The ISP can see every domain, but not every page. That’s what HTTPS everywhere was all about.
And hopefully in the future they won’t even he able to see the domain. I wonder why they never considered giving out certificates for IPs to solve this problem. Seemed like the easiest solution to me.
They need the IP address to know where to forward the packet to. Hard to avoid that without VPN or TOR.
There was a demo for a technology put out recently that circumvents this. I don’t remember the exact mechanisms, but it obscured DNS such that your ISP couldn’t see the DNS record you requested, and then used a proxy to route traffic before it hit the final endpoint eliminating exposing the IP to your ISP. It worked very similar to a VPN, but without the encrypted connection, and had some speed focused optimizations including the proxy being proximate to your ISP. It was pretty interesting.
It doesn’t really help. The ISP needs to route you somewhere to get the data, so they’ll need to know who you want to talk to. Even if they don’t see the DNS name (like if you used a third party DNS server) they can still associate the IP address with someone.
There’s things like TOR and VPNs that can route your information through other third parties first, but that impacts performance pretty significantly.
Depending on where you’re going even IP addresses are getting to the point that they aren’t helpful. IP addresses are likely to belong to a cloud provider, and unless they are hosting email or a service that requires a reverse record, all you’d get is the cloud provider’s information.
Yeah, but often enough multiple sites share a single IP. It would already be better if the ISP (and everyone in between) didn’t know whether I wanted pink-fluffy-unicorns.com or hardcore-midget-bdsm.com.
SNI says no.
ECH/ESNI says yes
They can see the entire URL, not just the domain. They just can’t see the contents themselves. But they can still see “dudesfuckingfurniture.com/gettingfreakywithadresser.mpeg”
It’s actually more secure than that.
https://blog.mozilla.org/en/products/firefox/https-protect/
They’d see the URL, but not the specific page.
They’d also theoretically see the size of the URL, and the size of the page, along with the transport type. So they can infer a lot of information from the exchange, but they couldn’t say for sure what you were viewing on a specific website.
I’m not sure if that’s a real website. I’m not checking.
Narrator : Vej definitely did in fact check.
As always on the Internet, rule 34 applies.
When it comes to HTTPS, this is just plain wrong on a technical level.
The example link doesn’t work :'(
I was ready to go down a rabbit hole there
Are you sure? The file path after the domain would not be necessary for an ISP to see, only the domain. I’m not sure how all that works, but it’s definitely not a technical requirement thay they can see the complete URL.
After more research, you might be right. I could have sworn I saw full URLs in my router logs on encrypted sites though. I’ll have to check again.
Encrypted DNS anyone? (NextDNS for example)
That solves a completely different problem. The ISP can still see who you requested data from.
That’s more about security around retrieving the correct IP address from a DNS query, and doesn’t do that much for privacy.
DoT also encrypts the request, so the ISP cannot spy on the Domain Name you have requested.
And thanks to Https the ISP only sees the IP address which cannot in every case be resolved to a unique Domain, especially large sites that are hosted on service providers like Cloudflare, amazon etc etc
But what’s not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you’re trying to reach at that IP, before establishing the TLS connection, contains the domain you’d requested via DoH/DoT, in plaintext.
encrypted SNI is a thing now.
True. Known as Encrypted Client Hello now, as part of TLS1.3.
It seems many more browsers support it than last I’d looked. I’m curious to see how much of the general web has adopted support for it onnthe server side. I’ll have to look into that more, and see what it’ll take to setup for self-hosting.
https://www.cloudflare.com/learning/dns/dns-over-tls/
If I understand it correctly DoH (which I use with NextDNS) should prevent ISP from snooping.
The fact anyone ever thought this was for any reason other than making it easier to hide your porn browsing history from your mom is just silly.
That and" stalking" people on LinkedIn
This and avoiding that pages, which you don’t use daily, fill your HD and browser with all kind of crap you don’t need and want.
I use it to browse products and content that I dont want in my ad profiles. Like, sometimes I’d like to take a look at what my resident right wing nut case posted, but without having the ad brokers think that I need an AR15 and a Trump bible.
Also it’s for loading web pages that don’t behave well otherwise
That’s pretty much all I use it for. To keep my porn browsing off of my history.
Not to hide it from anyone, I don’t live with my mother anymore and I don’t think my SO would care. More so that when I google something, I don’t get porn auto complete entries in my everyday browsing.
