Privacy Pass Authentication for Kagi Search

I love that Kagi now uses Privacy Pass, and they look like a cool company in general.<p>That being said, they essentially took the IETF draft I worked on for a while [1] and also my Rust implementation [2]. They built a thin wrapper [3] around my implementation and now call it &quot;Kagi’s implementation of Privacy Pass&quot;. I think giving me some credit would have been in order. IETF work and work on open-source software is mostly voluntary, unpaid, and often happens outside of working hours. It&#x27;s not motivating to be treated like that. Kagi, you can do better.<p>[1] <a href="https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;draft-ietf-privacypass-batched-tokens&#x2F;" rel="nofollow">https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;draft-ietf-privacypass-batc...</a> [2] <a href="https:&#x2F;&#x2F;github.com&#x2F;raphaelrobert&#x2F;privacypass">https:&#x2F;&#x2F;github.com&#x2F;raphaelrobert&#x2F;privacypass</a> [3] <a href="https:&#x2F;&#x2F;github.com&#x2F;kagisearch&#x2F;privacypass-lib&#x2F;blob&#x2F;e4d6b354dd2a39e7f9e43a5164cd79da3e563446&#x2F;src&#x2F;core&#x2F;Cargo.toml#L36">https:&#x2F;&#x2F;github.com&#x2F;kagisearch&#x2F;privacypass-lib&#x2F;blob&#x2F;e4d6b354d...</a>

Neat! It&#x27;s rare to see that a service you use actually does something that benefits the user rather that itself. An unexpected, but a really pleasant surprise.<p>I wish this extension would integrate better with the browser by automatically understanding the context. That is, if I&#x27;m in a &quot;regular&quot; mode it&#x27;ll use my session, but if I&#x27;m in a &quot;private browsing&quot; mode (`browser.extension.inIncognitoContext`) it&#x27;ll use Privacy Pass to authenticate me, without me having to explicitly do anything about it.<p>(I don&#x27;t use Orion, as there&#x27;s no GNU&#x2F;Linux version.)

The post hints at this, but having a shop where one can buy a privacy pass without an account makes sense.<p>Should support some crypto currency (probably monero), and something like GNU Taler if that technology ever becomes usable.

So....is this privacy through assumed lack of logging? Not trying to be a dick, just legit don&#x27;t understand a part of this.<p>User A asks kagi for tokens. Kagi says &quot;sure, here&#x27;s 500 tokens&quot;. If kagi then logs the 500 tokens it just gave to user A, it now will know if any of those tokens is redeemed at a later date, that they&#x27;re assigned to user A?<p>Of course if Kagi just doesn&#x27;t retain this data, then yeah all is good because the token itself is only marked as valid, not valid and given to user A on date Y, but....that&#x27;s it right? Or am I misunderstanding something?

The biggest flaw I always saw in Kagi has now been addressed by this. Thank you for listening and working to make the product appealing to (almost) everyone!

One of the biggest complaints about Kagi from people who have not yet adopted it is their privacy concerns around having to login and have payment information.<p>I&#x27;m not one of the people that has been concerned about that, but I&#x27;m curious to what extent this alleviates those concerns among those that have had them.

What&#x27;s to stop someone on the Kagi side from just adding a new column to the token table that has the user (with their SessionCookie) who generated the token next to it? I don&#x27;t see how this can&#x27;t be trivially connected to the original token generator.

Does this actually work, though? The token can only be redeemed once, which means that, realistically, the client is going to be in a loop generating and redeeming tokens in a given search session, which makes the pairs trivial to correlate. The article even states it:<p>&gt; For this reason, it is highly recommended to separate token generation and redemption in time, or “in space” (by using an anonymizing service such as Tor when redeeming tokens, see below).<p>Sure, Tor will random the space. But what about the time? I then went to &quot;see below&quot; and didn&#x27;t see anything relevant. Or is the idea that, with sufficient request volume, clients mask each other in time?<p>Also, Tor will only randomize the space insofar as you keep re-establishing a session; the loop remains static for the duration of a session afaik. And re-establishing a session takes like 10 seconds. So is it really randomizing the space?

