<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body ><div style='font-size:10pt;font-family:Verdana,Arial,Helvetica,sans-serif;'>Hey there,<br><br>Our current implementation does use the HTTPS Everywhere rulesets. Here's the<br>announcement: https://duck.co/topic/more-https-links-on-duckduckgo. HTTPS Everywhere<br>aside, there are many links that will use the HTTPS protocol simply because that's what we are given<br>by our result sources [1] (e.g. Yahoo, Yandex, etc.). Some links, such as "Official Site" links<br>come from Wikipedia, so if it is HTTPS there, it will be HTTPS for us. The same thing goes<br>for !bangs [2] that are submitted; if they are submitted as HTTPS, we will use HTTPS. All of<br>this happens whether or not there is an HTTPS Everywhere ruleset.<br><br>As an additional note, we do have a "skip_domains.txt" file that contains domains that we do<br>not want to be transformed by the HTTPS Everywhere rules. This is generally because the browser<br>won't load a CSS file because it is not loaded via HTTPS. There are currently less than 10 domains<br>in there right now.<br><br>[1] http://help.duckduckgo.com/customer/portal/articles/216399-sources<br>[2] http://help.duckduckgo.com/customer/portal/articles/215625--bangs<br><br>Let me know if you have any questions!<br><br><div id=""><font size="2">Robert</font> Picard<br></div><br><div id="1"><br>---- On Thu, 02 May 2013 17:11:48 -0500 <b>Seth David Schoen<schoen@eff.org></b> wrote ---- <br></div><br><blockquote style="border-left: 1px solid #0000FF; padding-left: 6px;"><a subj="" mailid="mezzanine%40Safe-mail.net" href="mailto:mezzanine@Safe-mail.net" target="_blank">mezzanine@Safe-mail.net</a> writes: <br> <br>> It appears that the DuckDuckGo search engine features HTTPS hyperlinks for <br>> certain sites in its search results. This includes at least one site which <br>> does not have an HTTPS Everywhere ruleset--searching for "sutter health" <br>> leads to <a href="https://myhealthonline.sutterhealth.org/" target="_blank">https://myhealthonline.sutterhealth.org/</a> among the search results, <br>> so it is not clear as to whether the underlying mechanism used by the <br>> DuckDuckGo search is based on HTTPS Everywhere rulesets or merely includes <br>> mappings from HTTPS Everywhere rulesets among other sources or is completely <br>> unrelated. In some respects, for search engines to automatically supply HTTPS <br>> links could be useful for increasing the usage of HTTPS by users who do not <br>> have HTTPS Everywhere or similar plugins installed. (Perhaps the Google <br>> search engine could do things along these lines if they don't already do so.) <br> <br>I think DuckDuckGo was using our rulesets at one time. Perhaps they also <br>have another source of rulesets or heuristics that they could share. <br> <br>I don't think Google is likely to do this in the general case, but I'll <br>bring it up with them. (They could certainly do it in the case of the <br>sites on the Chromium HSTS preload list, if they aren't already doing so.) <br> <br>-- <br>Seth Schoen <<a subj="" mailid="schoen%40eff.org" href="mailto:schoen@eff.org" target="_blank">schoen@eff.org</a>> <br>Senior Staff Technologist <a href="https://www.eff.org/" target="_blank">https://www.eff.org/</a> <br>Electronic Frontier Foundation <a href="https://www.eff.org/join" target="_blank">https://www.eff.org/join</a> <br>815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 <br></blockquote><br></div></body></html>