DuckDuckGo Search Engine Erects Tor Hidden Service
An anonymous reader writes "Viewable with Tor installed, search engine DuckDuckGo has erected a hidden service for secure, encrypted searches through the Tor network. While past attempts at hidden service search engines failed due to uptime or quality issues, DuckDuckGo marks the first time a real company operating a public search engine has offered a solid search engine as a hidden service for Tor users."
GoodLuckWithThat (Score:3, Interesting)
How long until it's going to be shut down because you can find nasty bits with it?
Fail. (Score:4, Interesting)
"This site requires JavaScript"
How stupid is that, for a Tor hidden service? Sure, it may well provide "secure, encrypted searches", but there's going to be no guarantee of privacy for so long as it demands script active to function.
How is this better than using any other search engine via Tor? At least Google/Scroogle/Ixquick/[many others] don't require script to perform such a very basic task, so at least with those I can feel confident about retaining my privacy, in addition to performing similarly secure, encrypted searches.
Comment removed (Score:4, Interesting)
Re:GoodLuckWithThat (Score:3, Interesting)
Well, unlike other TOR servers, where anonymity hides the server's location, it's pretty obvious who's hosting this server. The Government would just be like "Hey...stop it."
That's how.
And all they have to do is leak their database and TOR configuration files, and suddenly anyone can run it, and seamlessly for anyone using the TOR service URL. And as long as they lay the groundwork in advance, they can even deny having done it: an appropriate rootkit on their server should suffice to cast doubt on any evidence against them.
Tor is compromised (Score:5, Interesting)
linky (warning: .pdf) [colorado.edu]
linky [wordpress.com]
linky [slashdot.org]
Duck Duck Go should be avoided - Here's why (Score:4, Interesting)
I registered a domain a while back for a bike hobbyist site that I wanted to start. Nothing major, just swap tips and meetups to help out the community.
Over the next few months I started getting random emails from some users that my site was "infected" and "hacked", etc. The first thought was that their machines were infected so I didn't think much of it. But I checked to see if there was anything wrong with my server and everything looked ok.
Next thought was that somehow I got stuck in one of the Google filters in the SERP (i.e. "visiting this site may harm your computer"). Again, no evidence that was the case.
So I emailed back to a couple of the folks that reported the problem and asked for a screenshot of exactly what they were seeing. Sure enough I get a browser screenshot back that has DuckDuckGo plastered all over it, warning about how my site was not to be trusted.
After some more research, it turns out that anyone browsing with the Duck Duck Go toolbar is hooked into a database at ivegotafang.com (also maintained by the Duck Duck Go folks). It acts as a net nanny and filters out parking pages and other "unsavory" sites on the fly. Sure enough, since the domain I used had previously been parked, it was still flagged as evil.
To get out of the database you're supposed to go to the site and basically beg to be removed. On principle there was no way I was going to stoop to this level so I just told my users the story and to uninstall the Duck Duck Go toolbar. Everything was fine after that.
Of course there are very few people using the Duck Duck Go search engine, let alone the toolbar. But the bigger issue is whether this behavior should be encouraged. This isn't like a net-nanny filter for porn. It's for something as innocent as a parking page which lots of sites resolve to while being developed.
With Google a parked page simply doesn't show up in the index and they reevaluate periodically. Duck Duck Go says they also reevaluate but that obviously wasn't the case for my site. The warning page is essentially a manifestation of guilty until proven innocent.
What if there were a hundred for-profit companies like Duck Duck Go, and for each one you were responsible for their erroneous results? And what if you were running a business and just one of your customers saw that screen and started spreading the word that my business can't be trusted because of a false positive on Duck Duck Go? Then you're on the hook for spending hours trying to undo the damage, not Duck Duck Go. Good luck with that.
Soapbox off. Imho, the whole Duck Duck Go thing is nasty and should be avoided at all costs.
Re:Tor is compromised (Score:4, Interesting)
Thanks for posting this. The Colorado paper is the key thing to read.
Once I read that Tor chose nodes according to an algorithm, and that the data used by that algorithm was not verified, and that this was done in the name of "performance", I could see where things were going in that paper. It was a "doh!" moment to be sure.
It strikes me that for the things I'd want to use Tor for, _really_ important things (i.e. not media piracy), high bandwidth and low latency are both unimportant. Privacy is more important. I don't want to download a DVD over Tor, I want to send a short encrypted email to my conspirators.
For such an application, I'd prefer onion routing that was buried in a covert channel... something that didn't even look like a message at all. Something where the routing and the noise were both random, and the payload was simply lost in the mix. A factor of 10:1 or even 100:1 "Garbage" to "payload" would be fine for the average email or image.