I’m fully aware that my traffic is able to be monitored by my ISP (at least to the extent that there’s a connection that exists. HTTPS is still not capable of being easily decrypted), and my DNS is resolving the address for the porn sites, and that Google (or whatever search engine) is logging that the search happened… Or that the sites see my connection, from my IP, and know what I watched.
My only objective is that they can’t link that to my normal browsing or accounts.
You know all those “share on”… Twitter/Facebook/whatever links? When they load, from Facebook, it asks the referer URL, and checks the browser for any cookies that might associate that browsing to a person for ad customization. Incognito isolates that information, so while Facebook/X(Twitter)/whoever may know that someone went to that URL, they have no cookie data to link it to a person uniquely, so they have information that the site was visited, but no idea who visited the site since any session cookies I have for those services are in my non-incognito browser.
You know all those “share on”… Twitter/Facebook/whatever links? When they load, from Facebook, it asks the referer URL, and checks the browser for any cookies that might associate that browsing to a person for ad customization. Incognito isolates that information, so while Facebook/X(Twitter)/whoever may know that someone went to that URL, they have no cookie data to link it to a person uniquely, so they have information that the site was visited, but no idea who visited the site since any session cookies I have for those services are in my non-incognito browser.
I mean, this is a little outdated by today’s practices. Any ad tracker worth their salt will be using browser fingerprinting as well.
Imagine this scenario: You have a user with a specific browser, with specific extensions installed, (which you can derive from the fact that your ads are getting blocked by a specific ad blocker, they have the “Do Not Track” flag enabled, you have a nice monitor with a large aspect ratio and you’re browsing in full screen so the site can see that aspect ratio, etc…) from a specific IP address. In normal browsing, this user has a tracking cookie so your “share on Facebook” buttons can see what sites they’re visiting.
But now you’re seeing an identical browser, with identical extensions, on an identical IP address. But this time it doesn’t have your tracking cookie. Sure, there’s the chance that two people are using identical settings. But as your extension list grows and your browser becomes more unique, your fingerprint becomes more easily identifiable. So now, even without that tracking cookie, they’re able to use that fingerprint to infer that you’re the same person and link your incognito browsing back to your regular browsing.
The one word more people need to know about: threatmodel
incognito browsing has been proven to not be as private as it seems.
Its true for every browser except Tor.
I think Firefox uses DoH by default in certain places
Hey there, I have been lately trying to better understand how privacy/my network work lately. I’m kind of right at that line where the next barrier gets pretty technical. I think I have a decent understanding of DoH, but I know it has quite click for me yet. How would you describe it? (I’m assuming that is an acronym for DNS over HTTP?)
Yes, or more precisely it’s DNS over HTTPS.
The S at the end stand for Secure, but technically it means that it is HTTP inside TLS. TLS encrypts the traffic, and verifies server responses to be authentic.
HTTP and HTTPS are most often used by websites, but there are many more common uses of it.When a program - like firefox - uses DoH to resolve domain names (that is, find their corresponding IP address, they can have multiple), then instead of asking the DNS server that was configured in the operating system (often automatically set by your router’s “advisory”, though DHCP) through a clear text channel that is prone to inspection and manipulation, instead of that it asks a DNS server that communicates over HTTPS, just like webservers do.
By doing this, domain name lookups have the protection of TLS, and they look like as if you have just visited a website. It’s harder* to find out which server was that request sent to, what was the purpose of that request, and since the content of the request is encrypted, and the response is encrypted and signed just as when visiting a website, it’s harder to see as an outside observer what was being done, including what website’s IP did you look up, and it’s harder for them to modify this response.DoH servers to be used may be set up with an IP address if that is fix and never changes, or through a domain name. If you only have the domain name of a DoH server, then you can’t contact that yet, first you have to look up it’s IP address using either an other DoH server who’s address is fix or the current one is known, or with a plain DNS server.
This is really helpful thank you. Definitely somewhere between “I kind of get it” and “I understand some of these words,” but I think with a little term research and some pondering this will click better. Appreciate your taking the time to break it down!
At a minimum this meme maker has no idea how TLS, browsers, cookies, or DNS work.
TLS doesn’t encrypt the host name of the urls you are visiting and DNS traffic is insanely easy to sniff even if you aren’t using your ISPs service.
Yeah, my point exactly.
Um, if you use their DNS they do. Some ISPs force that in fact.
How can the ISP force their dns? They can’t know where you got the destination ip from.
They could technically just drop and traffic over port 53 that is not destined to their own DNS servers. But that’s china level shit. I’ve never seen an ISP control this in North America.
