A HUGE SECURITY BUG

[Old Forum guest] anonymous
Created: 4 years and 10 months ago
I just noticed that when I send a search query the URL isn't encrypted!
This is a huge flaw in security and privacy that means that if someone is sniffing my network he can know what I'm searching! It's a real issue that has to be taken care of fast.

The query I sent (both via the address bar and via the search box, both using Firefox 18.0.2 only):
https://duckduckgo.com/?q=%D7%9E%D7%A9%D7%90%D7%99%D7%AA+%D7%92%D7%96+%D7%A0%D7%90%D7%A6%D7%99%D7%AA

If you decode the URL you get the same search query, that's bad, guys.

My suggestion is to make a plugin that encrypts it with a key that only duckduckgo.com servers can decrypt; that way it's one-way encryption, effectively closing the https (ssl) security hole.

Also, it doesn't mean that the q GET parameter has to be gone, you can change it to something like e (for encrypted) or just make a prefix for all encrypted queries.

If you didn't understand anything or have any questions or need any help on any subject, umlal@hushmail.com


crazedpsyc
I think you are completely misunderstanding how this works. When you use SSL, your entire request is encrypted. The only thing a sniffer could see is the source and destination addresses.
The "encoding" in that query string you pasted is standard URL encoding, which just takes care of transferring the non-Latin characters.
posted by crazedpsyc 4 years and 10 months ago Link
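The distinction drawn in the reply above, as an added example that is not part of the original thread: a hand-written percent-decoder shows that URL encoding is a keyless, reversible byte encoding, and `exposure` separates the connection target from the HTTP request that travels as TLS payload. The function names and the dictionary layout are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, quote_plus

# The URL quoted in the original post.
URL = ("https://duckduckgo.com/?q=%D7%9E%D7%A9%D7%90%D7%99%D7%AA"
       "+%D7%92%D7%96+%D7%A0%D7%90%D7%A6%D7%99%D7%AA")
HEX = "0123456789abcdefABCDEF"

def percent_decode(value: str) -> str:
    """Undo URL/form encoding by hand. No key or secret is involved."""
    raw = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if (ch == "%" and i + 2 < len(value)
                and value[i + 1] in HEX and value[i + 2] in HEX):
            raw.append(int(value[i + 1:i + 3], 16))  # %D7 -> byte 0xD7
            i += 3
            continue
        # '+' means space in a query string; a malformed '%' stays literal.
        raw.extend(b" " if ch == "+" else ch.encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")

def query_param(url: str, name: str):
    """Return the decoded value of one query parameter, or None if absent."""
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        if percent_decode(key) == name:
            return percent_decode(val)
    return None

def exposure(url: str) -> dict:
    """Split a URL into the connection target and the HTTP request text."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return {
        # Needed to open the TCP connection; a sniffer sees the resulting address.
        "connection": (parts.hostname, parts.port or (443 if https else 80)),
        # Path and query string live here, i.e. inside the TLS payload for https.
        "http_request": f"GET {target} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n",
        "encrypted": https,
    }

if __name__ == "__main__":
    q = query_param(URL, "q")
    print("decoded without any key:", q)
    print("re-encodes identically:", quote_plus(q) == urlsplit(URL).query[2:])
    print(exposure(URL))
```
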