Windows 10: The ISP in the middle riddle

Dear Mystere,
i move the discussion here if you don't mind
because I think we were off topic...

Mystere said:

Your ISP can monitor everything you do on the internet.

Actually, yes. Your ISP can still spy on you. There's something called a transparent proxy server that the ISP can put in between you and the internet, and those can decrypt your HTTPS sessions and record the info if they want. I'm not saying they do, but they can. The proxy server intercepts the HTTPS negotiation and acts as it's own HTTPS server.

Here's an article about such proxies.
How the NSA, and your boss, can intercept and break SSL | ZDNet

Ok but are we talking about technical feasibility
Is the ISP supposed to work like that? I think we are
degenerating on the "thin foil hat" side here.
Anyway thanks for the link and case closed for me
and for the sake of the OP.

Mystere said:

Huh? What do you mean? I'm saying that not only is it technically feasible, commercial companies are selling proxy servers that do just that, and many many many companies use them, including ISP's. It's not tin foil, it's reality.

This is a quote from the link:

--If your company has set up the proxy correctly you won't know anything is off because they'll have arranged to have the proxy's internal SSL certificate registered on your machine as a valid certificate. If not, you'll receive a pop-up error message, which, if you click on to continue, will accept the "fake" digital certificate. In either case, you get a secure connection to the proxy, it gets a secure connection to the outside site -- and everything sent over the proxy can be read in plain text. Whoops. --

What I understand is that someone has to put a fake certificate in my machine
for this to work, otherwise i'll receive a pop-up error message that warns me
that the identity of the site is not to be trusted.

If what I understand is wrong i'd ask you, or someone with more expertise than me,
to better explain to me in simple words ...

roy111 said:

Is the ISP supposed to work like that?

Of course they do. It's another potential revenue stream that was just made legal here in the US.

You are getting worried about something minor. The only way to stay 100% private is to do away with all communication and connections. Just use your computer and the internet with some common sense and you'll be fine, following accepted good pactices and keeping your computer updated along with good AV software.

DeaconFrost said:

Of course they do. It's another potential revenue stream that was just made legal here in the US.

You are getting worried about something minor. The only way to stay 100% private is to do away with all communication and connections. Just use your computer and the internet with some common sense and you'll be fine, following accepted good pactices and keeping your computer updated along with good AV software.

Hi, thanks for your replay,
i'm more curious to understand how it is supposed to work, did you read the
article in the link?
The subject is if someone can somehow be in the middle beetween a PC and
a secure connection with e.g. google (privacy is already gone here) so is
all this https encripted connection and certificate authenticy just bullshit?

TairikuOkami said:

Note, that it is an old article and they are talking about SSL, most browser do not even support SSL anymore, TLS is a standard these days. So do not worry, if the connection is encrypted, it is encrypted.

ISP can see, what domain you are visiting, but not the actual URL and other info. Lets say you visit youtube.com/someshadystuff ISP will see, that you are on youtube, but not the shady stuff. But if the whole domain is somewhat illegal, like howtobecomeaterrorist.com, encryption will not help you.

For common browsing I use those (for sensitive browsing, I download TOR and remove it afterwards):

1. Non-ISP DNS connected via dnscrypt, if the DNS requests are not encrypted, ISP can see them.
2. Privacy search like StartPage or DucDuckGo, which is encrypted, SP shows images via proxy.
3. HTTPS Everywhere addon, which makes sure TLS is enabled, if the webpages supports it.

The best way is to use VPN, but note, that some leak, so make sure to pick the right one.

That One Privacy Site | Simple VPN Comparison Chart

VPN Testing

Thanks TairikuOkami,
i find your explanation logical and coherent.
I consider this solved.

Wrong reply sorry.

TairikuOkami said:

Note, that it is an old article and they are talking about SSL, most browser do not even support SSL anymore, TLS is a standard these days. So do not worry, if the connection is encrypted, it is encrypted.

ISP can see, what domain you are visiting, but not the actual URL and other info. Lets say you visit youtube.com/someshadystuff ISP will see, that you are on youtube, but not the shady stuff. But if the whole domain is somewhat illegal, like howtobecomeaterrorist.com, encryption will not help you.

For common browsing I use those (for sensitive browsing, I download TOR and remove it afterwards):

1. Non-ISP DNS connected via dnscrypt, if the DNS requests are not encrypted, ISP can see them.
2. Privacy search like StartPage or DucDuckGo, which is encrypted, SP shows images via proxy.
3. HTTPS Everywhere addon, which makes sure TLS is enabled, if the webpages supports it.

The best way is to use VPN, but note, that some leak, so make sure to pick the right one.

That One Privacy Site | Simple VPN Comparison Chart

VPN Testing