DuckDuckGo Search Engine Erects Tor Hidden Service 87
An anonymous reader writes "Viewable with Tor installed, search engine DuckDuckGo has erected a hidden service for secure, encrypted searches through the Tor network. While past attempts at hidden service search engines failed due to uptime or quality issues, DuckDuckGo marks the first time a real company operating a public search engine has offered a solid search engine as a hidden service for Tor users."
Re: (Score:2)
Hee hee... "erect!"
Beavis & Butthead (Score:4, Funny)
Hidden erection ... hurr hurr hurr
Re: (Score:2)
GoodLuckWithThat (Score:3, Interesting)
How long until it's going to be shut down because you can find nasty bits with it?
Re:GoodLuckWithThat (Score:4, Funny)
Re: (Score:2)
"Nasty bits"? Do you mean 1s or 0s?
Those are the other bits in the same mask as the evil bit - they are just less significant.
Re: (Score:1)
Re: (Score:2)
"Nasty bits"? Do you mean 1s or 0s?
1s into 0s
Re: (Score:1)
Re: (Score:2)
More like 2s
I mean, that's just unnatural.
Nastier (Score:2)
More like 1.5, and you don't want those bits on your computer... ever.
Re:GoodLuckWithThat (Score:5, Informative)
Clown Porn [google.com]
Dolphin Sex [google.com]
Live goat porn [google.com]
Smurf Sex [google.com]
iranian leader Ahmadinejad gets a dirty sanchez [google.com]... DOH! You have failed me, Google! Go now and think about what you've done!
So you see, you don't need Tor to find some nasty shit on the Internet. You just need one of those pink things between your ears.
Comment removed (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
*Applaus*
Congratulations, that was one of the funniest debunks I've seen in a while here. LOL..
Re: (Score:2)
I noticed you said regular search engine, then just used google.
Is that the only regular search engine?
Re: (Score:2)
How long until it's going to be shut down because you can find nasty bits with it?
How would somebody go about shutting it down?
Re: (Score:1)
That's how.
Re: (Score:3, Interesting)
Well, unlike other TOR servers, where anonymity hides the server's location, it's pretty obvious who's hosting this server. The Government would just be like "Hey...stop it."
That's how.
And all they have to do is leak their database and TOR configuration files, and suddenly anyone can run it, and seamlessly for anyone using the TOR service URL. And as long as they lay the groundwork in advance, they can even deny having done it: an appropriate rootkit on their server should suffice to cast doubt on any evid
Re: (Score:2)
DuckDuckGo is located in the USA, not in Europe.
So who is really behind this search engine? (Score:1, Funny)
Which is it?
NSA?
CIA?
FBI?
All of the above?
Which of the social policing groups (with some Acronym name) do we have to thank for this search engine service?
Re: (Score:3, Insightful)
Re: (Score:2)
Those are far more interested in tor exit nodes.
1. They think those are the people who look up material that illegal
2. Running a sniffer on a tor exit node gives all kind of traffic that is anonymous, but not encrypted.
Re: (Score:2)
Running a sniffer on a tor exit node gives all kind of traffic that is anonymous, but not encrypted.
Doesn't HTTPS work over Tor? Oh wait, plenty of hobbyist sites don't have a TLS certificate to begin with, and a lot of sites (such as Slashdot) save CPU time by redirecting all HTTPS URLs to the corresponding HTTP URL except for payment pages.
tor exit node mitm attacks. (Score:2)
Even when they do:
A exit node can pretend to be the real site, and do a MITM attack. For simple joes you would just send the data unencrypted to the tos user and hope he does not notice it is an unencrypted page. (THIS HAS BEEN OBSERVED IN THE WILD!!!)
3 letter agencies have their own root certificates and can reencrypt data that would be accepted by the browser as trusted. Only careful examinition of the certificate would show that is was issued by a differt CA.
The whole point of TOR is that you cannot trus
Re: (Score:1)
Fail. (Score:4, Interesting)
"This site requires JavaScript"
How stupid is that, for a Tor hidden service? Sure, it may well provide "secure, encrypted searches", but there's going to be no guarantee of privacy for so long as it demands script active to function.
How is this better than using any other search engine via Tor? At least Google/Scroogle/Ixquick/[many others] don't require script to perform such a very basic task, so at least with those I can feel confident about retaining my privacy, in addition to performing similarly secure, encrypted searches.
Re: (Score:2)
Re: (Score:2, Funny)
You're an idiot. Stop posting.
Re: (Score:3, Insightful)
Why is that? Because you don't get why a Turing-complete language with internet access could be a security threat?
Re: (Score:2)
Why is that? Because you don't get why a Turing-complete language with internet access could be a security threat?
