Jigsaw

Jigsaw is an interdisciplinary unit within Google that builds technology that inspires scalable solutions.

A more private internet: Encryption standards hit new milestones

Today, most people don’t fully realize that their behavior online reveals details about them, even when they think it’s protected. While secure HTTP (HTTPS) encrypts the content of our web browsing, the domain names of the sites we visit are visible to network observers like cellular carriers, Wi-Fi providers, and bad actors. This unencrypted domain data can be weaponized for profiling, extortion, or targeted attacks, especially against vulnerable individuals or high-profile targets like government officials. Beyond privacy, the leaked data also poses security risks, enabling redirects to malicious sites or preventing access to legitimate ones.

The dangers of this leaked data continue to grow: it can now be processed at scale to generate detailed user profiles, as I witnessed firsthand. I conducted a personal experiment, collecting the domain names of the websites I visited. With data from less than an hour of web surfing, I was able to generate a list of domains that strongly suggested my location, employer, affiliations, interests and more.

Examples of what domain names can reveal about you

At Google, we believe everyone deserves privacy and security online, which is why our team at Jigsaw has invested in improving core internet protocols that can be used by any provider. We’ve helped tackle the two primary leakage points for domain names by 1) promoting an existing protocol that an estimated one billion people worldwide, and 2) contributing to the development of a new standard that is set to be approved for publication by the primary body creating internet standards, the Internet Engineering Task Force (IETF), unlocking broader adoption. Together, these two standards will close critical domain name leakage points, solving significant privacy and security risks on the modern web.

Back to basics: How your online behavior is exposed when browsing the web

When a person accesses a web page using HTTPS, their browser or app performs a series of back-and-forth exchanges, which expose the domain name in two places:

Steps to access a website
  1. Exposed — DNS Lookup: The browser or app queries the Domain Name System (DNS) to get the IP address of the website. This lookup query has historically been sent unencrypted, exposing the domain names to network observers.
  2. Exposed — TLS ClientHello: The browser or app uses the IP address to connect to the website server and sends a message (“ClientHello”) with Transport Layer Security (TLS) encryption parameters. This message has the domain name unencrypted, because encryption is not established yet. The server responds (“ServerHello”), establishing the encryption parameters.
  3. Private — Content Exchange: With the encryption parameters established, all further content exchanged is encrypted and therefore private.
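What a network observer can read at steps 1 and 2, as an added example that is not part of the original post: the two parsers below recover the domain name from a plaintext DNS query and from a TLS ClientHello without any key material. The sample messages are constructed in the code, and `example.org` is a placeholder name.

```python
import struct

def dns_query_name(msg: bytes) -> str:
    """Return the QNAME of a plaintext DNS query, as seen on the wire."""
    labels, pos = [], 12                      # the question follows the 12-byte header
    while (n := msg[pos]) != 0:
        if n & 0xC0:
            raise ValueError("compressed name not expected in a query")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def client_hello_sni(record: bytes):
    """Return the server_name in a TLS ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # skip session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # skip cipher_suites
    pos += 1 + record[pos]                    # skip compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 0:                     # server_name extension, sent in the clear
            name_len = struct.unpack_from("!H", record, pos + 7)[0]
            return record[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def sample_dns_query(name: str) -> bytes:
    # Constructed sample: one A/IN question with recursion desired.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def sample_client_hello(name: str) -> bytes:
    # Constructed sample: minimal ClientHello with supported_groups and server_name.
    host = name.encode()
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"
    exts += struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(dns_query_name(sample_dns_query("example.org")),
          client_hello_sni(sample_client_hello("example.org")))
```

Run against a capture of your own client's traffic, the same two checks show whether a deployment still exposes names at either step.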

How have domain names leaked through these two points for so long? For years, the technical community recognized these privacy gaps, but progress stalled due to two “chicken and egg” problems:

  • DNS Lookup vs. TLS ClientHello: It’s hard to be motivated to fix one leak if the other remains. Fixing DNS wouldn’t be fully effective without fixing the TLS ClientHello, and vice versa, leading to inertia.
  • Client vs. Server: Without clients (like browsers or operating systems) supporting encrypted DNS, server operators had little incentive to offer it. And without servers offering it, clients couldn’t use it.

To help break these deadlocks, Google adopted a comprehensive strategy, focusing on DNS first.

Advancing a cross-industry effort to adopt DNS encryption

Google and Jigsaw helped by identifying where the industry can join forces to make the web fundamentally more private and secure. At IETF, we co-founded to increase collaboration for the development of encrypted DNS protocols. To advance adoption, we added encrypted DNS to , , and created Jigsaw’s . Through Google’s and others’ work — including Cloudflare, Mozilla Firefox, Quad9, and more — encrypted DNS is now protecting more than one billion users worldwide.

It’s not just the tech industry behind this effort; governments are also addressing this encryption gap due to national security concerns. The U.S. Office of Management and Budget’s (OMB) the use of encrypted DNS across federal agencies by the end of 2024 to “reinforce the Government’s defenses.” In Europe, DNS security has also been a focus. The ’s Implementing Regulation the “application of best practices for DNS security.”

Closing the encryption gap with ECH

With substantial progress on DNS privacy, Google joined others in addressing the second major leak. Encrypting the domain name in the TLS ClientHello has long been an IETF goal. At IETF, we convened stakeholders to revive and advance the Encrypted Client Hello (ECH) standard. We also created a supporting standard for the delivery of ECH encryption keys that also speeds up secure connections.

To accelerate adoption, we added ECH support to and our cryptographic library, which enables apps. Chrome also collaborated with partners like Cloudflare to validate interoperability.

Now that the ECH standard is finalized and approved to be published by the IETF in the coming weeks, we expect development and deployment to accelerate towards closing this long-standing privacy gap.

Developing responsibly alongside compliance needs

While increased encryption makes the internet safer for everyone, it may require network operators (ISPs, schools, businesses) to take steps to meet their compliance obligations.

We’ve carefully considered those requirements in our implementations. For instance, Google’s Secure DNS implementations in Android and Chrome can be controlled with enterprise policies, and respect chosen service providers.

Importantly, these protocols secure the communication channel while keeping the endpoints in control. This means that parents can continue to enable parental controls and malware protection can still be effective — either through client-side applications or by the network-provided DNS service — and online platforms can continue to moderate content. The US Cybersecurity and Infrastructure Security Agency (CISA) provides on achieving privacy while achieving these objectives.

Next steps in making the web more private for everyone

We are encouraged by the renewed focus on encryption, especially with rising AI-enabled threats. We believe that through organizations like IETF, cross-industry collaboration, and government agencies prioritizing protecting critical national intelligence, we can make the internet more secure and private for billions of users. At Google, we are committed to continuing to invest in standards like encrypted DNS and ECH to help the industry realize these shared goals.

By Vinicius Fortuna, Engineering Manager, Jigsaw
