Chrome Connecting To Random Domains On Start? Here Is Why!
If you are monitoring your network traffic closely, you may have noticed that the Google Chrome web browser and its open source counterpart Chromium both try to connect to three random ten-letter words on startup. For most users, it is not clear why the browser makes those connections, and some have even assumed that they are made to send information privately to Google, for tracking purposes, or are caused by malware running on the system.
Mike West analyzed the part of the browser's source code that is responsible for making the connections. He discovered that Chrome and Chromium make those connections to help the browser's Omnibox figure out user intent correctly.
The issue that Google aims to fix with these connections is easily explained. Some Internet Service Providers have started to intercept requests that do not resolve properly. If you enter ghacks in the address bar, for instance, and press the Return key, Chrome needs to figure out whether you want to search for the term ghacks or visit the site http://ghacks/. Since it cannot tell, it displays an infobar if the word resolves to an existing domain name, giving the user the chance to open the domain with another click.
When ISPs intercept the lookups to display their own error pages, usually filled with advertisements and search options, it appears to the browser as if the word resolves just fine. This in turn means that users would see the infobar in the browser even for words that do not resolve.
To prevent this, Google makes these three initial lookups on startup to see whether ISPs intercept requests that cannot be resolved. It compares the IP addresses of the pages that are returned and turns the infobar off if they are identical, as this suggests that an ISP is intercepting the lookups.
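The check described above can be sketched as follows. This is an added example, not Chrome's own code: the function names are hypothetical, the resolver is injectable so the logic can be exercised offline, and the rule "every probe resolves and the answers share an address" is an assumed reading of "identical".

```python
import random
import socket
import string


def random_probe_names(count=3, length=10, rng=None):
    """Return `count` random lowercase names of `length` letters each."""
    rng = rng or random.SystemRandom()
    return ["".join(rng.choice(string.ascii_lowercase) for _ in range(length))
            for _ in range(count)]


def system_resolve(name):
    """Resolve via the OS resolver; an empty set means the lookup failed."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:  # socket.gaierror (NXDOMAIN etc.) is a subclass
        return set()
    return {info[4][0] for info in infos}


def lookups_intercepted(resolve=system_resolve, names=None):
    """True when names that should not exist all resolve to a shared address.

    Random names are expected to fail. If every probe returns an answer and
    the answers overlap, something on the path is rewriting failed lookups.
    """
    names = names or random_probe_names()
    answers = [set(resolve(n)) for n in names]
    if not all(answers):  # at least one probe failed honestly
        return False
    return bool(set.intersection(*answers))


if __name__ == "__main__":
    # Constructed resolvers standing in for two kinds of network.
    def honest(name):
        return set()  # nonexistent names do not resolve

    def hijacking(name):
        return {"203.0.113.10"}  # constructed address (TEST-NET-3)

    print("honest resolver    ->", lookups_intercepted(honest))
    print("hijacking resolver ->", lookups_intercepted(hijacking))
```

Calling `lookups_intercepted()` with no arguments uses the system resolver and therefore issues three real lookups, which will show up in a traffic monitor the same way the browser's probes do.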
How can you find out if Chrome or Chromium are making those requests? You can use programs that monitor traffic on the system. One example is the free tool Fiddler, which can show you the connections the browser makes.
The three random connections are highlighted in the screenshot above.
The three connections are nothing that users need to worry about. Thanks Mike for finding that out for us.
Very interesting, and this is potentially causing issues with our Palo Alto Networks firewalls URL filtering service.
Nice info =) I also experience that.
But it does more than that… in my case, it connects to ve-in-f95.1e100.net and gru03s05-in-f16.1e100.net that are both Google.
It seems to be an https connection (the data is not readable). And it seems to keep running for a while. Anybody knows what it is?
Very interesting the Fiddler, thanks.
Interesting, well done Google.
Now what would someone without Windows do to discover things since Fiddler is a Windows program?
Wireshark, which is cross-platform, would also get us that information.
Thanks for the information, it’s very curious!
Nice! I used to wonder about those entries but never got around to figuring out what they were. Incidentally, I use Privoxy to log and control http:// connections. One advantage of Privoxy is that it’s cross-platform.
This is a very interesting read, the way they approach and solve the omnibox issue. And thanks for sharing Fiddler with us too.