Interview with the Engineer of Uruky, a Private Search Engine

Privacy Guides Community [Unofficial] May 23, 2026

Thanks for the links.

fria:

I can’t list Kagi as a source for their own feature

Yes? That’s not because we distrust “primary sources”, but (hopefully it is obvious why) they are not the most unbiased source about themselves.

There’s an expectation that team members not rely solely on primary sources.

How does Privacy Guides make recommendations?

here at Privacy Guides people don’t need to trust the team to be the experts themselves on every topic that we publish recommendations on, but people are trusting the team to weigh all the discussions we see and make recommendations accordingly


fria:

not sure what counts as “marketing material” to you

To me? Some of the editorial in security audits by Cure53 (see), for an example relevant to these forums, are marketing.


fria:

Source: RFC 9576 from the IETF outlining the Privacy Pass architecture

My question was, how does Kagi’s deployment of Privacy Pass cryptographically guarantee unlinkability, like we hope it does? Not what the RFCs say Kagi must do, but what Kagi in fact actually allows.

From elsewhere:

The downside of this is that if you are not on a larger network, the IP address will probably deanonymise you. Kagi knows you are logged in, and if you open a private browsing window to do a spicy search, they could link the searches. Fast switching between modes is undesirable.

In fact, we’ve also discussed this on these forums before: Kagi (Search Engine) - #93 by ignoramous

Kagi (Search Engine)

Since the extension requires you to be signed in to the browser in order to obtain the tokens, it makes using it privately a lot trickier. If these tokens were portable (can purchase with an account on one device/browser and add it to another device/browser where I’ve never signed in with Kagi) that could also be more useful I’d imagine.


Applied cryptography (like Privacy Pass / Trusted Computing / HE etc) is very hard & very expensive, in practice, like @brn politely points out above (that it is one thing Apple does it, and another for an upstart to pursue it, and yet another for upstarts to mis-market it). We should hold any firm making cryptographic guarantees to a very high standard (for example, see @maqp on private messaging).

/meta
