User topics

Article topics

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT

Google released Chrome 83 on Tuesday after skipping version 82 entirely due to coronavirus-related challenges, bringing with it security for DNS queries, a revised extension interface that developers dislike, and a few other features. The latest iteration of Google's browser implements DNS-over-HTTPS (DoH), a way to prevent …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Wednesday 20th May 2020 07:23 GMT tip pc

Can no longer Easily see what extensions are installed

“ Chrome no longer pins extensions to the toolbar by default”

I assume extensions can’t be silently installed etc etc, what if I use someone else’s pc briefly, do I have to check their extensions list before I use their browser?

Having an obvious place for running extensions to show by default looks like an obvious safety thing to do.

23 0 Reply
1. Thursday 21st May 2020 00:00 GMT LovesTha
  
  Re: Can no longer Easily see what extensions are installed
  
  Was the requirement to unpin an extension really the thing stopping people from installing malicious plugins on other people's computers?
  
  0 0 Reply
2. Thursday 21st May 2020 03:33 GMT TG2.2
  
  Re: Can no longer Easily see what extensions are installed
  
  The better option would be a quick link to plugins/extensions, vs having to grab the 3 bars -> More Tools -> Extensions.
  
  Every browser has this issue, quick access to toolbars, but the counter to these buttons is that there a sh*t ton of them sometimes, which makes it harder to review a URL at a glance when the buttons shrink the bar too far.
  
  Having a bookmarks bar and Add-ons / Extensions bar would also be a good choice ..
  
  but of course this is a mega corporation and despite user choice, mega corporations know best.. right? (insert eye roll here)
  
  3 2 Reply
  1. Thursday 21st May 2020 09:28 GMT Anonymous Coward
    
    Re: Can no longer Easily see what extensions are installed
    
    “Every browser has this issue“
    
    Erm, no. Never heard of one called Firefox?
    
    2 0 Reply
3. Thursday 21st May 2020 05:52 GMT TheMeerkat
  
  Re: Can no longer Easily see what extensions are installed
  
  If you are using someone else’s computer, the extensions is the least of your worry. You should never assume there is any privacy or security if you don’t control your computer fully.
  
  5 0 Reply
Wednesday 20th May 2020 07:30 GMT tip pc

DoH

Will chrome tell me I’m using DoH or will it silently work in the background.

What about my local dns filtering, will it bypass my pi-hole in favour of its own DoH, maybe not today but what about in the future if my isp decides to do DoH?

I’ve blocked all port 53 traffic out and in and have a DoH proxy running internally, if chrome decide to silently use DoH in addition to my OS’s DNS I will never know, unless I now also use a proxy and inspect, TLS decrypt - inspect - encrypt, everything. With my tin foil hat I can see how that benefits state actors.

13 0 Reply
1. Wednesday 20th May 2020 07:46 GMT chris 143
  
  Re: DoH
  
  The way you'll know is all the adverts start loading again.
  
  20 0 Reply
  1. Wednesday 20th May 2020 10:09 GMT Stuart 22
    
    Re: DoH
    
    I converted to Vivaldi long ago - so when I reverted to Chrome/Chromium on new Linux/Android devices I was shocked to see adverts re-appearing despite having a pi-holed network. It was sneakily checking 8.8.8.8
    
    Result - Vivaldi quickly installed alongside our old friend Firebird - in case Vivaldi becomes similary 'infected'. The claim the Google is trying to enforce it on me for my own good is a little suspect methinks.
    
    This is a good move to lose the love of Chrome/Chromium. They thought that as the No1 browser it is invincible. Will hubris (and bloat) rather than ad-blockers be their eventual nemesis?
    
    15 0 Reply
    1. Wednesday 20th May 2020 22:12 GMT mmccul
      
      Re: DoH
      
      Just checked current vivaldi (vivaldi://flags) and it is hidden, but doable to ensure the DoH protocol is disabled, at least according to options. Without something like burpsuite, hard to know if it is actually honored (and I'm not yet ready to waste a demo on just this test.)
      
      0 0 Reply
2. Wednesday 20th May 2020 09:32 GMT lkm
  
  Re: DoH
  
  Nope, Chrome will only upgrade your DNS if your current DNS provider supports DoH. I.e. if you are using 8.8.8.8 currently, it will use DoH to talk to 8.8.8.8. Nothing will change if you have something custom setup. See https://www.chromium.org/developers/dns-over-https for the list of supported DoH providers - which is really small still.
  
