DDG & TOR: non-js redirection

[Old Forum narfnarf] anonymous
Created: 7 years and 4 days ago

It seems that when I use http://3g2upl4pq6kufc4m.onion with JavaScript disabled, I get redirected to https://duckduckgo.com/html instead of http://3g2upl4pq6kufc4m.onion/html.

Loading http://3g2upl4pq6kufc4m.onion with JS enabled, then disabling it while still on the DDG start page and performing a search gives a broken result page with "Meanings"-Box and info-text with non-onion link:
This page requires JavaScript. Get the non-JS version <a href="https://duckduckgo.com/html/?q=test">here</a>

I suppose there should be used http://3g2upl4pq6kufc4m.onion/html in both cases?

This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.

It would also be nice to have the "Add to firefox" button on the DDG-TOR site install a DDG-TOR search plugin that uses the TOR service, not duckduckgo.com. I think I cannot post attachments here, but the code is rather short, so here is an example

  1. <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
    <os:ShortName>DuckDuckGo (TOR)</os:ShortName>
    <os:Description>Search DuckDuckGo (TOR Service)</os:Description>
    <os:Image width="16" height="16">data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAANcNAADXDQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJyDsJmlk8pf6+v3s/v7+++zr/fcnIOyzJyDsgCcg7CYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnIOwBJyDscCcg7PZttJ7/7Pfs//////++xO7/S5GA/ycg7P8nIOz2JyDscCcg7AEAAAAAAAAAAAAAAAAnIOwBJyDstScg7P8nIOz/Y8p5/2fHZf9Yv0z/YcF2/1rBUv8nIOz/JyDs/ycg7P8nIOy1JyDsAQAAAAAAAAAAJyDscCcg7P8nIOz/JyDs/4jQoP/p9+n//////05X3v9LkYD/JyDs/ycg7P8nIOz/JyDs/ycg7HAAAAAAJyDsJicg7PYnIOz/JyDs/zUu7f/+/v////////////89N+7/JyDs/yUo7f8nIOz/JyDs/ycg7P8nIOz2JyDsJicg7IAnIOz/JyDs/ycg7P9hXPH////////////t/P//GIr2/wfD+/8Gyfz/DKv5/yM57/8nIOz/JyDs/ycg7H8nIOyzJyDs/ycg7P8nIOz/jov1////////////Otz9/w3G/P8cWfH/JSvt/ycg7P8nIOz/JyDs/ycg7P8nIOyzJyDs5icg7P8nIOz/JyDs/7u5+f///////////27l/v8E0v3/BNL9/wTQ/f8Oofn/IT7v/ycg7P8nIOz/JyDs5icg7OYnIOz/JyDs/ycg7P/p6P3/uWsC////////////5fr//6Po/f8Thfb/DKv5/w6f+f8nIOz/JyDs/ycg7OYnIOyzJyDs/ycg7P8nIOz/9/b+/////////////////7lrAv/V1Pv/JyDs/ycg7P8nIOz/JyDs/ycg7P8nIOyzJyDsgCcg7P8nIOz/JyDs/8/N+///////////////////////iIX1/ycg7P8nIOz/JyDs/ycg7P8nIOz/JyDsfycg7CYnIOz2JyDs/ycg7P9FP+7/q6n4/+7u/f/n5v3/fXn0/yoj7P8nIOz/JyDs/ycg7P8nIOz/JyDs9icg7CYAAAAAJyDscCcg7P8nIOz/wsD6/+no/f/Y1/z/eHTz/ycg7P8nIOz/JyDs/ycg7P8nIOz/JyDs/ycg7HAAAAAAAAAAACcg7AEnIOy1JyDs/ycg7P8nIOz/JyDs/ycg7P8nIOz/JyDs/ycg7P8nIOz/JyDs/ycg7LUnIOwBAAAAAAAAAAAAAAAAJyDsAScg7HAnIOz2JyDs/ycg7P8nIOz/JyDs/ycg7P8nIOz/JyDs9icg7HAnIOwBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJyDsJicg7IAnIOyzJyDs5icg7OYnIOyzJyDsgCcg7CYAAAAAAAAAAAAAAAAAAAAA+B8AAPAPAADAAwAAwAMAAIABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABAACAAQAAwAMAAMADAADwDwAA+B8AAA==</os:Image>
    <os:Url type="text/html" method="GET" template="http://3g2upl4pq6kufc4m.onion/?q={searchTerms}">
posted by [Old Forum narfnarf] • 7 years and 2 days ago Link
/html/ exists on the Tor Hidden Service at, http://3g2upl4pq6kufc4m.onion/html/

Due to recent events and news you shouldn't be using Javascript at all on Tor.

Let Me DuckDuckGo That For You
posted by msyano 5 years and 5 months ago Link
Can you clarify? Which recent events and news?

posted by [Old Forum guest] • 5 years and 5 months ago Link
Several popular .onion sites were compromised with malicious javascript, which was able to leak identifiable user info. http://www.twitlonger.com/show/n_1rlo0uu
posted by crazedpsyc 5 years and 5 months ago Link
Ok, I see what you are talking about.

Personally I am glad that the guy was caught, but I see the point that it shows vulnerabilities in browsers that can circumvent Tor. I wasn't aware that it had been done with JavaScript, but honestly I hadn't thought about it much.

Even without a malicious payload, JavaScript can probably be used to identify you by looking at your browser settings like the fonts and plugins you have installed. That's probably not enough to get your address, but it is easily enough to correlate different visits to a website, so you are not really anonymous. TorBrowser makes some efforts to correct this.

posted by [Old Forum guest] • 5 years and 5 months ago Link
posted by msyano 5 years and 4 months ago Link
Check this one, more about...URL Redirection

posted by <hidden> • 2 years and 2 months ago Link