15

For example, when I enter this URL: https://www.google.com/search?q=example or http://www.google.com/search?q=example I can see the word example that I was searching on Google. Can the ISP see this URL and so maybe register it in their logs?

Anders
Frank
  • Could you state your country? Theoretically yes. Do they? Maybe. The law in the UK is coming in for ISPs to save this information, though I think I may misunderstand the question. – TheHidden Dec 02 '15 at 16:19
  • My country is Italy. – Frank Dec 02 '15 at 16:29
  • A surplus of questionable Root CAs in your browser compromises your trust in the secure session and may allow an ISP or any intervening router to engage in a [MITM attack](http://security.stackexchange.com/a/105069/13857), thereby making all web traffic viewable. Solution is to remove unneeded and/or non-trustworthy Root Certificates. – Andrew Philips Dec 02 '15 at 17:21

4 Answers

19

The ISP

  • can see GET and POST Parameters of websites that don't use SSL
  • can see DNS requests (-> which domains did you visit)

So in your example the ISP would not see the search request as GET Parameters are encrypted with SSL (ref).

Conclusion: the ISP would know THAT you searched on Google but it wouldn't know WHAT you searched for.

Skyküff
  • thanks, and what about the `DNS` request if I use a software like `DNSCrypt` https://dnscrypt.org/ ? – Frank Dec 02 '15 at 16:31
  • 1
    @Frank They also see the IP you contact, and can do a reverse DNS lookup. – Peter Dec 02 '15 at 16:54
  • @Peter, are you answering my question in the comment here? In that case, is using `DNSCrypt` not useful for masking the `URL` I'm visiting from my ISP? – Frank Dec 02 '15 at 18:29
  • 2
    Just to clarify, as one of your examples does not use SSL: in that case they can see everything that you send/receive, unless Google redirects to an SSL encrypted connection, and even then they'll get the initial request in full. – Rory McCune Dec 02 '15 at 18:30
  • @Frank As usual, it depends. DNSCrypt prevents them from seeing you asked someone "what IP is google.com?". DNSCrypt on its own does not prevent them from seeing the IP addresses of the servers you talk to. After all you pay them to send messages to the IPs you tell them, so they have to know an IP to do that. The protection against that is to use one of the many forms of a proxy. – Peter Dec 02 '15 at 19:00
  • *the ISP would know THAT you searched on Google*. To be precise, the ISP would know that you **accessed** `https://www.google.com/`. Anything after the third slash is encrypted. We can presume that this is `/search` but that information is not available. – WoJ Dec 02 '15 at 20:20
  • Let's say I've made a Google search: `https://www.google.co.in/search?q=test`, you mean ISP won't be able to see that I searched for `test`? – Anand Sudhanaboina Dec 03 '15 at 05:59
  • Your ISP can't see what you googled for but assuming you actually click on a search result, they'd see DNS queries for Google, then DNS queries for the domain of the website you want to visit. It would not be hard to guess what your search query was in most circumstances. – lorenzog Dec 03 '15 at 09:52
  • With https, no, they would not see the example, because it is application data, which is encrypted. They would know you accessed a specific Google server, that is, they would know the IP address you accessed, because this information is required below the application data, namely in the IP header. – marshal craft Jan 13 '18 at 04:03
2

The best way to learn about this is to mirror the port from your ISP and analyse it with Wireshark, applying the filters you need for the traffic that concerns you (see Wireshark 101). There you will see what they see, and it will give you a scope for taking precautions depending on the layer you need (VPN, DNSCrypt, proxychains, etc.).

Pang
Sarastro
2

The short answer is: Everything. When traffic leaves your house, it's in your ISP's domain, and there's no way of getting around that.

The long answer is more complicated. If you use encryption wherever possible, payloads would not be viable to view (it may be possible to decrypt a packet, with enough time and processing power, but it's not a viable use of resources).

What they can most definitely see is the information of where it's going. IP address, port number and below are considered to be public, for all intents and purposes. They can see where you went, and when, but not what you did.

The mitigating factor here is where you introduce an additional step between you and your destination. A VPN, for example, encrypts all traffic and passes it as is to the VPN endpoint. From there, it acts as if you were browsing from that endpoint. The ISP for the next step would see that someone visited Google, but your account is separated from it.

Jozef Woods
-2

I would ask your ISP, and look further into any user agreements. Many ISPs have recently been creating their own private subnets between your router and the WWW. Recently an ISP stated this is for IPv4 addressing issues, such as running out. So, they have placed their private subnet right outside the router leased to the customer. Not to create a panic, but this means they could technically monitor anything they want, HTTP or HTTPS. The average customer isn't looking for this. Just to point out, I would like to assume this is for safer traffic on the ISP's or hosting company's infrastructure.