This is sick, fantastic work.<p>I have built blind signature authentication stuff before (similar to privacy pass) and one thing I’m curious about is how you (will) handle multi device access?<p>I understand you probably launched with only unlimited search users in order to mitigate the same user losing access to their tokens on a different device. But any ideas for long term plans here? When I built these systems in the past, I always had to couple it with E2EE sync. Not only can that be a pain for end users, but you can also start to correlate storage updates with blind search requests.<p>Either case, this is amazing and I’m gonna be even more excited to not just trust Kagi, but verify that I don’t need to trust y’all. Congrats.

Is this the same Privacy Pass that Cloudflare was using to allow clients to bypass CAPTCHAs? If so, this is a really neat application of that system; it never occurred to me that it could be used to anonymously authenticate to a paid service.

I&#x27;m not affiliated with the Tor Project organization, but I have some questions.<p>From Tor docs [0]:<p>&gt; Add-ons, extensions, and plugins are components that can be added to web browsers to give them new features. Tor Browser comes with one add-on installed: NoScript. You should not install any additional add-ons on Tor Browser because that can compromise some of its privacy features.<p>How does Kagi square this with Privacy Pass, which requires a browser extension rejected by Tor [1]? Did Kagi analyze whether it is possible to bucket users of Tor into two distinct groups depending on whether the extension is installed? Do I need to trust another organization other than the Tor project to keep the signing keys for the extension safe? Was there any outreach to the Tor community at all prior to releasing this feature?<p>It&#x27;s great that they&#x27;re Torifying the service, but depending on a 3rd party extension is not ideal.<p>[0] <a href="https:&#x2F;&#x2F;support.torproject.org&#x2F;glossary&#x2F;add-on-extension-or-plugin&#x2F;" rel="nofollow">https:&#x2F;&#x2F;support.torproject.org&#x2F;glossary&#x2F;add-on-extension-or-...</a><p>[1] <a href="https:&#x2F;&#x2F;gitlab.torproject.org&#x2F;tpo&#x2F;applications&#x2F;tor-browser&#x2F;-&#x2F;issues&#x2F;24321" rel="nofollow">https:&#x2F;&#x2F;gitlab.torproject.org&#x2F;tpo&#x2F;applications&#x2F;tor-browser&#x2F;-...</a>

I love this company and product. I noticed another great feature today: the ability to filter AI slop in image search! It&#x27;s the right-most filter: &quot;AI Images&quot;.

If account settings are not possible because you could fingerprint users, then client-side filtering or reordering might be a solution.<p>Safe-search or not, just transfer both result lists and make the client only show the one you want. The same could be done with languages, where you at least get the results for the bigger ones. Blacklists would hide your blocked crap sites. It may even be possible to implement the ranking adjustments to some extend.<p>Client-side filtering would put more load on the server and search sources, but I hope the cost increase is tolerable. Blacklisting and reordering could be virtually free. This could make Privacy Pass available to many more users who don&#x27;t have overly complex account rules.

I don’t really understand how the protocol can ensure that the server can’t identify the client.<p>As far as I understand, the client sends some information A to the server, the server applies some private key X and returns the output B to the client, which then generates tokens C from the output.<p>If the server uses a different X for every user and then when verifying just checks the X of every user to see which one is valid, couldn’t the server know who created the token?

Trying to understand Privacy Pass here.<p>My understanding is, it&#x27;s analogous to writing a note to your manager.<p>That note is a random number written in ink your manager can&#x27;t actually read; all they can do with that note is sign it. They ask God (used here to represent math itself) how to sign this note, and God gives them a unique signature that also theoretically cannot be used to calculate the number that&#x27;s written. This signature also proves what you&#x27;re authorized to do. And then your manager hands the note back to you.<p>The note&#x27;s sole function past that point is so you can point to the signature thereon and say &quot;this signature proves I can do this, that, etc.&quot;

Will the extension eventually be made available for Firefox on Android? Right now the Firefox extension link says that it&#x27;s not compatible.<p>P. S: I don&#x27;t use the Kagi app in Android.

