30 May

HTTPS on by default

Since January, encrypted search (HTTPS/SSL) has been the default on DuckDuckGo. If you arrive at our homepage or search results unencrypted (HTTP), we redirect you to the encrypted version (HTTPS).

We already do not collect or share personal information. In other words, you search anonymously on DuckDuckGo. However, if you use an unencrypted connection to search, your personal information in the form of search terms could be captured by third parties with servers in between you and us and then tied back to you. For example, ISPs could be collecting search data and other profile information, packaging it up and selling it to others.[1]

This change isn't groundbreaking. Plenty of other major services (e.g. Facebook, Twitter) have had encryption by default for years. We hadn't made this change before January because making an encrypted connection is an initially slower experience, and speed is a primary concern for us. However, we made headway there and so thought we should try it. We didn't announce it then because it was an experiment, and after that quite frankly we forgot about (announcing) it.

Previously, on our encrypted version we tried to send you to the encrypted versions of links, if available (through use of the EFF's HTTPS Everywhere ruleset). For example, clicking on a Wikipedia link would direct you to the secure (HTTPS) version of Wikipedia. As our encrypted version is now the default, we stopped making that distinction and have opted to use encrypted (HTTPS) links on all our search results when available, whether you use HTTPS or HTTP DuckDuckGo.

Almost immediately, we started getting some complaints. HTTPS doesn't work on WebTV (yes, that WebTV); some HTTPS Everywhere sites were broken in certain cases; etc. We've fixed these edge cases incrementally over the last five months and we'd appreciate you alerting us to any we may have missed. We really do listen! We also tweaked our HTTPS setting (also available via the kh URL param) so you can still get unencrypted search if you want. We believe in settings and know that some people have good reasons for wanting them.

Recently we noticed a big unintended consequence of the change: no one knows we're sending them traffic anymore. As more services move to HTTPS on by default this issue is increasing. The HTTPS RFC calls for browsers to remove the HTTP referrer header when going from HTTPS to HTTP. Even though we try to use HTTPS links, the vast majority are still HTTP, and so this referrer header has been being removed a lot.

An interesting security hole (IMHO) is that it isn't stripped from HTTPS to HTTPS even if they are cross-domain. That hole doesn't effect DuckDuckGo, however. For a long time we've stripped search queries from referrer headers so third-parties don't track you. Nevertheless our root domain was in there so we still showed up in webmaster analytics.

Since January, the referrer header has been largely completely blank from DuckDuckGo. There are a few exceptions like when you open a link in a new window (e.g. ctrl/cmd+click) from our main site version. In that case, we send you through a Web server redirect to strip the referrer header, or otherwise the browser would leak the search query.

We've decided to expand this behavior to more links. Now when you click on a link in the main window you get immediately redirected to the end site. This allows us to preserve our domain in the referrer header without leaking your search data.[2] You can of course still turn off redirects using our redirect setting (and/or the kd URL param) if you like (as you could before).

In short, you now have more encryption (HTTPS) on DuckDuckGo, which we believe will further increase your security and privacy.

[1] Using our Address bar (POST) setting (and/or the associated kg URL param) makes that collection harder by putting those terms in the body instead of the header of the request, but it is still easy if you are trying to do it. In any case, using the encrypted connection is strongly preferred because it encrypts the header and the body so you don't have to use the Address bar (POST) setting, which has some major annoyances, like breaking the back button.

[2] The referrer header now looks something like this: 'http://duckduckgo.com/l/?kh=-1&uddg=http%3A%2F%2Fwww.gabrielweinberg.com%2Fblog%2F'. We also added the meta referrer tag using the origin policy.

5 Tweet

This blog has been archived

Thank you for reading and contributing lively discussion to our blog! Read more posts about online privacy on our new blog at spreadprivacy.com.

Hi Y'all,
Mike from Texas... don't know where this would catch interest on the site but, this is needs attention: Facebook users are 400m- Half are disgusted with lack of privacy and gov mining of private information. If someone were to make a PRIVATE social site, even create it with adds, it is sure to sweep the globe, just my thoughts. Exposure would be by the myriad blogs and magazines looking for the next tech challenger/startup with potential. GO FOR IT!

posted by <hidden> • 2 years and 4 months ago Link

Hey guys,

can you please integrate a cipher suite for:

TLS 1.2 + PFS (Perfect Forward Secrecy) + AES 256-bit


-> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is missing!


posted by <hidden> • 5 years and 1 month ago Link

There's a [partial] solution to the problem of referers: http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html

posted by indeyets • 5 years and 6 months ago Link

ok. you already do this. I didn't notice cite-refs below the text

posted by indeyets • 5 years and 6 months ago Link

Yeah, we do that too, but as you referenced, it is only a partial solution (because it only works on certain browsers). As I understand it though it takes precedence so for those browsers it will show up as 'https://duckduckgo.com/';

posted by yegg Staff • 5 years and 6 months ago Link