[minitech]

> We require an open proxy in some form to protect our users' privacy

Which feature relies on this?

[yegg]

Currently all the features that showcase third-party content on DuckDuckGo, the biggest being image and audio instant answers.

[provost]

Thanks for the update and follow-up answers.

Could you comment on the "Reported in March 2017, emailed them 9 times about the issue since then. Still unfixed as of now." claim, as it seems imperative to the discussion?

Is there something that can be improved here? Perhaps that inbox not as actively monitored as it could be?

[yegg]

We have real-time monitoring for that inbox and a 24/7 ops team. We have corresponded many times about this issue, and have made many changes over that period.

It's not as simple as just shutting down the open proxy because we need an open proxy to adequately protect users' privacy on our site. It just needs to be more locked down and more obvious it is a proxy, which we are doing right now (half done already).

[minitech]

Content-Type whitelist, CSP, and a separate domain for proxying please? I don’t feel safe using DuckDuckGo now.

[yegg]

CSP has already been rolled out and we're working on another domain now; we will do a proxy.duckduckgo.com in the interim.