Forgot your password?
typodupeerror
Privacy Encryption Networking Your Rights Online

DuckDuckGo Search Engine Erects Tor Hidden Service 87

Posted by timothy
from the what-does-anonymous-want-to-see dept.
An anonymous reader writes "Viewable with Tor installed, search engine DuckDuckGo has erected a hidden service for secure, encrypted searches through the Tor network. While past attempts at hidden service search engines failed due to uptime or quality issues, DuckDuckGo marks the first time a real company operating a public search engine has offered a solid search engine as a hidden service for Tor users."
This discussion has been archived. No new comments can be posted.

DuckDuckGo Search Engine Erects Tor Hidden Service

Comments Filter:
  • by KingAlanI (1270538) on Saturday September 25, 2010 @02:08AM (#33695200) Homepage Journal

    Hidden erection ... hurr hurr hurr

  • GoodLuckWithThat (Score:3, Interesting)

    by rrohbeck (944847) on Saturday September 25, 2010 @02:17AM (#33695214)

    How long until it's going to be shut down because you can find nasty bits with it?

  • by Anonymous Coward

    Which is it?

    NSA?
    CIA?
    FBI?

    All of the above?

    Which of the social policing groups (with some Acronym name) do we have to thank for this search engine service?

    • Re: (Score:3, Insightful)

      by joe_garage (1664999)
      nah - this smacks of the Ohio State Police
    • by leuk_he (194174)

      Those are far more interested in tor exit nodes.

      1. They think those are the people who look up material that illegal
      2. Running a sniffer on a tor exit node gives all kind of traffic that is anonymous, but not encrypted.

      • by tepples (727027)

        Running a sniffer on a tor exit node gives all kind of traffic that is anonymous, but not encrypted.

        Doesn't HTTPS work over Tor? Oh wait, plenty of hobbyist sites don't have a TLS certificate to begin with, and a lot of sites (such as Slashdot) save CPU time by redirecting all HTTPS URLs to the corresponding HTTP URL except for payment pages.

        • Even when they do:

          A exit node can pretend to be the real site, and do a MITM attack. For simple joes you would just send the data unencrypted to the tos user and hope he does not notice it is an unencrypted page. (THIS HAS BEEN OBSERVED IN THE WILD!!!)

          3 letter agencies have their own root certificates and can reencrypt data that would be accepted by the browser as trusted. Only careful examinition of the certificate would show that is was issued by a differt CA.

          The whole point of TOR is that you cannot trus

    • by yegg (1908960)
      I'm behind it: http://ye.gg/ [ye.gg]
  • Fail. (Score:4, Interesting)

    by Anonymous Coward on Saturday September 25, 2010 @02:34AM (#33695266)

    "This site requires JavaScript"

    How stupid is that, for a Tor hidden service? Sure, it may well provide "secure, encrypted searches", but there's going to be no guarantee of privacy for so long as it demands script active to function.

    How is this better than using any other search engine via Tor? At least Google/Scroogle/Ixquick/[many others] don't require script to perform such a very basic task, so at least with those I can feel confident about retaining my privacy, in addition to performing similarly secure, encrypted searches.

    • by jack2000 (1178961)
      They just want to discover your real ip, hence the javascript.
    • Re: (Score:2, Funny)

      by rve (4436)

      You're an idiot. Stop posting.

      • Re: (Score:3, Insightful)

        by CarpetShark (865376)

        Why is that? Because you don't get why a Turing-complete language with internet access could be a security threat?

        • by julesh (229690)

          Why is that? Because you don't get why a Turing-complete language with internet access could be a security threat?

          It's only a security threat if you can't trust the site that the programs are originating from. Sure, this search engine *may* be able to dump a tracking code into their output and therefore break the TOR privacy[1], but you have to ask how likely to happen is this? And my answer: very unlikely.

          [1] Doing so is, however, hard, an not even obviously possible: the identifying information javascri

          • the identifying information javascript can access is rather limited

            Unfortunately, this is entirely wrong. For example, JavaScript can get your browser version, list of installed plugins, and whether you have visited certain sites quite easily. There are also a number of other things that you can do with JS to aid tracking.

            You can get some of this information without JS, of course, for example by providing various object or embed tags and seeing which ones are fetched.

            Of course, just because it's possible doesn't mean that DDG does it. They don't even use tracking i

          • by arndawg (1468629)
            The internet is only insecure if you don't trust the internet. Come one everybody. Let's trust the internet and share the love.
          • by drinkypoo (153816)

            It's only a security threat if you can't trust the site that the programs are originating from.