That is where DNS over TLS and DNS over HTTPS come in. 🙂
Yes of course.
They can also redirect that traffic to their own DNS servers, so you think you are using 3rd party DNS, when you are actually still using theirs. This became legal when the Trump administration got rid of net neutrality legislation.
OpenDNS has an article on how to test if your ISP is doing it. https://support.opendns.com/hc/en-us/articles/227988727-How-can-I-tell-if-my-ISP-Allows-Third-Party-DNS-Providers
No, a lot will default to that, but they can’t force you to use any particular dns server. I mean they can, buts a fcc violation at that point I believe
It became legal when the Trump administration got rid of net neutrality legislation.
This is why it is so important to get it back, but the current administration is dragging their feet.
…no, it didn’t. IPs can’t just block access to specific dns servers Willy nilly. They can slow down specific dns servers of their choice but there’s literally no incentive to do so. Your individual dns traffic isn’t that important I promise.
They do worse than block it, the redirect it to their own servers.
And the data is worth it at volume. They have hundreds of thousands of users, along with the region they are in, as well as data on what websites they visit.
Advertisers have and continue to pay for that data.
Never had an ISP firewall my DNS. Not sure what country you live in, but it sounds like China at that rate.
It’s usually ISP specific.
Some ISPs in the USA and Germany have been doing it. This is why DNS over HTTPs exists to bypass those blocks.
I always thought they exist because privacy. Regular old DNS requests are not encrypted so even if you send a request to 9.9.9.9 your ISP can still see it.
Assuming you’re using https, your ISP cannot see what pages you visit. It can only see what website you access (IP address).
The typical default configuration has the ISP providing DNS services (and even if you use an external DNS provider, the default configuration there is that the DNS traffic itself isn’t encrypted from the ISP’s ability to analyze).
So even if you visit a site that is hosted on some big service, where the IP address might not reveal what you’re looking at (like visiting a site hosted or cached by Cloudflare or AWS), the DNS lookup might at least reveal the domain you’re visiting.
Still, the domain itself doesn’t reveal the URL that follows the domain.
So if you do a Google search for “weird sexual fetishes,” that might cause you to visit the URL:
https://www.google.com/search?q=weird+sexual+fetishes
Your ISP can see that you visited the
www.google.com
domain, but can’t see what search you actually performed.There are different tricks and tips for keeping certain things private from certain observers, so splitting up the actual ISP from the DNS resolver from the website itself might be helpful and scattering pieces of information, but some of those pieces of information will inevitably have to be shared with someone.
If you use DNS of TLS. Otherwise, they can see you resolve those addresses.
Even that isn’t enough, because of the SNI, right? One would need to also use encrypted SNI.
Only in Chrome? In every browser using private mode, private mode only delete the local storage (wbSQL, Serviceworkers, cookies, cache, etc), no other things, it hide nothing, for webpages which log you (or the search engine you use, AI and some other extensions which you use in "private"mode) it’s irrelevant if you use private or normal mode. It’s a very frecuent missconcept to believe that the private mode is the same as anonym browsing, simple extensions, like Cookie Autodelete or SiteBleacher do exactly the same as browsing in private mode, but with the feature that you can partial or full whitelist the pages where private mode isn’t needed.
More or less Private only if you use VPN, SPN, MPR, Snowflake or at least a proxie.
I only mentioned chrome due to the recent shenanigans with their “incognito mode”.
Well, all browser have incognito or private mode, it’s nothing special. Vivaldi in this moment has released in the last snapshot an inbuild MPR in test, this will be a real private incognito mode.
Also VPNs see everything you do, but please, again, enlighten me how paying some OTHER corporation somehow better protects me from corporations?
A VPN isn’t magically solving all privacy and security issues. Personally, I would trust Mullvad, Proton and IVPN with my data over my ISP. They’ve been audited, and they’ve been put to test multiple times, and not been able to give away data. But it all really boils down to personal needs, and each to their own on that. If you don’t want a VPN, then don’t buy into one.
Set https everywhere. Use secure DNS servers. Install TOR along with all that. Tell me how your VPN provider can “see everything you do” with many layers of encryption, decentralization, and propagation of your data?
different vpns will have different use cases.
some people just want to bypass geolocked content, this only requires having a vpn in whatever region you want content in.
those who only care about piracy and avoiding dmca claims, they need a VPN who do not keep logs. or is hosted in a country that does not respond to DMCA requests
those who need a VPN for privacy reasons, theres tiers of it. basically some people will refuse to use VPNs hosted in Five Eyes/Nine Eyes countries as the government would likely know your actions. some people dont care of government knows, others do.
It protects you only if you have chosen the right VPN provider.
Of course if you choose some random VPN that was advertised in a youtube video that may as well be a downgrade depending on what your ISP does with your data already.
But if you choose a honest VPN provider, who’s values aligns with yours, and does not share (neither collect) any data on your usage and traffic, then that can easily be better.Also keep in mind that ISP’s often operate knowing that they are the only provider in the area. Or the only usable one, or that the others aren’t better either. There’s no competition, and they make use of the fact that they can do whatever they want that is legal (a lot of things is), because the user can’t just switch to another that does not do it.
However, there’s a competition between VPNs. Unfortunately most of that competition is driven by lies, but fortunately not all of it is.
Replace ISP with VPN, if you use them.
So you think people should assume they have absolute privacy because of the word “incognito”?
The joke says the opposite. He’s not hidden at all.
The joke is making fun of anyone who does assume incognito mode is hiding anything from third parties.
All the Chrome bashing around this issue is pathetic. Every major browser has the same feature and none that I know of give it a name that makes the purpose any more clear. It’s obvious a lot of people have an irrational hatred of Chrome and don’t understand the actual issues involved.
Everytime this is reposted in a new template I remind everyone that no one is using incognito mode to hide from their ISP they are using it to hide from their spouse or partner.
I’m not even hiding it in the sense that I’m being sneaky. My spouse just rather not see it in the suggestions!
No doubt. Whoever’s making these memes obviously wasn’t around when Incognito/Private browsing was introduced. It was never advertised as hiding anything from your ISP.
Eh, or they just don’t want a forever history stored on their own computer any more than they want it stored on someone else’s computer.
…and so that typing in a url doesn’t automatically auto fill with a site you’d rather not let anyone else see.
That’s an option you can disable, no need for incognito
Yes, but I want auto fill turned on for some websites because they go straight to the section that I want instead of navigating through the site every time.
Beyond that it’s legitimately useful for logging into a second account on a site or for various testing purposes as a web developer. Though if you’re consistently using it for the former, containers are a better solution.
Also useful for testing links that might only work if signed in.
For instance, if I share a link to a OneDrive file, will it force the receiver to sign up with Microsoft before they can view the file.
Absolutely! I do that all the time.
i use private windows mainly so i don’t clutter up browser histories with useless stuff i won’t go back to (if i do run across something to save, it gets bookmarked or printed to pdf).
Yeah thats why I use Firefox Focus on mobile. It has no feature to save history. I use normal Firefox in case I want to save history or login permanently
My wife knows I watch porn occasionally. I don’t need the obvious URL’s popping up whenever I start typing. I’m just one fat finger away from a bad mistake and subsequent loud sounds on my studio speakers when anyone could be around if I don’t do that.
It’s best to keep that stuff separated out to spare yourself some incredibly avoidable embarrassing moments.
Not even to hide anything from anyone, but to not have porn pop up in suggestions when casually browsing internet.
I do this on both phone and computer, that my wife doesn’t even know password to (or care about)
I also use private mode for searching things that I myself would be appalled to find in my own search history.
Or occasionally just when I’m looking up something stupid and don’t want to see advertisements for the next two weeks for it.
That’s pretty advanced usage - hiding stuff from yourself.
Never underestimate the depths of my shame.
I produce a podcast that gets us into some twisted corners of the internet. Especially when I fact check things for the other hosts. Mullvad + proton VPN always up, no question.
I mainly use it for random things that I don’t want to influence my recommendations, like clickbait YouTube videos.
also good for temporarily logging in to an account on a service without logging out of your regular one on main
Literally my usecase for it. Quickly test the browser if it’s an issue related zo my account or not.
I do this but whenever i have to quickly use someone else’s computer
me too, it doesn’t disturb the owner’s account and you don’t have to worry about whether you logged out afterwards.
I mainly use it so my wife doesn’t see the stupid crap I look up
It’s for wanking. That’s it. It only ever goes to pornhub
no there is also a second use. to search answers for questins you’re too embarassed about
There is nothing embarrassing about learning something new.
I’m in my thirties, single for years and occasionally make sexual jokes. People know I fap. Everyone faps (huh, could be the title for an educational children’s book…), I don’t hide my browser history. Other question is who from? I live alone.
I use it for Xmas shopping and for when I don’t want a site to auto login with any of my sessions.
