DuckDuckGo Restored in India, Responds to Favicon Concerns (portswigger.net) 13
DuckDuckGo made the news twice this week.
First its service was reinstated across India last Saturday, after being unreachable for nearly three days, for reasons which remain unclear. "We have contacted the Indian government but have not yet received a response," a DuckDuckGo spokesperson told The Verge. "We are bewildered on why the Indian government would instruct Indian ISPs to block DuckDuckGo, but are optimistic that this will be resolved soon."
But at roughly the same time the search engine faced another controversy about how DuckDuckGo fetches favicons, according to one cybersecurity blog: First submitted as an issue in July 2019, GitHub user Tritonio flagged the offending script, saying: "This seems to be leaking all(?) the domains that users visit to your servers." The script in the Android version of the DuckDuckGo application showed that favicon fetching was routed through DuckDuckGo systems, rather than made via direct website requests. Daniel "tagawa" Davis, communications manager at DuckDuckGo, said at the time that the "internal" favicon service was used to simplify the favicon location process, but as the service is rooted in DuckDuckGo's existing systems, the script adhered to the company's privacy policy which pledges not to collect or store any personal user information.
The case was then closed. However, when the issue became public on the GitHub tracker this week, this assurance was not enough for everyone. Some users requested that the case be re-examined, citing potential information leaks caused by the script choice, considered by some as an inherent 'design' flaw or human error. In response to the discussion concerning the favicon telemetry, founder and CEO Gabriel Weinberg said he was "happy to commit us to move to doing this locally in the browser" and will address it as a matter of priority.
He added that as DuckDuckGo's services are encrypted and "throw away PII [personally identifiable information] like IP addresses by design", no information was collected, stored, or leaked. The company's slogan is "Privacy Simplified". It is this concept, Weinberg told The Daily Swig, that led to the rapid decision in changing how favicons are managed. Weinberg acknowledged that there is an ongoing security debate concerning which option for fetching favicons is more secure, and arguments can be made for each choice — but added they both offer "basically a similar amount" of privacy... You can ask a browser to connect to a website and fetch the favicon — potentially making multiple requests in the process — or you can use the firm's encrypted service... "It's a known anonymous service," Weinberg told us. "You're already connected to DuckDuckGo because you're using the app. It's not that it is leaking any more information, because you conduct a search with us which has the favicons anyway."
DuckDuckGo's service is also faster and uses less bandwidth as the service is running server-side and favicons are cached, Weinberg says.
First its service was reinstated across India last Saturday, after being unreachable for nearly three days, for reasons which remain unclear. "We have contacted the Indian government but have not yet received a response," a DuckDuckGo spokesperson told The Verge. "We are bewildered on why the Indian government would instruct Indian ISPs to block DuckDuckGo, but are optimistic that this will be resolved soon."
But at roughly the same time the search engine faced another controversy about how DuckDuckGo fetches favicons, according to one cybersecurity blog: First submitted as an issue in July 2019, GitHub user Tritonio flagged the offending script, saying: "This seems to be leaking all(?) the domains that users visit to your servers." The script in the Android version of the DuckDuckGo application showed that favicon fetching was routed through DuckDuckGo systems, rather than made via direct website requests. Daniel "tagawa" Davis, communications manager at DuckDuckGo, said at the time that the "internal" favicon service was used to simplify the favicon location process, but as the service is rooted in DuckDuckGo's existing systems, the script adhered to the company's privacy policy which pledges not to collect or store any personal user information.
The case was then closed. However, when the issue became public on the GitHub tracker this week, this assurance was not enough for everyone. Some users requested that the case be re-examined, citing potential information leaks caused by the script choice, considered by some as an inherent 'design' flaw or human error. In response to the discussion concerning the favicon telemetry, founder and CEO Gabriel Weinberg said he was "happy to commit us to move to doing this locally in the browser" and will address it as a matter of priority.
He added that as DuckDuckGo's services are encrypted and "throw away PII [personally identifiable information] like IP addresses by design", no information was collected, stored, or leaked. The company's slogan is "Privacy Simplified". It is this concept, Weinberg told The Daily Swig, that led to the rapid decision in changing how favicons are managed. Weinberg acknowledged that there is an ongoing security debate concerning which option for fetching favicons is more secure, and arguments can be made for each choice — but added they both offer "basically a similar amount" of privacy... You can ask a browser to connect to a website and fetch the favicon — potentially making multiple requests in the process — or you can use the firm's encrypted service... "It's a known anonymous service," Weinberg told us. "You're already connected to DuckDuckGo because you're using the app. It's not that it is leaking any more information, because you conduct a search with us which has the favicons anyway."
DuckDuckGo's service is also faster and uses less bandwidth as the service is running server-side and favicons are cached, Weinberg says.
Please show (Score:1)
Getting favicons from Duck Duck Go better? (Score:5, Insightful)
Not sure why getting the favicons from sites directly, rather than via Duck Duck Go would be better?
In the latter the sites could likely work out how many times they appear in search results and game the system or use this as a vector for cookie injection? In comparison DDG has already made a commitment to privacy and I would like to believe they would extend that to the favicons?
Am I missing something?
Re: Getting favicons from Duck Duck Go better? (Score:2)
Re: Getting favicons from Duck Duck Go better? (Score:1)
Right. DDG proxying favicons the the best way.
You're missing something .. I think. (Score:3, Informative)
https://duckduckgo.com/app [duckduckgo.com]
I think this complaint is in regards to how the BROWSER goes to the DuckDuckGo servers for the favicon
My guess is this bit of server-side logic is the result of a code-base that has evolved from a "Search App" into a fully fledged web browser.
Re: You're missing something .. I think. (Score:1)
But that does not change the issue at hand.
Why are people asking to directly fetch favicons instead of retrieving them through DDG?
Maybe it's the name (Score:1)
Maybe they thought DuckDuckGo sounded Chinese. You know, like one of the billions of Chinese fauxbrands that have turned Amazon into crap. DuckDuckGo sounds like someone was using the same naming wordsmash convention as "brands" like gainwell and gotideal.
Re: (Score:3)
What a fowl trick!
Re: What a load of bullshit (Score:3)
Theyâ(TM)re fetching the icons of search results that they sent you in the first place. Please explain what knowledge theyâ(TM)re leaking.
instruct Indian ISPs to block DuckDuckGo (Score:1)
The ISP is the enemy, appeasing tyrants. We need to route around the damage
"It's a known anonymous service,"
HA! No such thing!
Need to distinguish (Score:2)
CASE 1:
Using any browser, I visit duckduckgo.com and search for "can i haz warez plz". The first hit is for warez.lol, and the site's favicon is used in the results list. This favicon comes from duckduckgo.com. That's actually a good thing and provides more privacy than downloading it from warez.lol.
There is nothing wrong with this.
CASE 2:
As the owner of warez.lol, I go to admin.warez.lol to use the site's administrative interface. This administrative interface is of course not indexed by any search engines