Why Your ISP Still Knows Where You're Going (Even With HTTPS)
Published on 2026-03-01 15:49 by Frugle Me (Last updated: 2026-03-01 15:49)
You’ve probably seen the little padlock icon in your browser and thought, "Great, I’m invisible." While HTTPS (Hypertext Transfer Protocol Secure) is a massive win for privacy, it isn't a magic invisibility cloak. It encrypts the content of your conversation, but it doesn't hide the identity of who you are talking to.
Think of it like sending a sealed letter through the mail. The post office can't read your letter, but they definitely know whose name and address are on the envelope.
Here is exactly how your network (and your ISP) still tracks your browsing habits.
1. The DNS Request: The "Unsealed" Phonebook
Before your browser can connect to a website, it needs to turn a name (like example.com) into an IP address (like 93.184.216.34). This is handled by the Domain Name System (DNS).
- The Flaw: By default, DNS queries are sent in plain text.
- The Result: Even if the website itself is encrypted, your network sees the initial "shout" to the DNS server asking where the site is located. They log this request, and now they know exactly where you’re headed.
2. SNI: The "Handshake" Before the Privacy
When you arrive at a server that hosts multiple websites, your browser has to tell the server which specific site it wants to see so the server can provide the correct security certificate. This process is called Server Name Indication (SNI).
- The Flaw: The SNI happens at the very start of the connection—before the encrypted "tunnel" is fully built.
- The Result: The hostname of the site you are visiting is sent in the clear. Anyone "sniffing" the network traffic can see the domain name fly by.
3. IP Destination: The Paper Trail
Every packet of data sent over the internet needs a header that contains the source IP (you) and the destination IP (the website). This is part of the core routing of the internet; without it, data wouldn't know where to go.
- The Flaw: While the data inside the packet is encrypted, the Destination IP is always visible to the routers and switches along the path.
- The Result: Since many large websites have their own dedicated IP addresses or ranges, an ISP can easily cross-reference that IP to a known company or service.
What IS Protected by HTTPS?
It's not all bad news. While they know which site you're visiting, they don't know what you're doing there.
| Feature | Visible to Network? |
|---|---|
| The Domain (e.g., amazon.com) | Yes |
| The Full URL (e.g., ://amazon.com) | No |
| Your Password/Login | No |
| The Specific Page Content | No |
| Search Queries | No |
How to Tighten Your Privacy
If you want to hide the "envelope" as well as the "letter," you need to look into these technologies:
- DNS-over-HTTPS (DoH): This encrypts your DNS requests so your ISP can't see your initial "phonebook" lookups. Most modern browsers (Chrome, Firefox) have this in their settings.
- Encrypted Client Hello (ECH): A newer standard designed to fix the SNI "leak" mentioned above by encrypting that initial handshake.
- VPN (Virtual Private Network): A VPN creates an encrypted tunnel for all your traffic (including DNS and IP headers). Your ISP only sees that you are connected to a VPN server, but they have no idea where your data goes after that. That visibility shifts to the VPN provider, which now sees the destinations instead.
Summary
HTTPS protects your secrets, but it doesn't protect your destination. To stay truly private, you need to layer your defenses.