Secure VPN use with ISP provider

I have the following question:

If I use a VPN, in this case ProtonVPN, can my ISP provider see the content of the web pages I visit and all my internet activity or can they see any activity I do?

Thanks in advance for the answers

The ISP can’t see the web pages’ contents with or without a VPN connection.

ISP will only see that you’re doing encrypted traffic to the VPN server.

Make sure your DNS traffic either goes to the VPN’s DNS inside the tunnel, or you’re using an encrypted DNS.

With or without a VPN, as long as you are using HTTPS, your ISP can’t see the actual content, but they can see the domain and IP address you are visiting.

E.g. they can see you connected to google.com and the IP address google.com resolves to.

If you are using encrypted DNS they can still see the domain name from SNI unless both the site and your browser support encrypted SNI.

With a VPN, unless you are leaking data, they can only see your connection to the VPN provider.

^This. Watch this very well-made video by Tom Scott about VPNs before deciding if you need a VPN.

Your ISP can see everything you send. In some cases (e.g. HTTPS) they see an encrypted data stream to a particular server, such that they do not know what was said but do know between which parties (the so-called metadata). Even then HTTPS is not necessarily enough because e.g. Google might have some servers hosted by your ISP to give you faster results. Obviously the encryption is useless in that case.

HTTPS can 100% be snooped on

While I love Tom Scott, what he didn’t tell you is that, even in the UK, ISPs have to log every site you visit, and every communication you send (from whom, to whom, and when). This information is kept on file, and made available without warrant to a shockingly long list of everyone from the government and security services, to HMRC and the NHS, Fire Service and police, to the Food Standards Agency and the Gambling Commission.

Really?! The UK has the worst mass surveillance in the ‘developed’ world, competing even with the likes of China and NK. Even without the ‘content’ of your data (i.e. what you read or did on individual websites, the content of your messages), the metadata is extremely valuable and can be used against you in all sorts of ways. Ask Ed Snowden.

No, encrypt all the things. GPG for email, Signal for IM, DoT for DNS (DoH can be used to fingerprint you), and WireGuard for your Internet traffic. Layer your security, especially on mobile phones where the OS will bypass a VPN for its own purposes, leaking DNS in the process. A DNS profile installed in addition to the VPN will catch those.

Using a VPN would also be useless in that case (for anyone wondering).

You’re right, IF you are talking about when a client has installed a TLS certificate for a firewall like WatchGuard, which then uses the firewall’s TLS certificate for all HTTPS traffic instead of the destination website’s actual certificate.

This allows the firewall to decrypt the HTTPS traffic and inspect it. Don’t have the firewall’s TLS cert installed? Then the firewall isn’t decrypting that HTTPS traffic.

But what you are implying, that HTTPS can just be snooped on “100%” is completely incorrect.

Yes, there are actually two things to consider here:

  1. When using a VPN, the VPN hoster sees all the traffic going through it and is in a similar position as the ISP without VPN
  2. Google requests can always go through a caching server. If that caching server is not hosted by the VPN provider there’s at least some separation of information: the VPN provider possibly knows your identity but can not tie it to the search terms (because it does not have access to the caching server).

So you mean an ISP that controls your firewall has 0 ability to install their own certs… this happens in every school and enterprise network, I promise, and you don’t even notice.

So you mean an ISP that controls your firewall has 0 ability to install their own certs…

The ISP’s control over a firewall on your ISP provided router is irrelevant. In order for them to decrypt your HTTPS connections you would have to install their certificate to the trusted root certificates on each of your devices…

Your ISP is not installing their own certificate on your devices and decrypting your HTTPS traffic…

This happens in every school and enterprise network, I promise, and you don’t even notice.

Yes, this does happen on a lot of school and corporate networks on company/organization owned devices that have the corporate TLS certificate installed to the trusted root certificate stores.

However, this doesn’t mean that they are automatically able to decrypt all HTTPS traffic. If you join with a non-company-owned device, or any device that doesn’t have the corporate certificate installed, then the corporate firewall is not able to decrypt your HTTPS session.

The firewall might block your internet access if you aren’t using its certificate, or it might try to force you to use the certificate, but you would get a big warning message in your browser that the connection isn’t secure and you would have to manually allow the connection with the untrusted TLS certificate.

A LOT of businesses and schools also have incredibly shitty security and don’t do any TLS/SSL decryption at all and rely solely on endpoint antivirus and a basic firewall that might not even do Deep Packet Inspection.

I’m an information security professional. While there are ways to break HTTPS (such as downgrade attacks, which are mitigated by enforcing minimum TLS versions and HSTS preloading), it’s not as trivial as simply saying HTTPS can be snooped on “100%”. TLS 1.3 is not going to be snooped on unless you explicitly allow an insecure connection or install a certificate to your device’s trusted root certificate stores, allowing a corporate firewall to decrypt the traffic that is using its own certificate for encryption.

The exceptions here I already mentioned in my original comment are the SNI header and the ECH which will have the domain name of the website, but won’t reveal any of the actual content being transmitted over HTTPS.

And I install packet inspection systems, and you 100% can get certs to inspect SSL traffic. It really is super simple: if the cert is from a trusted signed CA then your browser doesn’t even notice.

This is also ignoring HPKP, although AFAIK browsers are deprecating this feature.