How much information can my ISP see?

Is it possible for my ISP to see the passwords that I enter on websites and in chat programs? And what about SSL websites that start with https, do they encrypt my username and password before reaching the ISP?


Solution 1:

If you start at an https:// address, everything is encrypted between your computer and the remote server, so your ISP can't intercept any of your data*. Your ISP could easily view any non-ssl (http://) connections though.

Note that the firesheep firefox plugin exposed a hole in this mechanism last year. Many websites use https just for your initial login and then switch back to http for the rest of the traffic. In this case your ISP could intercept your traffic after you logged in. Someone else on your local network could also run the firesheep plugin and hijack your session with say facebook and impersonate you.

Most large websites are now transitioning to https all the time to fix this hole. It's not really something you need to worry about on your home network too much, but you should be aware of how this works.

Assuming you're not ignoring certificate warnings, and your computer/browser has not been compromised.

* It can also see the hostname you're requesting from a possibly shared host. Since TLS1.0 the hostname is transmitted in plaintext (SNI)

Solution 2:

I think you might wanna watch the following video from 27th Chaos Communication Congress (CCC):

"How the Internet sees you: demonstrating what activities most ISPs see you doing on the Internet"

  1. Info Page
  2. Video (embed) and mp4 to download
  3. Pdf of the speak

Solution 3:

Philiph is right for "If you start at an https:// address, everything is encrypted between your computer and the remote server" with one caveat: all you know with HTTPS is that everything is encrypted between your computer and somewhere else.

There is a risk that your communications could be tampered with at the ISP using a man in the middle attack — and if you think that that can't happen, see the news about Tunisia which shows what can happen if a malicious agent has access at ISP level.

This can only be avoided if:

  • A user always uses the correct https:// URL.
  • A user does not ignore certificate warnings.
  • The user is 100% sure their computer has not been tampered with.

Otherwise, an ISP could tamper with the connection in a way a non-tech savvy user may not notice.