27 Apr

Preventing a Potential Leak in Encrypted Autocomplete

We received a report about a general vulnerability affecting autocomplete services in search engines. The report states that it's possible for an attacker to listen to a user's encrypted autocomplete requests and make an educated guess at the beginning of a query.

In theory, the attack uses the size and order of packets to try to classify what the user typed, by comparing them with known sizes from previous queries. If you'd like further technical details on the attack theory, check out this paper.

Even though the practicality of this attack is currently unclear, we take every potential privacy and security risk very seriously, and have therefore deployed a fix. The packet sizes of our encrypted autocomplete requests are no longer predictable. We believe this change mitigates the risk to our users. However, if you have evidence to the contrary, please let us know at privacy@duckduckgo.com! We'd love to evaluate and address it.
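The sketch below is an added example, not DuckDuckGo's code; the post does not say which mechanism was deployed. It assumes length padding as the mitigation, with a hypothetical `/suggest?q=` endpoint, a hypothetical `pad` parameter that the server ignores, and assumed block sizes, and it shows why unpadded request sizes track each keystroke while padded ones do not.

```python
import secrets
import string
from urllib.parse import quote

ENDPOINT = "/suggest?q="   # hypothetical autocomplete path (assumption)
BLOCK = 64                 # pad to a multiple of this many bytes (assumed value)
MAX_EXTRA = 3              # plus 0..MAX_EXTRA extra random blocks (assumed value)
ALPHABET = string.ascii_letters + string.digits


def plain_request(prefix: str) -> str:
    """Request line as sent without padding: grows with every keystroke."""
    return ENDPOINT + quote(prefix)


def padded_request(prefix: str) -> str:
    """Same request with a throwaway 'pad' parameter (hypothetical name).

    The total length is rounded up to a BLOCK boundary and a random number
    of extra blocks is added, so the size no longer maps to prefix length.
    """
    base = plain_request(prefix) + "&pad="
    blocks = len(base) // BLOCK + 1 + secrets.randbelow(MAX_EXTRA + 1)
    filler_len = blocks * BLOCK - len(base)
    filler = "".join(secrets.choice(ALPHABET) for _ in range(filler_len))
    return base + filler


def keystroke_sizes(query: str, build) -> list:
    """Size in bytes of the request sent after each keystroke of `query`.

    TLS hides the content, but ciphertext length follows plaintext length
    plus a fixed overhead, so these are the sizes an observer can measure.
    """
    return [len(build(query[:i]).encode("ascii"))
            for i in range(1, len(query) + 1)]


if __name__ == "__main__":
    sample = "privacy"  # constructed sample query
    print("unpadded:", keystroke_sizes(sample, plain_request))
    print("padded:  ", keystroke_sizes(sample, padded_request))
```

This covers request sizes only, which is what the post says was changed; response sizes are a separate consideration.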


This blog has been archived

Thank you for reading and contributing lively discussion to our blog! Read more posts about online privacy on our new blog at spreadprivacy.com.

Is it finished or in dev?

posted by BurkettAuclair • 2 years and 8 months ago

Great post :)

posted by NicolasCollin • 2 years and 8 months ago

Nice!

posted by ClementLucas • 2 years and 10 months ago