Google Rolls out DNS-over-HTTPS in Chrome 78 and Fixes 37 Vulnerabilities

Google has released Version 78 of Chrome, which includes fixes for 37 vulnerabilities in the browser and several new features, including DNS-over-HTTPS (DoH).

DoH is an experimental addition to the browser to test the new technology and comes a month after Firefox added DoH to its browser. DoH has already been implemented by several DNS providers to improve privacy and security. Essentially, DoH introduces the same security benefits that is achieved by HTTPS but applies this to DNS or the domain name system.

Whenever a connection to a website in attempted, a lookup must be performed with a DNS provider. That lookup is needed to identify the IP address associated with a particular domain name to allow that website to be found. HTTPS encrypts the connection between the website and the browser to prevent any information transferred between the browser and the website from being intercepted and viewed.

If a user is connected to a public Wi-Fi network, DoH would prevent other users of the Wi-Fi network from being able to see the websites visited. Following the Chrome update – and the Firefox update before it – a check is performed to make sure the DNS provider is in a list of DoH compatible providers. If that is the case, the browser will be updated to the version of DoH used by the DNS provider. This update only involves the protocol. No changes are made to the DNS service. That means that any controls that have been put in place by the DNS provider will stay active, such as controls to protect minors and anti-malware protections.

This experiment will test to see if Google’s implementation of DoH works and will evaluate the impact of the update on the performance of Chrome. The updates are being rolled out on all supported platforms, with the exception of iOS and Linux, for a percentage of Chrome users. In theory, the user experience will not change as a result of the upgrade. If for any reason the DoH update does not work, the user will be reverted to their DNS provider’s regular service.

Should users not wish to be part of this experiment they are able to opt out by checking the relevant DNS over HTTPS checkbox in Chrome. The rollout will not include most enterprise and education customers with managed Chrome deployments.

Chrome 78 also introduces a new feature called forced dark mode which, if enabled, forces a website to use darker tones. This feature is experimental at present, so it is not detailed in Chrome settings, but it can be enabled in Chrome Flags. Google has also added a new feature that allows users to easily check what website is open by hovering the mouse arrow over the tabs. When users have multiple tab open, they shrink in size and make it hard for the user to identify the website.

Chrome 78 also includes a new option in the web version of Google’s password manager, which will generate an alert if a user’s password has been compromised in a data breach to let the user know they need to change their password.

The security updates are a combination of fixes for flaws identified by Google and by third party researchers. Three of the addressed flaws have been rated high-severity. These are CVE-2019-13699, CVE-2019-13700, and CVE-2019-13701. The first is a use-after-free vulnerability in the media component, the second is a buffer overrun vulnerability in Blink, and the third is a URL spoofing vulnerability. The flaws were identified by Man Ye Mo of Semmle Security Research Team (1,2) and David Erceg (3).

The latest version of Chrome with DoH and the corrected flaws is 78.0.3904.70

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of