By Zak Doffman
Government crisis talks with the internet industry have been scheduled to discuss the risks of a proposed but as yet unconfirmed update to Google’s popular Chrome web browser, one that would hit many of the techniques used to monitor internet content for both online safety and official snooping.
These days, almost everyone is familiar with the concept of internet domain names and the fact that memorable, human-readable addresses are translated into machine-readable IP addresses. But most people have likely never heard of DNS over HTTPS or DOH, and so will be unaware of a planned change to how all this works.
However, DOH is now being fast-tracked, and it has agitated U.K. child safety and intelligence agencies enough to convene a crisis meeting on 8 May, citing child safety, cybersecurity and even terrorism as concerns.
DOH will encrypt the addresses of the websites we visit, potentially bypassing local Internet Service Providers (ISPs), and connecting directly to central nameservers that could well be managed by the companies behind the browsers themselves. This means that many of the filtering and protection tools in place today, usually administered by ISPs, would no longer work.
The new approach brings definite security advantages, notwithstanding that we’ll be entrusting Google and its peers with even more data on us. If the addresses of the websites you want to visit can’t be seen, they can’t be filtered or policed. And campaigners claim that this has implications for the fights against terrorism and extremism, as well as for child safety.
Coming at a time when the monitoring of online content has never been more in the news, and when cybersecurity breaches are reported weekly, the clear need to improve online security is driving welcome change. But the unintended consequences of those changes are apparently now a major concern.
The Internet’s Domain Name System (DNS) is one of its greatest strengths and also one of its greatest weaknesses. The internet is easy to use, but that comes with the risk of the manipulation of DNS names, with snooping on open traffic, and, in many parts of the world, with local monitoring and filtering. So it’s little surprise that the Internet Engineering Task Force (IETF) has been working on a revised approach.
As open traffic, your IP address and browsing activities can be profiled and your requests can potentially be intercepted and manipulated. Who you are and what you’re looking at can be monitored. But with more and more of what is done online being encrypted, the very act of accessing specific websites can be encrypted as well. This is what DNS over HTTPS is all about, bypassing locally held DNS nameservers, sending encrypted traffic to a central server instead.
The change would see web browsers (or other central services) handling domain queries, transparently to users, rather than fielding these as open internet traffic through the ISP. More secure and less open to interception, yes, because all of this would be encrypted HTTPS traffic, but it means that you would be serviced from a central location and not by an operator under your country’s legislative control. Think of it as a built-in, always-on VPN.
A presentation from BT on the ‘Potential ISP Challenges with DNS over HTTPS’ earlier this month, acknowledged that “DOH could be a game changer in operator/application dynamics” with fast-tracked standards bringing potentially adverse implications on cybersecurity and on safety from online harms. BT cited a reduced ability to derive cybersecurity intelligence from malware activity and DNS insight, significant new attack opportunities for hackers, and the inability to fulfill government mandated regulation or court orders as potential concerns.
Online responses to the ‘crisis’ suggested that this latter point, the impact on government snooping, was much more of a concern for the authorities than any impact on online safety filters.
Crisis meeting scheduled
According to the Sunday Times, a crisis meeting has now been convened for 8 May to bring together the country’s major ISPs, including BT, Virgin, Sky and TalkTalk, with the country’s National Cyber Security Centre (NCSC) to discuss the implications. The primary concern is that it will be impossible for the country’s ISPs to filter out illegal or inappropriate material. This could have implications for terrorism, extremism, child safety and, of course, password-protecting the U.K.’s countrywide porn habits from July 15, as announced last week.
Because DOH is expected to be largely centralized, and (at least initially) managed by the major browsers, this is where Google comes in. Chrome is the U.K.’s most popular browsing application. With DNS queries not being serviced by an ISP’s nameservers, the ISPs would have no way of tracking, filtering or policing browsing. It would invalidate child safety locks and render useless the planned porn filter. For the ISPs, it could also mandate a rethink in the ways content is cached through efficient and cost-effective content delivery networks.
The well-populated databases of dangerous sites held by ISPs would be bypassed. But, it would also make government online snooping much more difficult. According to the Sunday Times, “BT, which has 9m broadband customers, said in a statement that parental controls, the first line of defense for millions of households, could be rendered ‘ineffective’ by the new system. It added that it could ‘hamper our ability to protect customers from online harms’.”
No need to panic
The encryption of DNS name traffic is not the issue. The central management of the system, bypassing local controls, is the issue. There’s no reason that the new ecosystem cannot work in the existing framework. But it won’t start out that way, and it puts significant control in the hands of the device browsers. Theoretically, there could be device- or even application-specific DOH datasets accessed. And any user filtering would need to be at a device level instead of relying on the ISP. These changes need to be fully communicated and documented in how-to guides before being made.
For their part, Google has confirmed that an encrypted version of Chrome is already available but is not yet included as standard. In a statement, the company said that ”Google has not made any changes to the default behavior of Chrome.”