  2 1 Reply
  1. Wednesday 20th May 2020 12:00 GMT Yet Another Anonymous coward
    
    Re: DoH
    
    You can then configure pi-hole to do doh so you still get ad blocking without your ISP selling all your site visits
    
    1 2 Reply
3. Thursday 21st May 2020 09:32 GMT Cave-Homme
  
  Re: DoH
  
  Excuse my ignorance but what’s blocking port 53 all about?
  
  0 0 Reply
Wednesday 20th May 2020 07:38 GMT djvrs

DoH

Can anyone seen a 'doh' coming when it goes wrong?

7 0 Reply
1. Wednesday 20th May 2020 20:12 GMT Stubbly Dude
  
  Re: DoH
  
  I can;t read any of this without going doh! all the time!
  
  4 0 Reply
Wednesday 20th May 2020 07:47 GMT Anonymous Coward

DoH

So we already deploy client-side certificates for our Sophos XG firewalls so we can do HTTPS/SSL inspection and decryption anyway... will this include DoH traffic?

1 0 Reply
1. Wednesday 20th May 2020 13:22 GMT Toe Knee
  
  Re: DoH
  
  Probably. DoH requests are HTTPS, so they’re easy to pick apart by looking at the requests (if you have the certs).
  
  0 0 Reply
2. Wednesday 20th May 2020 13:47 GMT Anonymous Coward
  
  Re: DoH
  
  You'd probably be using an internal DNS in an organisation anyway, so that you can use internal domains. I'm not sure it therefore makes any difference if set up correctly.
  
  1 0 Reply
3. Wednesday 20th May 2020 14:52 GMT big_D
  
  Re: DoH
  
  I have set up rules to block DoH at the firewall. The browsers and smartphones just drop back to using my internal DNS server (DNS over TLS with DNSSEC to Quad9). The internal DNS server blacklists around 2.5 million sites (most of them tracking and known malware flingers). However it will be a moving target as more and more DoH servers come on line.
  
  I worked out that DoH was being used on my tablet when it suddenly started showing Facebook in the new tab list - I had blocked over 2,500 Facebook domains in DNS. I quickly set up additional rules to block DoH to known providers.
  
  0 3 Reply
  1. Wednesday 20th May 2020 15:28 GMT tip pc
    
    Re: DoH
    
    good luck with that whack a mole.
    
    you'll need to start proxying everything and blocking at the proxy.
    
    6 0 Reply
  2. Wednesday 20th May 2020 18:04 GMT Qumefox
    
    Re: DoH
    
    The thing about DoH is that it can't be (easily) blocked though. Without decrypting and inspecting every packet (which, if this was easy, https would be pointless) , it all just looks like https traffic. This is why network admins don't like it and would prefer DoL, which is easily blockable.
    
    I guess you could block 80 and 443 to the IP of known DNS resolvers, however that would be a buttload of manual firewall rule entries, and you can't just block those ports globally without breaking the entire internet for yourself.
    
    2 0 Reply
    1. Thursday 21st May 2020 07:37 GMT big_D
      
      Re: DoH
      
      On my firewall, it is 1 rule, but with a group of IP addresses. At the moment, it is a relatively small list. The firewall can also act as a DoH provider, using my main DNS server as its source.
      
      0 0 Reply
4. Wednesday 20th May 2020 15:35 GMT Dourscot
  
  Re: DoH
  
  Chrome allows you to set enterprise policies in managed mode.
  
  1 0 Reply
Wednesday 20th May 2020 10:05 GMT Jason Bloomberg

Nanny statism strikes again

"Chrome will disable DoH in managed environments that declare relevant enterprise policies"

Why can't it just be a checkbox which anyone can turn on or off as best suits them?

The one with the "do as we say" motivational poster in the pocket ->

14 0 Reply
1. Wednesday 20th May 2020 12:02 GMT Yet Another Anonymous coward
  
  Re: Nanny statism strikes again
  
  Because they want it on for everyone so they are the only ones who can sell your data to advertisers.
  
  But they don't want to be banned in the financial industry that is required to check your traders aren't logging into libor-rigging.org from their work machines
  
  17 0 Reply
  1. Thursday 21st May 2020 09:41 GMT Cave-Homme
    
    Re: Nanny statism strikes again
    
    Do smart people and organizations still use Google Chrome, or anything Google for that matter? Mine does, but it’ll all be gone by the end of the month.
    
    1 0 Reply
2. Thursday 21st May 2020 00:58 GMT Roland6
  
  Re: Nanny statism strikes again
  
  >"Chrome will disable DoH in managed environments that declare relevant enterprise policies"
  
  And has any one found a reference that explains just what exactly these policies are - a quick Google fails to return anything.
  
