
Why bother asking DDG itself when traffic can be intercepted and logged at their ISP?


That's why you should https everywhere.

https://www.eff.org/https-everywhere


IIRC HTTPS would encrypt your data from your ISP.


Until PRISM subpoenas DDG and gets their private keys -- after which they can decrypt the SSL traffic.


Not necessarily possible even with the private keys. If you use an SSL cipher with ephemeral keys, such as the DHE_* or ECDHE_* family of ciphers, then an eavesdropper with a recorded but not MITMed conversation cannot decrypt it even with the server's private SSL key.

See http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-se... for example.
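The difference described in the comment above, as an added example that is not part of the original thread: a toy RSA key-transport handshake and a toy DHE handshake are "recorded", then the server's long-term RSA private key is applied to everything on the wire to see which session key falls out. All parameters (tiny Mersenne-prime RSA modulus, 127-bit DH group, simplified signature) and all function names are constructed for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (not secure sizes).
P, Q = 2**61 - 1, 2**89 - 1           # two Mersenne primes -> toy RSA modulus
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # server's long-term private exponent
DH_P, DH_G = 2**127 - 1, 3            # toy Diffie-Hellman group


def kdf(premaster: int) -> bytes:
    """Derive a session key from the premaster secret."""
    return hashlib.sha256(premaster.to_bytes(32, "big")).digest()


def rsa_handshake():
    """RSA key transport: the client encrypts the premaster to the server key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_premaster": pow(premaster, E, N)}
    return wire, kdf(premaster)


def dhe_handshake():
    """DHE: the long-term key only signs the server's ephemeral public value."""
    a = secrets.randbelow(DH_P - 3) + 2   # client ephemeral exponent, discarded
    b = secrets.randbelow(DH_P - 3) + 2   # server ephemeral exponent, discarded
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % N
    wire = {"client_pub": A, "server_pub": B, "signature": pow(digest, D, N)}
    assert pow(B, a, DH_P) == pow(A, b, DH_P)   # both ends derive the same secret
    return wire, kdf(pow(B, a, DH_P))


def keys_recoverable_later(wire: dict, leaked_d: int) -> set:
    """Apply the leaked RSA private key to every recorded value and
    return the candidate session keys that produces."""
    return {kdf(pow(v, leaked_d, N)) for v in wire.values()}


def demo():
    """Return (rsa_session_exposed, dhe_session_exposed) after key disclosure."""
    rsa_wire, rsa_key = rsa_handshake()
    dhe_wire, dhe_key = dhe_handshake()
    return (rsa_key in keys_recoverable_later(rsa_wire, D),
            dhe_key in keys_recoverable_later(dhe_wire, D))


if __name__ == "__main__":
    print(demo())
```

In the DHE case the private key appears only in the signature, so nothing recorded is encrypted under it; the session secret depends on exponents that both ends throw away after the handshake.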


Which of course they do not. Google uses ECDHE_RSA. DDG uses RSA. ixquick, "the world's most private search engine", uses RSA. Bing does not even offer https.


Google does pin their keys in Chrome though, so they know if there is a MITM (and they have, Chrome's certificate pinning led to DigiNotar's downfall). It's a non-scalable hack, but definitely a good one for the largest search engine and a leading email provider to be able to provide.


What's preventing the government from coercing DDG to start log collections at their end, and then sealing it with a gag order?


Your ISP probably has these installed on every one of their racks:

http://www.wired.com/threatlevel/2010/03/packet-forensics/