I have been a Kagi subscriber for a while now, but this new addition finally convinced me to start using Kagi in incognito mode! Thank you very much for adding this!

I still cannot get iOS to reliably use Kagi as my default search engine. I&#x27;ve tried the extension, etc. but nothing works reliably.<p>It&#x27;s madness - how is it market fairness when iOS literally forces you to use Google? I know Google is paying Apple to do exactly that, but it&#x27;s so beyond anti-consumer I can&#x27;t believe it.

That&#x27;s a cool idea! Seeing the screenshot I almost immediately figured this would be related to Chaum&#x27;s digital cash and blind signatures, and it seems to be cited in the linked paper. I had thought of using blind signatures for anonymous authorization, but I was not aware that there was an actual design for that application.<p>I think government issued digital identities should also use this.

Amazing! I used kagi at the very beginning, but my biggest concern was always this (that logging in is inherently less private than using something like duckduckgo, so I&#x27;m just forced to trust Kagi&#x27;s will). This is the kind of thing that will force me to take a second look again.

This is exactly what I&#x27;ve been waiting for to try Kagi.<p>I want better search results and willing to pay for it, but not at the cost of linking all my searches to my identity.<p>Also happy to see they&#x27;re adding tor support.<p>I feel like I might hit the default limit of 2000 searches per month, but it&#x27;s not far off.

This is very cool. I&#x27;m curious about why there is a limit on the number of tokens generated per month, when this is only currently offered to unlimited accounts. Since the tokens all expire at the end of the month, tokens can&#x27;t be horded to use Kagi after a subscription ends. Perhaps it is instead a resource issue where token generation is expensive. In that case though, I would think limiting tokens&#x2F;day would be more appropriate - there is already going to be a spike to generate new tokens on the first of the month, so if the server can handle that they can handle some users generating a batch of tokens each day.<p>This is not intended as criticism, just inquisitive.

Hope they can enable this in Safari so that I can use iCloud Private Relay with it.

Can someone make a case for Kagi? I&#x27;m using Google + Claude for all my websearch needs. I don&#x27;t feel like there&#x27;s a gap there, but maybe that&#x27;s because I&#x27;ve never experienced anything better and can&#x27;t imagine it?<p>I do value privacy, but I wouldn&#x27;t pay extra for more private search results. I might pay extra for __better__ search results, but that&#x27;s hard to measure.<p>Just curious if anyone has had a legitimately great experience with this product and can communicate its benefits. Bonus points if you&#x27;re in software dev.

I’m not insinuating for even a second that Kagi actually do this, but as a general rule, isn’t any privacy claim dubious at the moment given that more and more governments appear to be able to compel companies to identify their users (especially those searching for illegal content) and further forcefully insist they not disclose it?<p>It’s disheartening to think the great progress we’re making in this sector could be undermined in a few seconds against any companies efforts with a trivial backdoor.

This seems cool, but I still think the pricing of kagi is rather steep. It is $5&#x2F;mo for 300 searches a month, which is really going to get you under 10 a day... That&#x27;s insufficient. Then $10&#x2F;mo (or $108&#x2F;yr) for unlimited.<p>I&#x27;m curious if anyone knows, are companies like Google and Microsoft making more than $10&#x2F;mo&#x2F;user? We often talk about paying with our data, but it is always unclear how much that data is worth. Kagi does include some numbers, over here[0], but they seem a tad suspicious. The claim is Google makes $23&#x2F;mo&#x2F;user, and this would make their service a good value, but the calculation of $76bn US ad revenue (2023) and $277 per user annually gives 274m users. It&#x27;s close to 80% of the US population, but I though google search was about 90% of global. And I doubt that all ad revenue is coming from search. Does anyone know the real numbers? Googling I get inconsistent answers and also answers based on different conditions and aggregations. But what we&#x27;d be interested here is purely in Google &#x2F;search&#x2F; and not anything else.<p>[0] <a href="https:&#x2F;&#x2F;help.kagi.com&#x2F;kagi&#x2F;why-kagi&#x2F;why-pay-for-search.html" rel="nofollow">https:&#x2F;&#x2F;help.kagi.com&#x2F;kagi&#x2F;why-kagi&#x2F;why-pay-for-search.html</a>

This should placate any potential subscribers who worry that their searches could be logged. Another great feature from a product which keeps getting better all the time.