It's only a security threat if you can't trust the site that the programs are originating from. Sure, this search engine *may* be able to dump a tracking code into their output and therefore break the TOR privacy[1], but you have to ask how likely to happen is this? And my answer: very unlikely.
[1] Doing so is, however, hard, an not even obviously possible: the identifying information javascri
Re: (Score:2)
the identifying information javascript can access is rather limited
Unfortunately, this is entirely wrong. For example, JavaScript can get your browser version, list of installed plugins, and whether you have visited certain sites quite easily. There are also a number of other things that you can do with JS to aid tracking.
You can get some of this information without JS, of course, for example by providing various object or embed tags and seeing which ones are fetched.
Of course, just because it's possible doesn't mean that DDG does it. They don't even use tracking i
Re: (Score:1)
Re: (Score:2)
It's only a security threat if you can't trust the site that the programs are originating from.
That's right. And I don't trust it. I only want to use a privacy network that works even if I don't trust all the participants.
Re: (Score:1, Informative)
"How stupid is that, for a Tor hidden service?"
relax, it's new. let's all provide feedback to the admin of the site with the suggestion of improving it by disabling javascript for the hidden service. the tor website has extensive documentation about hidden services if you don't know what they are, go read. irc for tor devs and users: irc.oftc.net #tor
duckduckgo hidden service had a topic on the Tor mailinglist (or-talk) public may read and subscribe to these at Tor's website, click on "Docs" at the top, scr
Re: (Score:3, Informative)
did you write to the duckduckgo admin?
I've been using DDG as my main search engine for a few months, and this is well worth doing. I've used the feedback link a couple of times, to report cases where the search results are poor or there's a glitch in the UI, and both times I've had a speedy reply and the issue has been fixed.
Of course, this might mean that I'm the only person using DDG, but I hope not. They have a very good privacy policy and a much better UI than any of the other search engines that I've tried.
I used Clusty for a bit, be
Re: (Score:2)
Re: (Score:2)
I have the Autopager extension, which does the same for Google and a whole lot of other websites - and I don't need to give JS permissions to the website in question :)
Re: (Score:1)
Doesn't search hiddent Tor sites... (Score:1, Informative)
Yeah, a new search engine... It doesn't search hidden services, it just operates as a hidden service. If you want it to...
Oh, and as noted above [slashdot.org] it requires JavaScript to see any more results than the first few.
Re: (Score:2)
What would be the point of building a website people can't identify? ;)
Re: (Score:2)
Many sites have been shut down, despite claiming to do only what google does. A search index linking to leaked documents, for instance, would probably be under some pressure lately, especially if they couldn't identify the data sources, but only the index that people were finding them through. Hiding the search engine server would help protect them.
Re: (Score:3, Funny)
It's hiding in plain sight. Like ninjas.
What's in the name? (Score:5, Funny)
Infamous 4chan often plays various jokes on the users - like "wordfilters", you post one word, the post contains another. You write "moot", your post contains "doug" and so on. Over some time 4chan wordfiltered "loli" to "duck". The anonymous liked the joke so much that once it was removed, users kept posting "links to duck porn" and so on.
I can't help but think there's a connection.
Re:What's in the name? (Score:4, Informative)
That was a SomethingAwful practice that 4chan later picked up, iirc. Possibly predates SA as well, but I think they popularized it on webforums, at least.
Re: (Score:2)
Before the trolltards come a-flaming me about the accuracy of my post or lack thereof, consider the tone of irony that many lack basic understanding off these d
Re: (Score:3, Informative)
rickroll was a variation of duckroll, which in turn came to life after 'loli'='duck' was removed, but in turn 'duck' was wordfiltered to 'egg'. thus eggroll-duckroll...
Re: (Score:2)
http://en.wikipedia.org/wiki/Duck,_duck,_goose [wikipedia.org]
Re: (Score:2)
> 4chan
Yeah, everything on the internet is connected to 4chan, right.
Maybe you think to much about 4chan or loli or zoo sex. Huh, zoo sex? You haven't mentioned zoo sex in your post, at all.
No, but you have set your fucking /. homepage link to your personal zoo sex / furry page!!! WTF!?
WTF, dude!?
Tor is compromised (Score:5, Interesting)
linky (warning:.pdf) [colorado.edu]
linky [wordpress.com]
linky [slashdot.org]
Re:Tor is compromised (Score:4, Interesting)
Thanks for posting this. The Colorado paper is the key thing to read.
Once I read that tor chose nodes according to an algorithm, and that the data used by that algorithm was not verified, and that this was done in the name of "performance", I could see where things were going in that paper. It was a "doh!" moment to be sure.
It strikes me that for the things I'd want to use tor for, _really_ important things (i.e. not media piracy), high bandwidth and low latency are both unimportant. Privacy is more important. I don't want to download a dvd over tor, I want to send a short encrypted email to my conspirators.
