Ask DuckDuckGo to add its .onion to its HTTPS certificate and change the scheme in the search plugin to HTTPS
Because .onions are not self-authenticating (it can be a backdoor by Tor developers), anyone with enough computational power can perform a MiTM attack. The temporary solution is to use HTTPS even on .onions.
DDG allows you to connect via HTTPS to their .onion, though they don't have the .onion name in their HTTPS certificate, which causes ssl_error_bad_cert_domain errors.
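
The name check behind the error described above, as an added example that is not part of the original ticket: a simplified dNSName match (exact names plus a whole left-most wildcard label) run against constructed subjectAltName lists. The SAN lists and the .onion hostname are placeholders assumed for illustration, not DuckDuckGo's real certificate contents or address.

```python
# Added illustration of why a certificate without the .onion name fails the
# hostname check. All names below are constructed sample values.

def match_dns_name(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125-style match of one dNSName entry against a hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Honour a wildcard only as the entire left-most label, and refuse
        # overly broad patterns such as "*.com" or "*.onion".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any dNSName entry in the certificate covers the hostname."""
    return any(match_dns_name(p, hostname) for p in san_dns_names)


def tls_name_check(hostname: str, san_dns_names: list[str]) -> str:
    """Return 'ok' or the error name the ticket reports for a name mismatch."""
    return "ok" if cert_covers(hostname, san_dns_names) else "ssl_error_bad_cert_domain"


# Constructed SAN list for a certificate issued only for clearnet names.
CLEARNET_ONLY_SANS = ["duckduckgo.com", "*.duckduckgo.com"]
# Placeholder hidden-service hostname (hypothetical, not the real address).
ONION_HOST = "placeholderonionname.onion"
# The same certificate after the .onion name is added, as the ticket requests.
WITH_ONION_SANS = CLEARNET_ONLY_SANS + [ONION_HOST]

if __name__ == "__main__":
    for sans in (CLEARNET_ONLY_SANS, WITH_ONION_SANS):
        for host in ("duckduckgo.com", "www.duckduckgo.com", ONION_HOST):
            print(f"{host:32} {sans} -> {tls_name_check(host, sans)}")
```
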