• mipadaitu@lemmy.world
    link
    fedilink
    English
    arrow-up
    89
    arrow-down
    1
    ·
    7 个月前

    The ISP can see every domain, but not every page. That’s what HTTPS everywhere was all about.

    • Björn Tantau@swg-empire.de
      link
      fedilink
      arrow-up
      15
      ·
      7 个月前

      And hopefully in the future they won’t even he able to see the domain. I wonder why they never considered giving out certificates for IPs to solve this problem. Seemed like the easiest solution to me.

        • JDubbleu@programming.dev
          link
          fedilink
          arrow-up
          2
          ·
          7 个月前

          There was a demo for a technology put out recently that circumvents this. I don’t remember the exact mechanisms, but it obscured DNS such that your ISP couldn’t see the DNS record you requested, and then used a proxy to route traffic before it hit the final endpoint eliminating exposing the IP to your ISP. It worked very similar to a VPN, but without the encrypted connection, and had some speed focused optimizations including the proxy being proximate to your ISP. It was pretty interesting.

      • mipadaitu@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        7 个月前

        It doesn’t really help. The ISP needs to route you somewhere to get the data, so they’ll need to know who you want to talk to. Even if they don’t see the DNS name (like if you used a third party DNS server) they can still associate the IP address with someone.

        There’s things like TOR and VPNs that can route your information through other third parties first, but that impacts performance pretty significantly.

        • CosmicTurtle0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          7 个月前

          Depending on where you’re going even IP addresses are getting to the point that they aren’t helpful. IP addresses are likely to belong to a cloud provider, and unless they are hosting email or a service that requires a reverse record, all you’d get is the cloud provider’s information.

      • theneverfox@pawb.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 个月前

        How does that help? You can tell any computer it’s Google.com or IP 8.8.8.8. you can tell your device that the other computer is correct, and middle man yourself

        Except, we have one key to rule them all, one key to bind them. There’s literally a group of people who split the root key among themselves, and scattered it across the world (when they went home). They get together ever year or two, and on a blessed air-gapped computer, unite the key to sign the top level domains again. Those domains sign intermediate domains, and down the chain they sell and sign domains.

        If any of these root domains fall to evil, these brave guardians can speed walk to the nearest airport and establish a new order

        (I think we actually just started installing all the root and some trusted intermediate domains on every device directly, so I’m not sure if they still bother, but it’s a better story)

        The solution you’re looking for is DNSS, where we encrypt the DNS request too so they can’t see any of the url. Granted, they can still look at you destination and usually put the pieces together, but it’s still a good idea

        Ultimately, packets have to get routed, all we can do is do our best to make sure no one can see enough of the picture to matter. There’s more exotic solutions that crank that up to 11, but the trade offs are pretty extreme