Hacker News new | past | comments | ask | show | jobs | submit login

Genuine question, if I configure DuckDuckGo as my default search engine, would my key strokes still be sent to Google?

Yes. URL prediction & malware blacklisting "services" send keystrokes regardless of chosen search engine.

This is incorrect from Malware blacklisting purposes. I don't know about URL prediction.

For Safe Browsing protection, here's how it works (in progress): https://chromium.googlesource.com/chromium/src/+/refs/change...

[Disclosure: I'm the Software Engineer on Chrome who wrote parts of this Safe Browsing code, and that incomplete documentation linked above.]

> malware blacklisting "services"

If you're thinking of Google Safe Browsing (used by both Chrome and Firefox), you're wrong.

It works the other way around: Google sends you the list of undesired domains, and your client prevents you from visiting domains found on that list.

Nothing needs to be shared with a third party for that functionality.

The full details are in https://www.google.com/chrome/privacy/whitepaper.html#malwar... , but the short summary is:

A hash prefix list gets downloaded locally; Chrome checks locally against the prefix list. If a URL hits, Chrome will send the hash prefix (not the full hash and not the URL) to the server, the server will send back all full hashes that match that prefix, and then the client will complete the check locally.

In theory, if the server had a small number of matching full hashes, it could guess about what URL a client might be hitting, but in practice the system is designed as much as possible to avoid ever leaking data about what you're visiting to Google servers.

It's a little bit in the middle.

Clients download a database of partial hashes of malware URLs. If they get a hit on one of those partial hashes, they make a request for the full list of hashes with that prefix.

Google knows when a client makes one of those requests, but the exact URLs (or hashes) they're looking up are never revealed. The partial hash is 32 bits long, so there's enough collisions that making a request isn't especially revealing.


I seem to recall reading it can be a mix of both, though generally the way you mentioned. A Bloom filter that filters locally, and if it's a hit then it sends over the URL to double-check. Would be nice if someone could confirm though.

Older versions were Bloom filters, but newer versions have moved away from that (and to a list of hash prefixes) because Bloom filters are hard to update.

Also check your DNS config for,, .... I’m not typing the IPv6.

Check it, then switch to; Cloudflare's service is free and excellent.

Can anyone explain the downvotes? Any issues with Cloudflare's DNS? (I'd prefer it over Google, and is just as easy to remember as

Or Quad9 (the easy to remember IPv4 address

If your concern about Google is at that level (mine is), it's probably best to just use Brave or Firefox.

Or safari. It's pretty good too

I miss safari for windows

They had safari for windows?

“A Windows version was available from 2007 to 2012.” [1]

[1]: https://en.m.wikipedia.org/wiki/Safari_(web_browser)

Was that what Steve Jobs called "a glass of ice water for people in hell"? Or was that iTunes on Windows?

Not sure but my expectation is that at least they are sending back the address for the search results page so they'll know what you searched anyways.

I might be wrong, but this is obe of the reasons I don't use Chrome so if anyone has links that proves something else I'm interested.

Your visited URLs are in general only sent to Google if you have opted into sync and have "History" as an enabled datatype.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact