4

Let's say you are visiting https://57vdyr6tyuibgyoihp.blogspot.com. Does the ISP only see the blogspot.com part, or the entire 57vdyr6tyuibgyoihp.blogspot.com?

Anders
Guest12841
  • The entire hostname. But only the hostname, no other info (no cookies, not the request URL and so on). – peterh Oct 16 '17 at 04:08

2 Answers

3

I think you are referring to the hostname as given in clear text in the SNI extension in the ClientHello message as part of the TLS handshake. Since this extension is used to tell the server what certificate to provide as part of the TLS handshake and the server might have different certificates for different subdomains, the SNI extension must contain the full hostname like foo.bar.example.org and not only part of it like example.org.

Steffen Ullrich
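To make this concrete, here is an added example (not code from the answer above): it builds a genuine ClientHello for the hostname in the question using Python's `ssl` module, entirely in memory with no network traffic, and then parses the SNI extension out of the raw bytes the way a passive observer on the wire would. The record-layer offsets follow RFC 8446; the only assumption is that the first flight fits in a single TLS record, which it does for a normal ClientHello.

```python
import ssl
import struct

def client_hello_for(hostname):
    """Return the exact bytes a TLS client would put on the wire first.
    A MemoryBIO pair replaces the socket, so nothing leaves this machine."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello that never comes
    return outgoing.read()

def sni_from_client_hello(data):
    """Walk TLS record -> Handshake -> ClientHello -> extensions and return
    the server_name (extension type 0), or None if there is none."""
    if len(data) < 5 or data[0] != 0x16:               # ContentType 22 = handshake
        return None
    rec_len = struct.unpack('!H', data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                        # HandshakeType 1 = ClientHello
        return None
    pos = 4 + 2 + 32                                   # hs header, legacy_version, random
    pos += 1 + hs[pos]                                 # session_id (1-byte length)
    pos += 2 + struct.unpack('!H', hs[pos:pos + 2])[0]  # cipher_suites (2-byte length)
    pos += 1 + hs[pos]                                 # compression_methods
    ext_end = pos + 2 + struct.unpack('!H', hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack('!HH', hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        if etype == 0 and len(body) >= 5 and body[2] == 0:  # name_type 0 = host_name
            nlen = struct.unpack('!H', body[3:5])[0]
            return body[5:5 + nlen].decode('ascii')   # plaintext, not encrypted
        pos += 4 + elen
    return None

if __name__ == '__main__':
    host = '57vdyr6tyuibgyoihp.blogspot.com'          # the hostname from the question
    hello = client_hello_for(host)
    print('ClientHello is %d bytes; SNI visible on the wire: %s'
          % (len(hello), sni_from_client_hello(hello)))
```

Running it prints the full hostname, not just `blogspot.com`, which is exactly what an on-path observer gets from the unencrypted handshake.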
3

As Steffen says, the SNI extension will contain the full hostname. The other way your ISP (or anybody else in a position to monitor traffic on the wire) might deduce the full domain you're going to is by looking at the DNS request. Different subdomains can (and often do) have different IP addresses, so a DNS query needs to contain the full domain name. DNS requests (and responses) are almost always transmitted in plain text.

A less-reliable way is to do a reverse DNS lookup on the IP address you're connecting to. Even if you don't do a DNS query that the ISP sees (maybe you have it locally cached, or configured in a HOSTS file, or something), the ISP sees whatever IP you're connecting to, and can query the domain name system for what names map to that IP address (known as a "reverse DNS" lookup). This is less precise than the other methods, because a given IP address might serve a large number of domain names, so for example they might be able to tell if you're going to abc.example.com, xyz.example.com, or example-site.com (assuming all those domains were served from the same IP address, as may well be the case), but at a minimum they can usually tell who owns the site you're connecting to, and often a given IP address has only one (externally meaningful) domain name.

CBHacking