3

The Privacy Policy of DuckDuckGo.com mentions that using HTTPS and POST affects the privacy of the search requests.

Since HTTPS is disabled by default, and POST is enabled by default, how does this affect my default search security?

Should the defaults be changed?

Anders
makerofthings7
  • 1
    Yes. If you search through a secured connection ( https ) what information is forwarded on your behalf is reduced. – Ramhound Mar 01 '12 at 17:27
  • What do you mean by https is disabled by default? If you use the https url it uses https, and if you use the http url, it uses http. – CodesInChaos Mar 01 '12 at 22:32
  • If you go to options, there isn't an automatic redirect from the http site to the https site. – makerofthings7 Mar 01 '12 at 22:34
  • I'd avoid those redirects, since they require you to carefully check the url bar for ssl usage every time you enter the http url. And if you are that careful in the first place, why don't you just add the `s` yourself. – CodesInChaos Mar 01 '12 at 22:50

2 Answers

2

What browser are you using? For example, if you use Firefox and set up DuckDuckGo as your main search engine, it will use HTTPS by default. Firefox DuckDuckGo Plugin. These are the instructions for Firefox, Chrome, Opera & Safari.

The great thing about DuckDuckGo is that you can customize it to your needs (settings). You can specify there under Privacy Settings to use HTTPS by default. At the end it tells you how to keep the changes (Load/Reset Settings).

You could follow the same instructions on this answer and would increase DuckDuckGo security, but IMO it would be a bit overparanoid.

POST is generally faster, and since DuckDuckGo isn't as popular as Google they want to leave a good first impression (assumption), thus fast and efficient results are the priority. Users can add HTTPS later on as their default search option.

Edit: HTTPS needs an initial handshake, which can take some time; if most of the data is sent through the initial request, performance will not be that significant.

SSL may decrease performance, in a way: search results can be large, spanning pages (take into account that DuckDuckGo provides scrolling rather than clicking on next page); this might burden the system to encrypt all of this.

Also take into account that not everyone needs HTTPS, even though it is recommended to use HTTPS.

Rick Rhodes
  • 1
    Is POST really generally faster? why? – Yoav Aner Mar 01 '12 at 21:48
  • 1
    Speaking of plugins, it is worth mentioning https://www.eff.org/https-everywhere which is available for Firefox and for Chrome (beta). The plugin should make every connection with duckduckgo default to HTTPS. – Moses Mar 01 '12 at 22:51
  • 2
    POST isn't any faster than GET. There may be marginal differences in request size due to different encodings, but that's about it. However, it looks nicer (since the search parameters don't show up in the URL), and those parameters aren't stored in your browser history either. The chance of them being stored in logfiles on intermediate hosts between you and ddg (routers and the like) is also smaller with POST, although this is not relevant if you're using HTTPS. The advantage of GET is that you can e-mail or bookmark the search URL. – tdammers Mar 02 '12 at 00:36
2

Use ddg.gg instead of duckduckgo.com; the ddg.gg shorthand URL--in addition to being quicker* and easier to remember--by default takes you to the HTTPS enabled version of the site.

*Quicker as in typing, not as in performance; an HTTPS connection will naturally be slower than an HTTP connection (all things being equal).

Moses
  • 1
    https://ddg.gg doesn't work. And redirect from http to https is vulnerable to attacks where the attacker redirects to http instead of https. So this method reduces security over going to https://duckduckgo.com directly. – CodesInChaos Mar 01 '12 at 22:26
  • @CodeInChaos If that attack were to take place, wouldn't the user be able to notice that the session is not held over the secured HTTPS? If I were at a page that I expected to be over SSL (TLS), and I didn't see the valid cert, I wouldn't submit my user info (or in this case, my search query) and instead simply leave the site. – Moses Mar 01 '12 at 22:44
  • If you are careful you can obviously notice it. But will you really verify it every single time you use it? The attacker might also redirect you to a site with a similar domain for which he has a certificate. I see no reason to open up such attacks, when you can just include the https in the url you enter. – CodesInChaos Mar 01 '12 at 22:48
  • @CodeInChaos - I just clicked ddg.gg and it redirected me to the https version, so works for me. Very good point about redirection. However, it reduces security only if you don't pay attention. I think it's probably easier to type in ddg.gg and then check the url than it is to type in https:// duckduckgo.com - and I know you can use bookmarks, but my typing is usually faster than finding a bookmark... – Yoav Aner Mar 02 '12 at 07:54
  • @YoavAner - the problem is CodeInChaos is trying to go to https://ddg.gg which won't work (port 443 for https at ddg.gg is non-responsive; probably they didn't get a certificate for it). Yes, going to `http://ddg.gg` will generate a `301 - Moved Permanently` response telling your browser to try again at `https://duckduckgo.com`. However, from a security (and speed) standpoint it's better to just bookmark https://duckduckgo.com than rely on an HTTP response to forward to the correct site using the secure protocol. – dr jimbob Mar 02 '12 at 19:02
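
The redirect concern raised in the comments above, as an added example that is not part of the original thread: a Python check that audits a recorded redirect chain for hops that are sent in plaintext and therefore carry an unauthenticated `Location` header. The chains are constructed sample data; the `audit_chain` helper and the `duckduckgo.example` host are hypothetical names used only for illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect chains: (requested URL, status, Location header).
# CHAIN_SHORTHAND mirrors the http://ddg.gg -> 301 behaviour described in the
# comments; the tampered variants are hypothetical, for comparison only.
CHAIN_DIRECT = [("https://duckduckgo.com/", 200, None)]
CHAIN_SHORTHAND = [
    ("http://ddg.gg/", 301, "https://duckduckgo.com/"),
    ("https://duckduckgo.com/", 200, None),
]
CHAIN_STRIPPED = [
    ("http://ddg.gg/", 301, "http://duckduckgo.com/"),
    ("http://duckduckgo.com/", 200, None),
]
CHAIN_LOOKALIKE = [
    ("http://ddg.gg/", 301, "https://duckduckgo.example/"),
    ("https://duckduckgo.example/", 200, None),
]


def audit_chain(hops, expected_host):
    """Return sorted findings for one recorded redirect chain."""
    findings = set()
    for url, _status, location in hops:
        if urlsplit(url).scheme != "https":
            # Anything sent over plain HTTP is visible on the network path.
            findings.add("plaintext-hop")
            if location is not None:
                # The Location header of a plaintext response is not
                # authenticated, so its target cannot be trusted.
                findings.add("unauthenticated-redirect")
    final = urlsplit(hops[-1][0])
    if final.scheme != "https":
        findings.add("final-not-https")
    if final.hostname != expected_host:
        findings.add("unexpected-final-host")
    return sorted(findings)


if __name__ == "__main__":
    for name, chain in [("direct", CHAIN_DIRECT),
                        ("shorthand", CHAIN_SHORTHAND),
                        ("stripped", CHAIN_STRIPPED),
                        ("lookalike", CHAIN_LOOKALIKE)]:
        print(name, audit_chain(chain, "duckduckgo.com"))
```

Only the chain that starts at `https://duckduckgo.com/` comes back with no findings; the untampered shorthand chain reaches the right site but still reports the unauthenticated first hop, which is the point made in the comments.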