
PRISM fears give private search engine DuckDuckGo its best week ever - denzil_correa
http://venturebeat.com/2013/06/13/prism-fears-give-private-search-engine-duckduckgo-its-best-week-ever/
======
paulsutter
It's not safe to assume the NSA doesn't log DDG searches. Look at the PRISM
logo - it's a beam splitter. Read the slide, look at the "Upstream" portion.

[http://commons.wikimedia.org/wiki/File:Upstream_slide_of_the...](http://commons.wikimedia.org/wiki/File:Upstream_slide_of_the_PRISM_presentation.jpg)

They're logging all your URLs and headers. How much are you willing to bet
they can't decrypt https? I don't understand why all the hubbub _is focused
solely_ on direct server access (the bottom half of the slide), when "Upstream"
access is just as big a concern.

EDIT: rephrased my concern about direct vs upstream

~~~
jerf
"How much are you willing to bet they can't decrypt https?"

I'd bet quite a bit, though not "my life", that they do not have a generalized
"read everything" ability for all forms of SSL. They may have what
cryptographers would call "a crack", but that's a low bar, and doesn't prove
they have a practical attack.

However, DDG is currently using 128-bit RC4, which is very weak. [1] I
wouldn't care to bet anything that the NSA doesn't have an RC4 cipher crack
that is practical to run on wide swathes of traffic.

RC4 is very popular, which I believe is because some people claimed it was a
defense against the BEAST attack. I researched this for work, and I couldn't
find anyone whom I _trusted_ saying that was a good mitigation. The people I
_trusted_ merely observed that RC4 was not vulnerable, but never said you
should switch to it. Only secondary sources ever suggested that. My conclusion
was that there was a reason for the primary sources never suggesting that; in
response to a theoretical break of the rest of SSL, the correct move was not
to move to a solution that had much more practical attacks already known than
what BEAST demonstrated. But now it's even sillier; BEAST has been either
entirely or almost entirely mitigated in browsers (there's no _server_-side
defense against BEAST, but there's a client-side one you can use, and browsers
now have it). As far as I can tell, RC4 should be abandoned and we should
resume using stronger ciphers for SSL. Anyone still concerned about BEAST
should update their browser.

[1]: [http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/](http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/)

~~~
icebraining
OTOH, if they can get a CA - _any_ CA - to cooperate, they can MITM anyone
without having to break SSL.

~~~
lessnonymous
Do they need to MITM? If they have a copy of the private key, can't they just
use it to decrypt the data .. even old data for which they've only just
acquired the key?

~~~
soitgoes
Having the root CA's private key doesn't give them access to the end entity's
private keys. When you ask a CA for a cert, you only provide them with your
public key (in the form of a CSR) for them to sign. The CSR does not contain
the private key.

~~~
mtrimpe
But getting an employee to hand over the private key and giving him a gag
order afterwards is an option of course.

~~~
pilsetnieks
[https://en.wikipedia.org/wiki/Perfect_forward_secrecy](https://en.wikipedia.org/wiki/Perfect_forward_secrecy)

[https://en.wikipedia.org/wiki/ECDHE](https://en.wikipedia.org/wiki/ECDHE)

Google is using it, a few other sites, too, though they are in the minority.
OpenSSL has supported it since version 1.0.0, which was released in March 2010.
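
The two weaknesses discussed in the replies above (RC4 suites, and key exchanges without forward secrecy, which ECDHE fixes) can be checked against a real OpenSSL cipher configuration. The following is an added example written for this page, not code from DuckDuckGo or OpenSSL. It uses only Python's standard-library `ssl` module; the sample cipher list and the "hardened" policy string are assumptions of the example, not a quoted configuration from any site.

```python
"""Audit a cipher configuration for RC4 and for non-forward-secret key exchange.

Added example for this discussion, not code from DuckDuckGo or OpenSSL.
Uses only the standard-library ``ssl`` module; the policy strings and the
sample cipher list below are constructed for the example.
"""
import ssl

# Key exchanges that give forward secrecy: ephemeral (EC)DH.  TLS 1.3 suites
# report "kx-any" because the protocol only ever negotiates ephemeral (EC)DH.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def audit_ciphers(ciphers):
    """Return (cipher_name, problem) findings for a list of cipher dicts.

    Each dict is shaped like an entry of ssl.SSLContext.get_ciphers():
    'name', 'symmetric' (bulk cipher) and 'kea' (key exchange) are used.
    """
    findings = []
    for c in ciphers:
        name = c["name"]
        symmetric = (c.get("symmetric") or "").lower()
        kea = (c.get("kea") or "").lower()
        # The stream cipher itself is the problem, whatever the rest of the suite.
        if "rc4" in symmetric or "RC4" in name.upper():
            findings.append((name, "RC4 stream cipher"))
        # Static RSA key exchange: a later key compromise decrypts recorded traffic.
        if kea not in FORWARD_SECRET_KX:
            findings.append((name, f"no forward secrecy ({kea or 'unknown kx'})"))
    return findings


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and audit the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return audit_ciphers(ctx.get_ciphers())


# Constructed sample resembling a 2013-era RC4-first configuration, in the
# shape get_ciphers() returns (fields the audit does not need are omitted).
SAMPLE_2013_STYLE = [
    {"name": "RC4-SHA", "symmetric": "rc4", "kea": "kx-rsa"},
    {"name": "AES128-SHA", "symmetric": "aes-128-cbc", "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm", "kea": "kx-ecdhe"},
    {"name": "TLS_AES_256_GCM_SHA384", "symmetric": "aes-256-gcm", "kea": "kx-any"},
]

# Assumed hardened policy: ECDHE only, AEAD bulk ciphers, RC4/MD5/anonymous excluded.
HARDENED_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"


if __name__ == "__main__":
    for name, problem in audit_ciphers(SAMPLE_2013_STYLE):
        print(f"sample config: {name}: {problem}")
    print("hardened policy findings:", audit_cipher_string(HARDENED_POLICY))
```

The sample list yields three findings (RC4-SHA twice, AES128-SHA once: static RSA key exchange means traffic recorded today is readable by whoever obtains the server key later, which is exactly the concern raised about handing over private keys); the hardened string yields none, because every TLS 1.2 suite it allows uses ECDHE and the TLS 1.3 suites are forward-secret by construction.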

------
oinksoft
I ceased using Google search except as a last resort when this story broke,
and I had no idea what I had been missing out on with DDG: _Excellent keyboard
navigation_. Also, DDG's results compared to a year ago are night-and-day. It
seems to listen to my keywords better than Google did too, a growing annoyance
I had. If you haven't, you really should try out DDG for a week.

~~~
jpdoctor
> Also, DDG's results compared to a year ago are night-and-day.

Still looks 2nd rate. I replicated one of my last searches (learning rails):
rails find if element is in array

First hit on google is the stackexchange answer with .include? (which I was
spacing-out on)

DDG yields the Array docs, which is correct but is a helluva lot of info when
I'm looking for a concise answer.

~~~
boomzilla
This is most likely because Google has more user behavior data than DDG. If
enough people use DDG and click on the StackExchange link for that query (or
similar queries), DDG will be able to get that to the top.

On the other hand, does DDG just use the Bing API, and does only Blekko crawl
the web? Or do I get my search engines mixed up?

~~~
greglindahl
That's correct, blekko does have our own multi-billion page crawl and index.
And we're private, too.

Every web search engine depends on one of these indexes: google, bing, blekko,
yandex, baidu.

~~~
boyter
Don't forget Gigablast, Procog, Yioop and Samuru which also have their own
crawled index.

~~~
greglindahl
If you think those are viable sources of results, then by all means include
them.

~~~
boyter
Personally I don't, but it should be noted that there are other indexes
besides what you have mentioned. That said Samuru and Procog are pretty
interesting.

------
aacook
This is great news for DuckDuckGo and I'm all for it, however, DuckDuckGo
isn't completely private right? From what I see, DuckDuckGo obtains much of
its data from 3rd parties, such as Bing/Microsoft and Yahoo.
[http://help.duckduckgo.com/customer/portal/articles/216399-s...](http://help.duckduckgo.com/customer/portal/articles/216399-sources)

"While our indexes are getting bigger, we do not expect to be wholly
independent from third-parties. Bing and Google each spend hundreds of
millions of dollars a year crawling and indexing the deep Web. It costs so
much that even big companies like Yahoo and Ask are giving up general crawling
and indexing. Therefore, it seems silly to compete on crawling and, besides,
we do not have the money to do so. Instead, we've focused on building a better
search engine by concentrating on what we think are long-term value-adds --
having way more instant answers, way less spam, real privacy and a better
overall search experience."

~~~
jaryd
While we do use 3rd parties to fulfill some of our organic results we always
make those calls from _our_ machines. We never pass along IP addresses. This
means that while our other sources might see your queries, they are not tied
with PII (personally identifiable information).

~~~
aacook
I misunderstood. Excellent.

------
jpdoctor
Why would anyone believe that DuckDuckGo isn't already penetrated?

~~~
marshray
Why would anyone believe his own computer isn't already penetrated?

~~~
kostya-kow
Because I am running GNU/Linux.

~~~
bigiain
Why do you trust any binaries you've got? Where did your first-
use/bootstrapping compiler come from?

And even if you wrote your own OS and compiler from the ground up - who wrote
your BIOS? Your network card firmware? Your disk controller software? Your CPU
microcode?

We _all_ abdicate our trust-chain _somewhere_.

~~~
brvs
This is why it's important to look at PRISM as a political issue and not
merely a technical one, like I see a ton of people doing now. The best
solution to government spying isn't to tell everyone to use Linux and
DuckDuckGo, it's to change the spying itself.

~~~
dredmorbius
There's no reason you can't apply both tactics.

Shifting use away from, as Bruce Schneier puts it, feudal architectures, both
puts the Government on notice that its methods aren't appreciated, and creates
a damaged class (the SAAS feudal lords: Google, Facebook, AWS, Apple,
Salesforce, and others) who can petition the government to lay off the tactics
as it's hurting business.
[https://www.schneier.com/blog/archives/2013/06/more_on_feuda...](https://www.schneier.com/blog/archives/2013/06/more_on_feudal.html)

Hell, push this hard enough and a sufficiently feasible decentralized VOIP
might become common enough to put the WiFi carriers out of the voice
business, relegated to carrying encrypted bits. They might know your handset
location, your data usage, and the Tor entry point you're using, but that's
it. It's something I've been giving thought to.

------
josteink
Things like PRISM make me completely want to back out of the Google
ecosystem.

Part of that would be replacing Gmail. That can be done, but what good (free)
options exist for a webmail solution?

I'd also love this instant to cut gtalk (or "hangouts" which it is called now.
hopeless), but Google just declared hate on XMPP, so setting up your own node
will land you on your own tiny island.

The trend is clear though: Google is stuffing the exit-holes while the US
government is requiring more and more of Google's data.

If you haven't started moving out yet, you better get started. And for the
love of God, ditch Chrome. Support someone who supports the open web and
respects your privacy.

------
rosser
An observation: Ghostery blocked _22 trackers_ on this article.

Does it somehow make tracking my every move online okay if it's done for
profit?

EDIT: phrasing.

~~~
devindotcom
I know, it's ridiculous. But people do want to see how many likes the story
has, and cross-service comments are pretty next-wave, so you have to have
widgets now for 5 social sites, 7 comment systems, global analytics, live
analytics, sitewide ad, contextual ad, site cookie and maybe add two more
because I haven't thought of them... that's 19 right there!

We really need something better than having these MASSIVE amounts of callouts.
It's like those pictures of Internet Explorer totally taken over by toolbars,
except it's a different set on every single site on the web. Bah!

~~~
gohrt
It turns out that if you block all the trackers and 3rd party widgets, the
website continues to function as the user desires, and nothing of value is
lost.

~~~
rosser
For some sites, yes. Space.com and Business Insider are two that I've noticed
tend not to work if some of their trackers are blocked.

------
arindone
Anyone going to say it? DuckDuckGo searches are still really low quality. I
WANT them to be a legitimate competitor in the space (in fact, I've been
having similar hopes for Bing for years) but it's just not there yet.

------
rednukleus
Glad to see them succeeding, but personally the privacy of my web searches
doesn't bother me - as long as they aren't being passed along with personally
identifying information. I'm far more worried about emails, messaging, video,
storage etc.

Can someone explain to me (or point me in the direction of something that
explains) what Google and Bing store in terms of tracking when you are not
logged in?

Obviously you can use VPNs or TOR to be really safe, but do you need to go
that far if you want an untracked search on Google and Bing?

~~~
elorant
TOR is not that safe. If the exit node is compromised you’re f*cked for good.

As for Google the thing is that they’re also an advertising network so
basically they track you all around the web.

~~~
icebraining
_If the exit node is compromised you’re f*cked for good._

It's not that simple, otherwise there wouldn't be any value in using an Onion
architecture. Assuming you're using HTTPS, which every decent search engine
supports, they either also need to create a fake but acceptable certificate
for the domain, or to also control entry nodes _and_ match the entering
requests with the exit ones.

The NSA might be able to do it, but it's not just a matter of controlling an
exit node.

------
mikemoka
I like DDG, but has it ever mentioned how this TRACKING data is used?

[http://duckduckgo.com/l/?kh=-1&uddg=http%3A%2F%2Fwww.dmv.org...](http://duckduckgo.com/l/?kh=-1&uddg=http%3A%2F%2Fwww.dmv.org%2Fpractice-tests%2F)
(every time you click on a search result you actually click on a link like
this, which redirects you to the actual page)

Is it just for pagerank?

~~~
boyter
It might be used internally for additional ranking signals. But the privacy
policy states it can never be tied back to you as an individual so nothing to
worry about.

From memory the main reason they do this is to allow downstream websites to
determine if a user was referred to them by DuckDuckGo without the actual
search term. I.e. you know they came from DDG but with no leakage.

I run searchcode.com (which provides a lot of the code doco and sample
results) and since this was done I can now determine how much referral traffic
actually comes from DDG but have no idea what you were searching for when you
click through.

------
dgesang
Here is a non-US-based alternative:
[https://startpage.com](https://startpage.com)

~~~
umsm
Just because they say they don't collect your info, it doesn't mean that
google doesn't get it.

Look at the source of a search page and you'll notice that they include
scripts directly from google.com...

~~~
babby
Google assuredly gets info, just not from the user. There aren't any google
requests from Firebug's net tab, either, so perhaps you are mistaken.

~~~
umsm
Google knows what you were searching for, when, and for how long...

------
WestCoastJustin
You can see the stats here:
[http://duckduckgo.com/traffic.html](http://duckduckgo.com/traffic.html)

------
beefsack
It's been around for a long time, but I really love the TTY mode of DDG:
[https://duckduckgo.com/tty/](https://duckduckgo.com/tty/)

------
mratzloff
Whenever I think about DDG, I think "Oh, you think Gabriel Weinberg suddenly
cares about your privacy after he sold a truckload of user information to
Classmates.com?"

------
lurkinggrue
Not that this is going to help. The NSA is probably tapping the fiber at the
ISP's backbone in front of Google.

Why do you think it is called PRISM? It's probably named for the way they are
splitting the fiber and recording everything.

~~~
adamtj
In the case of DDG, that would be difficult. DDG uses SSL. If you make a
mistake and type "duckduckgo.com" instead of "https://duckduckgo.com", it will
automatically redirect you to the secure page. Unfortunately, that redirect
gives a man-in-the-middle an opportunity to hijack your connection, even with
SSL; however, that's tricky enough that it's hard to imagine anyone pulling it
off without ever being noticed.

~~~
jackpirate
> Unfortunately, that redirect gives a man-in-the-middle an opportunity to
> hijack your connection, even with SSL

As long as the SSL cert isn't compromised, I don't see how this is possible.

~~~
enoch_r
The initial request/redirect response is insecure. So a MITM can intercept the
redirect response and replace it with his own content. That content could be,
for example, a 200 response status and HTML pulled from the attacker's HTTPS
connection to the target site.

So rather than being redirected to a secure connection, I happily communicate
with the attacker instead.

~~~
jackpirate
But a redirect would change the status bar, right? So presumably it would
still be pretty noticeable.
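
The redirect flow adamtj and enoch_r describe above, and the client-side mitigation for it (HSTS: once a browser has seen the `Strict-Transport-Security` header over TLS, it rewrites later `http://` navigations to `https://` before anything is sent, so there is no plaintext request for a man-in-the-middle to answer), as an added example written for this page rather than code from DuckDuckGo or any browser. The origins, responses and header values are constructed samples; `HstsStore` and `fetch()` are this example's own simplified model of browser behaviour, and `attacker_on_path` is just a flag that models the failure mode from the thread.

```python
"""Model of the HTTP-to-HTTPS redirect and of HSTS, the client-side fix.

Added example for this discussion, not code from DuckDuckGo or a browser.
The origins, responses and header values below are constructed; HstsStore
and fetch() are a deliberately small model of what a browser does.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the plaintext origin only redirects, the TLS origin
# serves the page and asks the client to remember it as HTTPS-only.
SAMPLE_RESPONSES = {
    "http://search.example/": (301, {"Location": "https://search.example/"}, ""),
    "https://search.example/": (
        200,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        "<html>real results</html>",
    ),
}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


class HstsStore:
    """In-memory stand-in for the browser's HSTS cache."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def record(self, host, header):
        max_age, subs = parse_hsts(header)
        if max_age is None:
            return  # malformed header: ignored, as browsers do
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 means "forget this host"
        else:
            self._entries[host] = (self._now() + max_age, subs)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, is unexpired."""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def upgrade_if_known(url, store):
    """Rewrite http:// to https:// before anything is sent, if HSTS applies."""
    p = urlsplit(url)
    if p.scheme == "http" and p.hostname and store.is_known(p.hostname):
        return urlunsplit(("https", p.netloc, p.path or "/", p.query, p.fragment))
    return url


def fetch(url, store, responses=SAMPLE_RESPONSES, attacker_on_path=False):
    """Simulate a navigation; return (URLs put on the wire, body received).

    attacker_on_path models the failure mode from the thread: whoever sits on
    the path answers any plaintext request with their own page, so the real
    redirect to HTTPS never reaches the client.
    """
    wire = []
    url = upgrade_if_known(url, store)
    for _ in range(5):  # redirect limit
        wire.append(url)
        if url.startswith("http://") and attacker_on_path:
            return wire, "attacker-controlled copy of the page"
        status, headers, body = responses[url]
        if status in (301, 302, 307, 308):
            url = upgrade_if_known(headers["Location"], store)
            continue
        if url.startswith("https://") and "Strict-Transport-Security" in headers:
            # Only honoured over TLS; the header is ignored on plaintext responses.
            store.record(urlsplit(url).hostname, headers["Strict-Transport-Security"])
        return wire, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    store = HstsStore()
    print("first visit:     ", fetch("http://search.example/", store))
    print("second visit:    ", fetch("http://search.example/", store))
    print("attacked, primed:", fetch("http://search.example/", store, attacker_on_path=True))
    print("attacked, fresh: ", fetch("http://search.example/", HstsStore(), attacker_on_path=True))
```

The first visit puts two requests on the wire and is the window the thread is talking about; every later visit within `max-age` puts only the `https://` request on the wire, so the attacker flag changes nothing. The very first visit is the one the cache cannot protect, which is what HSTS preload lists (hosts compiled into the browser) exist for.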

------
bpatrianakos
I have a private writing app and I can confirm that this NSA thing has been
good for me too and I'm betting lots of services concerned with privacy. I saw
a 5X increase in users in the past week and reviews in blogs are getting more
numerous.

I wonder though if now all services regardless of their real focus will start
marketing privacy as a feature and muddy the waters, making it hard for
consumers to discern who is really about privacy and who just uses it as a
marketing ploy.

------
cinquemb
Anyone else wondering if DDG will come out with their version of email? Maybe
something that uses end to end encryption (maybe working together with Mozilla
Foundation)?

~~~
lignuist
I would prefer if someone else did it. Not because I do not trust DDG, but
because I don't like the idea of one company providing everything (or too
much). Why step into the footsteps of the dinosaurs?

~~~
cinquemb
Fair enough.

> _Why step into the footsteps of the dinosaurs?_

I'd think adding E2EE to email would be like what pagerank did to the search
engine. Why build from the ground up when you can build on the shoulders of
the giants?

~~~
lignuist
If only someone solved the problem of bringing PGP to the masses. Maybe the
need has to reach a critical mass.

~~~
cinquemb
I agree, and that's why I was thinking that a company that is still growing
and is known for their privacy practices could be good (beach-head?) at doing
this (at least being able to advertise it on their own services to get some
traction and feedback).

It's not like google or anyone else is going to do it. And looking at DDG
traffic, it seems like it is a growing need. Then again, how do you monetize
encrypted emails? contextual encrypted ads? ;)

------
suyash
And as far as the browser is concerned, I would recommend going with Firefox
vs Google or Safari. Mozilla is a non profit and I feel I can trust it the
most.

~~~
hkmurakami
I take it you mean Firefox over _Chrome_ or Safari?

(I agree. The only thing I use Chrome for is Facebook)

~~~
suyash
Even better, prefer to use Private Window in Firefox. Chrome is only good for
its debugger so I rather prefer Canary.

------
codereflection
I've been using DDG for nearly a year now, and have rarely turned back to
Google. I only do so when I really cannot find what I'm looking for on DDG,
and I try to tell DDG about the bad results (which I've actually seen get
fixed). Getting bad results happens infrequently though, so the benefit of
using DDG really outweighs the occasional inconvenience.

------
Lyaserkiev
One thing that I prefer about DDG is that it doesn't try to guess what
language I want to search in other than by my input. It is ridiculous that
google forces me to go through worse results based solely on my location, it
shouldn't matter where you are from.

------
ausjke
I tried duckduckgo and it did not work as well as google, yet.

I especially dislike its name, it's odd and too long to type, and again, duck
'walks' slowly, not a good sign.

can this be renamed to something better, and shorter? sometimes name does
matter.

------
wnevets
if the NSA is intercepting the communications, why would switching sites
matter?

~~~
marshray
1. The NSA isn't the only threat to privacy on the net.

2. DDG is SSL, so there's some hope that the traffic is not visible to a
passive observer, even the NSA.

~~~
wnevets
Google is also SSL. There was a post on here a day or two ago with the theory
that PRISM is really about intercepting and cracking SSL certs

------
pschastain
DDG has been my primary search engine for about a year now, and I do what I
can to proselytize for it. Their results aren't always as comprehensive as the
bigger engines, but I can usually find what I need.

------
isaacb
It really only took me about a week to get used to DuckDuckGo, and now using
Google just feels wrong.

------
tocomment
Is there a way to make ddg the default on the iPhone?

------
dmix
Chrome integration possible?

~~~
mmmelissa
this is a joke... right?

~~~
suyash
haha..I hope so..you need to use Firefox and not even Safari to be totally
safe..even better Private Window browsing mode in Firefox.

------
rasterizer
At least you can't blame them for missing a PR opportunity:
[https://plus.google.com/+JeffJarvis/posts/5X7nHcjijsC](https://plus.google.com/+JeffJarvis/posts/5X7nHcjijsC)

------
ninetenel
Somewhat related but I've been canceling my subscriptions (Office365 in my
case) to services I can't properly secure..

I'm also in the process of selling my surface pro and going back to a Linux
laptop (OneNote 2013 sucks with touch on the Desktop for me .. and Microsoft's
Windows8 version won't allow you to not use Skydrive)

Also, I pay Microsoft .. why won't they let me save my OneNote docs in a
secure way using their Windows8 apps?

