DuckDuckGo not that private?

.

That's Exactly how Scroogle worked too, but they kept getting banned by Google & in the end had to give up their nice service

So why is it that SP don't get ANY grief from Google ? Very strange !

@ 0strodamus

That's good to hear, but PL requires JavaScript to work

 

Your poor result is due to using firefox, please see the link I provided for actual scores not some random Firefox plugin.

PRISM covers a vast array of things including interception of data in transit. How that data is secured is important.

For the record I did recommend it to DDG, they responded with "thanks for the suggestion, it has been noted". Hopefully that's a good sign.

Your "privatelee" site (which I've never heard of) scores F... Just look at all the problems with the site, it doesn't support forward secrecy and it doesn't support TLS 1.1/1.2: https://www.ssllabs.com/ssltest/analyze.html?d=privatelee.qrobe.it&s=75.126.131.74

Please stick to reputable, tried and true, tested sources like Qualys. Not random firefox addons that are clearly incapable of proper testing. Not only that, but the Qualys test performs a test on ALL browsers, not just firefox, to see how secure you are using whichever browser you prefer.

Since firefox has no support for TLS 1.1/1.2 you will always have the worst scores.

 

Lately I have found that it has been easier to find what i'm looking for using Ixquick. In used Ixquick in the past, and then someone at wilders mentioned duckduckgo, and I had not heard of it so I tried it. I found duckduckgo returned more valid search results for what I was looking for. Now the tables have turned. I started using Ixquick again a couple months ago because I have had a hard time finding what i'm looking for anymore using duckduckgo. Does duckduckgo route it's search through Bing or Google? Seems like someone mentioned that duckduckgo routed it's searches through another search engine like Scroogle did.

 

Ixquick/startpage uses Google.
DuckDuckGo uses a combination of Bing and its own engine.

 

@ elapsed

Calomel shows us what we are Actually experiencing, rather than what "might" be available. I'm glad to be able to see what's Actually happening but i agree that it "might" not be all we could achieve !

FF has SSL3

And together even with TLS 1.0 isn't too shabby



https://en.wikipedia.org/wiki/Transport_Layer_Security

 

Duly noted. Thanks for the info!

 

I'm shocked that you of all people (a privacy advocate) would even say these words lol.

If it wasn't for the RC4 cipher, TLS 1.0 would currently be completely and utterly screwed. TLS 1.1 isn't vulnerable to the BEAST attack no matter what cipher is selected. TLS 1.2 fixes even more issues with TLS 1.0.

The BEAST attack has forced millions of websites to adopt the weak RC4 cypher because they haven't been bothered to perform the upgrades to support TLS 1.1/1.2, TLS 1.0 (and SSL 3 especially) is far from sufficient. It is simply our only choice currently for many websites. Seeing more and more sites adopt TLS 1.1/1.2 is awesome. Especially high ranking websites such as Facebook, PayPal and Google. Firefox's lack of support for TLS 1.1/1.2 is IMO disgraceful, and after the next version of Chrome which brings TLS 1.2 support, Firefox will be the only browser left behind.

 

Where do you get the "Website Protocol Support" table information?

 

Firefox won't be left behind for very long. Chrome and Firefox both share the same libraries for handing TLS, and the development versions of Firefox already support it, though it may not have merged completely yet. Either way, it won't be long.

Not that many sites use 1.2, of course. And certainly not to say that 1.1 is broken.

 

It's from the link directly under the picture, the "Applications and adoption" section.

One would hope...

Websites can't implement something that browsers don't support, someone needs to take the first step. No one here said TLS 1.1 is broken, though it is already redundant.

 

Websites can definitely implement 1.1/1.2 anytime they like, but there has to be cause. TLS 1.0 is not weak in a practical way, especially for a passive attack that is working on stored data, and not a live connection. But it's time for websites to start moving on as there are more potential (though unrealistic) attacks coming out that would be mitigated by 1.1 and 1.2.

 

Lol, are you satisfied with having twisted my words? Clearly the websites freedom to do whatever they want is relevant to this discussion. Obviously it has nothing to do with logic, like oh I don't know, implementing something that no one can use because no browser supports it. The browsers always make the first step, it's that simple. Why would anyone bother with implementing something no one can use.

I also like how you completely passed over my statement about RC4 being the only thread TLS 1.0 is hanging by. Smooth.

 

Or they could implement it because:

1) Someone has to do it first - why should browsers implement it when servers don't support it? Why should servers support it when it isn't implemented by browsers yet?

2) IE has supported it for some time now

I wasn't twisting your words, if I misunderstood that's all there is to it.

And I realize you said that, I'm just explaining that there's no fire under anyone's asses to get TLS 1.1/1.2 out the door ASAP because TLS 1.0 is not horribly broken. Like you said RC4 saves TLS 1.0, so I don't think it's so shameful that it's taken FF this long to get it out.

 

At least duckduckgo (DDG) isn't as bad as google when it comes to invading your privacy. So my I'll continue using it because out of two evils, I would certainly be choosing the lesser of the two evils. I say DDG is much less evil than Google.

 

Am I to suppose that Google had not the best of intent when it adopted as its motto - "Don't be Evil"? LOL J/K

My knee-jerk statement (above) was precipitated by the sheer irony of your post as it related to Google's motto - and, I just could not resist mentioning it. Apologies all!

-- Tom

 

No, ixquick doesn't, only Startpage.

 

I totally disagree. It seems you view this as a chicken and egg situation, I don't. To me it's more like writing software in a coding language that doesn't exist. Firstly you write/implement said language (platform), the you write programs to run on it. Similarly the web browser has now become the platform, and websites are the software that run on it. The same thing applies for HTML/JS/CSS coding standards as does with website related features such as TLS. I don't expect people to write their own browser with XYZ missing feature just to test features they want to implement on their servers.

Whilst I praise MS and Opera for supporting it for so long, it's irrelevant as it's off by default and as so doesn't apply to most of the IE using population.

I heard that IE11 finally enables TLS 1.1/1.2 by default though, which if true, is great news.

I disagree again. I view TLS 1.0 as being on life support (sustained by RC4, nothing other than luck), and I praise anyone taking measures to support TLS 1.2.

 

The specification had already existed. Browsers could write it at any time. With HTML/JS/CSS you can't fallback as easily, and you end up with annoying web prefixes like -webkit and it gets annoying to deal with. There's no such issue with implementing TLS. Browsers had just as much reason to add support as servers ie: not much.

I believe this is the case.

But support was there, servers had incentive to work on it at the very least.

It's nothing to do with luck. I think it's great that 1.1 and 1.2 are coming out, it's just not something massive. It's not as if at any moment 1.0 will break and we'll have attacks that translate it straight to cleartext, the only current attack on it with RC4 is completely impractical. Even BEAST only works for attacks that are active during a session.

I'm glad 1.1 and 1.2 are coming I just wouldn't call a site using 1.0 broken by any means. If DDG and startpage differ only in that way it's just not such a big deal. I certainly hope they do support 1.1/1.2 soon, of course, as they are improvements. Just not a big deal.