If I am visiting an https URL, say https://www.youtube.com/watch?v=7HKoqNJtMTQ, what exactly will my ISP see?

Esha Sharma

2 Answers


You can always install Wireshark and see what's going out of your Internet-facing network interface for yourself.

This Stack Overflow post gives you specific details. The destination host you are connecting to will be known, as it's part of the certificate involved in the SSL setup. That's the "www.youtube.com" part of the URL. The rest of the specific URL isn't visible to your ISP, but if you are using your ISP's DNS servers, your ISP will be able to know you at least made a DNS lookup to that site. A DNS lookup cannot be tracked back to a specific URL but keep in mind some sites put different types of content on different servers (such as Bing putting all explicit content on its own domain) and that could implicate you. Use a non-ISP DNS such as OpenDNS if you can.

This is assuming you've verified that the certificate presented by the server is the one you are expecting. SSL proxies (i.e. "man-in-the-middle") are possible but they will substitute a different certificate - which is on you to check for, especially if the substituted certificate is part of the plethora of "trusted root certificates" recognized by most browsers.

LawrenceC
  • Thanks for the reply, could you please explain "but if you are using your ISP's DNS servers, your ISP will be able to know you at least made a DNS lookup to that site." – Esha Sharma Mar 10 '13 at 22:58
  • Each URL requires a DNS lookup to translate the domain name into an IP address, i.e. if you type http://superuser.com into a browser, the browser must translate the "superuser.com" into an IP and it issues a DNS lookup to do that. This causes a small UDP-based query to go to the IPs listed as your DNS server, which may be given to you via DHCP by your provider. So if you want to trust your ISP the least possible you'd want to avoid using your ISP's DNS server. – LawrenceC Mar 10 '13 at 23:15
  • How to know what DNS server my browser looks up? – Esha Sharma Mar 11 '13 at 01:30
  • Also, even if I am using the ISP's DNS server, they will only know the destination host, not the complete URL. Correct? – Esha Sharma Mar 11 '13 at 02:08
  • Your browser uses whatever DNS server your network adapter is set to (Windows) or whatever's in /etc/resolv.conf (Linux and maybe OS X). And yes, they'll only know the destination host not the complete url. – LawrenceC Mar 11 '13 at 02:36
  • It's worth noting that if an ISP did somehow manage to create an ssl certificate for a domain they didn't own, that certificate authority would be dropped by all browsers when/if it comes to light - like in the case of DigiNotar. – Isaac Oct 18 '18 at 09:38
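The following is an added example, not code from either answer or from the linked posts. It uses Python's standard ssl module to produce the ClientHello that a TLS client sends before any encryption is in place and pulls the host name out of its Server Name Indication (SNI) extension; builds and parses the cleartext UDP DNS query for the same name (the lookup LawrenceC describes); and parses an /etc/resolv.conf to answer "which resolver am I using". The TLS record/handshake layout and the RFC 6066 server_name extension are standard, as is the DNS wire format; the resolv.conf text is constructed for the example, and the ISP's resolver is assumed to be a plain unencrypted one as in the answer. In TLS 1.2 the server's certificate is also sent in the clear (the point made in the answer); in TLS 1.3 it is encrypted but the SNI still is not, so the host name is visible either way, while the path and query only ever travel inside the encrypted application data.

```python
"""What an on-path observer (your ISP) can read from one HTTPS visit.

Added example. The ClientHello is generated offline with ssl.MemoryBIO, so
nothing is sent to the network; the DNS packet and resolv.conf are built here.
"""
import ipaddress
import ssl
import struct
from urllib.parse import urlsplit

URL = "https://www.youtube.com/watch?v=7HKoqNJtMTQ"  # URL from the question

# Constructed resolv.conf, not read from this machine. 208.67.222.222 is the
# OpenDNS resolver mentioned in the answer; 192.168.1.1 stands for a home router.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 208.67.222.222
"""


def client_hello_for(host: str) -> bytes:
    """Return the exact ClientHello bytes this machine's TLS stack would send."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=host)
    try:
        tls.do_handshake()  # no server answers, so it stops right after ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def sni_from_client_hello(data: bytes):
    """Walk TLS record -> handshake -> extensions and return the SNI host name."""
    # Record header: type(1) version(2) length(2); 0x16 = handshake.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:  # handshake type 1 = ClientHello, then 3-byte length
        return None
    pos = 4
    pos += 2 + 32                                         # client_version + random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0:  # server_name (RFC 6066): list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
    return None


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """UDP payload of an A-record query, exactly as it reaches the resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN


def qname_from_dns_query(packet: bytes) -> str:
    """Read the queried name back out of the cleartext packet (no DNSSEC/DoH here)."""
    labels, pos = [], 12
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def resolvers(resolv_conf_text: str) -> list:
    """(address, is_private) per nameserver line. A private address is usually
    the home router, which in turn forwards queries to the ISP's resolver."""
    out = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append((fields[1], ipaddress.ip_address(fields[1]).is_private))
    return out


def observer_view(url: str) -> dict:
    """Summarise what is on the wire for one HTTPS URL."""
    parts = urlsplit(url)
    host = parts.hostname
    return {
        "dns_query_name": qname_from_dns_query(build_dns_query(host)),
        "tls_sni": sni_from_client_hello(client_hello_for(host)),
        "encrypted_only": parts.path + ("?" + parts.query if parts.query else ""),
    }


if __name__ == "__main__":
    for key, value in observer_view(URL).items():
        print(f"{key:16} {value}")
    for addr, private in resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {addr} ({'private, likely forwards to ISP' if private else 'public'})")
```

Run it with Wireshark open on the loopback or uplink interface and the same strings show up in the DNS and TLS dissectors; the path and query string are nowhere in either packet.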

wildcard attack

If the ssl certificate of the destination site is compromised, e.g. by a wildcard certificate owned by a 3rd party, the confidentiality can be compromised on the way to the destination side. (e.g. see this article)

company use case

If your ISP is your company, all your traffic may become visible for the company.

Think about a setup where an additional root certificate owned by the company is deployed to the browser key store. Using this certificate, the attack described is easily possible.

In this case an SSL-enabled reverse proxy like squid can be used to crack up your encrypted connection.
This is, under some circumstances, a valid setup, because it also allows the use of security systems (e.g. a malware scanner) for SSL-encrypted traffic.
The use of such a setup depends on the legal restrictions in the specific country. In Germany the "Betriebsrat" (employees' representatives) have to acknowledge this.