            That's right. And I don't trust it. I only want to use a privacy network that works even if I don't trust all the participants.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      "How stupid is that, for a Tor hidden service?"

      relax, it's new. let's all provide feedback to the admin of the site with the suggestion of improving it by disabling javascript for the hidden service. the tor website has extensive documentation about hidden services if you don't know what they are, go read. irc for tor devs and users: irc.oftc.net #tor

      duckduckgo hidden service had a topic on the Tor mailinglist (or-talk) public may read and subscribe to these at Tor's website, click on "Docs" at the top, scr

      • Re: (Score:3, Informative)

        by TheRaven64 (641858)

        did you write to the duckduckgo admin?

        I've been using DDG as my main search engine for a few months, and this is well worth doing. I've used the feedback link a couple of times, to report cases where the search results are poor or there's a glitch in the UI, and both times I've had a speedy reply and the issue has been fixed.

        Of course, this might mean that I'm the only person using DDG, but I hope not. They have a very good privacy policy and a much better UI than any of the other search engines that I've tried.

        I used Clusty for a bit, be

    • by yegg (1908960)
      A non-JS version is imminent.
  • by Anonymous Coward

    Yeah, a new search engine... It doesn't search hidden services, it just operates as a hidden service. If you want it to...

    Oh, and as noted above [slashdot.org] it requires JavaScript to see any more results than the first few.

  • by SharpFang (651121) on Saturday September 25, 2010 @04:10AM (#33695498) Homepage Journal

    Infamous 4chan often plays various jokes on the users - like "wordfilters", you post one word, the post contains another. You write "moot", your post contains "doug" and so on. Over some time 4chan wordfiltered "loli" to "duck". The anonymous liked the joke so much that once it was removed, users kept posting "links to duck porn" and so on.

    I can't help but think there's a connection.

    • by Trepidity (597) <delirium-slashdo ... org minus author> on Saturday September 25, 2010 @04:52AM (#33695592)

      That was a SomethingAwful practice that 4chan later picked up, iirc. Possibly predates SA as well, but I think they popularized it on webforums, at least.

      • Nonsense, everything cool starts on 4chan, why they invented rickrolling, lolcats, fire, the wheel, penicillin, the theories of evolution and relativity and even putting videos up of your favourite songs along with shitty kids cartoons featuring stupefyingly wide swords. Youtube and the rest of the web just follow along centuries behind the times.

        Before the trolltards come a-flaming me about the accuracy of my post or lack thereof, consider the tone of irony that many lack basic understanding off these d
        • Re: (Score:3, Informative)

          by SharpFang (651121)

          rickroll was a variation of duckroll, which in turn came to life after 'loli'='duck' was removed, but in turn 'duck' was wordfiltered to 'egg'. thus eggroll-duckroll...

    • > 4chan

      Yeah, everything on the internet is connected to 4chan, right.

      Maybe you think to much about 4chan or loli or zoo sex. Huh, zoo sex? You haven't mentioned zoo sex in your post, at all.

      No, but you have set your fucking /. homepage link to your personal zoo sex / furry page!!! WTF!?

      WTF, dude!?

  • Tor is compromised (Score:5, Interesting)

    by Iamthecheese (1264298) on Saturday September 25, 2010 @08:46AM (#33696158)
    Tor is compromised by the US government. So go have fun on it but fon't get too cocky.
    linky (warning:.pdf) [colorado.edu]
    linky [wordpress.com]
    linky [slashdot.org]
    • by bmajik (96670) <matt@mattevans.org> on Saturday September 25, 2010 @01:13PM (#33697492) Homepage Journal

      Thanks for posting this. The Colorado paper is the key thing to read.

      Once I read that tor chose nodes according to an algorithm, and that the data used by that algorithm was not verified, and that this was done in the name of "performance", I could see where things were going in that paper. It was a "doh!" moment to be sure.

      It strikes me that for the things I'd want to use tor for, _really_ important things (i.e. not media piracy), high bandwidth and low latency are both unimportant. Privacy is more important. I don't want to download a dvd over tor, I want to send a short encrypted email to my conspirators.

      For such an application, I'd prefer onion routing that was buried in a covert channel.. something that didn't even look like a message at all. Something where the routing and the noise were both random, and the payload was simply lost in the mix. A factor of 10:1 or even 100:1 "Garbage" to "payload" would be fine for the average email or image.

  • by theskipper (461997) on Saturday September 25, 2010 @09:58AM (#33696468)

    I registered a domain a while back for an bike hobbyist site that I wanted to start. Nothing major, just swap tips and meetups to help out the community.

