40

While on a client's site using the corporate network, I see that only a few search engines are allowed. Google and Bing, possibly others; while my fav DuckDuckGo is blocked, and a few others that I've tried are also blocked. The search engines are being blocked by the proxy.

What benefit does blocking a search engine have in a large enterprise environment? This is a financial company, so they do need pretty good security, but it seems odd that search engines would be blocked unless they are whitelisted.

The guest wifi does not have such a blockage, only the corporate network.

I was able to find a page on the intranet explaining some of the proxy rules. As some of you surmised, there are certain categories, and some categories have whitelists and blacklists associated with them. Sometimes there are explanations, and some categories are obviously blocked for work reasons (ie porn). The search engine category doesn't have an explanation, but a few others mention possible data exfiltration as a reason for blocking. Yet others refer to the benefit of access during working hours, or the lack of any particular reason to block them.

A few more pieces of info I have gotten:

  • It seems there is TLS/SSL interception and monitoring by the company. Standard stuff for a security conscious network nowadays, but if a search provider doesn't allow that via HSTS, then maybe that's a reason to blacklist it?
  • While I said in a comment that they did not explain the reason, the person who responded did say that DuckDuckGo (specifically) was moved to the blacklist, but they did not know why.
  • Browsers are managed by the IT department, which is probably how Chrome can talk to Google while being intercepted and not complain about it.
schroeder
  • 123,438
  • 55
  • 284
  • 319
YetAnotherRandomUser
  • 2,290
  • 2
  • 14
  • 20
  • 3
    Good question. My first instinct would be to ask the client's IT department, if that was possible. –  Sep 27 '19 at 12:24
  • 2
    I did, and they didn't answer, simply saying that security said it was to be blocked. I didn't want to press the issue a 3rd time, so I'm asking here. – YetAnotherRandomUser Sep 27 '19 at 12:25
  • 5
    The IT department may simply not know in that case, and security may or may not have their reasons. I personally can't think of any. –  Sep 27 '19 at 12:26
  • 2
    Might also have gotten blocked for violating rule based filters while not being explicitly white listed as a search engine. (can be as simple as ppl looking for a place to have dinner returning pages that violate a "alcohol/gambling" filter rule, not necc 'nsfw' content.) – Affe Sep 27 '19 at 21:00
  • 9
    Sometimes the block is ideological (i.e.: Stack Exchange blocking LMGTFY for Stack Overflow). – Script Kid Sep 27 '19 at 22:05
  • 1
    Smells like white-listing. Anything not on it is blocked. The reason it's not on the white-list is either because they don't know about it, hasn't been deemed secure enough or they simply haven't gotten around to it. – Mast Sep 30 '19 at 08:32

4 Answers4

43

In many jurisdictions, school districts are legally required to have web filtering in place. Google & Bing are two examples of companies who's "Safe Search" API has been around and stable for some time now. While DuckDuckGo does have Safe Search abilities, your client's web filtering vendor may not have had the time/motivation to add it into their product.

No mater how innocent the service should be, School kids are very good at using alternate search engines, translation services, etc. to access what folks in power believe they should not...

tjd
  • 755
  • 4
  • 6
  • 22
    While Safe Search might be required for schools it might be favored by companies too in order to prevent accidental (or deliberate) NSFW search results. And they might also have minors (like trainees) employed which they are required to protect by law. – Steffen Ullrich Sep 27 '19 at 14:22
9

If the enterprise considers search engines which aren't Google and Bing "untrustworthy" for some reason (e.g., because they believe they are more likely to intentionally or unintentionally disclose search history to third parties), it makes sense to block them. Your search history at work can reveal internal information about the company, two ways off the top of my head:

  1. Your searches relate to what you are working on - if you are searching for different antivirus products, someone looking at the history could infer that your company is looking to change its enterprise antivirus product, and maybe guess which is picked.
  2. Since browsers automatically turn url queries into searches if they aren't a valid url, it's easy to accidentally search for internal sites or even accidentally include internal company information in searches. For example, you may accidentally type in "https://companyintranet.com ?account=johnson" (or have it saved in your history and accidentally hit a key before enter when selecting it, invalidating the url and prompting a search).
IllusiveBrian
  • 343
  • 1
  • 6
  • #2 is innocuous on its own (DNS misconfigurations can also leak internal hostnames) until you consider adware and other browser hijacks that are literally designed to exfiltrate those sensitive search requests to shady or malicious search aggregators. Hence...block all engines except those you trust. – Ivan Sep 28 '19 at 17:31
5

There's really no good reason to block them. Search engines only return content based on their algorithm. It could be that they are blocking on a predefined firewall vendor list by categories where DuckDuckGo is categorized differently.

There have been attacks where using SEO a malicious actor has put his site above a legitimate one in the search results, but this affects all search engines not DuckDuckGo in particular.

Raimonds Liepiņš
  • 994
  • 5
  • 9
  • 1
    It's not just DDG that has been singled out. I tried a few different search engines off of "privacy lists" – YetAnotherRandomUser Sep 27 '19 at 13:09
  • 2
    @YetAnotherRandomUser this doesn't change my answer. It's just a part of vendor category list that has been blocked and only those allowed have been whitelisted. – Raimonds Liepiņš Sep 27 '19 at 16:51
  • 2
    @YetAnotherRandomUser It takes much less work to block a category and make exceptions for the approved sites than blocking all the undesired sites. That requires being notified whenever a new search engine appears and assessing it. – Barmar Sep 27 '19 at 22:32
  • 1
    `There's really no good reason to block them` - Each time you type a key, that data is transferred to the search engine. This could very well be seen as a `good reason to block them` – mottek Dec 28 '19 at 08:49
4

That sounds like a typical case of "security by misunderstood protocol", which you encounter in lots of places. Especially that they don't know by themselves why they're doing it points to some policy somewhere stating something which - Chinese Whispers style - turned into a search engines block list.

There really isn't any serious security impact I can think of that would make you clamp down on search engines. Any such claim went right out the windows with allowing Google, which is openly in the business of using and selling your data.

What is possibly going on is that they are running a whitelisting approach on the proxy, essentially blocking everything unless it is whitelisted, and just no-one has bothered to whitelist DDG or other less common search engines, yet.

Using a whitelist approach is a security option that is rarely taken because of the sheer amount of effort it requires to maintain the whitelist. There are some services out there that will sell you whitelists. I do believe they would include DDG, however, as do most of the IP and URL reputation services around, so it doesn't smell of that.

Tom
  • 10,124
  • 18
  • 51