Your ISP can always know what your initial connection is to (web, mail, file transfer, IM).
Most likely you use their DNS services too so they know any hostname you query on.
Given the long list of certificate roots (trust anchors, whatever you want to call them) that Microsoft, Firefox, Apple, Mozilla, and Opera trust it is possible for your ISP to see all your traffic, be it in an SSL tunnel or not. This is because they can setup a transparent proxy and you will most likely trust the cert they offer up. It is possible to detect this but most users don't know how and the browser makers don't make it easy.
Sorry :(
==
@DanielB @zamnuts I'm afraid you're mistaken. Take a look at your root list in whatever off the shelf browser you use; you will note a wide variety of countries and companies are in there. Many of those countries and companies are extremely susceptible to influence by national entities; many have issued certificates errantly and many would issue bogus certificates to the right requestor (your favorite intelligence, military agency in the case of western countries and the drug cartels in the case of central and south american countries and business). These are simple facts. What is to stop a "patriotic" or corruptible CA from issuing a certificate to yourbank.com? Sure some users after seeing the golden padlock will double check that the issuing authority and root have not changed since last they visited - but not most. Even someone like wells fargo who uses the certificates that give a green address bar (meaning ID not just domain name was validated by the issuing authority) are not immune since most users don't know what the green bar means and will never notice that it's no longer green so long as the padlock is still there. BTW ask your tech ignorant relatives what the padlock is and they won't even know that.
9With HTTPS, per the current standard, only the IP address is known: TCP packets are sent to an IP address, but the contents of HTTPS, including the header which includes the method (e.g.
GET
) and the domain (i.e.Host: domain.tld
), are always encrypted. This isn't to say that the ISP could infer the domain via an unencrypted DNS query that was requested milliseconds prior (if it was a local cache miss). – zamnuts – 2014-10-13T20:52:33.1331@zamnuts reverse-IP is also a likely candidate for inferring the domain name of a given IP address. – Thebluefish – 2014-10-13T21:46:04.407
@Thebluefish you are correct, although this is not always accurate in the case of virtual hosts that share an IP address. A reverse IP also assumes that a PTR (or equiv) DNS record is registered and/or the lookup table is comprehensive enough and up-to-date. Granted, if an ISP is known for hosting unicorn sites, one could lookup whois or do the reverse DNS and infer that user X was most likely browsing unicorns. – zamnuts – 2014-10-13T22:10:13.563
In fact, both the source and the destination of the traffic is available to any network device along the route. Similar to how the postal service can look at a piece of mail to see where it's from and where it's going at any point in its journey, although they may not know what's in the package. – Oran D. Lord – 2014-10-13T23:04:19.957
2With HTTPS they could simply connect to the IP and read the cert to gain the domain. Can't multi-host HTTPS except by wildcard cert. – Joshua – 2014-10-13T23:37:56.310
2
@Joshua: Unless the server uses SNI.
– josh3736 – 2014-10-14T00:51:46.513