Does my ISP know what sites I am visiting?

5

I am using Google Chrome in Windows 7 for Internet access. I am very curious to know if my ISP knows or not which sites I am visiting or what I am downloading. If it knows then to what extent (meaning what does it know about my browsing and downloading activity). I am not using any VPN services.

A. Prasad

Posted 2014-10-13T18:28:02.563

Reputation: 719

Question was closed 2014-10-14T01:51:09.510

Answers

11

Yes. Even if you're visiting websites with HTTPS, your ISP knows which website you're visiting. We can try to hide what we are sending back and forth but the destination you're visiting is always available to your ISP.

Minot

Posted 2014-10-13T18:28:02.563

Reputation: 144

9

With HTTPS, per the current standard, only the IP address is known: TCP packets are sent to an IP address, but the contents of HTTPS, including the header which includes the method (e.g. GET) and the domain (i.e. Host: domain.tld), are always encrypted. This isn't to say that the ISP could infer the domain via an unencrypted DNS query that was requested milliseconds prior (if it was a local cache miss). – zamnuts – 2014-10-13T20:52:33.133

1

@zamnuts reverse-IP is also a likely candidate for inferring the domain name of a given IP address. – Thebluefish – 2014-10-13T21:46:04.407

@Thebluefish you are correct, although this is not always accurate in the case of virtual hosts that share an IP address. A reverse IP also assumes that a PTR (or equiv) DNS record is registered and/or the lookup table is comprehensive enough and up-to-date. Granted, if an ISP is known for hosting unicorn sites, one could look up whois or do the reverse DNS and infer that user X was most likely browsing unicorns. – zamnuts – 2014-10-13T22:10:13.563

In fact, both the source and the destination of the traffic are available to any network device along the route. Similar to how the postal service can look at a piece of mail to see where it's from and where it's going at any point in its journey, although they may not know what's in the package. – Oran D. Lord – 2014-10-13T23:04:19.957

2

With HTTPS they could simply connect to the IP and read the cert to gain the domain. Can't multi-host HTTPS except by wildcard cert. – Joshua – 2014-10-13T23:37:56.310

2

@Joshua: Unless the server uses SNI.

– josh3736 – 2014-10-14T00:51:46.513

4

Logging says they do, even if the initial connect is to an SSL-enabled server.

So if you connect directly to a proxy, they'll know that.

If you connect directly to a TOR node, they'll know that.

If you connect directly to a VPN provider, they'll know that as well.

Do they care? Probably not, unless you're in one of those "enlightened" countries. Or doing one of those "enlightened" activities.

Fiasco Labs

Posted 2014-10-13T18:28:02.563

Reputation: 6 368

0

Of course they do.

The only mitigating factor is if they actually care to have a look. Most people manage to stay under the radar, but if you're doing something you really shouldn't, they'll be logging it somewhere.

Tetsujin

Posted 2014-10-13T18:28:02.563

Reputation: 22 456

4

Well, even if you're doing nothing illegal, you could be brought to court.

– slhck – 2014-10-13T18:33:15.297

Ouch, just ouch. Caught in possession of a typo :-( – Tetsujin – 2014-10-13T18:49:57.633

-3

Your ISP can always know what your initial connection is to (web, mail, file transfer, IM). Most likely you use their DNS services too so they know any hostname you query on. Given the long list of certificate roots (trust anchors, whatever you want to call them) that Microsoft, Firefox, Apple, Mozilla, and Opera trust it is possible for your ISP to see all your traffic, be it in an SSL tunnel or not. This is because they can set up a transparent proxy and you will most likely trust the cert they offer up. It is possible to detect this but most users don't know how and the browser makers don't make it easy. Sorry :(

@DanielB @zamnuts I'm afraid you're mistaken. Take a look at your root list in whatever off the shelf browser you use; you will note a wide variety of countries and companies are in there. Many of those countries and companies are extremely susceptible to influence by national entities; many have issued certificates errantly and many would issue bogus certificates to the right requestor (your favorite intelligence, military agency in the case of western countries and the drug cartels in the case of Central and South American countries and business). These are simple facts. What is to stop a "patriotic" or corruptible CA from issuing a certificate to yourbank.com? Sure some users after seeing the golden padlock will double check that the issuing authority and root have not changed since last they visited - but not most. Even someone like Wells Fargo who uses the certificates that give a green address bar (meaning ID not just domain name was validated by the issuing authority) is not immune since most users don't know what the green bar means and will never notice that it's no longer green so long as the padlock is still there. BTW ask your tech ignorant relatives what the padlock is and they won't even know that.

Ram

Posted 2014-10-13T18:28:02.563

Reputation: 977

2

This is wrong. A regular ISP will never ever have access to the keys of any universally trusted root certificate authority. – Daniel B – 2014-10-13T19:09:58.603

1

@DanielB, I think Ram is talking about swapping the cert, and the average user doesn't bother to check the legitimacy of the cert when browsing, albeit modern browsers now warn the user of these things. So it isn't necessarily that the ISP has access to the private keys of the trusted root. – zamnuts – 2014-10-13T21:04:57.557

@zamnuts - Even if they are, their answer is wrong, a user would have to accept those invalid certificates for his answer to even be remotely correct. By default a browser would indicate a problem with a certificate like he describes until a user decided to trust the certificate. – Ramhound – 2014-10-14T01:11:30.453

Well, it’s certainly good to raise questions about the overall state of the trust system. But what we have here is just conspiracy and paranoia. Your ISP will not have these keys. Some government agency might have them, sure. But if you worry about that you should be out on the street, fighting for your rights. – Daniel B – 2014-10-14T17:26:10.410

I was answering the question first and then correcting some of the misinformation other answers were putting forward in order to provide a more accurate picture. I don't believe it is common. The fact is that this has actually happened - a Gmail certificate was issued and at around the same time an internet backbone routing attack occurred driving Gmail traffic through very abnormal routes - perhaps a coincidence. Here's an article on the Gmail cert in case you missed it. http://www.pcmag.com/article2/0,2817,2392063,00.asp

– Ram – 2014-10-14T18:15:04.397