How does an ISP see HTTPS traffic? [duplicate]

If I am visiting an HTTPS URL, say https://www.youtube.com/watch?v=7HKoqNJtMTQ, what exactly will my ISP see?


Solution 1:

You can always install Wireshark and see what's going out of your Internet-facing network interface for yourself.

This Stack Overflow post gives you specific details. The destination host you are connecting to will be known, as it's part of the certificate involved in the SSL setup. That's the "www.youtube.com" part of the URL. The rest of the specific URL isn't visible to your ISP, but if you are using your ISP's DNS servers, your ISP will be able to know you at least made a DNS lookup to that site. A DNS lookup cannot be tracked back to a specific URL but keep in mind some sites put different types of content on different servers (such as Bing putting all explicit content on its own domain) and that could implicate you. Use a non-ISP DNS such as OpenDNS if you can.

This is assuming you've verified that the certificate presented by the server is the one you are expecting. SSL proxies (i.e. "man-in-the-middle") are possible but they will substitute a different certificate - which is on you to check for, especially if the substituted certificate is part of the plethora of "trusted root certificates" recognized by most browsers.

Solution 2:

wildcard attack

If the SSL certificate of the destination site is compromised, e.g. by a wildcard certificate owned by a 3rd party, the confidentiality can be compromised on the way to the destination side. (e.g. see this article)

company use case

If your ISP is your company, all your traffic may become visible to the company.

Think about a setup where an additional root certificate owned by the company is deployed to the browser key store. Using this certificate, the attack described is easily possible.

In this case an SSL-enabled reverse proxy like Squid can be used to crack open your encrypted connection.
This is under some circumstances a valid setup, because it allows the use of security systems (e.g. a malware scanner) for SSL-encrypted traffic as well.
The use of such a setup depends on legal restrictions in the specific country. In Germany the "Betriebsrat" (employees' representatives) have to acknowledge this.