2

Assuming the website I visit uses HTTPS, which parts of the URL is protected from the eyes of my ISP?

eg; https://subdomain.domain.com/path/file.php?param=value

I know that domain.com (and probably subdomain?) is known by my ISP. What about the path, file and params?

jonjaq
  • 29
  • 1
  • 2
  • Duplicate of [Is HTTPS URL in plain text at first connection?](https://security.stackexchange.com/questions/117536/is-https-url-in-plain-text-at-first-connection/117544) – rugk Mar 20 '16 at 15:40
  • http://www.securityweek.com/hackers-can-intercept-https-urls-proxy-attacks – Tom Jul 29 '16 at 14:41

2 Answers2

2

Your ISP and your DNS provider are able to see that you are connecting to subdomain.domain.com, but neither are able to see the entire URL that you are requesting.

The first thing that happens is that your DNS provider will see that you are requesting the IP address that subdomain.domain.com points to. So, if you are using your ISP's DNS service, your ISP will see that.

Next, your ISP will then see that you are connecting to the web server at the IP address that subdomain.domain.com points to.

Neither your ISP nor your DNS provider will see the entire URL that you are pointing your browser to. The entire URL is sent to the web server only after the SSL/TLS connection to subdomain.domain.com is established.

Note: Even if you use a DNS service other than your ISP's, your ISP is still likely to be able to determine the hostname (but not the entire URL) of the web server that you are connecting to. Many IP addresses used by web servers reverse to the same hostname that forwards to this IP, so your ISP could conceivably do a reverse DNS lookup (for the PTR record) of the IP address that it sees that you are connecting to, and this would reveal the hostname associated with this IP address (subdomain.domain.com). In cases where one web server is hosting many SSL web sites on the same IP, (which can be done if the web server is running SNI), your ISP could still be able to see the hostname that you are connecting to, because this is transmitted from your web browser to the server in clear text before the SSL/TLS handshake.

mti2935
  • 19,868
  • 2
  • 45
  • 64
0

Probably a duplicate of this one: https://stackoverflow.com/questions/499591/are-https-urls-encrypted

In short, yes it's all encrypted but putting sensitive information in a URL is always a bad idea. DNS queries will still reveal which domains you are visiting.

So can your ISP see the URL you are visiting in a HTTPS request. Not directly but it can indirectly obtain a lot of information. For instance, it needs to know to which IP address to route the request. The IP address can be used for a reverse DNS lookup to obtain more information.

Why do you need to know? What information do you want to protect?

Silver
  • 1,824
  • 11
  • 23
  • 1
    You aren't trying to make the [nothing to hide argument](https://security.stackexchange.com/questions/95751/when-do-honest-people-need-privacy-or-anonymity-e-g-they-have-nothing-to-hide) with your last sentence, do you? Also, when you think the question is a duplicate, please do not answer it. Flag it as a duplicate, read the answers of the duplicate and post an answer there when you think there is something which still needs to be said. – Philipp Dec 12 '15 at 17:10
  • No, I would like to know where the sensitive information can be found in the URL to better answer the question. People told me to include a summary when posting a link. – Silver Dec 12 '15 at 22:28
  • "Include a summary when posting a link" is the rule when you are linking to another website. When you link within the same stackexchange, you can just flag as a duplicate. – Philipp Dec 13 '15 at 02:08