One great trend for Internet users' privacy and security has been that search engines — among other popular sites — are making their services available in a secure HTTPS form.

But users can still run into a privacy problem when they click on search results: the destination page could be unencrypted, potentially revealing lots of information to eavesdroppers about a user's interests and activities. For instance, suppose you search for [coronary artery disease] on a search engine, and you click on the search engine's outbound result link to Wikipedia's page at http://en.wikipedia.org/wiki/Coronary_artery_disease. Even if your connection to the search engine was protected by HTTPS, your connection to Wikipedia won't be!

But it could have been protected — after all, Wikipedia has a partially HTTPS-protected version at the alternative address https://secure.wikimedia.org/wikipedia/en/wiki/Coronary_artery_disease. The search engine would just have to know to send you to that link instead of the insecure link. (Or you could use EFF's HTTPS Everywhere software to rewrite the link inside your browser; but currently it's only available for Firefox and doesn't come with browsers by default.) Wouldn't it be great if search engine results preferred the secure form of web sites?

This week the developer of the search engine Duck Duck Go let us know that Duck Duck Go is doing exactly that, using EFF's HTTPS Everywhere rules to automatically generate secure outbound links where possible. (For example, Duck Duck Go is rewriting not only links to Wikipedia but also links to sites like Twitter and Facebook into HTTPS.)
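
To make the rewriting step concrete, here is an added sketch (not Duck Duck Go's or EFF's code) of applying an HTTPS Everywhere-style ruleset to outbound result links. The ruleset is constructed for illustration: its rule generalizes the Wikipedia address mapping from the example above to any language prefix, and the exclusion and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML style (target / exclusion / rule).
# It is not copied from the project; the exclusion is a made-up illustration.
RULESET_XML = r"""
<ruleset name="Wikipedia (constructed example)">
  <target host="*.wikipedia.org" />
  <exclusion pattern="^http://[a-z]+\.wikipedia\.org/wiki/Special:" />
  <rule from="^http://([a-z]+)\.wikipedia\.org/wiki/"
        to="https://secure.wikimedia.org/wikipedia/$1/wiki/" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Parse one ruleset into (target hosts, exclusion regexes, rewrite rules)."""
    root = ET.fromstring(xml_text.strip())
    targets = [t.get("host").lower() for t in root.findall("target")]
    exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
    # Rules use JavaScript-style $1 backreferences; Python's re wants \g<1>.
    rules = [(re.compile(r.get("from")),
              re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
             for r in root.findall("rule")]
    return targets, exclusions, rules

def rewrite(url, ruleset):
    """Return the HTTPS form of url if the ruleset covers it, else url unchanged."""
    targets, exclusions, rules = ruleset
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Match on the parsed hostname, not the raw string, so a lookalike such as
    # en.wikipedia.org.example.net is never treated as a Wikipedia host.
    if parts.scheme != "http" or not any(fnmatchcase(host, t) for t in targets):
        return url
    if any(x.search(url) for x in exclusions):
        return url
    for pattern, replacement in rules:
        rewritten, count = pattern.subn(replacement, url, count=1)
        if count:
            # Only accept a result that actually upgrades the link to HTTPS.
            return rewritten if rewritten.startswith("https://") else url
    return url

RULESET = load_ruleset(RULESET_XML)
```

Links that match no target host, or that match an exclusion, pass through untouched, so an incomplete ruleset can only fail to upgrade a link rather than break it.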

This is a great step toward making HTTPS use much more routine and ubiquitous. We were also thrilled to discover that StartPage, a pioneer in search privacy, is also generating secure outbound Wikipedia links. Hopefully more search engines will adopt this practice soon!