Through pressure from Google, Facebook, and other major providers such as Yahoo and Apple the world wide web is slowing becoming more secure, with web services using HTTPS to encrypt web traffic by default. However, the arrival of the draft Investigatory Powers Bill raises questions about who can potentially get access to what – here are some answers.
Can anyone see all my web requests?
Yes. Whenever you see HTTP in the browser’s address bar then any data sent over the link will not be encrypted. This means the address of the page and domain you’re browsing, and any data you send, such as in a form, and any data which is returned.
Can anyone see my web requests if I use HTTPS?
No. If you see HTTPS in the browser’s address bar then the connection is encrypted using SSL/TLS. Only the IP address of the destination (and the port used, usually 443) can be determined. No details of what pages or resources were accessed, nor any further data sent over the connection will be accessible. Google, Facebook and many other major online services now use HTTPS by default, so all your Google search requests, for example, are protected and your ISP cannot see the URL and the results of the request.
If I use HTTPS, will anyone be able to access my details from the remote web server logs?
Yes. HTTPS tunnels encrypt data across the internet to prevent eavesdropping, but the traffic is decrypted at either end so the server log will show details of which IP address has accessed what resource and when. As the SSL/TLS used by HTTPS uses a client-server model, the key required to decrypt the connection is available on the server – unlike with end-to-end encryption services where only the parties involved have the decryption key. This means spies and investigators could serve a warrant and demand the service provider hand over its copy of the decryption key and access your communications. HTTPS only protects the transmission of the data over the internet, and the full details of the request and reply can be logged on the server.
Can my DNS requests be logged?
Yes. DNS – the Domain Name System, which translates human-friendly domain names into the IP addresses of the web servers where web pages are located – uses unencrypted UDP on port 53. Your ISP will be able to log your DNS requests, and any spies or investigators will be able to request that data.
Can my ISP determine which of us at home is accessing a certain site?
No. Typically, home broadband connections share a single, traceable public internet IP address between many computers and smartphones using what’s called Network Address Translation (NAT). Your ISP will log only the single public IP address assigned to your home router, not which individual device in the home was using it at the time.
If I connect to a website using a VPN, will my requests be logged?
Perhaps. A virtual private network (VPN) is a point-to-point encrypted tunnel from one computer to another through the public internet. Your ISP cannot see the details of the data packets travelling through the tunnel. Exactly what network traffic goes through the encrypted tunnel and what doesn’t depends on how the VPN has been set up. For example, it’s possible to pass DNS through an encrypted tunnel, too, if it is routed to the corporate VPN server. Companies also often use systems called proxy servers, where the details of the computer within the network will not be revealed to external logs.
If I use a Tor browser, will my ISP be able to log my web requests?
No. Using a Tor-enabled browser it’s possible to browse the public internet using the Tor anonymising network. Your ISP will not be able to see any of the data transmitted, and the web server log will record only the address of the gateway node – the entry point into the Tor network, not the origin (your browser) or ultimate destination (the web server).
How can ISPs trace me?
Normally, a session cookie is used for each user’s web browsing session. These are unencrypted, clear text items which can be harvested when communicating over HTTP and mined for information that will often reveal identifying details about the user.
Will my emails be scanned for details?
Unlikely. Many email providers now encrypt email traffic across the internet, for example web-based email such as Gmail or Yahoo Mail (using HTTPS), or encrypted versions of the common mail protocols, such as POP, SMTP or IMAP. So your ISP cannot read your emails, but will know that you’ve accessed an email service. This means the ISP will have no details to pass to spies or investigators.
Will investigators have powers to examine web server logs?
Yes, for those based in Britain. But servers for the most used web services are based outside the UK, and so not subject to UK laws. The credibility of evidence gained from web server logs is also questionable as they can often be tampered with, while IP addresses can be spoofed (faked).
Could there be a “man-in-the-middle”?
Perhaps. The draft Investigatory Powers Bill provides investigators and spies with the right to tamper with hardware and software in order to access data, for example in order to help circumvent encryption. While this may be of limited use for websites hosted outside the UK, there are many pieces of equipment in the UK between your web browser and those servers. There are also other ways of tricking web browsers and other software using HTTPS – as demonstrated by the “man-in-the-middle” attack used by the Superfish software installed on Lenovo computers.
Will an investigator see my passwords?
No. Any properly-designed website login system uses HTTPS – if it doesn’t, and you’re dealing with sensitive information, don’t use it. Any data including passwords sent over HTTPS is encrypted and secure.
So, who really knows what I access?
Google. You can even download your complete history of every search you’ve ever made.