
I noticed that the default behavior of the Tor Browser is to use the POST method for all DuckDuckGo searches, even when that's not the default DuckDuckGo setting. At first I thought it'd be to protect the search query from the exit node, believing that TLS doesn't encrypt the HTTP headers, but I was wrong. I found that HTTP headers are encrypted if the site uses TLS certificates, which DDG does, and it's equally difficult for the exit node to figure out the query string no matter which method is used.

So what's the concern that Tor is trying to address by switching to POST?

If it helps, I've captured images of both the GET and POST request headers on DDG.

GET

[screenshot: GET request headers on DDG]

POST

[screenshot: POST request headers on DDG]

7_R3X
    Similar to https://security.stackexchange.com/questions/23479/use-http-post-for-google-search-queries and https://security.stackexchange.com/questions/33837/get-vs-post-which-is-more-secure – mti2935 Oct 12 '20 at 10:51

1 Answer


With POST the actual search is not part of the URL. It will thus not be visible in the Referer header to a potential remote side, and it will also not be part of the local history. See also this comment in the Tor issue tracker about the setup of DuckDuckGo in the Tor browser:

You should probably do a POST request here as the value of the searchTerms parameter will be leaked as part of the Referer header.

Steffen Ullrich
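To make the Referer leak described in the answer concrete, here is an added example (not code from the question, the answer, or the Tor project) that computes the Referer header a browser would attach when the user clicks a result link, for two referrer policies: `no-referrer-when-downgrade` (the historic default that applied when the Tor ticket was written) and `strict-origin-when-cross-origin` (the default in current Firefox and Chromium). The search URLs and the result URL are constructed sample values; the `q` parameter name and the `/html/` path are assumptions used only for illustration. A GET search puts the query string in the page URL, and any policy that sends the full URL hands that query to the site the user clicks through to; a POST search leaves the page URL free of the query, so there is nothing to leak even under the permissive policy.

```python
from urllib.parse import urlsplit, urlunsplit


def _origin(url: str) -> str:
    """Serialise the origin of a URL the way a Referer header carries it
    (scheme://host[:port]/ with a trailing slash, no path or query)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def referer_for(source_url: str, target_url: str,
                policy: str = "strict-origin-when-cross-origin"):
    """Return the Referer value (or None) a browser sends when navigating
    from source_url to target_url under the given Referrer-Policy.

    This is a simplified model of the Referrer Policy spec: fragments are
    always stripped, credentials in the URL are not handled, and only the
    four policies below are supported.
    """
    src = urlsplit(source_url)
    dst = urlsplit(target_url)
    # "Full" referrer: scheme, host, path and query, fragment removed.
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)

    if policy == "no-referrer":
        return None
    if policy == "origin":
        return _origin(source_url)
    if policy == "no-referrer-when-downgrade":
        # Full URL, including the query string, unless going HTTPS -> HTTP.
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else _origin(source_url)
    raise ValueError(f"unsupported referrer policy: {policy}")


def query_leaks(search_page_url: str, result_url: str, policy: str) -> bool:
    """True if the search page's query string would reach result_url."""
    query = urlsplit(search_page_url).query
    ref = referer_for(search_page_url, result_url, policy)
    return bool(query) and ref is not None and query in ref


# Constructed sample values: a GET-style results page (query in the URL)
# and a POST-style results page (query sent in the body, URL stays clean).
GET_SEARCH = "https://duckduckgo.com/?q=rare+medical+condition"   # assumed shape
POST_SEARCH = "https://duckduckgo.com/html/"                      # assumed path
RESULT_LINK = "https://example.org/article"                       # clicked result


def compare_methods(policy: str) -> dict:
    """Referer sent to the clicked result for both search methods."""
    return {
        "GET": referer_for(GET_SEARCH, RESULT_LINK, policy),
        "POST": referer_for(POST_SEARCH, RESULT_LINK, policy),
        "GET_leaks_query": query_leaks(GET_SEARCH, RESULT_LINK, policy),
        "POST_leaks_query": query_leaks(POST_SEARCH, RESULT_LINK, policy),
    }


if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(pol, compare_methods(pol))
```

Under `no-referrer-when-downgrade` the GET case sends `https://duckduckgo.com/?q=rare+medical+condition` to example.org while the POST case sends only `https://duckduckgo.com/html/`; under `strict-origin-when-cross-origin` both collapse to `https://duckduckgo.com/`. The switch to POST is therefore a defence that holds regardless of which referrer policy the browser or the search site ends up applying, and it also keeps the query out of the URL bar history, which a `Referrer-Policy` header alone does not address.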