The way we access websites is about to change. As a result, crisis talks have now been scheduled between the U.K. government and the internet industry to discuss the risks. The primary concern is a proposed but as yet unconfirmed update to Google’s popular Chrome web browser, one that would hit many of the techniques used to monitor internet content for both safety and snooping. It isn’t just Google that will change. But the market-leading position of its Chrome browser has focused governmental minds.
These days, almost everyone is familiar with the concept of internet domain names and the fact that memorable, human-readable addresses are translated into machine-readable IP addresses. But most people have likely never heard of DNS over HTTPS or DOH, and so will be unaware of a planned change to how all this works.
However, DOH is now being fast-tracked, and it has agitated U.K. child safety and intelligence agencies enough to convene a crisis meeting on 8 May, citing child safety, cybersecurity and even terrorism as concerns.
DOH will encrypt the addresses of the websites we visit, potentially bypassing local Internet Service Providers (ISPs), and connecting directly to central nameservers that could well be managed by the companies behind the browsers themselves. This means that many of the filtering and protection tools in place today, usually administered by ISPs, would no longer work.
The new approach brings definite security advantages, notwithstanding that we’ll be entrusting Google and its peers with even more data on us. If the addresses of the websites you want to visit can’t be seen, they can’t be filtered or policed. And campaigners claim that this has implications for the fights against terrorism and extremism, as well as for child safety.
Coming at a time when the monitoring of online content has never been more in the news, and when cybersecurity breaches are reported weekly, the clear need to improve online security is driving welcome change. But the unintended consequences of those changes are apparently now a major concern.
The Internet’s Domain Name System (DNS) is one of its greatest strengths and also one of its greatest weaknesses. The internet is easy to use, but that comes with the risk of the manipulation of DNS names, with snooping on open traffic, and, in many parts of the world, with local monitoring and filtering. So it’s little surprise that the Internet Engineering Task Force (IETF) has been working on a revised approach.
As open traffic, your IP address and browsing activities can be profiled and your requests can potentially be intercepted and manipulated. Who you are and what you’re looking at can be monitored. But with more and more of what is done online being encrypted, the very act of accessing specific websites can be encrypted as well. This is what DNS over HTTPS is all about, bypassing locally held DNS nameservers, sending encrypted traffic to a central server instead.
The change would see web browsers (or other central services) handling domain queries, transparently to users, rather than fielding these as open internet traffic through the ISP. More secure and less open to interception, yes, because all of this would be encrypted HTTPS traffic, but it means that you would be serviced from a central location and not by an operator under your country’s legislative control. Think of it as a built-in, always-on VPN.
A presentation from BT on the ‘Potential ISP Challenges with DNS over HTTPS’ earlier this month, acknowledged that “DOH could be a game changer in operator/application dynamics” with fast-tracked standards bringing potentially adverse implications on cybersecurity and on safety from online harms. BT cited a reduced ability to derive cybersecurity intelligence from malware activity and DNS insight, significant new attack opportunities for hackers, and the inability to fulfill government mandated regulation or court orders as potential concerns.
Online responses to the ‘crisis’ suggested that this latter point, the impact on government snooping, was much more of a concern for the authorities than any impact on online safety filters.
Crisis meeting scheduled
According to the Sunday Times, a crisis meeting has now been convened for 8 May to bring together the country’s major ISPs, including BT, Virgin, Sky and TalkTalk, with the country’s National Cyber Security Centre (NCSC) to discuss the implications. The primary concern is that it will be impossible for the country’s ISPs to filter out illegal or inappropriate material. This could have implications for terrorism, extremism, child safety and, of course, password-protecting the U.K.’s countrywide porn habits from July 15, as announced last week.
Because DOH is expected to be largely centralized, and (at least initially) managed by the major browsers, this is where Google comes in. Chrome is the U.K.’s most popular browsing application. With DNS queries not being serviced by an ISP’s nameservers, the ISPs would have no way of tracking, filtering or policing browsing. It would invalidate child safety locks and render useless the planned porn filter. For the ISPs, it could also mandate a rethink in the ways content is cached through efficient and cost-effective content delivery networks.
The well-populated databases of dangerous sites held by ISPs would be bypassed. But, it would also make government online snooping much more difficult. According to the Sunday Times, “BT, which has 9m broadband customers, said in a statement that parental controls, the first line of defense for millions of households, could be rendered ‘ineffective’ by the new system. It added that it could ‘hamper our ability to protect customers from online harms’.”
A spokesperson for the U.K.’s Internet Services Providers’ Association, the trade association representing more than 200 ISPs, including BT, Sky and Virgin, told me that “U.K. broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to U.K. internet users. If internet browser manufacturers switch on DNS encryption by default, they will put users at serious risk by allowing harmful online content to go unchecked. Internet browser companies must ensure that parental controls and cybersecurity protections offered by broadband companies continue to work and protect users. We would expect internet browsers to provide the same protections, uphold the same standards and follow the same laws as U.K. ISPs currently do.”