  Personally, the out-of-the-box action (for Windows) should be to simply detect active domain membership and network type (Public/Work) and play nicely with the Domain provided DNS server. Obviously, the user is free - until Chrome Group Policy settings prevent it - to change the settings for themselves.
  
  1 0 Reply
Wednesday 20th May 2020 10:20 GMT Pascal Monett

"We understand this concern"

And we don't give a flying fuck about it.

Typical behavior these days. We want it this way, so you can wave goodbye to every habit you have because this is how we roll.

I absolutely hate web developers that believe they have the right change people's habits. Once upon a time, before the Internet was a thing, Microsoft had put out a document where it set down the rules for making a proper UI. Rules that it shat upon liberally when it created its PlaySkool interface called Metro, but I digress.

I really would like to get my hands on that document. I remember reading it and thinking to myself : "this is very sensible". Yes, I know, a Microsoft document about UI that was sensible. What can I say ? It was before Y2K.

Things have changed since.

Get off my lawn.

11 1 Reply
1. Wednesday 20th May 2020 12:03 GMT Jamie Jones
  
  Re: "We understand this concern"
  
  Remember when the "settings" page was actually useful?
  
  And now chrome doesn't let me manually edit urls in the url bar (which is how i like to roll) unless I jump through hoops each time... No option to revert it..
  
  Yes, completrly fed up of software writers in general dumbing everything down against our will.
  
  14 1 Reply
  1. Wednesday 20th May 2020 13:48 GMT Anonymous Coward
    
    Re: "We understand this concern"
    
    Why can't you edit URLs? Works fine for me.
    
    2 0 Reply
    1. Wednesday 20th May 2020 14:32 GMT Jamie Jones
      
      Re: "We understand this concern"
      
      It disrupts the flow by making you have to click a pencil icon each time:
      
      https://android.gadgethacks.com/how-to/edit-url-with-chromes-new-address-bar-android-0207043/
      
      And: https://www.reddit.com/r/chrome/comments/dp2a76/editing_url_in_new_version_of_chrome_previous/../ looks like I have a fix for my rooted boxes, at least.
      
      6 1 Reply
      1. Wednesday 20th May 2020 18:19 GMT Anonymous Coward
        
        Re: "We understand this concern"
        
        Ah, right so this is Chrome on Android not just Chrome.
        
        However I guess having to click one icon to edit isn't a major deal when most people will probably be clicking the bar to do a new search or type a new URL.
        
        0 1 Reply
        
        Wednesday 20th May 2020 20:57 GMT Jamie Jones
        
        Re: "We understand this concern"
        
        Oh, didn't realise it was just android.
        
        The point is, there was originally an option to revert to previous behaviour.... Now they've removed it.
        
        I agree most people would use it that way; I'm ok with them changing the default. I'm not ok that they *had* an opt out option, and then removed it.
        
        9 2 Reply
Wednesday 20th May 2020 10:27 GMT BenDwire

Power grab

If DoH catches on as anticipated, then the potential for serving targetted ads gets swept away from carriers and ISPs, and over to the Chocolate Factory. I suspect that any improved privacy for users is just a side effect.

Oh, your DNS isn't DoH capable? Let me check 8.8.8.8 to "protect you"

12 0 Reply
1. Wednesday 20th May 2020 15:26 GMT DemeterLast
  
  Re: Power grab
  
  Exactly. Firefox started using Cloudflare's DoH by default and suddenly people inside my network couldn't see internal Web servers. Oh, and Firefox's "opt-out" dialog is basically "Do you want to be secure, or do you want to douse yourself in kerosene and light off fireworks like a moron?"
  
  No, I am not going to run DoH on my internal network, plain old NSD over UDP is all I want to use. No, I do not want Cloudflare collecting DNS queries from my users.
  
  I'm all for secure by default, but I am not for making a handful of corporations the de facto backbone of the Internet.
  
  15 0 Reply
  1. Wednesday 20th May 2020 18:33 GMT katrinab
    
    Re: Power grab
    
    My setup is:
    
    DHCP server gives the clients the Windows Domain Controllers as the DNS servers.
    
    The Domain Controllers have a pair of pi-holes as the upstream DNS servers
    
    The Pi-holes have Cloudflare DOH as their upstream servers.
    
    So, if it is an internal resource, the domain controllers will return the local IP address
    
    If it is an advertising site, the pi-hole will return a block page
    
    If it is anything else, Cloudflare DOH will return the result.
    
