The DuckDuckGo browser’s phishing and malware protection helps keep you safe while browsing online. Other browsers like Chrome, Firefox, and Safari rely on Google’s Safe Browsing Service to provide these phishing warnings, which involves sending information to Google. We don’t. We built our own anonymous solution that doesn’t send data to any third parties.
Why is phishing and malware protection necessary?
Phishing and malware are two of the most common online security threats. Cybercriminals use phishing to trick people into giving them personal information, such as usernames, passwords, and credit card numbers. They also try to get people to download malware that can infect phones or computers to cause damage or extract personal information. Phishing and malware protection is designed to alert you to sites that have been flagged for making phishing attempts or hosting malware. You can disable this feature in the DuckDuckGo browser settings menu.
How does phishing and malware protection work anonymously in DuckDuckGo browsers?
To start, your browser needs to know which websites have been flagged for phishing or malware. This list of sites is provided to us by our partner, Netcraft, and we store the list on our servers. Your browser downloads a version of this list from DuckDuckGo so it’s available locally on your device. When you navigate to a site, your browser first checks the site against the list stored on your device. If the site is on the list, your browser shows a warning message that gives you the option to navigate away safely or to continue to the site at your own risk.
For uncommon threats, an extra, anonymous verification step that checks websites against a larger and more comprehensive database on DuckDuckGo servers is needed (as explained below); however, this process is also anonymous and at no time does your device communicate with any other third parties as part of the threat verification process.
Here’s how it works technically:
-
Initial List Setup
- Periodically, the browser receives a list of known malicious websites from a DuckDuckGo server. This list isn’t human readable. Instead, each domain is represented by the first 8 characters of its SHA256 hash, also known as a “hash prefix.”
- If you were to look at this list, you’d see something like
[d4c9d902, 133066d1, ...]instead of[website1, website2, ...] - For details on how hashes work, see Hash Function and SHA-2.
- If you were to look at this list, you’d see something like
- The DuckDuckGo server also provides a detailed list of the most common threats, sorted by their similarity to commonly visited sites.
- For example,
[{"regex": "(?i)^https?\\:\\/\\/bad-third-party\\.site(?:\\:(?:80|443))?\\/security\\/badware\\/phishing\\.html$", "hash": "e4753ddad954dafd4ff4ef67f82b3c1a2db6ef4a51bda43513260170e558bd13"}, ...]
- For example,
- Periodically, the browser receives a list of known malicious websites from a DuckDuckGo server. This list isn’t human readable. Instead, each domain is represented by the first 8 characters of its SHA256 hash, also known as a “hash prefix.”
-
Local Threat Detection
- When you navigate around the web, your browser generates the SHA256 hash of domains you’re about to visit and checks them against the SHA256 hashes in the list of known malicious sites and against the list of common threats.
- If the site matches any entry in both lists, the browser warns you about the potential danger.
- Most of the time this on-device threat verification process is sufficient to determine if the site is dangerous.
-
Handling Uncommon Threats
- If your browser can’t find the domain you’re about to visit in the list of common threats but does find a match in the hash prefixes of known malicious sites, further verification against a larger and more comprehensive dataset is needed to ensure the site in question is known to be malicious.
- In these cases, the browser sends the first 4 characters of the domain’s SHA256 hash to DuckDuckGo servers for further verification.
- The extra step to generate a 4-character hash prefix ensures your browsing history can’t be tied back to you.
- In fact, we chose a 4-character hash prefix because it represents up to 65,536 values, and with hundreds of millions of potential domains online, many will share the same 4-character prefix, making it virtually impossible to associate any hash sent to DuckDuckGo with any specific domain.
- This request data is never logged or stored anywhere on our servers and is only used to return matching data from DuckDuckGo’s database.
- The DuckDuckGo server responds by sending a refined list of possible matches back to the browser. Your browser can then compare the URL you’re about to visit against this new list of known malicious sites and make a final decision based on information received.
To be clear, this means that your searches and browsing history are still completely anonymous.
Prior versions on GitHub.