
SSL and web address

Go to solution Solved by lutzee,


Hi all.

I have had this question in mind for a while and want to ask you.

When you connect to a website through SSL and you are using Google DNS at the same time, what exactly is revealed to your ISP?

Do they see what exact page on that site you are on, or just that you are on that site? For example, if I was on Facebook, do they see that I am on https://www.facebook.com/messages now, or just https://www.facebook.com?

Thanks :)

 

https://linustechtips.com/topic/85526-ssl-and-web-address/

They see everything, seriously. It's your ISP; everything goes through them in the end.

But it's illegal for them to do anything with the information so don't worry :D

CPU 5900x| GPU 3080ti FE| MOBO MSI MPG CARBON MAX| RAM 32GB VENGENCE PRO 3200Mhz| STORAGE Samsung 980 Pro 1TB,2X WDSN750,4TB Seagate Barracuda| COOLING 1x Corsair 360mm XR7 54mm Radiator,1x EK-CoolStream PE 360mm Radiator| GPU Block: Corsair Hydro X Series, XG7 RGB| CPU Block: Corsair Hydro X Series, XC5 RGB| Fittings: EK-Torque STC & Corsair Hydro X Series XF| Pump/Res: EK-Quantum Kinetic TBE 300 D5| Tubing: Corsair Hydro X Series XT Softline| Liquid: Corsair Hydro X Series XL5 Clear| Fans: 10x Corsair SP120 RGB

 

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162488

> What's the point of SSL then :unsure:

To stop people like hackers and hosts of the websites seeing your data, and the only thing ISPs don't see is passwords and encrypted data. SSL doesn't encrypt everything.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162527

Oh OK, the tunnel between me and the ISP is the secure part. I thought it was between me and the bank, for example, or Facebook. I guess that's only in a VPN -_-

Thanks for your help!

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162604

Yeah, a VPN is the best way of protecting your data from the ISP.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162617

> They see everything, seriously. It's your ISP; everything goes through them in the end.
>
> But it's illegal for them to do anything with the information so don't worry :D

No, the header is not encrypted but the payload is, so without performing an attack on either the session key or replacing the SSL cert they can't see what you are doing on the website.

Also, you said the only thing SSL stops is the hackers and the hosts from seeing your data. Well, the only people who should be able to see everything in a properly implemented HTTPS session are the client and the host.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162740

> Oh OK, the tunnel between me and the ISP is the secure part. I thought it was between me and the bank, for example, or Facebook. I guess that's only in a VPN -_-
>
> Thanks for your help!

Unless someone is performing an attack on the SSL implementation, only you and the end host, i.e. Facebook, should be able to read the contents of the data. All the ISP should be able to see is that you are communicating with Facebook.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162769

So they don't know what page of Facebook I am on? (the full address)

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1162793

Sigh, this is rather lost in what happens.

First, when you hit go in your web browser, your browser sends a request to the DNS servers (in this case Google). This is unencrypted; it has no need to be encrypted.

Google's DNS servers reply with the IP for the site you want to visit.

You then request contact with the remote server.

If the server wants SSL it will reply and the connection is remade over HTTPS (HTTP over SSL).

If you have a plugin that forces SSL for all sites that accept it then of course the role is switched: you attempt an SSL connection, then fall back to unencrypted.

You then converse with the remote server on the encrypted channel; your ISP still sees what site you are going to, though.

If you want to hide more from your ISP you need to be using a VPN or secure tunnel (SSH tunneling).

This sends all data encrypted to the virtual network or alternative server location.

The ISP of the VPN/server sees everything you request, but chances are this is a commercial ISP that doesn't care in the slightest.

You'll want to make sure all DNS requests are also being sent over the VPN/tunnel, otherwise it's still passing by your ISP.

Arch Linux on Samsung 840 EVO 120GB: Startup finished in 1.334s (kernel) + 224ms (userspace) = 1.559s | U mad windoze..?

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1163998

Thanks for the detailed info, very informative. I am not sure what you mean by "lost in what happens".

Regarding hiding the DNS, I think this would be important for someone who uses a VPN and doesn't want the ISP to know what sites he is visiting, right? The DNS's job stops once the website IP is translated; inner pages of the site do not need DNS.

I am more concerned about a small detail: when the ISP sees you are communicating with a website over SSL, does he see what pages you are on? Can he fetch pages for you without knowing the page you want?

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1164132

Page requests go direct to the domain over the encrypted SSL TCP (the transfer protocol), which is what HTTP and HTTPS use. So no, your ISP does not see what pages you want to access.

I cannot, however, explain the inner workings of VPNs; it's not something I use personally, and with 3rd party VPNs there is no true 100% trust link.

Personally I use a full PC-wide SSH tunnel which grabs all outgoing connections and sends them over an encrypted tunnel to my VPS. This is 100% secure; all the ISP sees is that I have an outgoing SSH connection to my server. This I can trust 100% because I know what traffic goes through my VPS.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1164506
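
Added example, not part of the original thread: the site name is readable on the wire because a TLS client puts it in the unencrypted ClientHello (the SNI extension), while the URL path is only sent after the handshake. The helper names are invented for this sketch; the ClientHello is generated offline with Python's `ssl` module, and Encrypted Client Hello is assumed not to be in use.

```python
import ssl
import struct

def client_hello_bytes(hostname):
    """Return the first flight a TLS client sends for hostname, with no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello that never comes
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the server name readable on the wire, or None if absent or malformed."""
    try:
        if data[0] != 0x16:                      # record type 22 = handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                      # handshake type 1 = ClientHello
            return None
        pos = 4 + 2 + 32                         # handshake header, version, random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:                    # extension 0 = server_name
                # layout: list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def observer_view(hostname, path):
    """What an on-path party (such as the ISP) can read before any HTTP is sent."""
    hello = client_hello_bytes(hostname)
    return {
        "sni": sni_from_client_hello(hello),
        # The URL path is not an input to the handshake; the browser sends it
        # afterwards inside encrypted application-data records.
        "path_in_cleartext": path.encode() in hello,
    }

if __name__ == "__main__":
    print(observer_view("www.facebook.com", "/messages"))
```
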

Good to know. It would be silly if the ISP could see what pages I am on in SSL; the address could have sensitive information.

From using different VPNs, all I know about VPNs is that there are many types: some include HTTP only, some include all protocols, depending on the service and software. But I would not trust one to connect to my bank, for example, just to hide what I am visiting.

I never heard of an SSH tunnel. I will try to read about that online.

Thank you very much for the help :)

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1164824

In a Windows environment it's really not common, as generally SSH is to access the command line shell of another remote machine securely, and Windows doesn't really have a native shell (command prompt does not count, it's DOS that's emulated and interpreted). In general for Windows you would use remote desktop to control the remote machine.

In a Unix environment it's the main way to control a remote machine.

Now, what is great about SSH is that you can tell it that you are using it as a tunnel for another protocol, such as HTTP/HTTPS. This takes all your HTTP/HTTPS traffic and passes it over the secure connection to the remote machine, and then the remote machine just passes all traffic on to its destination.

So, why is it more difficult in Windows? Well... Windows doesn't come with any SSH clients. Most people use PuTTY; some would advocate the use of MobaXterm. Both will do the job, but it's still not the easiest thing to set up. And frankly it's been way too long for me to remember.

Lastly, you will need a user account on the remote server/machine, and that machine needs to be running a Unix environment with an SSH server running on it. And this is the catch: I pay for my VPS, but then I can trust it. Also, as I run Linux natively on all my PCs, I also have access to a bash script that will construct a tunnel and send all my internet traffic over that tunnel, not just one protocol.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1166143

Wow, this is more complicated than I thought, way over my head, especially the part where you need to rent a remote server and set up a Unix. I am good like this :lol:

I never even used Linux other than a few hours of testing. I guess you are using Arch Linux (I was looking at your signature); that's very fast. What's the best Linux for someone like me?

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1166983

Probably Linux Mint.

https://linustechtips.com/topic/85526-ssl-and-web-address/#findComment-1167346