Firefox containers
Put all your accounts in different containers and just open the page outside of them (also great for multilogging and not being cookie tracked)
That’s great for sites you visit routinely but way more hassle than it’s worth for one-off visits.
You can have a container for one offs though I don’t think you are worried about them auto logging in
I do this as well for work stuff. Multiple tenants and customers. It’s great.
Because different accounts are not possible on every OS, right?
Browser profiles serve very different needs from OS level accounts.
Yes, they do. I use 4 different browser profiles for various things. But everyone who uses my computer while I cannot control what they do, gets their own user account or can use a guest account.
My brother in Christ, you are literally giving an example of how browser profiles and OS accounts solve different problems.
I use private mode for a whole bunch of stuff, visiting shopping sites i dont want coming up in targeted ads, watching youtube videos that are out of my usual jam and not wanting to get endless suggestions for crap im not into because i wanted to see a plumbing repair how-to or listen to a song wildly out of my usual genres because i was in the mood.
I always thought private browsing was just so all the porn content doesn’t stay in search history’s and the address bar doesn’t auto fill fatasshonkeybabes.com if my grandmother sits down to look at her Facebooks.
That is exactly what it is.
And it was always clearly stated as such. It’s absurd that anyone was upset by this. I have yet to find a single user on here who did not properly understand what it was for, or at least none willing admit to being that dumb.
Everybody knows the deal. We just like to keep joking about it, as we see above in the OP meme.
You’ve yet to find a user on here, Lemmy, an obscure obfuscates fediverse that is mostly a refuge for very technical people unhappy on Reddit.
I haven’t even found a user that didn’t have a very personal opinion on Linux.
Now try to say the same thing about Facebook.
I’ve never used Linux and don’t even understand it so that last part’s not quite true anymore.
I saw a lot of normal people who just didnt want reddit anymore. So here are a lot of non tech savy people too without even knowinng Linux.
I saw a lot of normal people who just didnt want reddit anymore. So here are a lot of non tech savy people too without even knowinng Linux.
Very non tech savvy person here, that is just a normie reddit refugee. I know what Linux is, but have never really worked with it. Don’t have an opinion about it. I recently installed a pi hole in my home network by following step by step instructions. That’s the most techy stuff I ever did in my life and I would have never dared to try it, if I hadn’t read a comment on lemmy that linked an easy introduction into working with raspberry pis.
Have you tried because of lemmy? Or was it something you flirted with before. Because your post do scream im secretly a technical person
Most non-technical person would think a pi-hole is probably another word for whatever the fuck a Bussy is.
Can a fellow non tech savvy person get that link please?
Why are you hogging all the hot singles in your area to yourself? Sharing is caring!
Private browsing in Google Chrome will not store your browsing data locally into your computer; but Google will still keep that data in their own records.
Use Mullvad, iVPN or Proton and they really won’t see what you’re doing
with Mullvad and iVPN, be sure to use the quantum encryption. And to help obscure your traffic with proton, be sure to use a proxy that has around 50% to 60% usage. That way anyone who tries to use a quantum computer to break the encryption on a proton VPN proxy is going to see everyone else’s traffic using that proxy as well as you. There would be a lot of shit to go through even if they use a quantum computer.
So your threat model assumes an actor with a quantum computer capable of breaking RSA, but not a regular computer capable of filtering by IP address?
filtering by IP address how?
the IP address of your modem? Well your ISP will easily be able to tell whether or not you’re using a VPN. And I guess at that level if someone used a quantum computer on your modem’s connection from the modem to the proxy, then yeah, they’d probably be able to evesdrop as long as they have access to the lines from your house to the hub of your local ISP and the VPN you’re using doesn’t have quantum-safe encryption.
If you’re in a position where you’d need to worry about a corporation or government using a quantum computer to get into your shit you’ve got bigger problems.
From what I understand, it requires a fuck-ton of electricity to run a quantum PC and they’d need to use even more electricity on top of that to keep it cool in a refrigerated room at sub-zero temperatures.
But that’s only what all the tech-companies making them are currently saying. There’s probably more advanced stuff that they’re keeping secret. We’ll never know until another whistleblower sacrifices their entire life to tell the world about it.
A VPN is only a single end point just like your ISP meaning you are only shifting the problem to your VPN provider who admittedly is more trustworthy than your ISP but you are still putting an immense amount of trust into a single point of failure.
If you truly want to hide from your ISP or really anyone, your only options are to use TOR or I2P where your traffic is encrypted and tumbled through multiple servers.