Opened 7 months ago

Last modified 7 months ago

#33878 new enhancement

Make URL DuckDuckGo search use POST method (in Safest security level)

Reported by: kromek
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently if you search DDG using the URL bar, it stores the query in the URL. In the resulting results page however, if you search directly with their search bar, it now uses the more secure POST method. I believe the browser's built-in engine should also use the POST method for enhanced security and, theoretically, higher resistance to behavior analysis by DDG or other engines.

Change History (8)

comment:1 Changed 7 months ago by arma

Neat idea. Do you know if anybody has designed a "one-click search" for DDG that does it the way you suggest?

I think we just inherit it from Firefox, and the only difference is that we make the DDG one the default, whereas Firefox makes Google the default.

And if that is so, the best fix is to get it fixed in Firefox, and then Tor Browser will automatically switch to the better one when we start using that Firefox version.

comment:2 Changed 7 months ago by kromek

That makes sense. I opened a bug report on Bugzilla, let's see what happens.
https://bugzilla.mozilla.org/show_bug.cgi?id=1629377

comment:3 Changed 7 months ago by boklm

Version: Tor: unspecified

Hmm, I can't reproduce this. If I search something using the URL bar, then the URL becomes https://duckduckgo.com/?ia=news, so the query is sent by POST. However, if I use the search box inside the ddg page, then the query is part of the URL.

comment:4 Changed 7 months ago by boklm

Status: new → needs_information

> Currently if you search DDG using the URL bar, it stores the query in the URL. In the resulting results page however, if you search directly with their search bar, it now uses the more secure POST method.

I have exactly the opposite in my tor browser: search from URL bar is using POST requests, while search from the search box on duckduckgo.com is using GET requests.

comment:5 in reply to:  4 Changed 7 months ago by sysrqb

Replying to boklm:

> > Currently if you search DDG using the URL bar, it stores the query in the URL. In the resulting results page however, if you search directly with their search bar, it now uses the more secure POST method.
>
> I have exactly the opposite in my tor browser: search from URL bar is using POST requests, while search from the search box on duckduckgo.com is using GET requests.

Tor Browser only has control over the initial query, but the behavior boklm describes is consistent with how Tor Browser should send DDG search queries: Tor Browser should send the query in a POST request, already.

https://gitweb.torproject.org/tor-browser.git/tree/browser/components/search/extensions/ddg/manifest.json?h=tor-browser-68.7.0esr-9.5-1-build2

comment:6 Changed 7 months ago by kromek

"I have exactly the opposite in my tor browser: search from URL bar is using POST requests, while search from the search box on duckduckgo.com is using GET requests."

Probably because I'm using no JavaScript. With it disabled, URL search redirects to the HTML version, which concatenates the query into the URL. If I then use the HTML website's search, it now uses POST (the URL is: https://duckduckgo.com/html/)

comment:7 Changed 7 months ago by boklm

Summary: Make URL DuckDuckGo search use POST method → Make URL DuckDuckGo search use POST method (in Safest security level)

comment:8 Changed 7 months ago by boklm

Status: needs_information → new

I can reproduce that in the Safest security level. So we are doing a POST query to duckduckgo, which detects that JavaScript is disabled and redirects us to a non-JavaScript version of the page, but the redirect is done with a GET request.
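
The request sequence described in comment:8, as an added example that is not part of the ticket or of Tor Browser's code: a small Python check that walks a recorded request chain and reports, hop by hop, whether the search term travels in the URL or in the request body. The two chains, the search term and the `q` parameter on the `/html/` redirect target are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

TERM = "tor bridges"  # constructed search term

# Constructed chain for the Safest level: POST from the URL bar, then the
# redirect to the non-JavaScript page fetched with GET. The "q" parameter
# name on the redirect target is an assumption.
SAFEST_CHAIN = [
    {"method": "POST", "url": "https://duckduckgo.com/", "body": "q=tor+bridges"},
    {"method": "GET", "url": "https://duckduckgo.com/html/?q=tor+bridges"},
]

# Constructed chain for the JavaScript-enabled case from comment:3.
STANDARD_CHAIN = [
    {"method": "POST", "url": "https://duckduckgo.com/?ia=news", "body": "q=tor+bridges"},
]

def _carries(encoded, term):
    """True if any decoded form/query value equals the search term."""
    return any(value == term for _, value in parse_qsl(encoded))

def query_exposure(chain, term):
    """Return (method, path, where) per hop; where is 'url', 'body' or None."""
    report = []
    for hop in chain:
        parts = urlsplit(hop["url"])
        if _carries(parts.query, term):
            where = "url"
        elif _carries(hop.get("body", ""), term):
            where = "body"
        else:
            where = None
        report.append((hop["method"], parts.path, where))
    return report

def leaks_into_url(chain, term):
    """True if any hop in the chain puts the term in its URL."""
    return any(where == "url" for _, _, where in query_exposure(chain, term))

if __name__ == "__main__":
    for name, chain in (("safest", SAFEST_CHAIN), ("standard", STANDARD_CHAIN)):
        print(name, query_exposure(chain, TERM), leaks_into_url(chain, TERM))
```

A chain passes only if every hop keeps the term out of the URL, which is why an initial POST alone does not settle the question.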
