• @mipadaitu
    link
    English
    907 months ago

    The ISP can see every domain, but not every page. That’s what HTTPS everywhere was all about.

    • Björn Tantau
      link
      fedilink
      157 months ago

      And hopefully in the future they won’t even he able to see the domain. I wonder why they never considered giving out certificates for IPs to solve this problem. Seemed like the easiest solution to me.

      • magic_lobster_party
        link
        fedilink
        187 months ago

        They need the IP address to know where to forward the packet to. Hard to avoid that without VPN or TOR.

        • @[email protected]
          link
          fedilink
          27 months ago

          There was a demo for a technology put out recently that circumvents this. I don’t remember the exact mechanisms, but it obscured DNS such that your ISP couldn’t see the DNS record you requested, and then used a proxy to route traffic before it hit the final endpoint eliminating exposing the IP to your ISP. It worked very similar to a VPN, but without the encrypted connection, and had some speed focused optimizations including the proxy being proximate to your ISP. It was pretty interesting.

      • @mipadaitu
        link
        English
        107 months ago

        It doesn’t really help. The ISP needs to route you somewhere to get the data, so they’ll need to know who you want to talk to. Even if they don’t see the DNS name (like if you used a third party DNS server) they can still associate the IP address with someone.

        There’s things like TOR and VPNs that can route your information through other third parties first, but that impacts performance pretty significantly.

        • @[email protected]
          link
          fedilink
          English
          47 months ago

          Depending on where you’re going even IP addresses are getting to the point that they aren’t helpful. IP addresses are likely to belong to a cloud provider, and unless they are hosting email or a service that requires a reverse record, all you’d get is the cloud provider’s information.

      • @[email protected]
        link
        fedilink
        English
        17 months ago

        How does that help? You can tell any computer it’s Google.com or IP 8.8.8.8. you can tell your device that the other computer is correct, and middle man yourself

        Except, we have one key to rule them all, one key to bind them. There’s literally a group of people who split the root key among themselves, and scattered it across the world (when they went home). They get together ever year or two, and on a blessed air-gapped computer, unite the key to sign the top level domains again. Those domains sign intermediate domains, and down the chain they sell and sign domains.

        If any of these root domains fall to evil, these brave guardians can speed walk to the nearest airport and establish a new order

        (I think we actually just started installing all the root and some trusted intermediate domains on every device directly, so I’m not sure if they still bother, but it’s a better story)

        The solution you’re looking for is DNSS, where we encrypt the DNS request too so they can’t see any of the url. Granted, they can still look at you destination and usually put the pieces together, but it’s still a good idea

        Ultimately, packets have to get routed, all we can do is do our best to make sure no one can see enough of the picture to matter. There’s more exotic solutions that crank that up to 11, but the trade offs are pretty extreme

            • Björn Tantau
              link
              fedilink
              17 months ago

              Yeah, that’s what I meant originally. But I still don’t know how to enable that in my Apache. My Google-Fu isn’t good enough. All I see is ads for CDNs and conflicting information about whether it’s supported in Apache or not.

      • silly goose meekah
        link
        197 months ago

        Are you sure? The file path after the domain would not be necessary for an ISP to see, only the domain. I’m not sure how all that works, but it’s definitely not a technical requirement thay they can see the complete URL.

        • TimeSquirrel
          link
          fedilink
          87 months ago

          After more research, you might be right. I could have sworn I saw full URLs in my router logs on encrypted sites though. I’ll have to check again.

      • @mipadaitu
        link
        English
        147 months ago

        It’s actually more secure than that.

        https://blog.mozilla.org/en/products/firefox/https-protect/

        They’d see the URL, but not the specific page.

        They’d also theoretically see the size of the URL, and the size of the page, along with the transport type. So they can infer a lot of information from the exchange, but they couldn’t say for sure what you were viewing on a specific website.