Bug #12121

Switch to the DuckDuckGo .onion by default

Added by Kurtis 2017-01-08 12:13:47. Updated 2020-03-16 11:31:03.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-01-08
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Browser
Deliverable for:

Description

A little bit of discussion about this can be found here: https://labs.riseup.net/code/issues/6059

The last Tails release seemed to have removed the DuckDuckGo onion service as a secondary search option. Was there a security or other reason why it was removed and why the HTTPS version was used?


Related issues

  • Related to Tails - Feature #13599: Switch to the DuckDuckGo .onion by default (Rejected, 2017-08-06)
  • Has duplicate Tails - Feature #15473: Consider pointing the DuckDuckgo TBB searchbox to the .onion address (Duplicate, 2018-03-29)

History

#1 Updated by intrigeri 2017-01-09 10:44:08

  • Assignee set to anonym
  • QA Check set to Info Needed
  • Affected tool set to Browser

> The last Tails release seemed to have removed the DuckDuckGo onion service as a secondary search option. Was there a security or other reason why it was removed and why the HTTPS version was used?

anonym, any idea?

I see a browser/locales/en-US/searchplugins/ddg-onion.xml file on the tor-browser-45.6.0esr-6.0-1 branch of https://git.torproject.org/tor-browser.git.

#2 Updated by anonym 2017-01-09 21:20:02

  • Assignee deleted (anonym)

Ah. So what happened was that when I wrote the code for generating our own localized DDG search plugins, I wanted to remove the ones Tor Browser ships. In the section where we do that, all entries have a glob, so when I copy-pasted an old one it turned into rm .../ddg*.xml, which will remove the ddg-onion.xml one as well.

It’d be trivial to also generate localized DDG onion search plugins, but “also” is not something I’m sure about. Is it a meaningful user choice, or does it just add to user confusion? I think the latter. So, either we don’t do anything, or we switch to the onion for DDG instead. Using the onion is nice, as the comment Feature #6059#note-2 presents a case for, but I’d like actual measurements here — it’d be sad to switch the default search to something that is any slower than it is now, imho.
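The glob slip described in comment #2, reproduced as an added example (this is not Tails or Tor Browser build code, and not written by the commenter): a dry-run listing shows that ddg*.xml also matches ddg-onion.xml, and a removal helper with an explicit keep list avoids it. Only ddg-onion.xml is named on this page; the other file names and all function names are assumptions.

```shell
#!/bin/sh
# Constructed sample tree: only ddg-onion.xml is named on the page,
# the other file names are assumptions for illustration.
make_sample_dir() {
    sample=$(mktemp -d) || return 1
    for f in ddg.xml ddg-onion.xml startpage.xml; do
        : > "$sample/$f"
    done
    printf '%s\n' "$sample"
}

# Dry run: print (sorted, space-separated) what a pattern would match.
glob_matches() {    # $1 = directory, $2 = glob pattern
    (
        cd "$1" || exit 1
        for f in $2; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    ) | LC_ALL=C sort | paste -sd ' ' -
}

# Remove pattern matches, skipping every name on an explicit keep list.
remove_except() {   # $1 = directory, $2 = glob pattern, rest = names to keep
    target=$1; pattern=$2; shift 2
    (
        cd "$target" || exit 1
        for f in $pattern; do
            [ -e "$f" ] || continue
            keep=no
            for k in "$@"; do
                if [ "$f" = "$k" ]; then keep=yes; fi
            done
            if [ "$keep" = no ]; then rm -- "$f"; fi
        done
    )
}

# Stand-alone demonstration on a throwaway directory.
demo=$(make_sample_dir)
echo "ddg*.xml would remove: $(glob_matches "$demo" 'ddg*.xml')"
echo "ddg.xml would remove:  $(glob_matches "$demo" 'ddg.xml')"
rm -rf "$demo"
```

Running the dry-run listing in a build script before any rm with a copied glob makes this kind of unintended match visible at review time.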

#3 Updated by intrigeri 2017-01-25 13:32:09

  • Assignee set to anonym

> So, either we don’t do anything, or we switch to the onion for DDG instead.

ACK.

I see no reason to diverge from Tor Browser on this one, so let’s do the same as they do. That means using the Onion service, right?

#4 Updated by anonym 2017-02-17 13:06:00

  • Assignee changed from anonym to intrigeri

intrigeri wrote:
> > So, either we don’t do anything, or we switch to the onion for DDG instead.
>
> ACK.
>
> I see no reason to diverge from Tor Browser on this one

Well, both my suggestions diverge from the vanilla Tor Browser…

> so let’s do the same as they do.

… because they ship both DuckDuckGo and DuckDuckGoOnion…

> That means using the Onion service, right?

… with DuckDuckGo being the default.

In other words, the only way we currently diverge from vanilla Tor Browser is that we do not provide DuckDuckGoOnion.

My proposal is: we continue diverging from vanilla Tor Browser by only providing a single search engine plugin for DuckDuckGo. See my previous comment for the rationale.

If we decide to go with my proposal, what remains to be decided is: should we use the clearnet one (as we currently do) or switch to the onion (pro: e2e encryption + authentication, con: slower)?

Hope it’s crystal clear now!

#5 Updated by intrigeri 2017-02-17 16:23:31

  • Assignee changed from intrigeri to anonym

Hi!

> Well, both my suggestions diverge from the vanilla Tor Browser…
[…]
> … because they ship both DuckDuckGo and DuckDuckGoOnion…
[…]
> … with DuckDuckGo being the default.

> In other words, the only way we currently diverge from vanilla Tor Browser is that we do not provide DuckDuckGoOnion.

OK, thanks for clarifying! I was clearly not up-to-date wrt. the current state of things.

> My proposal is: we continue diverging from vanilla Tor Browser by only providing a single search engine plugin for DuckDuckGo. See my previous comment for the rationale.

I still agree :)

> If we decide to go with my proposal, what remains to be decided is: should we use the clearnet one (as we currently do) or switch to the onion (pro: e2e encryption + authentication, con: slower)?

I’ve looked into Tor’s Trac to try & understand why TB doesn’t default to the onion DDG. Here are my findings:

So I’m in favour of rejecting this ticket.

#6 Updated by anonym 2017-02-17 16:28:08

  • Status changed from New to Rejected
  • Assignee deleted (anonym)
  • QA Check deleted (Info Needed)

intrigeri wrote:
> So I’m in favour of rejecting this ticket.

Doing it!

#7 Updated by intrigeri 2017-09-01 13:16:34

  • related to Feature #13599: Switch to the DuckDuckGo .onion by default added

#8 Updated by intrigeri 2018-03-29 11:45:22

  • has duplicate Feature #15473: Consider pointing the DuckDuckgo TBB searchbox to the .onion address added

#9 Updated by sajolida 2019-06-02 10:12:43

If I understand correctly, both of Mike’s arguments against using the onion service in https://trac.torproject.org/projects/tor/ticket/19735#comment:1 depend on how it is implemented by DuckDuckGo. This was 3 years ago so maybe things have changed.

A next step could be to check if both arguments are still relevant today and otherwise reopen this ticket.

#10 Updated by intrigeri 2019-06-02 13:40:15

> A next step could be to check if both arguments are still relevant today and otherwise reopen this ticket.

If anyone wants to do this work, I’d rather see it happen upstream (trac.torproject.org) rather than in a Tails-specific place.

#11 Updated by kjuvle 2020-03-16 11:31:03

Looks like this is currently in progress upstream:

https://trac.torproject.org/projects/tor/ticket/21483