

DuckDuckGo privacy: A search engine that doesn’t track its users - rpm4321
http://www.slate.com/articles/health_and_science/new_scientist/2013/06/duckduckgo_privacy_a_search_engine_that_doesn_t_track_its_users.html

======
mortehu
Note that DuckDuckGo doesn't use Diffie-Hellman for its key exchange, so if
someone gets ahold of their private keys once, they can decrypt all previously
captured traffic as well as all future traffic. It seems they use the same
certificates for a year at a time.

~~~
isaacaggrey
> Note that DuckDuckGo doesn't use Diffie-Hellman for its key exchange,

Source?

~~~
mortehu
Open [https://duckduckgo.com/](https://duckduckgo.com/) in your web browser
and click on the green padlock. Note that the certificate is from 2012, and
that the key exchange method is RSA.

~~~
js4all
I never heard that that's a problem. I checked several popular sites, Google,
Amazon, Apple, Bank of America. They all use RSA.

Do you have examples of a secure site (under this aspect) and background info?

~~~
mortehu
Are you sure? google.com uses ECDHE_RSA here.

 _eta:_ You also asked for background info. It's been discussed on Hacker News
recently:
[http://en.wikipedia.org/wiki/Perfect_forward_secrecy](http://en.wikipedia.org/wiki/Perfect_forward_secrecy)

~~~
js4all
> Are you sure? google.com uses ECDHE_RSA here.

You are right about google.com, the others still use RSA.

Thanks for the background info. Maybe SSLLabs should take this into account
when doing their tests. Until now they make no difference between DH and RSA.
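
Added example, not part of the original thread: a toy model of the difference discussed above between RSA key exchange and ephemeral Diffie-Hellman (the ECDHE_RSA case, modelled here with plain DH) when the server's long-term private key leaks after traffic was recorded. All parameters, function names and the XOR "cipher" are constructed for illustration and are far too small and simple for real use.

```python
import hashlib, secrets

# Toy parameters, constructed for this example; far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**31 - 1, 2**61 - 1, 65537      # server's long-term RSA key
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))      # the long-term private key
DH_P, DH_G = 2**127 - 1, 3                             # toy Diffie-Hellman group

def seal(secret: int, data: bytes) -> bytes:
    """XOR data with a keystream derived from the session secret (toy cipher)."""
    stream = hashlib.shake_256(str(secret).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def rsa_session(msg: bytes) -> dict:
    """RSA key exchange: the client encrypts the session secret to the server key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    return {"kx": "RSA", "enc_premaster": pow(premaster, RSA_E, RSA_N),
            "ciphertext": seal(premaster, msg)}

def dhe_session(msg: bytes) -> dict:
    """Ephemeral DH: the RSA key only signs; a and b are discarded afterwards."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % RSA_N
    shared = pow(B, a, DH_P)  # equals pow(A, b, DH_P) on the server side
    return {"kx": "DHE_RSA", "A": A, "B": B, "sig": pow(digest, RSA_D, RSA_N),
            "ciphertext": seal(shared, msg)}

def decrypt_capture(capture: dict, leaked_d: int):
    """What a later leak of the long-term key yields for a recorded session."""
    if "enc_premaster" in capture:
        premaster = pow(capture["enc_premaster"], leaked_d, RSA_N)
        return seal(premaster, capture["ciphertext"])
    # DHE: the capture holds only public values and a signature; the private key
    # can check (or forge) signatures, but the session secret was never sent.
    return None
```

With RSA key exchange every recorded session falls to the one long-term key; with the ephemeral exchange that key only authenticates the server, so recorded sessions stay sealed once `a` and `b` are gone.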

------
salimmadjd
Has anyone independently verified their claim? What better way to identify
"people of interest" than to advertise a site that doesn't track you and then
see which people use it and then track them. Talk about solving finding the
needle in the hay, let people self-flag themselves.

~~~
m-r-a-m
Their main feature is privacy, so if news came out that they were actually
tracking users, it would pretty much destroy the business. Given that, it
would make @yegg really vulnerable to blackmail by employees.

~~~
salimmadjd
Again, I advertise I'm not sharing data and everyone buys up into it without
verifying. I have asked friends at Facebook about sharing data with NSA, their
response is FB is very transparent and someone would have seen it. So it's
very possible they share data and their employees don't know. I hate to use
this phrase: trust but verify.

------
tomwilson
Every time I've thought about using ddg instead of google, I last about one day
because it's not very good :(

------
parliament32
A search engine that _claims it_ doesn't track its users.

