[Bug] entering a url or domain name opens a http connection not https #4293

Closed
PJVervoorn opened this issue Mar 13, 2024 · 5 comments

@PJVervoorn

Describe the bug

When I enter a URL (or domain name) in the address/search bar, it opens a connection via port 80.
This is a security (and privacy) issue.
Most sites will automatically redirect to https, but that is possibly too late...
Since I have blocked port 80 on the firewall, the DuckDuckGo browser can’t load the page.

How to Reproduce

Enter a domain name (without protocol), i.e. netscape.com

Expected behavior

Expected is that https is the default protocol; it should be tried first (or only?)

Environment

- DDG App Version: 5.192.2
- Device: Motorola Edge Ultra, Realme pad.
- OS: Android, MacOS (it happens with DuckDuckGo browser on MacOS too.)

Contributor

Thank you for opening an Issue in our Repository.
The issue has been forwarded to the team and we'll follow up as soon as we have time to investigate.
As stated in our Contribution Guidelines, requests for feedback should be addressed via the Feedback section in the Android app.

@karlenDimla
Contributor

Hello! Thanks for your report.

This feature is actually working as intended, as we also don't want to increase site breakages by assuming an https option always exists. For more information, you can also read through https://spreadprivacy.com/duckduckgo-smarter-encryption/.

@PJVervoorn
Author

I disagree..
When I enter "netscape.com" (so without protocol) in ddg browser, it tries to open "http://netscape.com".
The firewall in my network rejects that, otherwise the provider could hijack that connection and show ads.
I think ddg browser should either default to https and use http as fallback, or, as your link seems to suggest, verify ddg's database and use the appropriate protocol.

@marcosholgado
Contributor

@PJVervoorn we already check with our smarter encryption db. If you believe netscape.com or other domains are missing from the db, you can open an issue in https://github.com/duckduckgo/smarter-encryption, although I see netscape.com redirects to AOL, which loads with https.

@PJVervoorn
Author

@marcosholgado I have done a bit of testing.
It happens when you enter a domain name/URL without protocol and press 'enter' before the search results appear.
One of the domains I see it happening with often is nu.nl (a Dutch news site). The domain name is very short, so I usually just type it instead of going via favourites/bookmarks.
Even if I wait for the search results to appear, but press 'enter' instead of clicking a search result, it opens the site via http.
As my firewall blocks port 80 (to prevent hijacking) it is not a risk for me, but for others it might be...
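
The three address-bar policies discussed in this thread (upgrade-list lookup with an http default, https first with http fallback, https only) compared side by side, as an added example that is not DuckDuckGo's code and not part of any comment above. `UPGRADE_LIST`, the policy names, the helper functions and the `.example` hosts are constructed for illustration.

```javascript
// Constructed stand-in for an HTTPS upgrade list; the entry is invented for this example.
const UPGRADE_LIST = new Set(["listed.example"]);

// Parse address-bar input. Scheme-less input is parsed as http:// only to obtain
// host, port and path, not because that scheme will necessarily be used.
function parseTyped(input) {
  const typed = input.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(typed);
  const url = new URL(hasScheme ? typed : `http://${typed}`);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  return { url, explicitHttps: hasScheme && url.protocol === "https:" };
}

function withScheme(url, scheme) {
  const copy = new URL(url.href);
  copy.protocol = scheme; // a non-default port typed by the user is kept
  return copy.href;
}

// Ordered list of URLs that would be attempted under a policy (hypothetical names):
//   "list-only"   - https only if the host is on the upgrade list, else http
//   "https-first" - https first, http as fallback
//   "https-only"  - https, no fallback
function connectionPlan(input, policy, list = UPGRADE_LIST) {
  const { url, explicitHttps } = parseTyped(input);
  const https = withScheme(url, "https:");
  const http = withScheme(url, "http:");
  if (explicitHttps || list.has(url.hostname)) return [https];
  switch (policy) {
    case "list-only": return [http];
    case "https-first": return [https, http];
    case "https-only": return [https];
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// True when the very first request would leave the device unencrypted.
function firstHopPlaintext(plan) {
  return plan[0].startsWith("http://");
}

// True when any attempt in the plan could go out unencrypted.
function anyPlaintext(plan) {
  return plan.some((u) => u.startsWith("http://"));
}
```

Under "https-first" the first hop is encrypted, but `anyPlaintext` stays true for hosts off the list because the fallback remains; only "https-only" removes the port 80 attempt entirely.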
