The comments on this article mostly talk about the privacy benefits DDG brings. Yet, we've known since the Orange Book (TCSEC) that system integrity is a prerequisite for confidentiality/privacy. As in, the DDG servers and network need some strong security to ensure they're doing what the staff and users think they're doing esp with all the press it gets. Example attacks:
1. Root the search servers. Gradually leak out what people were doing in a way that looks like fake search results to attackers running "searches" that are actually commands to trigger leaks. The leaked data would be stored in memory temporarily.
2. Subvert the engine to send malicious JavaScript to users that leaks their search results to a specific location. Might reduce risk of detection by first determining browser configuration for common ways of spotting leaks. Then, don't send anything to those users.
I'd guess the boxes and setups were originally optimized for speed and cost rather than isolation. So, what's security like at DDG? A quick glance shows they run...
"DuckDuckGo is coded in Perl and JavaScript with the help of the YUI Library, served via nginx, FastCGI and memcached, running on FreeBSD and Ubuntu via daemontools. We both run our own servers and have servers on Amazon EC2 across the world."
Probably not that private once hackers are involved with Perl and Ubuntu. On nation-state level with EC2. The servers and cache at least get security updates regularly. So, safe assumption is private against passive collection and low-to-medium-strength attackers.
I imagine most people using DDG over Google for privacy reasons are concerned first with what Google does with the data it collects on them and only secondarily with the potential for other actors to get access to that data.
Entirely true. I bring it up since the article mentioned the Snowden leaks and data ending up in government's hands. The leaks, esp Core Secrets, also said they had a way to get the FBI to "compel" the backdooring. Others said TAO's hackers often made up for what passive collection couldn't do. If they're in the threat model, the DDG isn't likely the solution in and of itself unless their security has the same threat model.
Good for other threat models that the majority of users are actually worried about, though. I did say that in the original comment.
It's still better than most alternatives in other respects, it seems to me. The fact that they go out of their way not to track IPs or store personally identifying information means there is less data available for a hacker to access if their security is compromised. Sure, it's possible that a sophisticated attacker could add tracking of information that DDG do not intend to track, but the situation is a lot better than with Google. They are also safer from other types of non-hacking attacks, like court orders, by deliberately not tracking information that might be demanded.
Security can always be improved but they already seem to be a much better choice than most of the alternatives.