-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/24/2013 10:00 PM, Mike Perry wrote: > Michael Carbone: >> On 06/24/2013 08:20 PM, Mike Perry wrote: >>> I've had a number of people tell me that they vouch for >>> DuckDuckGo. What does this even mean? Nobody seems to be >>> capable of rationally explaining it. >>> >>> Have you inspected their datacenter/server security? Have you >>> audited their logging mechanisms? >> >> The data center thing is a non-sequitur -- no third-party service >> has this type of the transparency. My understanding is that you >> don't need to trust these service providers to use them >> anonymously as they are friendly to Tor and no >> scripts/cookies/etc -- hence the difficulties you mention later >> on with Bing & Google. So it doesn't split either way between >> StartPage or DDG. They are equivalent in not allowing personal >> audits of their servers. > > I was questioning where the "vouching" comes from. "Vouch" is a > pretty strong word -- it typically suggests that you are laying > down your reputation on the line to support someone or something > else, either by oath or by evidence. > > My general point is that DuckDuckGo seems to have a lot of appeal > behind it, causing many people to endorse it in extreme ways > without any supporting evidence. > > I want to understand where that support is coming from. As you > point out, the two engines seem largely identical from the > perspective of third party "vouching"/audits wrt privacy. > >>> ** Sure, DuckDuckGo runs a hidden service, and also one of the >>> slowest Tor relays on the network (rate limited to 50KB/sec or >>> less), but it is quite debatable as to if either of these >>> things are actually helpful to Tor. In fact, such a slow Tor >>> relay probably harms Tor performance more than helps (in the >>> rare event that you actually happen to select it). >> >> The hidden service is a plus, no? They seem to be trying at >> least, does Ixquick have either? Maybe it'd be good to reach out >> to DDG about their relay. > > IxQuick has so far successfully negotiated with Google against > outright banning us. Google sees a spike in IxQuick traffic every > time we increase StartPage's prominence in TBB, and this does not > go unnoticed by Google. > > Unfortunately, Google's knee-jerk reaction to each increase so far > is to argue harder in favor of banning all Tor users from both > Startpage and Google, so we'll have to wait and see how this plays > out... > > Backchannel like that (and direct-channel refusals to work with > Tor) really makes you wonder about Google's commitment to privacy > and the freedom of access to information.
Very interesting. I don't know the backchannel relationships but I'd guess Google's decision to allow or not allow Tor users doesn't depend on the levels of traffic they get from StartPage from TBB front page. And if it does then that'd be pretty sad, as you note. >> Just trying to rationally explain it. > > I would not rationally use the hidden service version in lieu of > https by default. > > As I alluded to through my questioning of the https backend link to > Bing, the transit path from Tor to DDG is not the weakest link in > an already-https search engine. Okay, so this seems to be the sticking point? Using the !g bang syntax they route Google requests through DDG (so you can search Google if you want, even though they don't seem to rely on Google for their own index). Is that reroute different than what Ixquick does? I don't know. For the index itself, I wasn't able to find anything on the technical connection between DDG and their index sources. Apparently the founder of DDG is interested in getting an external audit, so this might be the type of issue that could solve? He was looking for external audit recommendations as of two days ago ( https://duck.co/topic/we-have-to-talk-about-ddgs-honesty#28469000001487421 ). I'd ping him @yegg or y...@alum.mit.edu with some recs. > Further, claims that the performance is the same or similar are > not rigorous. > > Hidden service circuits require ~4X as many Tor router traversals > as normal Tor exit circuits to set up, and unlike normal Tor exit > circuits, they are often *not* prebuilt. Once they are set up, they > still require 2X as many Tor router traversals end-to-end as normal > circuits. You could easily circle the globe several times to issue > a single search query. > > And all this is to use the Tor hidden service's 80bit-secure hash > instead of an https cert, along with all of the other issues with > Tor Hidden Services that have accumulated over the past decade due > to the lack of time for maintenance on Tor's part? I am not > convinced. This is good to know -- don't promote hidden service versions of websites (including DDG) when they have an https version, as hidden services are broken as of now. Michael - -- Michael Carbone Manager of Tech Policy & Programs Access | https://www.accessnow.org mich...@accessnow.org | PGP: 0x81B7A13E PGP Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJRySpAAAoJEDH9usG3Jz33+kIQAK9hPwNgcy8pvcgHmweKeaXr DpU3OTvtHv62oGwAB7zyjeej8Z0ykjJqaChUo1elwwg9bykMwueCGewUI0Hdikx0 +DmOsjEfiwNytpmNLqilvynF3lTP85aRXMyCsBx92jnO5EHOMOPYuskqfFQdxHx9 fx0hqt+1GbKvuVG2OyqAmgzHP/yc6pP21VNk7jL45p3B+M/hMEnf+sMALoyy3xDO OaCdZfyVIzco83LqLCdoCLSCaBPX0Fr5wrVNEHiuJXcX1U4z6/hg97yLFgna6AcH wbG39UutMwy1TGeEU3VbGt+WKACzg3Qrqm/mOgCdQqCNBZQKpDLVnluZaskGpg3p J+a59DxQlcZFb+g3QO1NFXEXrW24EWrIQT3rf9iF7OYrjFU91gTLa2tiXmlhlsy1 av28tx1aMAMSqESzfkalSj8vsvC+Y5cnrSNleCpc2VbYJfdJMNjJkzIJdIgd+Lh2 jT5jC2cTAOzphk4PNVfd+u+1m0aw+JxOLKLU3UOwIyAbDVQfpWXu6x5Rs3pPsMf/ JQC8cbGh29yq3VDmFyn3MQpthDesz3HZC0J/DDPNyHWgcADhKsCO7BzMJzenKPDc r5hNr+yNIveVviugMAWQUgERiQWs0NIXD15dKJrMPRZKE1l7Mp8YKlYAzupUtaJt o7ubBxKqWGhz//Y3dk2D =ypw2 -----END PGP SIGNATURE----- -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