No need to panic?
The encryption of DNS name traffic is not the issue. The central management of the system, bypassing local controls, is the issue. There’s no reason that the new ecosystem cannot work in the existing framework. But it won’t start out that way, and it puts significant control in the hands of the device browsers. Theoretically, there could be device- or even application-specific DOH datasets accessed. And any user filtering would need to be at a device level instead of relying on the ISP. These changes need to be fully communicated and documented in how-to guides before being made.
For their part, Google has confirmed that an encrypted version of Chrome is already available but is not yet included as standard. In a statement, the company said that “Google has not made any changes to the default behavior of Chrome.”
Google’s latest Chrome update delivers ‘largest performance gain in years’
Google is wrapping up 2020 with what it claims are major performance enhancements to the company’s Google Chrome browser. “This month’s update represents the largest gain in Chrome performance in years,” Matt Waddell, Chrome’s director of product, wrote in a blog post. Sounds pretty exciting on the surface, no? Waddell says a slew of under-the-hood changes and optimizations have led to boosts to Chrome on several fronts.
But even opening Chrome should feel faster. The browser now launches 25 percent faster — hopefully to where you’ll notice the difference. It loads pages up to 7 percent faster, “and does all of this using less power and RAM than before.”
Google is also adding tab search, which is exactly what it sounds like and could be a godsend for those of us buried under an avalanche of them. “You’ll now be able to see a list of your open tabs — regardless of the window they’re in — then quickly type to find the one you need.” This feature is debuting on Chromebooks first and then expanding to other desktop versions of Chrome.
The address bar is getting a bit more useful with something Google calls Chrome Actions, “a faster way to get things done with just a few keystrokes.”
For example: when you type “edit passwords,” or “delete history,” you can now take action directly from the bar. Our first set of actions — available initially on desktop — focuses on privacy and security, so you can increase your peace of mind in a few clicks.
And last, you might soon notice “cards” when you open a new tab in Chrome.
To help you jump back into activities like planning a meal, researching a holiday gift, or winding down with a video, we’ll soon add cards to your new tab page in Chrome. Clicking on them will take you to recently-visited and related content on the web, and save you time in the process.”
For now, cards will only appear “for some users” beneath the shortcuts area; Google says it’s planning to add entertainment-focused cards in 2021.
All these things together add up to a significant update for the world’s most popular web browser. And they come on the very day that Apple is being lauded for the speed and efficiency of its new M1 Mac computers. Speaking of which, Chrome for macOS also gets a new icon that’s a better fit for the latest Big Sur release. But if the optimizations actually meet Google’s claims, I’m way more excited about the improved efficiency. The update to Chrome 87 is rolling out beginning today.
Facebook and Instagram are getting Vanish Mode in chats
Ten days ago WhatsApp got Disappearing Messages and now the other two apps with messaging abilities in the Facebook family are adopting it. Both Messenger and Instagram will get Vanish Mode which will delete messages upon closing the conversation window.
Vanish Mode is activated with a swipe from the bottom of the chat. Once a message is sent, it will stay on the screen until it is turned off or the app is switched. Of course, you can always screenshot the message before it disappears.
The new feature will work both in group chats and personal conversations. While they are instantly disappearing, Facebook revealed conversations can be reported, meaning they will remain in the system for up to 14 days, so they are not instantly deleted.
Such features aren’t entirely new in the Facebook universe – there still is “Secret Conversation” for Messenger but it is rather tedious to set up and use and nobody has the time for that. Instagram also has something of a disappearing feature – currently, photos can be sent and set up to disappear once seen but nothing on messages unless you Unsend them.
YouTube went down around the world, but it’s now fixed
YouTube has recovered from a seemingly worldwide outage that prevented videos from loading for roughly an hour. During the outage, many Verge staffers were unable to watch videos, and YouTube confirmed at 7:23PM ET that something was going on:
The issue appeared to affect other services that use the YouTube infrastructure too, including YouTube TV and the movies and TV shows you’d purchase through Google TV (formerly known as Google Play Movies & TV). We couldn’t load them.
Early in the outage, the YouTube website itself seemed to load just fine, but videos themselves would continuously show the loading wheel. One Verge staffer got a video to load after about a minute. As of about 8:00PM ET, though, we saw error screens like this whenever we tried to watch a video:
At 9:13 PM ET, YouTube gave the all-clear:
Things seemed to be back as early as 8:30PM ET, but you might have hit a few quirks. At that point, videos played on YouTube’s website seemed to be working as they normally do. On the mobile app, one Verge staffer saw a few error messages, but those would clear with a refresh. YouTube TV worked on mobile for another Verge staffer at that point after he force closed the app.
DownDetector showed a truly tremendous number of user reports of problems with YouTube, indicating the problem was widespread — the DownDetector graph peaked with more than 280,000 user reports in less than an hour. Numerous users on Twitter reported that YouTube wasn’t working for them, either, and searches spiked for “is YouTube down.”
When reached for comment, YouTube pointed us to the tweet we included in this story.