Modern HTTPS connections send the URL you are connecting to in the initial hello, so the remote webserver knows what security certificate to use when you connect. A lot of web servers host multiple sites, especially for smaller webpages, and so it doesn’t assume that since you connected to that specific webserver, that you’re connecting to the site that the webserver is hosting, even if it’s only hosting a single site.
This can leak the data to anyone sniffing the traffic.
You can also determine some traffic by IP address, this is for larger web services like Facebook, youtube and other sites of similar size. They load balance groups of IPs for their traffic, all are serving the same data. So if you connect to an IP that’s owned by Facebook, for example, then your actions can be easily derived.
Since the connection is still secured by TLS, the content can’t be deciphered, but the location you are going to absolutely can.
The ISP will always know the IP you’re connecting to. Encrypted DNS might get you slightly more privacy for sites using shared IPs like with Cloudflare. But in a lot of cases, there’s only 1 website per IP, so the ISP still knows where you’re browsing. A VPN solves this by routing all traffic through the VPNs IP first. But you can still be tracked just the same by the VPN and to an extent, the VPNs ISP.
DoH & DoT still leak the domain name (and of course IP address) you’re connecting to. The domain name leak can be solved by Encrypted Client Hello but that’s still a draft and not turned on for many servers.
What about DoH/DoT which comes enabled by default in some browsers I believe? This should “hide” your activity from isp/router as well, shouldn’t it?
Yes and no.
Modern HTTPS connections send the URL you are connecting to in the initial hello, so the remote webserver knows what security certificate to use when you connect. A lot of web servers host multiple sites, especially for smaller webpages, and so it doesn’t assume that since you connected to that specific webserver, that you’re connecting to the site that the webserver is hosting, even if it’s only hosting a single site.
This can leak the data to anyone sniffing the traffic.
You can also determine some traffic by IP address, this is for larger web services like Facebook, youtube and other sites of similar size. They load balance groups of IPs for their traffic, all are serving the same data. So if you connect to an IP that’s owned by Facebook, for example, then your actions can be easily derived.
Since the connection is still secured by TLS, the content can’t be deciphered, but the location you are going to absolutely can.
It really depends on a lot of factors.
Ok, thank you and all the others for explanation.
The ISP will always know the IP you’re connecting to. Encrypted DNS might get you slightly more privacy for sites using shared IPs like with Cloudflare. But in a lot of cases, there’s only 1 website per IP, so the ISP still knows where you’re browsing. A VPN solves this by routing all traffic through the VPNs IP first. But you can still be tracked just the same by the VPN and to an extent, the VPNs ISP.
DoH & DoT still leak the domain name (and of course IP address) you’re connecting to. The domain name leak can be solved by Encrypted Client Hello but that’s still a draft and not turned on for many servers.