DuckDuckGo SSL not secure enough

[Old Forum guest] anonymous
Created: 3 years and 8 months ago
While viewing search results on DuckDuckGo, the URL starts with HTTPS, which means it should be secure.  However, in light of recent news about the NSA and other governments monitoring communications, it seems the type of SSL certificate DuckDuckGo uses is not secure enough and could likely have all past and future HTTPS traffic decrypted, according to this recent article:

http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so

Google Chrome shows "RC4_128" for the DuckDuckGo HTTPS certificate.  According to the article, you may want to upgrade the certificate or server software to support ECDHE_RSA or DHE_RSA.

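The names the post quotes are cipher suites rather than certificate types: "RC4_128" is the bulk cipher, while ECDHE_RSA and DHE_RSA describe the key exchange, and it is the key exchange that decides whether recorded traffic can be decrypted later. The following is an added example (not DuckDuckGo's code, and not from the linked article) that classifies a suite name as a browser dialog or OpenSSL prints it; the sample suite names are constructed for the demo, and the optional live check uses only Python's standard `ssl` module.

```python
import socket
import ssl
import sys

# Added example, not DuckDuckGo's code. Classifies a TLS cipher-suite name
# (IANA style "TLS_RSA_WITH_RC4_128_SHA" or OpenSSL style
# "ECDHE-RSA-AES128-GCM-SHA256") by its key-exchange method.
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}          # ephemeral (EC)DH: forward secret
KX_TOKENS = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "RSA"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK", "ANON"}


def parse_suite(name: str):
    """Return (kx, auth, bulk_tokens) for a suite name in either naming style."""
    s = name.strip().upper()
    if "_WITH_" in s:                                  # IANA form
        head, bulk = s.split("_WITH_", 1)
        head_tokens = [t for t in head.split("_") if t not in ("TLS", "SSL")]
        bulk_tokens = bulk.split("_")
    else:                                              # OpenSSL form
        tokens = s.split("-")
        head_tokens = []
        while tokens and (tokens[0] in KX_TOKENS or tokens[0] in AUTH_TOKENS):
            head_tokens.append(tokens.pop(0))
        bulk_tokens = tokens
    if not head_tokens:                                # OpenSSL omits RSA key transport: "AES128-SHA"
        head_tokens = ["RSA"]
    kx = head_tokens[0]
    auth = head_tokens[-1] if len(head_tokens) > 1 else kx
    return kx, auth, bulk_tokens


def assess(name: str) -> dict:
    """Flag the properties a practitioner cares about for one suite."""
    kx, auth, bulk = parse_suite(name)
    upper = name.strip().upper()
    forward_secrecy = kx in FORWARD_SECRET_KX
    issues = []
    if not forward_secrecy:
        issues.append("no forward secrecy (%s key exchange): a later compromise of the "
                      "server's private key decrypts recorded sessions" % kx)
    if kx in ("ADH", "AECDH") or auth == "ANON":
        issues.append("anonymous key exchange: no server authentication")
    if "3DES" in bulk or ("DES" in bulk and "CBC3" in bulk):
        issues.append("3DES: 64-bit block cipher")
    elif "DES" in bulk:
        issues.append("single DES: 56-bit key")
    if "RC4" in bulk:
        issues.append("RC4: deprecated stream cipher")
    if "NULL" in bulk:
        issues.append("NULL cipher: no encryption")
    if "EXPORT" in upper or upper.startswith("EXP-"):
        issues.append("export-grade key size")
    return {"suite": name, "kx": kx, "auth": auth,
            "forward_secrecy": forward_secrecy, "issues": issues}


def negotiated_suite(host: str, port: int = 443) -> str:
    """Live check (needs network): the suite this client negotiates with host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            return name


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # python3 fs_check.py duckduckgo.com
        suites = [negotiated_suite(sys.argv[1])]
    else:                                              # constructed sample, runs offline
        suites = ["TLS_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                  "EDH-RSA-DES-CBC3-SHA", "AES128-SHA"]
    for s in suites:
        r = assess(s)
        print("%-40s kx=%-6s FS=%-5s %s" % (s, r["kx"], r["forward_secrecy"],
                                            "; ".join(r["issues"]) or "ok"))
```

Run without arguments it classifies the constructed sample; run with a hostname it reports what this Python build actually negotiates, which is what SSL Labs reports per client in its handshake simulation.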
This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.


anonymous
That was a nice read (maybe a little verbose). I hope DDG implements that soon, but I think it costs money... right?
posted by [Old Forum guest] • 3 years and 8 months ago Link
anonymous
It does not cost more; those cheap $10/year SSL certificates can do it, but the server must be set up correctly to support it.  Here is another good article on PFS

posted by [Old Forum guest] • 3 years and 8 months ago Link
zac
We're aware and are planning accordingly. Thanks for the heads up, though.


-Zac

DuckDuckGo
posted by zac (Staff) • 3 years and 8 months ago Link
anonymous
DuckDuckGo was mentioned as having this issue in the article, scary.

"DuckDuckGo, a search engine, has been prominent in the media since the start of the Snowden revelations due to its privacy policy which promotes anonymity. If the private key used by DuckDuckGo were ever compromised — for example if one of their servers were seized — all previous searches would be revealed where logged traffic is available. DuckDuckGo may be a particularly interesting target for the NSA due to its audience and the small volume of traffic (as compared to Google)."
posted by [Old Forum guest] • 3 years and 8 months ago Link
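The quoted paragraph describes why RSA key transport is retrospectively decryptable and why an ephemeral exchange is not. The following is an added toy demonstration of that difference, not DuckDuckGo's code and not from the article: the server key uses two Mersenne primes constructed for the demo, RSA is textbook (no padding), and the DH group is a toy modulus rather than a real TLS group, so only the structure of the two handshakes is faithful.

```python
import hashlib
import secrets

# Added example, not DuckDuckGo's code. Toy parameters constructed for the
# demo: M127 and M89 are known Mersenne primes. Real TLS uses 2048-bit keys,
# padded RSA and standardised DH/ECDH groups.
RSA_P = (1 << 127) - 1                               # M127
RSA_Q = (1 << 89) - 1                                # M89
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # Python 3.8+

DH_P = (1 << 127) - 1                                # toy DH modulus (prime)
DH_G = 3


def derive_session_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the agreed secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport():
    """TLS_RSA_* handshake: the client picks the premaster secret and sends it
    encrypted under the server's long-term public key. Returns both sides'
    derived keys and what an eavesdropper could record."""
    premaster = secrets.randbelow(RSA_N)
    encrypted = pow(premaster, RSA_E, RSA_N)          # ClientKeyExchange
    server_premaster = pow(encrypted, RSA_D, RSA_N)   # server decrypts with its private key
    transcript = {"kx": "RSA", "encrypted_premaster": encrypted}
    return derive_session_key(premaster), derive_session_key(server_premaster), transcript


def rsa_sign(message: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)


def rsa_verify(message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(signature, RSA_E, RSA_N) == h


def dhe_handshake():
    """TLS_DHE_RSA_* handshake: both sides pick fresh ephemeral exponents; the
    server's long-term RSA key only signs its ephemeral public value."""
    y = secrets.randbelow(DH_P - 2) + 1               # server ephemeral secret, never sent
    server_pub = pow(DH_G, y, DH_P)                   # ServerKeyExchange
    signature = rsa_sign(server_pub.to_bytes(16, "big"))
    assert rsa_verify(server_pub.to_bytes(16, "big"), signature)  # client authenticates server
    x = secrets.randbelow(DH_P - 2) + 1               # client ephemeral secret, never sent
    client_pub = pow(DH_G, x, DH_P)                   # ClientKeyExchange
    client_secret = pow(server_pub, x, DH_P)
    server_secret = pow(client_pub, y, DH_P)
    transcript = {"kx": "DHE", "server_dh_public": server_pub,
                  "signature": signature, "client_dh_public": client_pub}
    return derive_session_key(client_secret), derive_session_key(server_secret), transcript


def attacker_with_server_private_key(transcript: dict):
    """Later compromise of the server's private key (e.g. a seized server)
    plus a recorded transcript: recovers the RSA-kx session key, but yields
    nothing for the DHE session because x and y never crossed the wire."""
    if transcript["kx"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], RSA_D, RSA_N)
        return derive_session_key(premaster)
    # DHE: the private key only lets the attacker forge signatures on future
    # handshakes; turning g^x and g^y into g^xy would need a discrete log.
    return None


if __name__ == "__main__":
    for handshake in (rsa_key_transport, dhe_handshake):
        client_key, server_key, transcript = handshake()
        recovered = attacker_with_server_private_key(transcript)
        print("%-4s session key agreed=%s recovered by key seizure=%s"
              % (transcript["kx"], client_key == server_key, recovered == client_key))
```

The point the quoted paragraph makes is the RSA branch: every recorded ClientKeyExchange becomes decryptable the day the private key leaks. In the DHE branch the same key leak lets an attacker impersonate the server going forward, which is why key rotation still matters, but it does not unlock anything already captured.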
anonymous
Any comment on this? How is this even possible, if the searches are supposedly not saved anywhere?
posted by [Old Forum guest] • 3 years and 8 months ago Link
anonymous
It doesn't matter if they're not saved; Prism goes directly to every request URL, and if it's not encrypted extremely well then they know...

--
Founder of http://www.dumbsearch.com/
Moderator of DuckDuckGo
posted by [Old Forum sean-anderson] • 3 years and 8 months ago Link
anonymous
This has now been changed:

https://twitter.com/duckduckgo/status/349948709418696706
We now support SSL forward secrecy for more secure encrypted connections: https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com&s=50.18.192.251



Moderator
posted by [Old Forum mithrandir] • 3 years and 8 months ago Link
anonymous
Good.
Judging from their Twitter page, this was really in demand!


That press article spread quickly, haha.
Glad DDG acted quickly.

--
Founder of http://www.dumbsearch.com/
Moderator of DuckDuckGo
posted by [Old Forum sean-anderson] • 3 years and 8 months ago Link