The GOP’s craven selling-out of user privacy to ISPs has me wondering, just how private is the modern web?
Only sort of private. HTTPS Everywhere is working; at this point I’m surprised if a site doesn’t support SSL. So the contents of web requests and replies are encrypted. Of course the IP address of the server you’re talking to is not protected. But the hostname is also in cleartext: your ISP can see that you are specifically visiting eff.org or nelsonslog.wordpress.com. This is true both in HTTP/1.1 and HTTP/2.0.
Really the hostname is being exposed by SSL/TLS itself, in the Server Name Indication. The SNI is the way a single server can serve multiple web domains; it’s virtual hosting for SSL. The client initiates a connection and sends in cleartext “I’m trying to talk to eff.org”. The server responds by negotiating a connection using eff.org’s certificate. (The hostname may also appear in the request as a Host header, but I believe that’s encrypted.)
Why not encrypt the hostname in SNI? Who do you encrypt it for? SSL is as much about verifying server identity as it is encrypting the traffic, so the protocol starts with the client asking for a specific identity to set up the encryption. I think the hostname could be encrypted in the handshake with a second encryption channel, but I haven’t thought hard about it. And I have no idea how hard it would be to implement in practice, much less get adopted.
Note that HTTP/2.0 doesn’t do anything new about hostnames; it just uses TLS 1.2. The HTTP/2.0 spec mandates SNI support and that the client use it to specify the destination host.
Outside HTTP, your DNS hostname queries are also being sent in plaintext. So your ISP could snoop (or hijack) those. Thanks to Tom Jennings for pointing this out to me. In theory DNSSEC or DNSCrypt or something like Dingo could protect against this; maybe now’s the time to get serious about deployment.
While I’m here, a lot of discussion yesterday was along the lines of “well time to use a VPN”. But VPNs don’t really solve the problem and introduce lots of new problems on their own. I only like them when you’re in a hotel with a shitty network or you need a specific private intranet connection.
It’s really a shame IPsec failed.