
Vlad The DDG onion address is https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion. You can open it with a browser supporting Tor, for example the Tor Browser: https://www.torproject.org/download/

There are ways to automatically redirect a user accessing the page (kagi.com) with the Tor browser to the .onion address with a tag on the page. https://tor.stackexchange.com/questions/15421/redirect-to-onion-if-site-was-accessed-from-tor

Besides the benefits I already listed, these are additional benefits users get by accessing a .onion service instead of the clearnet address when browsing over Tor:

Using onion services mitigates attacks that can be executed by possibly-malicious “Tor Exit Nodes” — which, though rare, are not nonexistent — and also the fact that you are using a “.onion” address demands that the person is using a TorBrowser, thereby are also mitigating:

  • national web blocks
  • TLS-man-in-the-middle
  • SNI filters
  • DNS censorship and tracking (both upon the client side, and that potentially impacting exit nodes)
  • a lot of fundamental cookie-tracking and digital-fingerprinting issues
  • …and a bunch of other risks to which non-Tor-browsers are prone

Here you can find documentation on how to make a webservice available over Tor, looks pretty simple for normal infrastructure at least:
https://community.torproject.org/onion-services/setup/

KagiForMe It is def not perfect to log in to services while using Tor from an anonymity perspective and should be avoided if you are not trusting the service you log in to to reveal your identity to law enforcement for example, but this should be clear to Tor users if they try to be as private as possible.
I still think there are many benefits of using Kagi over Tor as you can use Kagi fully anonymously (private email + private payment and extra subscription for Tor only use for example) and have other Tor benefits of for example your government not seeing you accessing free information (if you live in China for example), or no risk of evil DNS, and better overall privacy when browsing through many webpages.

    f321x_ Can you refer to DDG official documentation on the Tor support and onion link? Could it be that was created by user community?

      Vlad They seem to be pretty low key about their onion service. When searching "ddg tor" on ddg you see it as a search answer. They also redirect to the .onion service from their domain at https://ddg.gg/?q=!ddt

      Also found additional docs on the automatic redirect from clearnet page to onion page when using the Tor browser, it's called "Onion-Location": https://community.torproject.org/onion-services/advanced/onion-location/

      • Vlad replied to this.
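For the Onion-Location redirect mentioned above, an added example (not part of the thread or of any project's code) that checks a header value before deployment: Tor Browser only offers the redirect when the page is served over HTTPS, is not itself an onion site, and the header is an http(s) URL with a .onion host. The function names and the clearnet URL in the demo are assumptions; the onion address is the one quoted in the thread.

```python
import base64
import hashlib
from urllib.parse import urlsplit

VERSION = b"\x03"  # v3 onion services

def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build the 56-character label for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32 bytes")
    return base64.b32encode(pubkey + _checksum(pubkey) + VERSION).decode().lower()

def is_valid_v3_label(label: str) -> bool:
    """True if label (without '.onion') decodes to key || checksum || version."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # non-base32 or non-ASCII characters
        return False
    return raw[34:] == VERSION and raw[32:34] == _checksum(raw[:32])

def check_onion_location(page_url: str, header_value: str) -> list:
    """Return a list of problems; an empty list means the header is usable."""
    problems = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        problems.append("page must be served over HTTPS")
    if (page.hostname or "").lower().endswith(".onion"):
        problems.append("page must not itself be an onion site")
    target = urlsplit(header_value.strip())
    host = (target.hostname or "").lower()
    if target.scheme not in ("http", "https"):
        problems.append("Onion-Location must be an http:// or https:// URL")
    if not host.endswith(".onion"):
        problems.append("Onion-Location host must end in .onion")
    elif not is_valid_v3_label(host[: -len(".onion")].split(".")[-1]):
        problems.append("host is not a valid v3 onion address")
    return problems

if __name__ == "__main__":
    # Onion address as quoted in the thread; clearnet URL is an assumption.
    onion = "duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion"
    print(check_onion_location("https://duckduckgo.com/", f"https://{onion}/"))
```

The checksum step catches a mistyped or truncated address, which would otherwise send Tor Browser users to a dead or wrong destination.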

        f321x_ Why would they be low key about this?

        How does one set this up from a technical perspective (I have close to zero knowledge about how tor/onion works)?

          Vlad
          TOR TL;DR:

          When the user wants to visit a website, they don't connect automatically to the website, but they encrypt and nest their data three times. Now the request is sent over three different "nodes" run by volunteers through the network. Every time a node is passed, they decrypt one layer and forward it to the next node. Only the last node knows where to send the data (and if using https not even the content). To the website, it is the last node who requests the data, not you with your personal IP.

          [The onion thing comes from the layered encryption, like an onion.]

          I think (but am no expert here, so please correct me!) that a so-called onion service is not on the clear web. They have a different address scheme (asdf.onion) and work this way:
          When the third server in the chain sees that it is an onion link, they don't connect to a normal website, but they route the data through the volunteer-run servers to the website, which is itself "hosted on the network"(?).

            With that being said, I don't think hosting an onion service is that difficult after all. (There should be lots of documentation, and I don't think it's that hard.)

            The main benefit of an onion service is that the entire traffic is hidden in the Tor network, not just "your side". (again ?)

              Vlad I don't see a critical reason to be low key about providing a service also on Tor. Maybe they don't see it as necessary to make a big announcement as Tor users are mostly tech affine persons and providing an onion service is essentially just a different domain for another network but not a huge thing to announce. Also other popular services like Facebook, Reddit and X (Twitter) also provide onion links.

              You can see how to make a service available on Tor (host an onion service) in these guides:
              https://riseup.net/ca/security/network-security/tor/onionservices-best-practices
              https://community.torproject.org/onion-services/setup/
              https://tor.stackexchange.com/questions/15421/redirect-to-onion-if-site-was-accessed-from-tor

              4 months later

              @Vlad after using Kagi for around 6 months now the missing of this feature still impacts me. I try to use the Tor Browser as much as possible to achieve good privacy when browsing, unfortunately I can't use Kagi as most of the time I get a 403 response. This is really annoying and it would be great to be able to use Tor either directly with an onion link or at least make it possible to use the normal clearnet Kagi without getting a 403 😃

              • Vlad replied to this.

                f321x_ This is completely new to us and we do not know what this entails from a technology implementation perspective so we would ideally like to see more demand for this first.

                  11 days later

                  Vlad
                  There is a tool to create an onion mirror of a clearnet site: https://tpo.pages.torproject.net/onion-services/onionspray/. It works as a reverse proxy to your site and is used among others by the BBC, The Intercept and Brave.

                  The main issue is that you block most of the Tor exits with an HTTP error 403:
                  Error: Forbidden
                  Your client does not have permission to get URL / from this server.
                  If this is easier to fix please do it. That would make an onion service less needed.

                  • Vlad replied to this.

                    bauruine

                    you block most of the Tor exits with a HTTP error 403

                    It is not us, but our cloud provider (GCP). I think this entire thread is in an effort to find a solution although it is not clear how would an onion address solve it, if the resources are still hosted on GCP?

                      8 days later

                      Hi, if it is not possible to fix Google's load balancer blocking Tor/VPNs, I would really like to see an onion domain for Kagi.

                      While I have used Tor for privacy/anonymity in the past, I am continuing to use it to contribute to the network - in simple terms, the more people use Tor for their day-to-day browsing, the safer any given user is.

                      I would have suggested the Enterprise Onion Toolkit, of which the aforementioned Onionspray seems to be a modern fork.

                      Vlad it is not clear how would an onion address solve it, if the resources are still hosted on GCP?

                      I'm not very familiar with GCP's services, but ideally if you run Onionspray next to your other services hosted on GCP, it would see you requesting the kagi.com domain rather than the Tor exit, so it wouldn't block the request.

                        a month later
                        25 days later

                        I would also love to see native Tor support. In addition to Duckduckgo, Startpage recently launched its onion service. As I regularly use the Tor Browser, this would be one of my top features. I don't think an onion service requires too much effort but I could be wrong.

                          21 days later

                          For me it's really a show stopper now, can't really use Kagi in Tor Browser as most exit relays are blocked and other search engines like DDG work fine. Please consider users of Tor, would especially make sense for Kagi as the user has to sign up. So Tor would provide some privacy here.

                            6 days later

                            I use Tor Browser as one of my main browsers, and the fact that often kagi gives a 403 error is very annoying and makes me reconsider if kagi is the right option for me. Would be nice if either kagi finds a way so we can use the service over Tor.

                            If the onion address is set up contacting the kagi servers directly, without passing over the GCP http servers, it will give Tor users an option to bypass the blockade and be able to use the service.

                              a month later

                              This feature is also important to me for the same reasons that everybody has already stated. It's kinda unusable that Kagi is 403ing all the time when used from Tor

                                3 months later

                                Any updates on this? My yearly subscription is ending soon and I love Kagi, but this is crucial for me to be able to continue using it.

                                  2 months later

                                  Hi, new Kagi user here and I was super disappointed to find that Kagi (or the technology providers they choose to use) takes extra effort to block Tor users. Having a search engine that reportedly cares about privacy force people to hand over their home IP address is creepy. If our IP addresses aren't being correlated with any other data to track us, why force people to hand it over?

                                  A login is required to use Kagi, so there shouldn't be any concerns with abuse or attacks. If that happens, just handle them in the same manner as if they came from anywhere else: presumably by suspending the offending account and problem solved. There's really just no good reason to treat connections different based on what IP address they are coming from.

                                  GCP does not block Tor exit nodes unless you ask them to do so. Here's the documentation showing this: https://cloud.google.com/firewall/docs/firewall-policies-rule-details#threat-intelligence-fw-policy

                                  I hope someone at Kagi sees this and will remove the blocking of Tor exit nodes from your GCP firewall policy. It would only take a few minutes. It'd be minimal effort and a big public relations (PR) win. It'd really take some wind out of the sails of the Kagi critics. It would also be a big privacy win for your customers.

                                  Independent of blocking exit nodes, I also agree that an onion service would be desirable. That isn't difficult to set up, but it does require research, making some design and implementation decisions, some infrastructure changes, testing, and so forth. It's completely understandable why that would take a couple weeks to put together if it were a priority, and a couple months if it were lower priority.

                                  I'd also like to address the question of how an onion service could help if it's still hosted on GCP and the GCP firewall is configured to block incoming connections from Tor exit nodes.

                                  The shortest answer is because the service running on GCP will be reaching out to a Tor entry node. This means the inbound firewall rules do not apply and even if they did, the service is not connecting to an exit node.

                                  To provide some more context, onion services use Tor to connect to a rendezvous point (RP). The client also uses Tor to connect to the RP. The RP matches the connections up and gets the requests and responses where they need to be (without being able to see the content of those requests & responses). It's called "hidden" because the users' ISPs don't see any DNS requests or network connections to kagi or even GCP. Meanwhile Google doesn't know who is connecting to the Kagi service either. All they see on the network is Kagi's service connecting to Tor entry nodes. So it's significantly more private. It also has the added bonus of undermining Google to the maximum extent possible (short of switching to a cloud provider that is not run by a competing search engine).

                                  All of this is very deep in the details of how Tor hidden services work internally. To implement it, you just configure the Tor service to make a TCP port available as a hidden service and it takes care of all of these details.

                                  Side note: If I were Google, I would absolutely be watching all the IP addresses that use Kagi and sending them targeted ads for privacy services and products to maximize profits. It's trivial for Google to map a home IP address to a physical address, the names of people who live there, and what they like/dislike. Just something for the business people at Kagi to keep in mind before investing further in GCP.