Opened 4 years ago

Closed 4 years ago

#19367 closed enhancement (wontfix)

Duckduckgo hidden service HTTPS

Reported by: mahomi12 Owned by: tbb-team
Priority: Low Milestone:
Component: Applications/Tor Browser Version:
Severity: Minor Keywords: HTTPS, Hidden Service, DuckDuckGo
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I'd like to propose that the Tor browsers uses the HTTPS version of the DuckDuckGo hidden service if DDG is the selected search engine. Whether the use of HTTPS adds anything to the security of a Tor hidden service is up for debate. This post may give some perspective on it's advantages. In the case of DuckDuckGo, the hidden service is most certainly located on a different machine than the webservice so the use of HTTPS may be especially useful here.

The problem here is that the certificate is only valid for *.duckduckgo.com so we need to add an exception for that. But "That approach would raise the political question though of which sites we should endorse in this way." Personally I think that's OK, since it's not just a random website but a search engine that was already built into the browser anyway.

Child Tickets

Change History (2)

comment:1 Changed 4 years ago by cypherpunks

Milestone: Tor: unspecified
Version: Tor: unspecified

This sounds similar to #18252, but uses a different method for resolving the certificate errors. IMO getting DuckDuckGo to add its hidden service address to its certificate as proposed in #18252 is the better approach.

comment:2 Changed 4 years ago by gk

Resolution: wontfix
Status: newclosed

I agree.

Note: See TracTickets for help on using tickets.