[HTTPS-Everywhere] The DuckDuckGo search engine supplying HTTPS links

Fri May 3 08:35:02 PDT 2013

Hey there,

Our current implementation does use the HTTPS Everywhere rulesets. Here's the
announcement: https://duck.co/topic/more-https-links-on-duckduckgo. HTTPS Everywhere
aside, there are many links that will use the HTTPS protocol simply because that's what we are given
by our result sources [1] (e.g. Yahoo, Yandex, etc.). Some links, such as "Official Site" links
come from Wikipedia, so if it is HTTPS there, it will be HTTPS for us. The same thing goes
for !bangs [2] that are submitted; if they are submitted as HTTPS, we will use HTTPS. All of
this happens whether or not there is an HTTPS Everywhere ruleset.

As an additional note, we do have a "skip_domains.txt" file that contains domains that we do
not want to be transformed by the HTTPS Everywhere rules. This is generally because the browser
won't load a CSS file because it is not loaded via HTTPS. There are currently less than 10 domains
in there right now.

[1] http://help.duckduckgo.com/customer/portal/articles/216399-sources
[2] http://help.duckduckgo.com/customer/portal/articles/215625--bangs

Let me know if you have any questions!

Robert Picard

---- On Thu, 02 May 2013 17:11:48 -0500 Seth David Schoen<schoen at eff.org> wrote ---- 

mezzanine at Safe-mail.net writes: 

> It appears that the DuckDuckGo search engine features HTTPS hyperlinks for 
> certain sites in its search results. This includes at least one site which 
> does not have an HTTPS Everywhere ruleset--searching for "sutter health" 
> leads to https://myhealthonline.sutterhealth.org/ among the search results, 
> so it is not clear as to whether the underlying mechanism used by the 
> DuckDuckGo search is based on HTTPS Everywhere rulesets or merely includes 
> mappings from HTTPS Everywhere rulesets among other sources or is completely 
> unrelated. In some respects, for search engines to automatically supply HTTPS 
> links could be useful for increasing the usage of HTTPS by users who do not 
> have HTTPS Everywhere or similar plugins installed. (Perhaps the Google 
> search engine could do things along these lines if they don't already do so.) 

I think DuckDuckGo was using our rulesets at one time. Perhaps they also 
have another source of rulesets or heuristics that they could share. 

I don't think Google is likely to do this in the general case, but I'll 
bring it up with them. (They could certainly do it in the case of the 
sites on the Chromium HSTS preload list, if they aren't already doing so.) 

-- 
Seth Schoen <schoen at eff.org> 
Senior Staff Technologist https://www.eff.org/ 
Electronic Frontier Foundation https://www.eff.org/join 
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20130503/e0907ea4/attachment.html>