    Over the next few months I started getting random emails from some users that my site was "infected" and "hacked", etc. The first thought was that their machines were infected so I didn't think much of it. But I checked to see if there was anything wrong with my server and everything looked ok.

    Next thought was that somehow I got stuck in one of the Google filters in the SERP (i.e. "visiting this site may harm your computer") . Again, no evidence that was the case.

    So I emailed back to a couple of the folks that reported the problem and asked for a screenshot of exactly they were seeing. Sure enough I get a browser screenshot back that has DuckDuckGo plastered all over it, warning about how my site was not to be trusted.

    After some more research, it turns out that anyone browsing with the Duck Duck Go toolbar is hooked into a database at ivegotafang.com (also maintained by the Duck Duck Go folks). It acts as a net nanny and filters out parking pages and other "unsavory" sites on the fly. Sure enough, since the domain I used had previously been parked, it was still flagged as evil.

    To get out of the database you're supposed to go to the site and basically beg to be removed. On principle there was no way I was going to stoop to this level so I just told my users the story and to uninstall the Duck Duck Go toolbar. Everything was fine after that.

    Of course there are very few people using the Duck Duck Go search engine, let alone the toolbar. But the bigger issue is whether this behavior should be encouraged. This isn't like a net-nanny filter for porn. It's for something as innocent as a parking page which lots of sites resolve to while being developed.

    With Google a parked page simply doesn't show up in the index and they reeevaluate periodically. Duck Duck Go says they also reevaluate but that obviously wasn't the case for my site. The warning page is essentially a manifestation of guilty until proven innocent.

    What if there were a hundred for-profit companies like Duck Duck Go, and for each one you were responsible for their erroneous results? And what if you were running a business and just one of your customers saw that screen and started spreading the word that my business can't be trusted because of a false positive on Duck Duck Go? Then you're on the hook for spending hours trying to undo the damage, not Duck Duck Go. Good luck with that.

    Soapbox off. Imho, the whole Duck Duck Go thing is nasty and should be avoided at all costs.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      TL;DR: They tried to do something good for their users, implemented it slightly wrong which affected you in a minor way.

      Telling thousands of users that they are nasty and should be avoided sounds like an appropriate response.

    • by ukemike (956477)
      Would incorrectly listing a site as untrustworthy count as defamation?
    • by CSMatt (1175471)

      To get out of the database you're supposed to go to the site and basically beg to be removed. On principle there was no way I was going to stoop to this level so I just told my users the story and to uninstall the Duck Duck Go toolbar. Everything was fine after that.

      How exactly is telling Duck Duck Go that your site was incorrectly blocked such a bad thing? So they screwed up. Instead of telling them of the problem and at least giving them the benefit of the doubt that despite their best intentions the reevaluation did not work as advertised, and that they will genuinely try and fix it as well as ensure that their system doesn't allow this to happen again, you immediately tell your visitors that Duck Duck Go is crap*, and not even bother to try and sort out the matte

    • Re: (Score:2, Informative)

      by yegg (1908960)
      Thx for the feedback. That toolbar is no longer available. The sites it was flagging were parked pages. What happened was is that there was a delay between registration and when the bot could check it out, but it would have been removed automatically. I'm sorry for the inconvenience this caused you.
  • Can someone explain specifically what's special about this? How is this any better than using Tor yourself to search through any other search engine? Presumably, as long as you don't reveal personal information, your searches will be anonymous anyway. If that's the case, how does being able to point your browser to a *.onion domain to access a given service help - is it somehow more anonymous?

    (please don't read sarcasm into my question - I'm actually interested to know this).

    • I don't know what's special about it, either; Tor services are interesting, but in this case they don't make a lot of sense. Tor usually prevents the server (and others) from determining the identity of the client. Tor hidden services extend this protection to the server itself, ie. you can access a site in the onion domain (if it works) without having any reliable way to determine the site's IP. The client's IP is unknown in both cases, so no, it's not more anonymous in that respect. I don't see the point

    • Default Tor traffic, for normal websites like google.com, go through exitnodes. At the exitnodes, everything needs to be decrypted unless it's ssl or similarly encrypted at the application layer. Additionally the traffic is also directed to the REAL IP address. Combined with cleartext, it is quite a big risk actually.

      Basically, an exitnode needs the decrypted data for usual http / decrypted traffic, and is a heaven for snoopers and adversaries wanting to do man in the middle-attacks. Even SSL becomes insecu

Happiness is a positive cash flow.

Working...