Kagi (Search Engine)

This entire thread underscores how little interest they have in implementing genuine privacy features. To be fair, though, their main customer base doesn’t prioritize these kinds of features either, as this suggestion isn’t among the most requested. We need to accept that Kagi simply targets a different audience than many here would prefer.

2 Likes

I think they have an interest, the Privacy Pass feature is insanely cool and something I want to see from more companies. It’s just really this one thing that’s sort of baffling to me. Any user signing up for the first time is going to think they need to put their real email in because it’s not communicated at all that you don’t need to.

I agree that it’s a decent feature, and it alleviates some concerns about logging or tracing users’ searches. And it shows that they do address some privacy concerns users may have. However, what I’m trying to convey is that it doesn’t significantly address Kagi’s relevant privacy issues. Perhaps my wording was unclear, but when I’m reading the thread you mentioned, I feel like they either don’t have an interest regarding this issue or they don’t fully understand it.

Looks like they not only announced privacy pass but also an onion variant of their site (installing an extension sounds like a bad idea…), hopefully someone familiar with the technology can verify their claims.

6 Likes

Privacy Pass + Onion service is a great privacy combo. I don’t understand the hate around here for the email signup requirement. You can always abandon an account and create a new one if you use a non-aliased email address for some reason. If you accidentally put in an email address that doesn’t belong to you, they also allow you to change it (though obviously, I wouldn’t use the “change” feature to try and obscure your identity as they probably have retained logs of your original email address and all variants you change to…just create a new account).

Anyway, basically anything one does on the internet requires some amount of knowledge and “work” to make private. Now that Kagi supports Tor and Privacy Pass, it seems like a great option for search for privacy-oriented people who want a great search experience from a company with a sustainable business model that’s ad-free.

EDIT: I also see that they’re considering allowing users to purchase Privacy Pass tokens directly without an account in the future (see the frequently asked questions at the bottom of the page): Introducing Privacy Pass authentication for Kagi Search | Kagi Blog

1 Like

Definitely time to reconsider Kagi I think, all your searches being linked to your account was my main hangup and this solves that. The onion service is also really nice to see.

Currently they still don’t meet the requirements for being listed as a search engine, but their blog post mentions

Do you plan to allow purchasing privacy pass tokens without having an account?

Yes, this makes sense. This is possible because technically the extension does not care if you have an account or not. It just needs to be ‘loaded’ with valid tokens. And you can imagine a mechanism where you could also anonymously purchase them, eg. with monero, without ever creating an account at Kagi. Let us know here if you are excited about this, as it will help prioritize it.

If this was implemented then we could add Kagi I think without altering our requirements.

5 Likes


No, privacy pass (issued against an underlying user-identifying credential) as implemented by Kagi (users can switch back and forth from using privacy pass tokens to their actual credential) doesn’t solve this.[1] Though, per their announcement blogpost, it seems like they want to implement a more careful variant of it some time down the line.

The thing to understand about privacy pass is, it assumes an anonymizing transport layer, like Tor or Private Relay. And so, adding any form of user context (like IP address or settings / preferences or device/usage metadata) after authorization pretty much defeats the guarantees, imo, of the entire privacy pass ceremony.

Either way, Vlad at Kagi is slowly building things out & punching way above their weight, which makes it pretty likely they’ll eventually build out stuff around privacy pass like we’d expect them to.


  1. The onus remains on the end user to not divulge any PII to Kagi at any stage of enrollment / signup, including payments and also when logging-in to access its web services without anonymizing transport, like Tor or Private Relay.

4 Likes
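
The argument in the post above, as an added example that is not part of the thread and not Kagi's code: a toy blind-RSA token shows that the issuer cannot match a redeemed token to its issuance, while an IP address shared by both phases rejoins them. Blind RSA is a swapped-in scheme chosen for brevity; the key size, record fields, account name and IP addresses are all constructed assumptions.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key (constructed from two Mersenne primes; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(nonce: bytes) -> int:
    """Map a token nonce into Z_N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def client_blind(nonce: bytes):
    """Client hides h(nonce) behind a random factor r before asking for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(nonce) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def verify(nonce: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(nonce)

def session(account: str, issue_ip: str, search_ip: str):
    """Return what the server logs at issuance and at redemption (constructed records)."""
    nonce = secrets.token_bytes(16)
    blinded, r = client_blind(nonce)
    blind_sig = issuer_sign(blinded)
    issuance = {"account": account, "ip": issue_ip, "blinded": blinded, "blind_sig": blind_sig}
    redemption = {"ip": search_ip, "nonce": nonce, "sig": client_unblind(blind_sig, r)}
    return issuance, redemption

def linked_by_token(iss, red) -> bool:
    # The server compares the values it saw at issuance with those at redemption.
    return iss["blinded"] == h(red["nonce"]) or iss["blind_sig"] == red["sig"]

def linked_by_context(iss, red) -> bool:
    # Any context that survives both phases (here the IP address) rejoins them.
    return iss["ip"] == red["ip"]
```

Calling `session` with the same address for both phases yields a valid token that `linked_by_token` cannot match but `linked_by_context` can; with a different redemption address, neither check links the two records.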

So, if I understand you correctly, this issue would diminish if Kagi implements an accountless integration of Privacy Pass, as they announced in their blog post? I mean in combination with an anonymous payment method, such as XMR.

1 Like
edit: old

This does not sound right to me. I don’t think Kagi’s Privacy Pass implementation connects you to any of your existing account preferences after authenticating, that would defeat the purpose. I don’t understand why merely acquiring tokens with an “underlying user-identifying credential” affects the privacy properties of these tokens in any way.

Your IP address when you search being the same as your IP address when you purchase is unavoidable without taking steps to anonymize it, yes, but I don’t see how your Kagi searches could be linked to your account if you use Tor and Privacy Passes in this setup.

Or are we saying the same thing and I’m misunderstanding? lol

Oh, never mind, I see what you’re saying now that I have downloaded the extension myself :laughing:

Since the extension requires you to be signed in to the browser in order to obtain the tokens, it makes using it privately a lot trickier. If these tokens were portable (can purchase with an account on one device/browser and add it to another device/browser where I’ve never signed in with Kagi) that could also be more useful I’d imagine.

Ultimately I do still think this implementation even in its current form does allow you to use Kagi completely privately if you want, but only if you are extremely careful with your opsec which most people probably will not be.


I don’t really understand why this browser extension doesn’t just let you authenticate within the extension itself, without needing to have been authenticated and have session cookies stored on kagi.com in the browser. That would also help with this issue, but maybe such sandboxing between the extension and the website in-browser isn’t possible(?)

3 Likes