Is the HTTPS option broken?

[Old Forum rafaelluik] anonymous
Created: 6 years and 5 months ago
I use DDG at HTTP version and the setting is set to HTTPS Off but the sites on the results are opening in the HTTPS version (like a result on Wikipedia for example), is that intentional?

I don't use HTTPS because it's much slower in my network...

This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.


anonymous
Duckduckgo doesn't control whether HTTPS is used on the links they index. I guess for some reason their algorithm has ranked HTTPS wikipedia pages higher than the non-ranked ones.
posted by [Old Forum guest] • 6 years and 5 months ago Link
anonymous
Actually DDG does enable https for some results like wikipedia, when https is enabled :)
posted by [Old Forum guest] • 6 years and 5 months ago Link
anonymous
We started experimenting with upgrading those results to https all the time when possible, though the connection to us would still be in HTTP if the HTTPS setting is off. The HTTPS setting was more about forcing our search form submission to be encrypted and therefore protect your search term from man in the middle attacks or ISP snooping.
posted by [Old Forum guest] • 6 years and 5 months ago Link
yegg
THat last reply was me.
posted by yegg Staff6 years and 5 months ago Link
zdanevich
Why option screen have option to disable HTTPS if this option is ignoring? I don't need security - I need speed.
posted by zdanevich 3 years and 8 months ago Link
anonymous
But then I can't expect a setting or something?
posted by [Old Forum rafaelluik] • 6 years and 5 months ago Link
anonymous
I'm still interested in this subject.
posted by [Old Forum rafaelluik] • 6 years and 5 months ago Link
yegg
We're still monitoring, but generally we haven't found it to be much of a problem. Wikipedia SSL has gotten much better.
posted by yegg Staff6 years and 5 months ago Link
anonymous
It's that it's still a problem for me.
And I'm redirected to the HTTPS versions of other sites too.
posted by [Old Forum rafaelluik] • 6 years and 5 months ago Link
anonymous
Is the problem it is non-functional for some reason or just slower?
posted by [Old Forum guest] • 6 years and 5 months ago Link
anonymous
Just slower. I aways have to quickly stop and change it to http or all the links I follow in that page will also be in https.
I'm still looking into this. :/
posted by [Old Forum rafaelluik] • 6 years and 2 months ago Link
anonymous
This has been really ruining my experience by now...
I can't use !yt without having to stop the loading and erase that s from the address field.

I'm sorry to keep posting about this, while no one else seems to care, it's just it really affects my usage.


There could be a setting, or you should deliver the page depending on if the person is accessing it through https:// or http:// duckduckgo.com
posted by [Old Forum rafaelluik] • 6 years and 2 months ago Link
anonymous
I've discovered some not-so-edge cases where it does in fact become nonfunctional rather than a simple speed nuisance as noted by rafaelluik: mobile.

On a lot of Feature Phones or "Smart Devices" the trusted CAs are insanely limited with no facility to add new ones or whitelist specific certs for individual sites. Some devices aren't even able to access DDG over TLS at all(!) because of this. While they may be able to query DDG over clear-text, the list of TLS'd results are of no use and one must resort to Google PDA or their WML/WAP interfaces for clear-text results that you can actually follow through with. If you are having cert errors thrown at you, it certainly does not help with brand affinity either. It may even foster disdain.

While Smart Phones are definitely growing, they're still vastly outnumbered by their lower powered, feature limited siblings and will continue to be so into the foreseeable future.

So, what is in place now is a minor technical problem that is potentially alienating lots of users. It can be ignored and they just won't have much use for DDG or a hack can be devised for the manufactures' bugs. Given the plethora of mobile devices, the above mentioned philosophical and technical rationale for the use of outbound TLS, I have no clue what such a hack should be.

--Pierce
posted by [Old Forum guest] • 6 years and 2 months ago Link
zac
rafaelluik: can you give any more detail: Region? Browser? 

Guest^^^: can you let me know which phones you noticed this on? 
posted by zac Staff6 years and 1 month ago Link
anonymous
Brazil and Opera, none of which are going to change.
posted by [Old Forum rafaelluik] • 6 years and 1 month ago Link
yegg
I do understand the concern and we will continue to monitor, but it causes a lot of issues and isn't as simple as adding a setting or we would just do that. Doing https everywhere (and we may eventually move to just https ourselves) allows us to not maintain two seperate caches, which simplifies a lot of subsystems and allows us to do a lot more caching. This in turn speeds up the site a ton for people.

Can you add a rewrite plugin that auto changes the URLs? 
posted by yegg Staff6 years and 1 month ago Link
anonymous
zacbrannigan wrote:
 can you let me know which phones you noticed this on? 
A lot of them actually. Maybe some 30 odd devices or so that I've noticed recently. Mostly ones that run "UP.Browser" (openwave/myriad/whomever owns it now and whatever they call it) which is installed on something like 40-65% of that market. There have been other browsers, devices and their variants that behave the exact same way though. Their user-agents and menus frequently get rebranded by the OEM, distributor or carrier so it's hard to tell exactly what they are sometimes.

I can try to compile an actual list and shoot a mail with them if you wish.

--Pierce
posted by [Old Forum guest] • 6 years and 1 month ago Link
zac
We're looking into the issue with phones using Openwave. 
posted by zac Staff6 years and 1 month ago Link
zac
Pierce: I haven't gotten my hands on an openwave phone but I tested on a basic Samsung using NetFront. The only issue was a certificate warning but the site works. I'll update as soon as I can test on OpenWave. Thanks for the detail. 
posted by zac Staff6 years and 1 month ago Link
anonymous
Good to see the ACCESS devs are still sane. :c) You can grab a GSM or CDMA-2K burner phone with OpenWave on it for like $20 from almost any convenience store.

This is also strange because Equifax appears to be one of the trusted Root CAs. Not sure in what capacity they are ever actually utilized in these things though.

--Pierce
posted by [Old Forum guest] • 6 years and 1 month ago Link