How private is HTTPs to an ISP?
For example, Can my ISP know the entire URL (Not only the domain) while connecting to a website with HTTPs? Can my ISP see images loaded through a website connected to HTTPs? Would my ISP know the subdomain I'm visiting through HTTPS?
12 Answers
Can my ISP know the entire URL (Not only the domain) while connecting to a website with HTTPs?
- They will know/be able to log what IP you are accessing by virtue of TCP/IP packets traversing through the ISP. The contents of the URL are encrypted, query strings and anything after the cannot be seen.
- If you used your ISP's DNS servers to resovle the domain name in question, they are able to view/log this directly.
- If you used an third-party non-ISP DNS provider to resolve the domain name, they are able to view/log this in transit as standard DNS is not encrypted. Some ISPs implement transparent proxying on standard DNS ports to prevent you from using a third-party DNS.
Can my ISP see images loaded through a website connected to HTTPs?
No. However, if the images are hosted on a separate domain, they can see the domain being accessed and the above applies.
Would my ISP know the subdomain I'm visiting through HTTPS?
It's trivial to reverse-resolve an IP into the full domain name.
2There are many types of VPNs available, and even SSL varies in strength, so there is no clear way to do an apples-to-apples comparison. Some advertised VPNs are just an SSL tunnel anyway, but others are not. I don't believe SSL is a particularly strong tool against an ISP or nation-state level actor.
The URL is a Layer 7 construct, so it would be hidden from the ISP when using HTTPS (a layer 4 protocol), presuming they haven’t compromised the secured tunnel, which they are capable of doing.
A layer 2 or 3 VPN (IPSEC/L2TP) will send the entire DNS datagram through the tunnel, so presumably the ISP would not see it, as long as you are not using the ISP DNS servers.