For such an application, I'd prefer onion routing that was buried in a covert channel.. something that didn't even look like a message at all. Something where the routing and the noise were both random, and the payload was simply lost in the mix. A factor of 10:1 or even 100:1 "Garbage" to "payload" would be fine for the average email or image.
Duck Duck Go should be avoided - Here's why (Score:4, Interesting)
I registered a domain a while back for an bike hobbyist site that I wanted to start. Nothing major, just swap tips and meetups to help out the community.
Over the next few months I started getting random emails from some users that my site was "infected" and "hacked", etc. The first thought was that their machines were infected so I didn't think much of it. But I checked to see if there was anything wrong with my server and everything looked ok.
Next thought was that somehow I got stuck in one of the Google filters in the SERP (i.e. "visiting this site may harm your computer") . Again, no evidence that was the case.
So I emailed back to a couple of the folks that reported the problem and asked for a screenshot of exactly they were seeing. Sure enough I get a browser screenshot back that has DuckDuckGo plastered all over it, warning about how my site was not to be trusted.
After some more research, it turns out that anyone browsing with the Duck Duck Go toolbar is hooked into a database at ivegotafang.com (also maintained by the Duck Duck Go folks). It acts as a net nanny and filters out parking pages and other "unsavory" sites on the fly. Sure enough, since the domain I used had previously been parked, it was still flagged as evil.
To get out of the database you're supposed to go to the site and basically beg to be removed. On principle there was no way I was going to stoop to this level so I just told my users the story and to uninstall the Duck Duck Go toolbar. Everything was fine after that.
Of course there are very few people using the Duck Duck Go search engine, let alone the toolbar. But the bigger issue is whether this behavior should be encouraged. This isn't like a net-nanny filter for porn. It's for something as innocent as a parking page which lots of sites resolve to while being developed.
With Google a parked page simply doesn't show up in the index and they reeevaluate periodically. Duck Duck Go says they also reevaluate but that obviously wasn't the case for my site. The warning page is essentially a manifestation of guilty until proven innocent.
What if there were a hundred for-profit companies like Duck Duck Go, and for each one you were responsible for their erroneous results? And what if you were running a business and just one of your customers saw that screen and started spreading the word that my business can't be trusted because of a false positive on Duck Duck Go? Then you're on the hook for spending hours trying to undo the damage, not Duck Duck Go. Good luck with that.
Soapbox off. Imho, the whole Duck Duck Go thing is nasty and should be avoided at all costs.
Re: (Score:1, Funny)
TL;DR: They tried to do something good for their users, implemented it slightly wrong which affected you in a minor way.
Telling thousands of users that they are nasty and should be avoided sounds like an appropriate response.
Re: (Score:2)
Re: (Score:2)
To get out of the database you're supposed to go to the site and basically beg to be removed. On principle there was no way I was going to stoop to this level so I just told my users the story and to uninstall the Duck Duck Go toolbar. Everything was fine after that.
How exactly is telling Duck Duck Go that your site was incorrectly blocked such a bad thing? So they screwed up. Instead of telling them of the problem and at least giving them the benefit of the doubt that despite their best intentions the reevaluation did not work as advertised, and that they will genuinely try and fix it as well as ensure that their system doesn't allow this to happen again, you immediately tell your visitors that Duck Duck Go is crap*, and not even bother to try and sort out the matte
Re: (Score:2, Informative)
Clarification? (Score:2)
Can someone explain specifically what's special about this? How is this any better than using Tor yourself to search through any other search engine? Presumably, as long as you don't reveal personal information, your searches will be anonymous anyway. If that's the case, how does being able to point your browser to a *.onion domain to access a given service help - is it somehow more anonymous?
(please don't read sarcasm into my question - I'm actually interested to know this).
Re: (Score:2)
I don't know what's special about it, either; Tor services are interesting, but in this case they don't make a lot of sense. Tor usually prevents the server (and others) from determining the identity of the client. Tor hidden services extend this protection to the server itself, ie. you can access a site in the onion domain (if it works) without having any reliable way to determine the site's IP. The client's IP is unknown in both cases, so no, it's not more anonymous in that respect. I don't see the point
Tor is nice, I2P is nicer (Score:2)
Default Tor traffic, for normal websites like google.com, go through exitnodes. At the exitnodes, everything needs to be decrypted unless it's ssl or similarly encrypted at the application layer. Additionally the traffic is also directed to the REAL IP address. Combined with cleartext, it is quite a big risk actually.
Basically, an exitnode needs the decrypted data for usual http / decrypted traffic, and is a heaven for snoopers and adversaries wanting to do man in the middle-attacks. Even SSL becomes insecu