They run Leta on diskless servers, just like the VPN:

>We run the Leta servers on STBooted RAM only servers, the same as our VPN servers. These servers run the latest Ubuntu LTS, with our own stripped down custom Mullvad VPN kernel which we tune in-house to remove anything unnecessary for the running system. > >The cached search results are stored in an in-memory Redis key / value store.

This is surprising given that they try to cache results for 30 days:

>Each search that has not already been cached is saved in RAM for 30 days. The idea is that the more searches performed, the larger and more substantial the cached results become, therefore aiding with privacy.

That's surprising because presumably they lose all results if they have to reboot the server.

With a VPN service, there's not much they have to store past the lifetime of the VPN session, but if they're storing search results for 30 days, I wonder how they deal with this? Maybe best effort is fine because they don't strictly need to cache the results, as it just provides marginal privacy improvements.

Previous discussions from the initial launch, 2 years ago:

https://news.ycombinator.com/item?id=36402162

https://news.ycombinator.com/item?id=35964397

Mullvad swinging for the fences suddenly. They have a billboard in South San Francisco, too. Did they get a cash infusion? Why all of the sudden are they expanding? Honestly, I'd have changed the name by now...

This thing has been advertised EVERYWHERE in London the last few weeks.

But the adverts didn’t make a lot of sense and I had no idea what the product actually did.

From the FAQ page (https://leta.mullvad.net/faq) :

> However, Leta is useless as a service if you use the perfect non-logging VPN, a privacy focussed DNS service, a web browser that resists fingerprinting, and correlation attacks from global actors. Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.

In other words everyone can benefit from it. I don't know any browser (not talking about obscure browsers like lynx) who can completely resist fingerprinting.

Pretty much the only way to use google search as an HTML webpage instead of a JS web application these days. It's great. It reminds me of the scroogle.com proxy days.

I use it for all but my retro machines, which is a shame. I know Mullvad is a 'privacy' company but I really wish they'd acknowledge that HTTP+HTTPS is more robust to governments' censorship than centralized CA TLS only. HTTP+HTTPS would allow my non-bleeding edge TLS retro machines to search again.

So how do they make money? Are they hoping to convert users to their VPN service? Or are they just trying to stay under the free tier Google API limits?

Unfortunately, this is blocked at many places of work because of the domain, unlike DDG

These alternative search engines really feel like they're fighting the last war. Web content is so reader-hostile that you need a tool to extract the answer/information you're looking for and not just give you a link to the page.

Where does it say how it handles user information - what it collects, how long it's retained, what it's used for?

I would expect Mullvad to say they collect none, but is that said anywhere? Is there any privacy policy?

Edit: All it says is that they protect us from Google and Brave:

> When a search isn't in the cache, our server (leta.mullvad.net) queries the search engines on your behalf. Only the search query is sent; no personal data is shared.

and

> Returned search results contain only direct links to the final destination. All tracking elements and third-party content are removed to protect your privacy.

I'm sorry for being negative, but it feels to me just as a publicity stunt.

No serious product, just a proxy for Google, while it is interesting not a real solution.

But as a marketing tactic to promote your VPN it is an interesting move.

I wonder how well the caching works. The FAQ says 30 days, so you might be getting a pretty stale result. That combined with Google's "fun fact: 15% of all Google searches have never been searched before", makes me wonder how identifying these queries can be.

This isn't really privacy or security focused unless 'trust' is a component of security architecture.

Make no mistake, Mullvad Leta knows what you searched for and who you are.

/Theater/ has no place in privacy.

The right way to do it, short of FHE, is to encrypt the query client side, pass this to the proxy which does not pass the source IP, which passes this to the search engine for decryption. Search results are encrypted and pass thru in the reverse:

Client (encrypts) -> Proxy (passes thru no IP) -> Search engine (receives, decrypts, performs, and encrypts results) -> Proxy passes encrypted blob of results back to user -> Client privately reviews private search results.

Edit: private.sh tried this in the past but unfortunately was shuttered with the end of gigablast.

Why not embrace searxng^1. But sure I know brave and other would rate limit for it. What would be the difference from duckduckgo lite?

https://docs.searxng.org/

Awesome. Maybe it's just my imagination, but it seems like there is much less crap and the relevancy seems to be much higher even then I choose Google as the underlying engine.

Switched default search in my FF to this.

Fast, no ads, reasonable results. Well done!

I don't care much about that anymore because their VPN service has really gone bad. They are great in terms of privacy, but in every other aspect, they suck. Their VPN randomly disconnects again and again, once even without the killswitch being activated. They are getting blocked from websites much more often than other VPNs, making the service barely usable while costing a lot more. Plus, there are many other minor issues. I really hope they improve because I want to keep using them

Aren't these APIs absurdly expensive? How are they justifying these costs, or are they using "unofficial" APIs?

I'm using startpage.com, guess this is gonna replace it as soon as it matures a bit

I am extremely excited about this and thus far it seems to work well.

I don't understand why Google or Brave are cooperating with this, they don't earn anything. And if they're not, what prevents Google blocking Mullvad IPs?

Interesting solution to let the user pick which search engine to use. Sadly Bing is shutting down their API, it would have been great to be able to use that as well.

> Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.

Err.. it would still be useful to mask your IP ?

I'm surprised this is created using NodeJS. Given how critical performance is in a proxy, and that RAM is precious running Redis.

I wish I could set Safari to use this as the search

Not sure why they limit the choice

A simple explanation of what this does, shown somewhere on the page, would go a long way.

If people search CSAM, do they serve it? Isn't that criminal?

This would've been a great product 10 years ago. I've unapologetically not had to use a search engine in almost a year (or at least can count on 1 hand having to use it) since GPT models have come out.

Did a search for 'test', says results are cached from 6 days ago.

When we've got LLMs with real-time search now this seems a bit... backward. Not that the results for that specific query would change much.

> Leta aims to present a reliable and trustworthy way of searching privately on the internet.

> Leta is also useless if your browser blocks all cookies, tracking pixels and other tracking technologies.

Huh? This needed better clarification because the two points seem to be at odds with each other.

Wait, Google doesn't have a Search API!

How does this compare to say, startpage.com?

This is incredible actually.

How is this different than using DDG with the “!g” ?

What is it?

Mods: Consider adding to the title: A privacy focused search engine

I quoted their FAQ; it's not editorializing: https://leta.mullvad.net/faq

Search engines are so hot rn. Reminds me of 1990s, 2000s.

AskJeeves, anyone?

\s

I jest, but the focus on privacy is important. I used to use DDG but ended up using (and paying for) Kagi.

> Did you make your own search engine from scratch?

> We did not, we made a front end to the Google and Brave Search APIs.

So this is pointless, and honestly kind of lazy?

I was dumb enough to buy more than 30 days worth of mullvad once. They changed their terms of service to remove port forwarding. Because I'd paid more than 30 days ago, they wouldn't refund me anything.

Screw mullvad. I'd have to be a damned fool to to ever trust them again.

I feel like the name "mullivad" might present challenges for user adoption.