Published on October 29th, 2019

Chrome devs tell world that DNS over HTTPS won’t open the floodgates of hell

Chrome devs have had a little rant about "misinformation", repeating that DNS-over-HTTPS (DoH) won't yet be introduced by default in upcoming builds of the browser.

In a blog post published last night, Google's Chrome product manager insisted it was not going to "force users to change their DNS provider" despite building the technology into Chrome 78, released last week.

The blurb comes as part of Google's effort to convince hostile police agencies and legislators around the world that DNS-over-HTTPS (DoH) won't result in ordinary people's internet usage being shielded from the ability of state agencies and ISPs to monitor and police them. In contrast, Mozilla, maker of Firefox, has vowed to press on and redirect users' DNS queries to its preferred host, Cloudflare.

Google said last night that Chrome's DoH feature will operate by checking whether the user's DNS provider – typically their ISP – is on a Google list of participating DoH providers. If so, the query is routed to the ISP's DoH servers, and if not then their DNS queries continue over an unencrypted connection, just as they do today.

"We are optimistic about the opportunities DoH offers for improving user privacy and security, but we also understand the importance of DNS and that there could be implementation concerns we haven't foreseen," simpered the Chocolate Factory in its blog post. It might as well have said: "Please, regulators, don't ban or bugger about with this."

In addition, to keep corporate admins sweet and not allow enterprise end-users to bypass carefully honed corporate web access policies, Google added: "Most managed Chrome deployments such as schools and enterprises are excluded from the experiment by default. We also offer policies for administrators to control the feature."
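The same-provider upgrade and the managed-deployment exclusion described above can be sketched as follows. This is an added example, not Chrome's code: the provider table holds a few constructed sample entries rather than Google's list, and the `managed` and `admin_allows_doh` parameters are hypothetical stand-ins for Chrome's enterprise policies.

```python
import ipaddress

# Constructed sample entries (not Google's actual list): resolver IP -> DoH endpoint
_SAMPLE = {
    "8.8.8.8": "https://dns.google/dns-query",
    "2001:4860:4860::8888": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}
DOH_PROVIDERS = {ipaddress.ip_address(k): v for k, v in _SAMPLE.items()}


def parse_nameservers(resolv_conf):
    """Return the resolver addresses from resolv.conf text, skipping junk."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Drop any IPv6 zone id (fe80::1%eth0) before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # not an IP literal; ignore it
    return servers


def plan_transport(resolv_conf, managed=False, admin_allows_doh=False):
    """Map each configured resolver to ("doh", endpoint) or ("plaintext", None).

    The resolver is never swapped for another provider: a listed address is
    upgraded to the same provider's DoH endpoint, anything else stays as-is.
    """
    # Assumption: managed deployments are excluded unless the admin opts in.
    upgrade_allowed = (not managed) or admin_allows_doh
    plan = {}
    for ip in parse_nameservers(resolv_conf):
        endpoint = DOH_PROVIDERS.get(ip) if upgrade_allowed else None
        plan[str(ip)] = ("doh", endpoint) if endpoint else ("plaintext", None)
    return plan


# Constructed sample configuration
SAMPLE_RESOLV_CONF = """\
search corp.example
nameserver 8.8.8.8
nameserver 192.168.1.1   # home router
nameserver 2001:4860:4860:0:0:0:0:8888
nameserver not-an-ip
"""
```

Running `plan_transport(SAMPLE_RESOLV_CONF)` shows which configured resolvers would move to encrypted transport and which would keep answering in the clear, which is the view a network admin needs when checking whether DNS-based filtering stays in the path.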

Paul Vixie, Farsight Security CEO and a contributor to the design of the DNS protocol, who last month warned DoH could limit network admins' autonomy, opined on Twitter last night that Mozilla should "do DoH in Firefox the way Google is doing it in Chrome".





DNS lookups essentially translate the domain name you type into your browser – say, theregister.co.uk – into a machine-readable format so internet servers can fetch you your IT news and daily fix of cat videos. At the moment those queries are unencrypted, and while this makes them theoretically vulnerable to eavesdropping, filtering, and tampering, in practice the world keeps turning without too many problems.

Countries such as the UK set great store by surveilling users' DNS queries. In the context of Google and Mozilla's DoH proposals, the most useful tool available to state agencies is the ability to order domestic DNS server operators to sinkhole certain results, such as those leading to child abuse material. This is how the Internet Watch Foundation's blacklist operates.

To head off the UK's notoriously technophobic civil service and government ministers, Mozilla agreed not to make DoH a default option for British users – though a few mouse clicks is all it takes to turn it on. Americans will eventually default to sending all their DNS queries to Cloudflare, however.

In addition to preventing users from accessing content that upsets local authorities, ISPs also use their own DNS servers to implement things like parental controls, antivirus and general online safety, helping keep users away from compromised websites. This is a useful thing at a time when increasingly large proportions of ISPs' userbases have no idea about basic online security precautions and don't really care enough to learn about them. ®
