Does my ISP see what I am doing if I use HTTPS?

Is it true that my ISP can’t see what I am doing if the website I am using has HTTPS?

Your connection to HTTPS websites will be known to your internet service provider and anyone else who is watching your network. They won’t know what you’re writing or doing, but they’ll know that you’re using it.

DNS over HTTPS is the technology that encrypts the domain names and IP addresses that you’re connecting to, in a similar way that HTTPS encrypts your web traffic.

Why it matters: With DNS over HTTPS, your internet service provider and anyone else listening to your internet connections won’t be able to know where you’re connecting to anymore.

In Firefox, visit Options > General > Network Settings and click “Enable DNS over HTTPS”. You can also search “DNS” in the “Find in Options” bar.
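As an added example (not part of the original thread), the following Python builds a wire-format DNS query, reads the queried name back the way a passive observer on UDP port 53 would, and shows the same message in the RFC 8484 GET form that a DoH client sends inside HTTPS. The query bytes are constructed for the example, and `dns.example` is a placeholder resolver name, not a real service.

```python
"""Added example, not code from the original thread: what a passive observer on
the wire can read from a plain DNS query versus the same query sent over HTTPS.

Assumptions: the query bytes are constructed here; dns.example stands in for a
DoH resolver and is not a real service.
"""
import base64
import struct


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 wire-format query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def extract_qname(packet: bytes) -> str:
    """Read the queried name straight out of a UDP/53 datagram (no key needed)."""
    pos = 12                                  # fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                     # compression pointer; never in a query
            raise ValueError("unexpected compressed name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = "dns.example") -> str:
    """RFC 8484 GET form: the same wire message, base64url without padding.
    The path and query string travel inside TLS, so an observer sees only a
    connection to the resolver host."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def visible_to_observer(packet: bytes, over_doh: bool, resolver: str = "dns.example") -> str:
    """Hostname an on-path observer learns from this DNS exchange."""
    return resolver if over_doh else extract_qname(packet)


if __name__ == "__main__":
    q = build_dns_query("www.youtube.com")
    print("plain DNS reveals:", visible_to_observer(q, over_doh=False))
    print("DoH reveals only:", visible_to_observer(q, over_doh=True))
    print("DoH request URL:", doh_get_url(q))
```

The point of `extract_qname` is that nothing has to be broken: the name sits in the clear in every classic DNS query. With DoH the identical bytes are wrapped in an HTTPS request, so the only hostname left on the wire is the resolver's (and, as later replies in the thread point out, the TLS handshake to the website itself still carries the site name unless that is encrypted too).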

I believe they see the request to the site (the URL) but not what you are doing or accessing on the site.

Correct me if I am wrong - I am fairly certain that is correct though.

If they were interested, they could see that you surf on youtube.com, but they don’t see which video you are watching. Only the hostname is transmitted in the TLS handshake. Otherwise the webserver would not know which TLS certificate it needs to present to you.

They can see what server you are talking to because they forward this traffic between you and the server. They cannot see the data that you exchange with that server because this is encrypted. This encrypted data covers the particular page you requested to see and anything you up/download.

Like, in addition to the VPN?

Why, what are you doing?

“Why it matters: With DNS over HTTPS, your internet service provider and anyone else listening to your internet connections won’t be able to know where you’re connecting to anymore.”

This is not totally true. Yes, your ISP won’t be able to read the host you connect to from DNS, but as part of the TLS negotiation that same hostname is sent in clear text as a property of the server certificate.

Though if your DNS provider is your ISP (as is the default with most ISP routers), then I assume all this effort is in vain.

They can still see IP addresses and perform a DNS reverse lookup.

Actually, SNI data leaks too if not protected by ESNI in the certificate exchange, even with DNS over HTTPS. It just protects the name server lookups, not the connection negotiation.

They can’t see the URL from the HTTPS data stream; that’s what DNS tells them. If HTTPS didn’t protect what domain you’re trying to visit, reverse proxies would not have to handle SSL at all in some cases.

Though without encrypted DNS queries they know what domain you’re visiting with 100% accuracy, just not what you’re doing on said domain. (So they would know what porn site you like but not what you’re watching.)

With encrypted DNS they know the IPs, and if a site is the only site on a given IP, well, they know you’re going to that site. If a lot of sites share an IP, they only know it’s one of those sites.

That’s not true. The HTTP request itself is sent AFTER the TLS handshake is done and the encrypted tunnel built. Nobody between browser and webserver can see plain HTTP requests containing that data. The only thing transmitted in the TLS handshake is the domain name (e.g. youtube.com).
Think about it. Why should your ISP be able to see HTTP GET but not HTTP POST?

This implies that you have to be doing something wrong or illegal to care about internet privacy.

What if you set your DNS as a private DNS? Does this negate, as you would provide IP addresses locally?

“If a lot of sites share an IP, they only know it’s one of those sites.”

Wrong. The hostname (e.g. youtube.com) is transmitted in the TLS handshake. Otherwise the webserver would not know which TLS certificate to present to you. This feature is called server name identification, or SNI for short.
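The replies above about SNI and about the HTTP request being sent only after the handshake can be checked on the bytes themselves. The following Python is an added example, not code from the original thread: it builds a minimal TLS 1.2-style ClientHello carrying a server_name extension, parses the hostname back out of it the way any device forwarding the packets could, and shows an application-data record (where the `GET /watch?...` request lives) as the opaque blob an observer actually sees. The client random, cipher suite and request text are constructed values; the XOR keystream is a labelled stand-in for TLS record protection, which in real TLS is an AEAD cipher. ECH, the successor of the ESNI draft mentioned later in the thread, is what would additionally encrypt the SNI; this example shows the unprotected case the posts describe.

```python
"""Added example, not code from the original thread: build a TLS ClientHello
with a server_name (SNI) extension and show what a passive observer can read
from the records on the wire.

Assumptions: minimal TLS 1.2-style ClientHello with constructed values (fixed
32-byte random, one cipher suite); the "encrypted" application record uses a
SHA-256-derived XOR keystream as a stand-in for TLS record protection.
"""
import hashlib
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23
TLS12 = b"\x03\x03"


def build_client_hello(hostname: str) -> bytes:
    """Minimal ClientHello record whose only extension is server_name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0, len(sni_list)) + sni_list  # type 0 = server_name
    body = (
        TLS12
        + b"\x11" * 32                       # constructed client random
        + b"\x00"                            # empty session id
        + struct.pack("!HH", 2, 0xC02F)      # one cipher suite
        + b"\x01\x00"                        # one compression method: null
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # msg_type client_hello
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def _keystream(n: int) -> bytes:
    """Stand-in keystream for the example; NOT how TLS protects records."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-demo-key" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def build_encrypted_app_record(plaintext: bytes) -> bytes:
    """The HTTP request as it travels after the handshake: opaque ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(len(plaintext))))
    return bytes([APPLICATION_DATA]) + TLS12 + struct.pack("!H", len(ct)) + ct


def extract_sni(record: bytes):
    """Return the SNI hostname if the record is an unencrypted ClientHello, else None."""
    if record[0] != HANDSHAKE or record[5] != 1:
        return None
    body = record[9:]                        # skip record (5) + handshake (4) headers
    pos = 2 + 32                             # client_version + random
    pos += 1 + body[pos]                     # session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
    pos += 1 + body[pos]                     # compression methods
    if pos + 2 > len(body):
        return None                          # no extensions present
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        lpos = 2                             # skip server_name_list length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = int.from_bytes(data[lpos + 1:lpos + 3], "big")
            if name_type == 0:
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None


def observer_view(records) -> list:
    """What someone forwarding the packets (e.g. an ISP) can read per record."""
    view = []
    for rec in records:
        sni = extract_sni(rec)
        if sni is not None:
            view.append(f"handshake: SNI={sni}")
        else:
            view.append(f"type {rec[0]}: {len(rec) - 5} opaque bytes")
    return view


if __name__ == "__main__":
    hello = build_client_hello("youtube.com")
    req = build_encrypted_app_record(b"GET /watch?v=constructed HTTP/1.1\r\nHost: youtube.com\r\n\r\n")
    for line in observer_view([hello, req]):
        print(line)
```

Run as-is and the observer's view is the hostname from the handshake followed by a block of opaque bytes for the request; the path, query string and Host header never appear in the clear. Note that the record type and length are still visible, which is why traffic analysis on sizes and timing remains possible even when the content is not.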

Yeah, I was responding in the assumption that DNS is not encrypted

Assuming the ISP doesn’t have some kind of proxy in the middle, which, with many companies, I wouldn’t doubt.

Subdomains are also visible. Right?

Private DNS will stay in your network. That means the communication for querying the IP for the domain stays inside the network.

The external network can’t see you want to access “www.example.com”, but once you have the IP address, you will anyway use the external network to browse that.

They can, technically, still reverse engineer to get the website belonging to that IP. You can use a VPN for this, but again, they will know the VPN’s IP. That is why people use OpenVPN, which just travels on port 443 (same as HTTPS) and the IPs are just people’s computers, so they are hard to analyze.

Would be glad to find other ways to hide the sites you are connecting to from ISP or local network.