How much information can my ISP see?

Is it possible for my ISP to see the passwords that I enter on websites and in chat programs? And what about SSL websites that start with https, do they encrypt my username and password before reaching the ISP?

Gohary

Posted 2011-01-11T22:11:27.300

Reputation: 263

Is it possible? Yes for non SSL stuff (which isn't foolproof, but I'm trying to keep this short and practical). Is it likely? Not so much. – Rob Moir – 2011-01-11T22:35:46.727

Related: Can my ISP monitor me?

– Arjan – 2011-01-13T13:19:23.563

Answers

25

If you start at an https:// address, everything is encrypted between your computer and the remote server, so your ISP can't intercept any of your data*. Your ISP could easily view any non-ssl (http://) connections though.

Note that the Firesheep Firefox plugin exposed a hole in this mechanism last year. Many websites use https just for your initial login and then switch back to http for the rest of the traffic. In this case your ISP could intercept your traffic after you logged in. Someone else on your local network could also run the Firesheep plugin and hijack your session with, say, Facebook and impersonate you.

Most large websites are now transitioning to https all the time to fix this hole. It's not really something you need to worry about on your home network too much, but you should be aware of how this works.

Assuming you're not ignoring certificate warnings, and your computer/browser has not been compromised.

* It can also see the hostname you're requesting from a possibly shared host. Since TLS 1.0 the hostname is transmitted in plaintext (SNI).

Phil Hollenback

Posted 2011-01-11T22:11:27.300

Reputation: 503

Is the URI of the request also encrypted? – anuj_io – 2014-12-04T20:15:30.263

How about the DNS request for https://www.somesite.com? Can't the ISP know that you tried to access this website, although the content of your communication is encrypted? – Ari – 2014-12-10T23:58:18.083

Yes, your ISP can generally see all your DNS requests. I see that there is a solution to encrypt your DNS traffic, but that is something you would have to set up yourself. Another option is to use a third-party VPN service like IPVanish to encrypt all your traffic, including your DNS requests.

– Phil Hollenback – 2014-12-30T19:40:36.600

@PhilHollenback, however, if the malicious ISP can spoof and hijack your IP packets, wouldn't it be able to crack your TLS? – Pacerier – 2016-12-28T14:42:24.547

@Arjan - with that edit this answer is much better. Cheers. – Rory Alsop – 2011-01-13T13:52:57.210

Also, it should be noted that other protocols (e.g., telnet) are cleartext-only. YMMV with chat protocols. – Iszi – 2011-01-13T15:43:08.283

Yes the warning about chat programs is a good one, as they may use different protocols. – Phil Hollenback – 2011-01-13T21:53:33.300

@Iszi Nobody uses telnet, I assume? I only ever used such things for fun (sic). – Camilo Martin – 2013-05-27T01:38:06.623

@CamiloMartin You'd be surprised. The first examples that come to mind are MUDs. I'm sure there's others. – Iszi – 2013-05-28T15:21:18.673

@Iszi Never played those, but it still is "for fun", in a weird way. Now, I do hope that there aren't people logging into legacy systems from telnet or anything else that is sensitive... – Camilo Martin – 2013-05-28T23:09:09.570

9

I think you might wanna watch the following video from 27th Chaos Communication Congress (CCC):

"How the Internet sees you: demonstrating what activities most ISPs see you doing on the Internet"

  1. Info Page
  2. Video (embed) and mp4 to download
  3. PDF of the talk

labmice

Posted 2011-01-11T22:11:27.300

Reputation: 306

4

Phil is right for "If you start at an https:// address, everything is encrypted between your computer and the remote server" with one caveat: all you know with HTTPS is that everything is encrypted between your computer and somewhere else.

There is a risk that your communications could be tampered with at the ISP using a man in the middle attack — and if you think that that can't happen, see the news about Tunisia which shows what can happen if a malicious agent has access at ISP level.

This can only be avoided if:

  • A user always uses the correct https:// URL.
  • A user does not ignore certificate warnings.
  • The user is 100% sure their computer has not been tampered with.

Otherwise, an ISP could tamper with the connection in a way a non-tech savvy user may not notice.

Rory Alsop

Posted 2011-01-11T22:11:27.300

Reputation: 3 168

Okay, cleaning up then. (What about using the Markdown source for better formatting and linking?)

– Arjan – 2011-01-13T15:19:29.613

I deleted some comments, now orphaning @weeheavy's comment a bit, in which "wrong" was directed towards me, not towards the answer: those appliances can only work in corporate environments, where the browser has been set up to accept fake certificates. – Arjan – 2011-01-13T15:22:27.660

0

Sure, your ISP (or someone else using their equipment without permission, which is a serious risk in and of itself) could read unencrypted data that goes through their network. Typically, unencrypted traffic includes e-mail, web, and FTP traffic unless specifically encrypted using SSL or TLS, as in the HTTPS protocol.

Also typically, your ISP would prefer that at the very least, the passwords you send over the internet (in particular, for their e-mail accounts) are encrypted, so as to prevent attackers from compromising a router somewhere - like your wireless router with the default password - and gaining access to their servers. While the government could force an ISP to listen to your traffic for their purposes, a much greater threat to you exists from people who would love to steal your private information and/or money.

Ernie Dunbar

Posted 2011-01-11T22:11:27.300

Reputation: 679

Does TLS block the case whereby "government could force an ISP" to hack you? – Pacerier – 2016-12-28T14:44:17.317

0

Not directly an answer to your question, but passwords are more often stolen using either a keylogger (software illicitly installed on your PC that records all your keystrokes) or social engineering, such as phishing. (Phishing is sending email that tricks you into logging into a "fake version" of Facebook or whatever, thus revealing your password to the phishers, and then redirecting you to the real one. Most victims don't even realize at first what has happened.)

CarlF

Posted 2011-01-11T22:11:27.300

Reputation: 8 576