Is it possible for my ISP to see the passwords that I enter on websites and in chat programs? And what about SSL websites that start with https, do they encrypt my username and password before reaching the ISP?
Is it *possible*? Yes for **non** SSL stuff (which isn't foolproof, but I'm trying to keep this short and practical). Is it likely? Not so much. – Rob Moir Jan 11 '11 at 22:35
Related: [Can my ISP monitor me?](http://superuser.com/questions/23612/can-my-isp-monitor-me) – Arjan Jan 13 '11 at 13:19
5 Answers
If you start at an https:// address, everything is encrypted between your computer and the remote server, so your ISP can't intercept any of your data†*. Your ISP could easily view any non-ssl (http://) connections though.
Note that the Firesheep Firefox plugin exposed a hole in this mechanism last year. Many websites use HTTPS just for your initial login and then switch back to HTTP for the rest of the traffic. In this case your ISP could intercept your traffic after you logged in. Someone else on your local network could also run the Firesheep plugin and hijack your session with, say, Facebook and impersonate you.
Most large websites are now transitioning to https all the time to fix this hole. It's not really something you need to worry about on your home network too much, but you should be aware of how this works.
† Assuming you're not ignoring certificate warnings, and your computer/browser has not been compromised.
* It can also see the hostname you're requesting from a possibly shared host. Since TLS1.0 the hostname is transmitted in plaintext (SNI)
Also, should note that other protocols (i.e.: `telnet`) are cleartext-only. YMMV with chat protocols. – Iszi Jan 13 '11 at 15:43
Yes the warning about chat programs is a good one, as they may use different protocols. – Phil Hollenback Jan 13 '11 at 21:53
@Iszi Nobody uses `telnet`, I assume? I only ever used such things for fun (sic). – Camilo Martin May 27 '13 at 01:38
@CamiloMartin You'd be surprised. The first examples that come to mind are MUDs. I'm sure there's others. – Iszi May 28 '13 at 15:21
@Iszi Never played those, but it still is "for fun", in a weird way. Now, I do hope that there aren't people logging in into legacy systems from `telnet` or anything other that is sensitive... – Camilo Martin May 28 '13 at 23:09
How about the DNS request for `https://www.somesite.com`? Can't the ISP know that you tried to access this website, although the content of your communication is encrypted? – Ari Dec 10 '14 at 23:58
Yes, your isp can generally see all your dns requests. I see that there is a solution to [encrypt your dns traffic](https://www.opendns.com/about/innovations/dnscrypt/) but that is something you would have to set up yourself. Another option is to use a third party vpn service like [IPVanish](https://www.opendns.com/about/innovations/dnscrypt/) to encrypt all your traffic, including your dns requests. – Phil Hollenback Dec 30 '14 at 19:40
@PhilHollenback, However, if the malicious ISP can spoof and hijack your IP packets, wouldn't it be able to crack your TLS ? – Pacerier Dec 28 '16 at 14:42
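To make the answer above concrete, here is an added example (not code from the original answer or from any of the commenters) of what a passive tap at the ISP can read from three client-to-server payloads: a plaintext HTTP login form, a follow-up plaintext HTTP request carrying the session cookie (the Firesheep case), and a TLS ClientHello, from which only the SNI hostname is recoverable. The hostnames, cookie value and password are constructed for the example, and the ClientHello is built locally by `build_client_hello` rather than captured from a real browser.

```python
"""What a passive observer reads from plaintext HTTP versus a TLS ClientHello.

Added example; all inputs below are constructed (made-up host, cookie, password).
"""
import os
from urllib.parse import parse_qs


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello with a server_name (SNI) extension.

    Layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name). One cipher
    suite is enough for a parser to walk the structure.
    """
    name = hostname.encode("ascii")
    server_name = b"\x00" + len(name).to_bytes(2, "big") + name           # name_type 0 = host_name
    server_name_list = len(server_name).to_bytes(2, "big") + server_name
    sni_ext = b"\x00\x00" + len(server_name_list).to_bytes(2, "big") + server_name_list
    body = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + os.urandom(32)                  # random
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\xc0\x2f"             # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                     # one compression method: null
        + len(sni_ext).to_bytes(2, "big") + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # TLS record header


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                       # not a handshake record, or not a ClientHello
    body = record[9:]                     # skip 5-byte record header and 4-byte handshake header
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    if pos + 2 > len(body):
        return None                       # no extensions block at all
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        pos += 4
        if ext_type == 0:                 # server_name extension
            p = pos + 2                   # skip server_name_list length
            while p + 3 <= pos + ext_len:
                name_type = body[p]
                name_len = int.from_bytes(body[p + 1:p + 3], "big")
                p += 3
                if name_type == 0:
                    return body[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None


def summarize_http(payload: bytes) -> dict:
    """Pull out what a passive observer trivially reads from a plaintext HTTP request."""
    head, _, form_body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = parse_qs(form_body.decode("latin-1"))
    return {
        "kind": "http",
        "host": headers.get("host"),
        "method": method,
        "path": path,
        "cookie": headers.get("cookie"),            # the value Firesheep replays
        "password": fields.get("password", [None])[0],
    }


def what_the_isp_sees(payload: bytes) -> dict:
    """Classify one captured client->server payload and report the readable parts."""
    if payload[:1] == b"\x16":            # TLS handshake record
        return {"kind": "tls", "sni": extract_sni(payload)}   # hostname only; nothing else is readable
    return summarize_http(payload)


# Constructed sample traffic (not captured from any real site).
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"username=alice&password=s3cret-pw"
)
HTTP_AFTER_LOGIN = (
    b"GET /home HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Cookie: sessionid=7f3a9c1e\r\n\r\n"
)
TLS_HELLO = build_client_hello("www.example.com")

if __name__ == "__main__":
    for pkt in (HTTP_LOGIN, HTTP_AFTER_LOGIN, TLS_HELLO):
        print(what_the_isp_sees(pkt))
```

The first two results expose the password and then the session cookie outright, which is exactly why "HTTPS for login only" did not help against Firesheep; the third yields just `www.example.com`, the SNI the answer's second footnote describes (only Encrypted Client Hello, not yet universal, hides it). DNS lookups, raised in the comments, leak the same hostname a second time unless the resolver traffic is itself encrypted.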
Phil is right for "If you start at an https:// address, everything is encrypted between your computer and the remote server" with one caveat: all you know with HTTPS is that everything is encrypted between your computer and somewhere else.
There is a risk that your communications could be tampered with at the ISP using a man in the middle attack — and if you think that that can't happen, see the news about Tunisia which shows what can happen if a malicious agent has access at ISP level.
This can only be avoided if:
- A user always uses the correct https:// URL.
- A user does not ignore certificate warnings.
- The user is 100% sure their computer has not been tampered with.
Otherwise, an ISP could tamper with the connection in a way a non-tech savvy user may not notice.
Okay, cleaning up then. (What about using [the Markdown source](http://meta.stackoverflow.com/revisions/6c0ca044-da6d-4f8c-aaf3-bf2c54ea7892/view-source) for better formatting and linking?) – Arjan Jan 13 '11 at 15:19
I deleted some comments, now orphaning @weeheavy's comment a bit, in which "wrong" was directed towards me, not towards the answer: those appliances can only work in corporate environments, where the browser has been set up to accept fake certificates. – Arjan Jan 13 '11 at 15:22
Sure, your ISP (or someone else using their equipment without permission, which is a serious risk in and of itself) could read unencrypted data that goes through their network. Typically, unencrypted traffic includes e-mail, web, and FTP traffic unless specifically encrypted using SSL or TLS, as in the HTTPS protocol.
Also typically, your ISP would prefer that at the very least, the passwords you send over the internet (in particular, for their e-mail accounts) are encrypted, so as to prevent attackers from compromising a router somewhere - like your wireless router with the default password - and gaining access to their servers. While the government could force an ISP to listen to your traffic for their purposes, a much greater threat to you exists from people who would love to steal your private information and/or money.
Does TLS block the case whereby "government could force an ISP" to hack you? – Pacerier Dec 28 '16 at 14:44
Not directly an answer to your question, but passwords are more often stolen using either a keylogger (software illicitly installed on your PC that records all your keystrokes) or social engineering, such as phishing. (Phishing is sending email that tricks you into logging into a "fake version" of Facebook or whatever, thus revealing your password to the phishers, and then redirecting you to the real one. Most victims don't even realize at first what has happened.)