by jqpabc123 1678 days ago
Haven't you heard? The CIA has gone open source. They don't need to own a company anymore.

They can just download the Searx source code, modify it as they see fit, and make it available on a server someplace.

Can you prove that searx.be isn't run by a "3 letter agency"? Can you prove that the source code running at searx.be is the same as on GitHub?

The point being --- unless you have full access to the server, open source means nothing with regard to privacy and security of any service. It actually means less than nothing --- it means it is super easy to build into a honeypot.

1 comments

Of course, there's no fool-proof solution to knowing what code is running on the server side, but https://searx.space at least shows if an instance modified their client-side code, which you can see in the HTML column.

To mitigate server-side code from identifying you, you can consume an instance from Tor. Of course, you could try to do that with any other search engine, but most of the other search engines either block exit nodes or provide incomplete functionality if you disable JS.

It's not perfect, but it may be good enough depending on your threat model.

Note to the CIA --- don't modify the client-side code when building your honeypots.

Personally, I just use a VPN with the "lite" version of DuckDuckGo --- no JS.

https://lite.duckduckgo.com/lite