Ironically, I couldn&#x27;t access this page while using Tor. Reading it from another device though, it seems like a great announcement, I love the idea.<p>I also would be interested in a service like this for attestation on other sites. Device attestation has chilling privacy implications, but if you could have a paid service with a presumably trusted entity like Kagi attest that you are a legitimate user (but hide your identity), maybe more of the Internet could be browsed anonymously, while still minimizing spam.<p>I get why many sites currently block Tor and VPN users, or even users in incognito or without a phone number, as the Internet is essentially unusable without anti-spam measures. That said, I do think anonymity has its place (especially for browsing, even if commenting weren&#x27;t allowed), and maybe ideas like this could allow for anonymity without the Internet being riddled with spam.

I am just thinking there might be other better ways to preserve user&#x27;s search privacy: using LLM embeddings (<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Word_embedding" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Word_embedding</a>).<p>The browser creates embeddings of user query, then send the embeddings to the server.<p>To complete a search, the server is a machine and it does not really need text to understand what a user want. A series of numbers, like LLM embeddings, are totally fine (actually it might even be better, because embeddings map similar words closely, like Duck and Bird have similar embeddings).<p>On the privacy side, LLM embeddings are a bunch of numbers. Even the embeddings are associated with a user, other people cannot make meaning out of the embeddings. Therefore the user&#x27;s privacy is preserved.<p>What do you think?

It&#x27;s a shame that their $5 tier is only 300 searches&#x2F;month, or 10 searches per day. It&#x27;s kind of ridiculously low. I could burn through half of that in a single day of debugging<p>Also I just tried it and you can&#x27;t really search for porn

&gt;We are working on enabling this feature for Trial and Starter plans, which have access to a limited number of monthly searches. [...] and theoretically, users on this plan could redeem more tokens than the limit of searches allowed on their plan (again, we do not know who the user redeeming the tokens is, or what plan they are on).<p>This doesn&#x27;t make sense. Is this saying they&#x27;re worried about a user on a trial or starter plan using someone else&#x27;s tokens? That can still happen when tokens are disabled for trial and start plan users: the trial or starter plan user can use tokens generated by someone on an unlimited plan.

Cool feature, curious, does the bangs solution (! Language ! Region ! Safe search) to the inability to use your config not introduce the same privacy concerns?<p>&gt; allowing users to send a small configuration with every request (language, region, safe-search) to automatically customize your search experience to some extent. However, we currently believe this would quickly result in a significant loss of anonymity for you and for other users.<p>&gt; For manual search settings customization, you can always use bangs in your search query to enable basic settings for a specific query.

Wouldn&#x27;t this allow people to abuse and share token amount many users? People used to buy one subscription and share among friends e.g. Netflix but only shared amount family or friends - you wouldn&#x27;t want random people know what movies you like to watch. Similarly people would less likely share their chatgpt plus account because everyone can see history and change settings. But with such privacy pass those issues don&#x27;t exists I guess so more likely this can be abused.

In general I am a very happy Kagi subscriber, but I have noticed in the past month or so that sometimes my searches (via the Safari extension) just hang. Navigating it kagi.com also hangs.<p>When I&#x27;m in a rush this forces me to fall back to Google which often doesn&#x27;t provide good results for my queries, which is unfortunate<p>It generally resolves itself in under a minute, but it is still a mildly irritating availability issue that wasn&#x27;t present earlier. Maybe something to do with load balancing? No clue.

Pretty cool feature. The unstated downside is that any personalization settings like dark mode, translation, and lens settings are still seemingly tied to account login.

Privacy Pass is great for reducing friction, but it still relies on trust in the issuer. A ZK-based approach (e.g., using zk-SNARKs or anonymous credentials) could let users prove they’re paid subscribers without revealing their identity or even interacting with Kagi’s servers beyond the initial proof. This would remove the need for trust while keeping the experience just as seamless. Would love to see more services explore this direction.

