[WIP] Phishing and Malware Protection Page v2 #366

Open
wants to merge 8 commits into
base: master
46 changes: 46 additions & 0 deletions _docs/privacy/phishing-and-malware-protection.md
@@ -0,0 +1,46 @@
---
title: Phishing and Malware Protection in DuckDuckGo Browsers
nav_title: Phishing and Malware Protection
description: DuckDuckGo browsers protect you from sites reported for phishing or malware by anonymously checking sites you visit against a list of known malicious websites.
category: Web Browsing Privacy
order: 700
---

The DuckDuckGo browser’s phishing and malware protection helps keep you safe while browsing online. Other browsers like Chrome, Firefox, and Safari rely on Google’s [Safe Browsing Service](https://support.google.com/chrome/answer/9890866){:target="\_blank"}{:rel="noopener noreferrer"} to provide these phishing warnings, which involves sending information to Google. We don’t. We built our own anonymous solution that doesn’t send data to any third parties.

## Why is phishing and malware protection necessary?

Phishing and malware are two of the most common online security threats. Cybercriminals use phishing to trick people into giving them personal information, such as usernames, passwords, and credit card numbers. They also try to get people to download malware that can infect phones or computers to cause damage or extract personal information. Phishing and malware protection is designed to alert you to sites that have been flagged for making phishing attempts or hosting malware. You can disable this feature in the DuckDuckGo browser settings menu.

## How does phishing and malware protection work anonymously in DuckDuckGo browsers?

To start, your browser needs to know which websites have been flagged for phishing or malware. This list of sites is provided to us by our partner, [Netcraft](https://www.netcraft.com/){:target="\_blank"}{:rel="noopener noreferrer"}, and we store the list on our servers. Your browser downloads a version of this list from DuckDuckGo so it’s available locally on your device. When you navigate to a site, your browser first checks the site against the list stored on your device. If the site is on the list, your browser shows a warning message that gives you the option to navigate away safely or to continue to the site at your own risk.

For uncommon threats, an extra, anonymous verification step that checks websites against a larger and more comprehensive database on DuckDuckGo servers is needed (as explained below); however, this process is also anonymous and at no time does your device communicate with any other third parties as part of the threat verification process.

Here’s how it works technically:

1. **Initial List Setup**

- Periodically, the browser receives a list of known malicious websites from a DuckDuckGo server. This list isn’t human readable. Instead, each domain is represented by the first 8 characters of its SHA256 hash, also known as a “hash prefix.”
- If you were to look at this list, you’d see something like `[d4c9d902, 133066d1, ...]` instead of `[website1, website2, ...]`
- For details on how hashes work, see [Hash Function](https://en.wikipedia.org/wiki/Hash_function){:target="\_blank"}{:rel="noopener noreferrer"} and [SHA-2](https://en.wikipedia.org/wiki/SHA-2){:target="\_blank"}{:rel="noopener noreferrer"}.
- The DuckDuckGo server also provides a detailed list of the most common threats, sorted by their similarity to commonly visited sites.
- For example, `[{"regex": "(?i)^https?\\:\\/\\/bad-third-party\\.site(?:\\:(?:80|443))?\\/security\\/badware\\/phishing\\.html$", "hash": "e4753ddad954dafd4ff4ef67f82b3c1a2db6ef4a51bda43513260170e558bd13"}, ...]`{:style="white-space: normal"}

2. **Local Threat Detection**

- When you navigate around the web, your browser generates the SHA256 hash of domains you’re about to visit and checks them against the SHA256 hashes in the list of known malicious sites and against the list of common threats.
- If the site matches any entry in both lists, the browser warns you about the potential danger.
- Most of the time this on-device threat verification process is sufficient to determine if the site is dangerous.

3. **Handling Uncommon Threats**

- If your browser can’t find the domain you’re about to visit in the list of common threats but does find a match in the hash prefixes of known malicious sites, further verification against a larger and more comprehensive dataset is needed to ensure the site in question is known to be malicious.
- In these cases, the browser sends the first 4 characters of the domain’s SHA256 hash to DuckDuckGo servers for further verification.
- The extra step to generate a 4-character hash prefix ensures your browsing history can’t be tied back to you.
- In fact, we chose a 4-character hash prefix because it represents up to 65,536 values, and with hundreds of millions of potential domains online, many will share the same 4-character prefix, making it virtually impossible to associate any hash sent to DuckDuckGo with any specific domain.
- This request data is never logged or stored anywhere on our servers and is only used to return matching data from DuckDuckGo’s database.
- The DuckDuckGo server responds by sending a refined list of possible matches back to the browser. Your browser can then compare the URL you’re about to visit against this new list of known malicious sites and make a final decision based on information received.

**To be clear, this means that your searches and browsing history are still completely anonymous.**
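
Review bot: In step 3 ("Handling Uncommon Threats"), the anonymity argument counts "hundreds of millions of potential domains" per 4-character prefix, but the same step says the request is only sent after the domain has already matched an 8-character prefix in the local list, so the server can narrow the candidates to flagged entries that share those 4 characters, a smaller set than the paragraph implies. Suggest stating the claim in those terms, or explaining why the narrower set still does not identify the site. It would also help to say "hexadecimal characters" where the 8- and 4-character prefixes are introduced, since 65,536 values only follows for hex. In step 2, "checks them against the SHA256 hashes in the list of known malicious sites" should say hash prefixes, because step 1 says the list holds only the first 8 characters, and "matches any entry in both lists" is ambiguous; something like "matches a hash prefix and an entry in the list of common threats" would agree with step 3. Finally, steps 1 to 3 talk about hashing "domains", while the example regex and the last bullet of step 3 match a full URL with a path; the page should say which of the two is hashed and which is compared.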