A flaw in the encryption mechanism used in the DuckDuckGo search engine could enable someone to identify the user's queries. Considering that DuckDuckGo is an internet search engine that focuses on protecting the user’s privacy, the discovery of this flaw has a substantial significance. The report comes from the vpnMentor team, which covered a recent hackathon in Israel that focused on anonymity on the web. So, during the hackathon, talented young hackers supported by experienced experts in infosec gathered and tried to crack sites and online services like DuckDuckGo.
The problem lies in the encryption mechanism of the “auto-suggest” system deployed in DuckDuckGo and helps the users get faster results. The researchers figured that accessing the leaked information through this channel was fairly easy, and the data they got wasn’t encrypted at all. This basically means that anyone who could be listening to the search traffic would be essentially capable of figuring out what the user is searching for. The search terms and the user input themselves are encrypted, but the auto-complete is giving away the letters that are typed, so the whole thing beats the purpose.
DuckDuckGo acknowledged the vulnerability, although it took them a whole week to do so. They actually pointed to a fix they had deployed two years ago when a team of French researchers warned them of the particular risk. Back then, the browser’s team considered the attack method to be impractical. However, they still tried to mitigate the associated risks by randomizing the packet sizes of the encrypted auto-complete requests. Based on the recent hackathon results, the issue wasn’t addressed in a definitive manner.
One detail concerning the winning team of the hackathon, which is the one that discovered the DuckDuckGo flaw, is that it included three female researchers. The participation of women in the hackathon event was limited to 15%, so having a different synthesis in the winning team was a delight to see.
As for the choices that you have when it comes to private search engines and alternatives to DuckDuckGo, thankfully, there are a few out there. Last November, we covered the news about the launch of the “Private.sh” service, which was created by ‘Private Internet Access’ and ‘GigaBlast.’ This search service uses encryption on the client-side, so there’s nothing sensitive ever reaching the service’s servers. Of course, the drawback of using all of these privacy-focused internet searching services is their relatively smaller index compared to Google, but that’s a fair price to pay for privacy.