    I updated Chrome to v83. Locally hosted websites still work, so presumably it doesn't think 192.168.0.2 & 192.168.0.3 are supported DNS services.
    
    2 0 Reply
    1. Thursday 21st May 2020 09:44 GMT DoctorPaul
      
      Re: Power grab
      
      "Pair of pi-holes" - absolutely!
      
      When I started with a single pi-hole, I would lose DNS after a few days - something seems to lock up a pi-hole at some point, which took out DNS completely.
      
      With a pair of them, I can see from the admin screens that one does most of the work for a number of days, then things flop over to the other one. Then back again and so on. Is this a common issue for other pi-holers?
      
      Are they reliable now? Let's just say that I recently realised that I hadn't done a remote connection and update on mine for over a year - "it just works".
      
      1 0 Reply
      1. Thursday 21st May 2020 13:15 GMT Anomalous Cowturd
        
        Re: Power grab
        
        Re: Are they reliable now?
        
        Just checked mine, and it was last restarted on May 12th, when I updated it to the latest version.
        
        Prior to that, it had been happily and faultlessly running for months. Had to reinstall about a year ago, when a cheap SD card failed. No problems since. Just have to remember to SSH into it occasionally to run "pihole -up"
        
        0 0 Reply
        
        Thursday 21st May 2020 17:29 GMT katrinab
        
        Re: Power grab
        
        crontab -e
        
        e
        
        30 3 * * * pinhole -up >/dev/null 2>&1
        
        [esc]
        
        :wq
        
        Then you don't need to remember to update it
        
        1 0 Reply
Wednesday 20th May 2020 10:40 GMT alain williams

Who do you want to hide from ?

DoH needs a server to answer DNS queries - that server gets to know a lot about you.

Use normal DNS and your ISP/company can see what you are trying to resolve. Even if you do not use its DNS servers it can sniff the packets as they go by.

If you live in a repressive regime (eg Egypt, China, ...) they can make your ISP hand over your DNS history or change stuff on the fly; so DoH might be good, although they can still see where your IP packets go to.

What about the DoH provider - what does it gain ? Knowledge of all the sites that you visit - good meat to the advertising machine for Google & pals - even when those sites do not run google analytics (or you have blocked the javascript). These DoH providers are subject to the Patriot Act or local equivalent - so, for some, the security is a fig leaf.

Oh - just because you do not think that your regime is repressive does not mean that your government is not snooping on you. DNS over TOR might be an interesting idea.

If you do run DoH then you might be visited by shady men and told to change your browser options - packet sniffing via your ISP will make it obvious if you have taken their 'advice'. So: will you make yourself a target for future visits ?

7 0 Reply
1. Wednesday 20th May 2020 15:34 GMT tip pc
  
  Re: Who do you want to hide from ?
  
  some CDN's will serve any site they CDN for on any of the IP's they resolve on.
  
  As an example, the reg & the pirate are on cloudflare. internally resolve the pirate to the IP of the reg and you can visit the pirate on https without your isp blocking.
  
  5 0 Reply
2. Wednesday 20th May 2020 19:51 GMT Anonymous Coward
  
  Re: Who do you want to hide from ?
  
  I don't see how they could target people for using DoH when it is the default in two widely used browsers, including now the most widely used.
  
  But if, hypothetically, they did, Google could have Chrome make some random lookups to the top 1000 sites using regular DNS, while it still uses DoH, as an option for people living under repressive regimes.
  
  0 0 Reply
  1. Thursday 21st May 2020 01:04 GMT Roland6
    
    Re: Who do you want to hide from ?
    
    > DoH when it is the default in two widely used browsers, including now the most widely used.
    
    Given New Edge is Chromium-based, expect MS to join the club later this year (or is it there already? - as not specifically looked for it).
    
    1 0 Reply
3. Thursday 21st May 2020 06:13 GMT Christian Berger
  
  Well the idea is...
  
  that there may be countries somewhere, where your ISP is less trustworthy than Cloudflare. Of course this doesn't apply to Europe where your ISP could easily get shut down if they were caught exploiting your DNS traffic, whereas Cloudflare only makes a non-enforcable "promise" that they won't mess with your queries.
  
  2 0 Reply
Wednesday 20th May 2020 11:04 GMT Peter Galbavy

Well, just updated and the flag is still there to turn it off - not checked if it's a null op though

0 0 Reply
Wednesday 20th May 2020 15:35 GMT Dourscot

Except Secure DNS doesn't appear as a flag on some UK downloads of Chrome, including the test beta (despite setting manual name server on the device and router, version 83.x),.

