• fl42v@lemmy.ml
    link
    fedilink
    arrow-up
    21
    ·
    9 months ago

    Technically incorrect unless you use http for some weird reason. The ISP can see the domain only, and (afaiu) not even that if encrypted client hello is used. At least kinda: they still see the IP which is not always unique.

    • Papamousse@beehaw.org
      link
      fedilink
      arrow-up
      8
      ·
      9 months ago

      Yes, this is why you should use DNS over TLS. My router signal to every DHCP client that it is the DNS resolver, and internally use DoT/dnssec to query IPs. It also intercepts every request on DNS port in case of some DNS are hard-coded on some devices.

      • FreeFacts@sopuli.xyz
        link
        fedilink
        arrow-up
        3
        ·
        9 months ago

        DNS over TLS won’t save you thanks to SNI. As there is a huge shortage of IPV4 addresses, same IP addresses serve multiple hostnames, and to provide a working encryption, TLS handshake includes the requested hostname in plain text so that SNI can be used to determine which certificate should be used. That plaintext hostname is something your ISP can easily log.

        Rule of thumb is, Https does not provide anonymity, only encryption.

    • yeehaw@lemmy.ca
      link
      fedilink
      arrow-up
      6
      ·
      9 months ago

      But the IP can also sometimes be meaningless if there are proxies or vhosts used.