DuckDuckGo Smarter Encryption Enforces HTTPS Routing via @martinibuster
DuckDuckGo announced Smarter Encryption, an effort to restrict users to HTTPS connections. The system uses a whitelist of encrypted sites in order to route users to the encrypted versions of those URLs.
What is DuckDuckGo Smarter Encryption?
Smarter Encryption is essentially a white list of websites that are verified to be secure. A white list is the opposite of a black list. So rather than creating a list of sites to exclude (black list), Duck Duck Go is using the white list approach of creating a list of approved sites to include.
This is how Duck Duck Go described their white list:
“At the center of DuckDuckGo Smarter Encryption is a large list of websites that we know have encrypted (HTTPS) versions of their websites, which we use to ensure that you only interact with these encrypted versions.”
This is a method for ensuring that users are on the secure HTTPS protocol when it is available.
How is the Smarter Encryption List Created?
Duck Duck Go crawls the Internet and notes which sites are or are not encrypted. Duck Duck Go checks websites that serve both an insecure HTTP and a secure HTTPS version to verify if the URL upgrades to HTTPS.
Duck Duck Go tests URLs across the site to ensure that the site is indeed secure and that it is not serving mixed secure/insecure content. Sites that serve insecure content will not be allowed into the list of secure sites.
Smarter Encryption Actively Routes Traffic
DDG Smarter Encryption will automatically route users to secure versions of web pages for sites that are on the white list and serve both secure and insecure versions.
Normally, when someone links to an HTTPS site using an insecure HTTP URL, the website host redirects the user to the secure HTTPS version. According to Duck Duck Go, that initial HTTP request is sent before the redirect and is unencrypted, so some information leaks through.
DDG Smarter Encryption proactively upgrades HTTP links to their existing HTTPS URLs when a user clicks an insecure version of a URL for a secure site. This applies only to websites that are on the list and support HTTPS.
This is how Duck Duck Go explains it:
“…many websites offer both an encrypted (HTTPS) and an unencrypted (HTTP) version of their website, but unfortunately do not route you their encrypted version automatically. …even if a website offers HTTPS and does automatically navigate you there when you go to one of their web addresses, that first attempt you make is still unencrypted, leaking your browsing behavior.
…DuckDuckGo Smarter Encryption takes care of this scenario too (for websites on our list) by adding an ‘s’ to unencrypted http:// web addresses, making them https:// web addresses and therefore encrypted.”
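The upgrade step described above, as an added example that is not DuckDuckGo's own code: a small rewriter that turns an http:// URL into its https:// form only when the host is on an allowlist of sites known to serve HTTPS, and leaves every other URL untouched. The allowlist contents are constructed for illustration, and exact-host matching is an assumption, not a description of how DuckDuckGo's real list is keyed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample allowlist (not DuckDuckGo's real list): hosts verified to
# serve the same content over HTTPS without mixed content.
HTTPS_HOSTS = {"example.com", "www.example.com", "pinterest.com"}


def upgrade_to_https(url: str, allowlist=HTTPS_HOSTS) -> str:
    """Return the https:// form of `url` if its host is on the allowlist.

    Only plain http:// URLs are rewritten; https://, ftp:// and other schemes
    pass through unchanged, and hosts not on the list are left alone so the
    client never forces HTTPS on a site that is not known to support it.
    Matching is by exact host name (an assumption for this example).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    try:
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return url
    if host is None or host.lower() not in allowlist:
        return url
    netloc = parts.netloc
    if port == 80:
        # :80 is HTTP's default; it makes no sense on an https:// URL.
        netloc = netloc[: -len(":80")]
    elif port is not None:
        # Non-standard port: the list says nothing about HTTPS there.
        return url
    # Path, query and fragment are preserved so the user lands on the same page.
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_all(urls, allowlist=HTTPS_HOSTS):
    """Rewrite a batch of links, e.g. every href on a page before it is followed."""
    return [upgrade_to_https(u, allowlist) for u in urls]
```

Because the rewrite happens before any request is sent, the plaintext HTTP request that would otherwise precede the site's own redirect never leaves the client.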
Pinterest is Using Smarter Encryption
This feature isn’t just for Duck Duck Go users. Smarter Encryption is open source and any site or service is free to use it. Pinterest is now using it to send users to HTTPS versions of sites when they exist.
Publishing content over an insecure protocol will increasingly cost sites traffic. Google is giving a ranking boost to secure sites, and Chrome will soon begin discouraging visits to insecure websites.
Now, through the use of Smarter Encryption, an increasing number of Duck Duck Go and Pinterest users may become more aware of the importance of a secure browsing environment.
It used to be that secure protocols were just for eCommerce sites that processed sensitive information like credit cards and addresses. That’s no longer true.
Insecure websites may increasingly see their web traffic diminish as Chrome actively discourages visits to those sites and Smarter Encryption helps create a negative perception of insecure websites.
There are no longer valid excuses for publishing content on insecure protocols.