0

I was under the impression all images were https. Not really a computer person, so I don’t really understand how this works. I was also under the impression that ISPs can see all images and searches despite having https. Wouldn’t that be beneficial in some cases? I get nervous searching health info as I know Google and ISPs can sell your info.

Sally

2 Answers

2

> I was under the impression all images were https.

This is not true. While the images shown in the Google Images Search are served by Google using https, they can refer to images which are plain http, i.e. once you click the link you get the image as plain http.

> I was also under the impression that ISPs can see all images and searches despite having https.

This is not true either. Unless SSL interception is done (which needs changes to your computer in order to not cause warnings or errors), the ISP can see what sites you visit but not the exact content of the request or response, like which search terms and which results.

> I get nervous searching health info as I know Google and ISPs can sell your info

Google can definitely see your search terms, since otherwise they could not provide you with the results of your search.

ISPs can, as I said, not see the exact searches but they can detect the sites you visit and at which time and order. This is often enough to create interesting personal profiles which they could sell if there is no law or legal terms to forbid this. And even if laws prevent selling such information, the ISP might have its own advertisement business (like Google does) or even their own insurance business and might use this information there without selling it to third parties.

Steffen Ullrich
  • So if I went to Google and typed/searched for horses in the images section, my ISP wouldn’t know what I searched for? And those images shown on the Google image page would be in https but if I clicked on the image it would be in http? Would they have a record of the results or images loaded? So they can’t see what I specifically search for? Isn’t all of Google https?? – Sally Jun 21 '19 at 23:18
  • @Sally: The ISP cannot see what exactly you search for. The ISP cannot see the images which are shown in the image preview of the search. The ISP could in theory see the images you click on **if** these are served with HTTP but many are actually served with HTTPS. But even with HTTPS your ISP could in theory see what site the image is loaded from, which might reveal what kind of images you view (like related to some illness or so). – Steffen Ullrich Jun 22 '19 at 05:22
  • So the https doesn’t matter? – Sally Jun 22 '19 at 23:36
  • ISPs can as I said not see the exact searches but they can detect the sites you visit and at which time and order.... so they can see the google results page for images and webpages...this they can know what you searched for? Or they can see a website you click on from the search? – Sally Jun 23 '19 at 04:01
  • @Sally: for what an ISP can see with HTTPS see [Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?](https://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites-from-a-single). As for HTTP: as far as I know Google makes sure that the Referer header does not contain your specific search terms but other search engines might behave differently here, as Google did in the past. In such cases the ISP might see in HTTP (not HTTPS) what you've searched for. – Steffen Ullrich Jun 23 '19 at 06:27
  • Oh. So they can’t see Google searches? – Sally Jun 25 '19 at 10:34
  • @Sally: again, they can *"not see the exact searches but ...."* - see my comment from a few days ago. – Steffen Ullrich Jun 25 '19 at 10:43
  • Right. You’re saying Google automatically puts all image results and results into https? – Sally Jun 26 '19 at 03:48
  • @Sally: yes, to cite myself: *"... while __the images shown in the Google Images Search are served by Google using https__ they can refer to images which are plain http, i.e. once you click ...."*. – Steffen Ullrich Jun 26 '19 at 06:06
  • So referring to what you said earlier, how can they in theory see what site the images are from? Can ISPs just decode your https? – Sally Jun 27 '19 at 01:43
  • @Sally: *"... referring to what you said earlier..."* - I have no idea what specifically you refer to. But as I said - ISP can see what sites you visit (domain only, not full URL) since this information is part of the TLS handshake (SNI) and can be detected by tracking DNS requests too. They can also see the size and timing of data transferred which allows limited reasoning about the kind of data transferred, even though the data itself are encrypted. – Steffen Ullrich Jun 27 '19 at 05:09
  • What about when you enter something in the search bar right before it connects to Google? Can an ISP see that? – Sally Aug 10 '19 at 23:10
  • @Sally: *"... before it connects to google ...."* - you essentially ask if the ISP can have a look at your desktop or if something will be sent apart from sending the query to Google and if this one is unprotected. The answer is "no" in both cases. – Steffen Ullrich Aug 11 '19 at 03:01
  • Confused by your answer...? So it’s a no? – Sally Aug 11 '19 at 19:54
  • @Sally: confused by your question. What part of *"The answer is "no" in both cases."* is too hard to understand? – Steffen Ullrich Aug 11 '19 at 19:56
  • Both cases? ........... – Sally Aug 11 '19 at 19:58
  • @Sally: to cite myself: *"... __IF__ the ISP can have a look at your desktop **OR** if something will be sent apart from sending the query to Google and if this one is unprotected"* - aren't these __two__ cases? – Steffen Ullrich Aug 11 '19 at 20:03
0

In a default architecture, an ISP cannot read your data for an https website. However, there are a few modifications that enable an attacker or a legitimate ISP to view or sniff data. This includes performing a man-in-the-middle attack through SSL deciphering or performing less reliable attacks like sslStrip etc.

If you want to be sure whether your data is being viewed or not, please have a look at the certificate chain for the https website in the browser.