Interestingly, it works perfectly in the otherwise identical Edge browser. C'mon Google.

0 0 Reply
1. Thursday 21st May 2020 09:52 GMT Cave-Homme
  
  I wouldn’t call Edge Chrome identical to Google Chrome, there are several key differences especially when it comes to tracking options.
  
  0 0 Reply
Wednesday 20th May 2020 21:46 GMT tekHedd

So much for my router-level blocks

Because my older DD-WRT router only supports classic DNS and not the new protocol, this magically disables all of my ad- and malware-domain blocks until I hack hidden settings in each browser. Which I believe is its primary purpose.

Any privacy- or speech-enhancing purpose is secondary and IMO becomes a technical problem to thwart at the edge networking level if you want to ... well anyway we all know the boring arguments.

And, of course, as it is an anti-censorship tool, it is a real PITA to redirect these requests to my own DoH servers. I mean, either it can't be done, in which case the ad servers win, or it can be done, in which case it is a COMPLETE waste of effort and why did we do it? The ad servers win.

6 0 Reply
Wednesday 20th May 2020 22:08 GMT Justin Clements

As a system administrator of 25 years

1. Do I have to do anything?

|

|----> Yes. ----> Ain't happening.

|

|----> No. ---> Good. As you were.

2. There is no 2. I'm a system administrator, I have finely tuned nerves and if you're a mouth breather there's a good chance you're on them already.

3 2 Reply
1. Thursday 21st May 2020 10:01 GMT Anonymous Coward
  
  Re: As a system administrator of 25 years
  
  Too many sysadmins have Asparagus Syndrome, in fact, it seems to be a pre-requisite.
  
  0 0 Reply
Thursday 21st May 2020 11:44 GMT Blacklight

Nope

I have a setup I like, that does what I want.

I don't want errant things burrowing holes to get DNS via other methods.

Go away.

2 0 Reply
Thursday 21st May 2020 18:15 GMT Elledan

DoH is still stupid

The thing is that DoH doesn't add anything that DoT doesn't already do, while also making network security (as noted) impossible. How do you distinguish some spyware sneaking its HTTPS DNS queries along with other HTTPS traffic, after all?

DoH also doesn't solve the most important issues, that of validating whether a DNS record one obtained from the DNS server is genuine (requires DNSSEC), nor does it keep the details of your DNS query get shouted across the entire DNS network. This latter point requires the implementation of QNAME minimisation, also not a part of DoH.

At best, DoH is a red herring for internet security. At worst it's a trojan that enables the destruction of one's network and system security and privacy.

0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Topics

Special Features

Vendor Voice

Resources

COMMENTS

Can no longer Easily see what extensions are installed

Re: Can no longer Easily see what extensions are installed

Re: Can no longer Easily see what extensions are installed

Re: Can no longer Easily see what extensions are installed

Re: Can no longer Easily see what extensions are installed

DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

DoH

Re: DoH

DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Re: DoH

Nanny statism strikes again

Re: Nanny statism strikes again

Re: Nanny statism strikes again

Re: Nanny statism strikes again

"We understand this concern"

Re: "We understand this concern"

Re: "We understand this concern"

Re: "We understand this concern"

Re: "We understand this concern"

Re: "We understand this concern"

Power grab

Re: Power grab

Re: Power grab

Re: Power grab

Re: Power grab

Re: Power grab

Who do you want to hide from ?

Re: Who do you want to hide from ?

Re: Who do you want to hide from ?

Re: Who do you want to hide from ?

Well the idea is...

So much for my router-level blocks

As a system administrator of 25 years

Re: As a system administrator of 25 years

Nope

DoH is still stupid

POST COMMENT House rules

Enter your comment

Add an icon

Other stories you might like

Chrome Enterprise Premium promises extra security – for a fee

Google will delete data collected from 'private' browsing

Microsoft's playdate in Google's Privacy Sandbox gets messy

Google Cloud chief is really psyched about this AI thing

YouTube now sabotages ad-blocking apps that stream its vids

Google bakes new cookie strategy that will leave crooks with a bad taste

US legislators propose American Privacy Rights Act - and it looks quite good

Google One VPN axed for everyone but Pixel loyalists ... for now

Google location tracking deal could be derailed by politics

Google joins the custom server CPU crowd with Arm-based Axion chips

96% of US hospital websites share visitor info with Meta, Google, data brokers

Academics probe Apple's privacy settings and get lost and confused

About Us

Our Websites

Your Privacy