Feature #6059

Update DuckDuckGo

Added by Tails 2013-07-18 07:50:03. Updated 2014-09-21 11:34:20.

Status: Resolved
Priority: Normal
% Done: 0%
Type of work: Code

Description

In Tails, DuckDuckGo comes as default in Iceweasel and you’ve also added DuckDuckGo (SSL). But since we use HTTPS Everywhere these two search plugins work the same.

This is fixed in devel branch already. Thank you for the heads up anyway!

I recommend that you delete them both but add these two search plugins:

https://dl.dropbox.com/u/57167529/searchplugins.zip

  1. DuckDuckGo (Onion): http://3g2upl4pq6kufc4m.onion/html/
  2. DuckDuckGo (SSL): https://www.duckduckgo.com/html/

The hidden service (onion) will be much more secure than the other.

Please elaborate why it would be much more secure.

There will be no exit nodes used, so no man-in-the-middle attack, the search queries or the connection cannot be assigned to any IP (exit nodes). And we no longer have to trust them since Tor hidden services guarantee that. So yes, it’s not much more secure but better.

AFAIK impersonating a Tor hidden service is possible, given the relatively small (80 bits if I remember clearly) amount of identifying information conveyed by its hostname. Hence, it’s not clear to me that the .onion provides better protection against MitM than the (itself quite flawed) CA cartel way. Feel free to prove me wrong, though :)

If we’re using DuckDuckGo instead of Google, what’s more is to use DuckDuckGo Onion instead of DuckDuckGo. The only disadvantage is the speed.

Also another explanation would be if they created a hidden service there should be a good reason for that.

None that I was able to find an explanation to on their website. Anyway, we generally do not make decisions about Tails based on things like "there should be a good reason".

Both of them are the non-JS version of DuckDuckGo (/html/), so they work when JavaScript is disabled (the default won’t). Unlike the default, they use method="POST" and no queries are shown in the URL, which is better for privacy.

The feature/better_duckduckgo branch installs the official SSL, non-JS, Lite, POST version search plugin.

Merged into devel branch.

Done in Tails 0.11.

Why not install the HTML version? The Lite version is designed for mobile and HTML is the "Light" version for PC and visually looks better. All other features stay the same.

I agree and I made the switch in Git. Thanks for suggesting.
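
A check for the property discussed in the description above (query sent by POST rather than in the URL, over HTTPS or an onion service), as an added example that is not part of the ticket or of Tails' code. The plugin XML is constructed and assumes the OpenSearch 1.1 description layout with `Param` child elements; `audit_plugin` and the finding names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OS_NS = "{http://a9.com/-/spec/opensearch/1.1/}"

# Constructed sample plugins (not the files shipped in Tails).
GET_PLUGIN = """<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example GET</ShortName>
  <Url type="text/html" method="GET" template="http://search.example/?q={searchTerms}"/>
</OpenSearchDescription>"""

POST_PLUGIN = """<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example POST</ShortName>
  <Url type="text/html" method="POST" template="https://search.example/html/">
    <Param name="q" value="{searchTerms}"/>
  </Url>
</OpenSearchDescription>"""


def audit_plugin(xml_text):
    """Return a list of privacy findings for one search plugin definition."""
    findings = []
    root = ET.fromstring(xml_text)
    for url in root.iter(OS_NS + "Url"):
        if url.get("type") != "text/html":
            continue  # skip suggestion endpoints and other non-HTML result types
        template = url.get("template", "")
        method = url.get("method", "GET").upper()
        parts = urlsplit(template)
        host = parts.hostname or ""
        # Plain HTTP is readable beyond the exit node unless the host is an onion service.
        if parts.scheme != "https" and not host.endswith(".onion"):
            findings.append("cleartext-transport")
        # A query carried in the URL ends up in history, Referer headers and server logs.
        if "{searchTerms}" in template or method != "POST":
            findings.append("query-in-url")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("GET", GET_PLUGIN), ("POST", POST_PLUGIN)):
        print(name, audit_plugin(xml_text))
```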


Related issues

Related to Tails - Feature #13599: Switch to the DuckDuckGo .onion by default (Rejected, 2017-08-06)

History

#1 Updated by intrigeri 2013-07-19 01:25:45

  • Type of work set to Code

#2 Updated by broncospasm 2014-09-20 23:05:26

Does anyone have any thoughts about switching to the DuckDuckGo .onion by default? I was surprised this is not already the case.

Advantages:

  1. Traffic doesn’t travel over the Internet (HTTPS is not invulnerable).
  2. No added delay between exit node and DuckDuckGo, and no crowded exit nodes to get jammed up in.
  3. No worry about timing attacks on entry vs exit nodes by a well-funded attacker, because the request never leaves an exit node.

In prose: I can’t see major speed penalties coming from completing the entire request-response cycle inside the Tor network unless DuckDuckGo’s HS is DDoSed, and I do see a lot of anonymity improvements.

#3 Updated by broncospasm 2014-09-20 23:20:25

I don’t have the power to reopen this ticket, should I create a new one?

#4 Updated by BitingBird 2014-09-21 11:34:20

  • Description updated

You could open a new ticket about “Switch to the DuckDuckGo .onion by default”, type of work: discuss. It’s not the same issue, and this one has been solved, I won’t reopen the ticket.

#5 Updated by Anonymous 2018-01-19 10:32:16

  • related to Feature #13599: Switch to the DuckDuckGo .onion by default added