Chrome 83, the latest release of Google’s popular web browser, will encrypt Domain Name System (DNS) requests by default in a landmark move. Chrome has followed in the footsteps of Firefox by making DNS-over-HTTPS (DoH) the default DNS setting for users, locking down website look-ups for increased user privacy.
Chrome will apply the new encryption by default if users’ existing DNS providers support the service, and offers manual configuration options for others, including using Cloudflare. Some ISPs currently do not offer the service, but BT is said to be experimenting with the technology.
Snooping on web activity
Whilst most browsers secure connections to websites with HTTPS technology (the padlock that you see next to the web address in your browser), ISPs, public WiFi networks such as hotels and airports, and government agencies are still able to access users’ web searches.
DNS-over-HTTPS (DoH) has been designed to prevent external ‘snooping’ on web activity. Whilst this level of encryption was once reserved for sensitive communications, it is now important for accessing all areas of our lives online, especially due to the rise in cyber crime.
Each time a browser loads a website, it has to look up the numeric address for the website name. That lookup technology is called DNS, or Domain Name System. As normal DNS lookups aren’t encrypted, they can reveal a lot about what users are looking at online.
Usually a resolver will tell each DNS server which domain is being searched for. This request sometimes includes the user’s full IP address, or at least part of it, which can easily be combined with other information to work out a user’s identity.
Google Chrome’s new Secure DNS feature uses DoH to encrypt DNS communication, preventing attackers or external sources from looking at users’ web activity. Chrome communicates with the DNS service provider over the HTTPS protocol in an encrypted channel, meaning that attackers would no longer be able to rely on DNS to observe which websites users are visiting over a shared connection (public WiFi, for instance).
With DoH, Chrome can verify that a website is authentic, that it is communicating with the intended DNS service provider, and that the response it received hasn’t been tampered with, making users more resilient against phishing attacks.
Some critics have warned that the widespread adoption of DoH by major browsers could disrupt the ability to block certain websites or track users’ internet activity. These two elements are also very important facets of online security, especially when it comes to any nefarious web activity that needs to be monitored or accessed by government departments or law enforcement.
The technology also remains controversial because some individuals and organisations expect less privacy in certain scenarios, especially if their business model depends on accessing that data. ISPs may track users’ web activity for data collection purposes, while Facebook and Google use it for online advertising.
DoH does have the potential to close one of the largest privacy gaps on the internet, but does that have a detrimental effect too? You can read more about Google’s updated security and privacy controls in the latest update here.
Do you think DoH is an important security measure? Or could it stop law enforcement following online criminal activity? Let us know your thoughts @Hyve!