This is meaningless with a paid for service. Kagi can and will be required by court order to collect and track a subscribers use. It doesn&#x27;t matter if your tech is supposed to be “anonymous”, they have to make it happen. You must operate in a country that cant compel this and be willing to jump ship when your nsa equivalent gets upset.

I want to pay for Kagi, but it&#x27;s priced way too high (for me). Would love it if they implemented Purchasing Power Parity (PPP).

&gt; Privacy Pass does not rely on any blockchain technology.<p>Lovely!

The way I feel about Kagi reminds me of how I felt about Google circa 1999.<p>The cynic in me wants to stop myself from becoming a fanboy because we all know how the story of tech startups goes and it&#x27;s bound to repeat itself again; the optimist in me still wants to believe that there can be forces of good on the web.

I can&#x27;t explain this rationally, but my brain just rejects any other search engine. For example, in the case of Kagi, black links instead of blue feel off-putting. I guess years of using Google has hardwired into my brain how a search engine should look.

When does the API. become GA. I really want a reason to spend on a valuable search engine.

This is really cool. How does the cryptography work?<p>EDIT: Seems like it works via <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Blind_signature" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Blind_signature</a>

Do people have news articles of Microsoft, Google et al using search history to the searcher&#x27;s detriment? How frequently does this happen? I&#x27;m imagining it must be like one in a million.

I&#x27;ve read the post and saw the references, but can anyone easily explain how it works? Can the server not just store whatever is generated to link it back to the user using it?

I hope Protonmail picks up on privacy pass. It would be nice to fund anonymous Protonmail accounts with an anonymous “benefactor” account.

I think you could use zero knowledge proofs here to accomplish the same thing but without having to worry about renewing tokens etc

Alas, not compatible with Firefox for Android

I wonder how this affects gated features and search limits?

Just out of curiosity, how is Kagi(the company) financially going? And his fortune really is because google search sucks so hard? Genuine curiosity

This is a nice move. Now they just need to stop paying Yandex&#x2F;Russia and I&#x27;d be back...

I&#x27;m willing to bet they have not gotten this tested by security professionals

Seeing as I&#x27;m not getting any traction in the fediverse (<a href="https:&#x2F;&#x2F;tenforward.social&#x2F;@aspensmonster&#x2F;113999217587309328" rel="nofollow">https:&#x2F;&#x2F;tenforward.social&#x2F;@aspensmonster&#x2F;113999217587309328</a>), maybe I can ask here instead.<p>=================================<p>From their blog:<p>&gt;As standardized in [2 - 4], the Privacy Pass protocol is able to accommodate many “architectures.” Our deployment model follows the original architecture presented by Davidson et al. [1], called “Shared Origin, Attester, Issuer” in § 4 of [2].<p>From [2] RFC 9576 § 3.3 &quot;Privacy Goals and Threat Model&quot; :<p>&gt;Clients explicitly trust Attesters to perform attestation correctly and in a way that does not violate their privacy. In particular, this means that Attesters that may be privy to private information about Clients are trusted to not disclose this information to non-colluding parties. Colluding parties are assumed to have access to the same information; see Section 4 for more about different deployment models and non-collusion assumptions. However, Clients assume that Issuers and Origins are malicious.<p>And From [2] RFC 9576 § 4.1 &quot;Shared Origin, Attester, Issuer&quot; :<p>&gt;As a result, attestation mechanisms that can uniquely identify a Client, e.g., requiring that Clients authenticate with some type of application-layer account, are not appropriate, as they could lead to unlinkability violations.<p>Womp womp :(<p>This is not genuinely private in any meaningful sense of the term. Kagi plays the role of all three parties, and even relies on the very thing section 4.1 says is not appropriate: to use mechanisms that can uniquely identify a client. They utilize a client&#x27;s session token: &quot;In the case of Kagi’s users, this can be done by presenting their Kagi session cookie to the server.&quot;<p>Frankly, that blog post is disingenuous at best, and malicious at worst.<p>=================================<p>I <i>want</i> to be wrong here. Where am I wrong? What am I missing?

hekdaimon Al

[deleted by author]