security features. However, DuckDuckGo is still a niche browser offering that lacks the funding of major browser applications such as Chrome, Firefox, Safari, or Edge.
So what are the trade-offs of using DuckDuckGo or another alternative browser, and can they compete on security? Today, we explore alternative browsers that make big security claims, demystify the degree of security they actually offer, and outline the trade-offs of switching to a non-mainstream option.
The true degree of security offered by small market share browsers remains a bit of a black box. Here are the most-used niche browsers with significant security claims:
The DuckDuckGo developers have touted the release as offering "best-in-class privacy protections", which include fundamental security features that users have come to expect such as built-in secure password management, ad and tracker blocking, and enforcing HTTPS to ensure connections are encrypted. DuckDuckGo uses the open-source WebKit engine used by Apple's Safari browser rather than the Chromium engine used by Edge, Opera, and Brave.
However, the new browser also includes some novel features to entice users such as:
YouTube Ad Blocking: "Duck Player", a YouTube ad blocker, prevents most YouTube ads from loading and applies Google's strictest privacy settings to prevent personalized ads and user fingerprinting.
Bandwidth-saving ad blocker: DuckDuckGo claims its ad and tracker blocking reduces bandwidth usage by up to 60%.
Automatic Cookie Authorization: Another attractive feature is DuckDuckGo's promise of automatically completing the "cookie permission requests" that are required under the EU's GDPR privacy regime. In 2023, many Internet users report being fatigued by constant pop-ups, so having the browser fill them in on our behalf would be a welcome relief.
The Onion Router (Tor) browser is based on the open-source Mozilla Firefox browser but has its own development team to manage updates and security patches. One of the biggest concerns is that updates could lag far behind the main Firefox stream, leaving critical vulnerabilities exposed. However, in the case of CVE-2019-11707, a vulnerability that was found to be actively exploited in the wild, the Tor browser released security updates only one day after Firefox released its own patch for CVE-2019-11707, demonstrating that the Tor development team can stay on top of current security risks.
However, Tor's fundamental security claim, user privacy, has significant security flaws. Security researchers have uncovered attacks that can de-anonymize users using network traffic analysis, and attacks that leverage Tor endpoints (also known as exit relays), showing that users' Tor connections are susceptible to MitM attacks, especially when the destination server does not properly implement SSL/TLS. Exit relays represent a potential weak point where traffic can be intercepted or manipulated.
Although the Tor Project itself acknowledges the problem of both misconfigured and malicious exit nodes and promises to increase security, the Tor network unquestionably exposes a connection's data to multiple untrusted parties as it is bounced from node to node to "anonymize" it. Overall, this means using the Tor browser represents a significant security risk that cannot be mitigated without forgoing the sole purpose of using the Tor browser: connecting to the Tor network for anonymity.
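The exit-relay risk described above only bites when the destination does not force TLS: a cleartext page, or a site without HSTS, gives an on-path party something to read or rewrite. Whether a given origin closes that gap can be checked from its own responses. The following is an added example written for this article, not code from the Tor Project, DuckDuckGo, or any browser vendor. It evaluates an origin's HTTP and HTTPS responses (constructed header sets embedded below, using placeholder hostnames) for a redirect to HTTPS and a sufficiently strict Strict-Transport-Security header; the one-year minimum max-age is an assumption borrowed from the HSTS preload requirements.

```python
"""Assess whether an origin leaves room for cleartext interception on an
untrusted path (for example a Tor exit relay).

Added example, not from the original article. Runs offline on constructed
responses; in practice you would feed it headers from a real probe."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: treat anything under one year as too short (matches preload-list minimum).
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif d == "includesubdomains":
            subdomains = True
        elif d == "preload":
            preload = True
    return max_age, subdomains, preload


def assess_origin(host, http_resp, https_resp):
    """Return a list of findings describing how well `host` enforces TLS.

    An empty list means the cleartext endpoint only redirects to HTTPS on the
    same origin and the HTTPS endpoint sets a strong HSTS policy."""
    findings = []

    # 1. The cleartext endpoint should do nothing except redirect to https://host/...
    if 300 <= http_resp.status < 400:
        target = urlsplit(http_resp.header("Location") or "")
        if target.scheme != "https":
            findings.append("http: redirect target is not https")
        elif target.hostname != host and not (target.hostname or "").endswith("." + host):
            findings.append(f"http: redirect leaves origin ({target.hostname})")
        if http_resp.status in (302, 307):
            findings.append("http: redirect is temporary (use 301/308)")
    elif http_resp.status == 200:
        findings.append("http: content served in cleartext instead of redirecting")
    else:
        findings.append(f"http: unexpected status {http_resp.status}")

    # 2. HSTS on the HTTPS response tells browsers never to speak cleartext to this host again.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("https: no Strict-Transport-Security header")
    else:
        max_age, subdomains, _preload = parse_hsts(hsts)
        if max_age is None:
            findings.append("https: HSTS max-age missing or malformed")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"https: HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if not subdomains:
            findings.append("https: HSTS lacks includeSubDomains")

    # 3. Browsers ignore HSTS delivered over plain HTTP; its presence hints at misconfiguration.
    if http_resp.header("Strict-Transport-Security"):
        findings.append("http: HSTS header on cleartext response is ignored by browsers")
    return findings


# Constructed sample responses (placeholder hosts, not captured from any real site).
WEAK_HOST = "weak.example"
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response(200, {"Content-Type": "text/html",
                            "Strict-Transport-Security": "max-age=300"})

HARDENED_HOST = "hardened.example"
HARDENED_HTTP = Response(301, {"Location": "https://hardened.example/"})
HARDENED_HTTPS = Response(200, {"Strict-Transport-Security":
                                "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for host, h, s in [(WEAK_HOST, WEAK_HTTP, WEAK_HTTPS),
                       (HARDENED_HOST, HARDENED_HTTP, HARDENED_HTTPS)]:
        print(host, assess_origin(host, h, s) or ["ok"])
```

The weak origin produces three findings (cleartext content, a short max-age, and no includeSubDomains), while the hardened origin produces none. The same check applies outside Tor: the HTTPS enforcement that browsers like DuckDuckGo advertise can only upgrade a request when the site actually answers on HTTPS and commits to it with HSTS.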
Brave Browser is based on the open-source Chromium project, which also serves as the foundation for Google Chrome. Brave Browser's primary claim to security is a feature called "Privacy Shield" that prevents websites from tracking users with third-party cookies and blocks cross-site tracking. However, this feature is already available for Chrome and enabled by default in Firefox, Safari, and Microsoft Edge.
The Brave browser also acts as a shortcut to enabling Brave's VPN, which can be quickly installed from within the browser to provide a full-tunnel VPN for up to 5 devices per account. Similar to DuckDuckGo, Brave also manages its own search engine and claims not to "track you, your queries, or your clicks". If you are absolutely terrified of Google knowing your search history, perhaps Brave is a good choice for this reason.
Finally, Brave sports its own form of crypto-coin incentivization for viewing privacy-enhanced ads called "Brave Rewards." Also, to be fair to Brave, they seem to keep pace with vulnerabilities discovered in the Chromium web engine, often patching them at the same time as Chrome and Microsoft Edge - a feat many niche browsers cannot claim.
If you are absolutely set on delving into the world of niche browsers, there is no shortage of options. These include, but aren't limited to:
Waterfox: Waterfox is a privacy-focused browser based on Firefox that claims to provide enhanced privacy by disabling telemetry and removing certain data collection features. However, Waterfox has been noted for being slow to patch security bugs.
Pale Moon: Pale Moon is an open-source browser based on older Firefox code. It emphasizes customization and privacy by offering options to disable tracking and telemetry. It also continues to support some types of add-ons and plugins that are no longer supported by Firefox, including NPAPI plugins such as Adobe Flash Player, as well as legacy Firefox extensions.
If your organization is considering an alternative browser, it's important to evaluate the potential security risks posed by small market share browsers. Here are some concerns to get an assessment started:
Limited security resources and features: Niche browsers may have smaller development teams and fewer resources compared to mainstream browsers. This can result in delayed security updates or a slower response to newly discovered vulnerabilities. With limited resources for security audits and testing, niche browsers might be more prone to security issues.
Reduced community review: Mainstream browsers benefit from a large user base and a vast community of developers and security researchers who actively scrutinize the codebase for vulnerabilities. Niche browsers may not receive the same level of scrutiny, potentially resulting in undetected security flaws.
Malicious third-party plugins: Niche browsers may have a smaller selection of plugins and extensions available compared to mainstream browsers. Users who rely on niche browsers may be tempted to install third-party plugins from untrusted sources, increasing the risk of installing malicious or poorly coded plugins that can compromise security.
Long-term support risks: When considering a niche browser, it is important to evaluate the long-term support commitment of the development team or organization behind it. Assess factors such as their track record of releasing updates, responsiveness to security vulnerabilities, engagement with the user community, and plans for future development and support.
Lack of support for new productivity plugins and features: Niche browsers may have a smaller or even non-existent ecosystem of plugins, extensions, and themes compared to mainstream browsers. This can result in limited plugin support and fewer options for users to enhance their browsing experience or address specific needs. Over time, this could lead to users seeking alternative browsers with better plugin ecosystems.
It's worth considering the security claims of alternative browsers and whether they are truly worth the associated risks. While browsers such as DuckDuckGo, Tor, and Brave certainly put a marketing focus on security features like privacy-enhanced ads, third-party cookie blocking, and secure password management, these are not necessarily features you can't get from major browsers such as Chrome, Firefox, Safari, or Edge.
Perhaps the starkest example is how the Tor Browser is exposed to attacks because of the Tor network architecture it relies on. Other potential risks are that the developers of niche browsers have limited resources, reduced community review, and a higher risk of allowing malicious third-party plugins... including the notorious Adobe Flash Player.