Re: [T(A)ILS-dev] search engine

Author: intrigeri
Date:  
To: The T(A)ILS public development discussion list
Subject: Re: [T(A)ILS-dev] search engine
Hi,

tim smy wrote (15 Jan 2011 18:35:50 GMT) :
> I would like to suggest duckduckgo.com as the default search engine it
> has a tor page and has a good privacy panel


We already had a TODO item about this[0] in the todo/discuss state.
Thanks for the heads up!

[0] https://amnesia.boum.org/todo/DuckDuckGo/

> Privacy
> Google tracks you. We don't.


T(A)ILS shall not rely on such good-willing promises
=> T(A)ILS shall protect users from DuckDuckGo as much as from
Scroogle or anyone else.

> SSL version w/ HTTPS everywhere.


Scroogle also has an SSL version, which is used in T(A)ILS.

> HTML & Lite (non-JS) versions.


Scroogle has no JS or non-Lite versions :)

> Tor hidden service (about).


What would be the advantage in T(A)ILS?

> POST/Refcontrol settings.


> Privacy Settings
> For more info on these privacy settings, check out the Privacy Policy.
> Redirect:


>      If On it prevents sharing of your search with sites you click
>      on.


This hides from the clicked websites:

  - the fact the user is coming from DuckDuckGo
  - the search that was performed, in case GET is used -> see the
    second "privacy" setting


On the other hand, I wonder how this is implemented without telling
DuckDuckGo what site the user is going to visit... which would be
pretty bad privacy-wise.

> Address bar:    
>      If On, searches will appear in your address bar (GET vs POST
>      requests).


I fail to understand the privacy enhancement this brings. Could
someone explain? I can clearly see the privacy downside in case
referrers are not disabled.

> HTTPS:    
>      If On, searches on the site will always go to the encrypted
>      version.


This would be a great thing to have.

> they are on by default.


According to the settings page I just visited the HTTPS setting is Off
by default.

Worried about how the default settings could be changed, I have had a
quick look at their website and it seems this can be done using [URL
parameters](https://duckduckgo.com/params.html) rather than cookies,
which is probably desirable in the T(A)ILS context. We should be careful
about this though: using a non-default set of URL parameters would
help DuckDuckGo fingerprint T(A)ILS users.

Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| So what?