And hopefully in the future they won’t even he able to see the domain. I wonder why they never considered giving out certificates for IPs to solve this problem. Seemed like the easiest solution to me.
There was a demo for a technology put out recently that circumvents this. I don’t remember the exact mechanisms, but it obscured DNS such that your ISP couldn’t see the DNS record you requested, and then used a proxy to route traffic before it hit the final endpoint eliminating exposing the IP to your ISP. It worked very similar to a VPN, but without the encrypted connection, and had some speed focused optimizations including the proxy being proximate to your ISP. It was pretty interesting.
It doesn’t really help. The ISP needs to route you somewhere to get the data, so they’ll need to know who you want to talk to. Even if they don’t see the DNS name (like if you used a third party DNS server) they can still associate the IP address with someone.
There’s things like TOR and VPNs that can route your information through other third parties first, but that impacts performance pretty significantly.
Yeah, but often enough multiple sites share a single IP. It would already be better if the ISP (and everyone in between) didn’t know whether I wanted pink-fluffy-unicorns.com or hardcore-midget-bdsm.com.
Depending on where you’re going even IP addresses are getting to the point that they aren’t helpful. IP addresses are likely to belong to a cloud provider, and unless they are hosting email or a service that requires a reverse record, all you’d get is the cloud provider’s information.
Are you sure? The file path after the domain would not be necessary for an ISP to see, only the domain. I’m not sure how all that works, but it’s definitely not a technical requirement thay they can see the complete URL.
They’d also theoretically see the size of the URL, and the size of the page, along with the transport type. So they can infer a lot of information from the exchange, but they couldn’t say for sure what you were viewing on a specific website.
The ISP can see every domain, but not every page. That’s what HTTPS everywhere was all about.
And hopefully in the future they won’t even he able to see the domain. I wonder why they never considered giving out certificates for IPs to solve this problem. Seemed like the easiest solution to me.
They need the IP address to know where to forward the packet to. Hard to avoid that without VPN or TOR.
There was a demo for a technology put out recently that circumvents this. I don’t remember the exact mechanisms, but it obscured DNS such that your ISP couldn’t see the DNS record you requested, and then used a proxy to route traffic before it hit the final endpoint eliminating exposing the IP to your ISP. It worked very similar to a VPN, but without the encrypted connection, and had some speed focused optimizations including the proxy being proximate to your ISP. It was pretty interesting.
The future is now, old man.
SNI says no.
ECH/ESNI says yes
It doesn’t really help. The ISP needs to route you somewhere to get the data, so they’ll need to know who you want to talk to. Even if they don’t see the DNS name (like if you used a third party DNS server) they can still associate the IP address with someone.
There’s things like TOR and VPNs that can route your information through other third parties first, but that impacts performance pretty significantly.
Yeah, but often enough multiple sites share a single IP. It would already be better if the ISP (and everyone in between) didn’t know whether I wanted pink-fluffy-unicorns.com or hardcore-midget-bdsm.com.
Depending on where you’re going even IP addresses are getting to the point that they aren’t helpful. IP addresses are likely to belong to a cloud provider, and unless they are hosting email or a service that requires a reverse record, all you’d get is the cloud provider’s information.
They can see the entire URL, not just the domain. They just can’t see the contents themselves. But they can still see “dudesfuckingfurniture.com/gettingfreakywithadresser.mpeg”
Are you sure? The file path after the domain would not be necessary for an ISP to see, only the domain. I’m not sure how all that works, but it’s definitely not a technical requirement thay they can see the complete URL.
After more research, you might be right. I could have sworn I saw full URLs in my router logs on encrypted sites though. I’ll have to check again.
The example link doesn’t work :'(
I was ready to go down a rabbit hole there
When it comes to HTTPS, this is just plain wrong on a technical level.
I’m not sure if that’s a real website. I’m not checking.
As always on the Internet, rule 34 applies.
Narrator : Vej definitely did in fact check.
It’s actually more secure than that.
https://blog.mozilla.org/en/products/firefox/https-protect/
They’d see the URL, but not the specific page.
They’d also theoretically see the size of the URL, and the size of the page, along with the transport type. So they can infer a lot of information from the exchange, but they couldn’t say for sure what you were viewing on a specific website.