I've been using a VPN lately, which I configured on an Ubuntu machine in Germany, and I do not feel comfortable using it because of the high latency. So I found DNSCrypt, since I only want to keep my browsing activity mine.

If I am visiting only SSL-protected websites (these days the number of sites that have SSL is rapidly increasing) and using DNSCrypt (which protects my DNS lookups from being spoofed), is there any way my ISP can determine the web addresses I am visiting?

unor
Luka
  • Actually DNSCrypt protects DNS from being _observed or_ altered; the older and much more widespread (but still decidedly not universal) DNSSEC is sufficient to protect against alteration. – dave_thompson_085 Aug 07 '17 at 06:35
  • Mostly dupe https://security.stackexchange.com/questions/2914/can-my-company-see-what-https-sites and https://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites and https://security.stackexchange.com/questions/33738/are-secret-urls-secure-over-https and https://security.stackexchange.com/questions/117536/is-https-url-in-plain-text and https://security.stackexchange.com/questions/107941/privacy-which-parts-of-url-is-protected-by-https and https://security.stackexchange.com/questions/71975/how-much-does-a-get-request-over-https-reveal – dave_thompson_085 Aug 07 '17 at 07:06

1 Answer

DNSCrypt only protects the DNS lookup. The HTTPS connection is still made to the original target, which thus reveals the target IP address to the ISP. And, if deep packet inspection is done, the target hostname can also be extracted from the TLS handshake (SNI extension in ClientHello). This means the ISP can see which sites you visit but not the exact URL on the site. Although, in the case of well-known public resources on the site, the traffic pattern might also reveal which of these resources you have accessed.

Steffen Ullrich
  • I'd like to add that if you want to hide the domain you are visiting from your ISP, you should use a VPN or a proxy. – Ninja_Coder Aug 07 '17 at 06:39
  • @Ninja_Coder: a proxy does not necessarily hide the domain, it depends on the specific application and usage. Especially just using an external HTTP or SOCKS proxy will not hide the domain because these proxy protocols add no encryption by themselves. And, as can be seen from the question, the OP is well aware of VPN but does not like the overhead. – Steffen Ullrich Aug 07 '17 at 06:46
  • You're right! I should have read better. Also didn't realize SOCKS did no encryption. – Ninja_Coder Aug 07 '17 at 06:54
  • @Ninja_Coder: [Is SOCKS secure?](https://security.stackexchange.com/questions/719/is-socks-secure), [SOCKS proxy security concerns](https://security.stackexchange.com/questions/19678/socks-proxy-security-concerns) ... – Steffen Ullrich Aug 07 '17 at 08:12
  • SNI only reports the HOSTNAME of the server, as I understood. So if the domain is jordan.com and the server hostname is aurora.hosting.com, the ISP is going to see only the hostname. Maybe with a reverse IP lookup they can see sites hosted there, but they can't be sure which site I visited. – Luka Aug 07 '17 at 10:33
  • @Luka: SNI contains the FQDN (fully qualified domain name). Thus the ISP can see the site visited (`www.example.com`) but not the exact URL (page) with full path (`http://www.example.com/secret/`) at this site. – Steffen Ullrich Aug 07 '17 at 11:03
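To make the answer and the SNI discussion in the comments concrete, here is an added example (not code from the answer or from any DNSCrypt project) that builds a minimal, constructed TLS ClientHello, parses the cleartext SNI extension out of it the way a passive on-path observer such as an ISP's DPI box would, and summarises what that observer learns from the flow: the peer IP, the FQDN in SNI, and the sizes of the encrypted application-data records. The URL path is never among these because it only exists inside the encrypted records. The function names and the sample records are assumptions made for this example.

```python
import struct
from typing import List, Optional


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record.
    Constructed sample input for this example, not a real capture."""
    # supported_versions extension (type 0x002b), so the parser must skip
    # at least one extension that is not SNI
    sv_data = bytes([2, 0x03, 0x03])
    extensions = struct.pack("!HH", 0x002B, len(sv_data)) + sv_data
    if include_sni:
        name = hostname.encode("ascii")
        # ServerNameList: one entry, name_type 0 = host_name
        server_name_list = struct.pack("!BH", 0, len(name)) + name
        sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                    # client_version
        + b"\x11" * 32                                 # random (fixed, constructed)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"   # two cipher suites
        + b"\x01\x00"                                  # one compression method
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if the record is not a ClientHello or carries no SNI.
    Every field read here is cleartext; no keys are involved."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):                           # no extensions block
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:         # not server_name
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        lpos = 2
        while lpos + 3 <= min(list_end, len(edata)):
            name_type = edata[lpos]
            name_len = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            name = edata[lpos:lpos + name_len]
            lpos += name_len
            if name_type == 0:                        # host_name entry
                return name.decode("ascii", errors="replace")
    return None


def observer_view(dst_ip: str, records: List[bytes]) -> dict:
    """What a passive observer derives from a TLS flow without the session
    keys: destination IP, SNI hostname, and encrypted record sizes (the
    'traffic pattern'). The request path is inside the ciphertext and absent."""
    view = {"dst_ip": dst_ip, "sni": None, "app_record_sizes": []}
    for rec in records:
        if len(rec) < 5:
            continue
        if rec[0] == 0x16 and view["sni"] is None:
            view["sni"] = extract_sni(rec)
        elif rec[0] == 0x17:                          # application_data record
            view["app_record_sizes"].append(struct.unpack("!H", rec[3:5])[0])
    return view


if __name__ == "__main__":
    # Constructed flow: ClientHello followed by one encrypted record whose
    # 48 ciphertext bytes stand in for an HTTP request to a secret path.
    hello = build_client_hello("www.example.com")
    app = b"\x17\x03\x03" + struct.pack("!H", 48) + b"\x00" * 48
    print(observer_view("203.0.113.10", [hello, app]))
```

Running it shows the hostname `www.example.com` and the record size recovered from the flow while nothing about the request path is available; a ClientHello built with `include_sni=False` yields `None` for the SNI, which is what ECH-style hostname hiding aims at but plain HTTPS does not provide.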