Skip to content

Does HTTPS hide which website you're visiting from your ISP or network?

Short answer

Mostly no. The destination hostname is sent in the clear in the TLS ClientHello's SNI extension, and your DNS query usually reveals it too, so an ISP or network can see WHICH site you visit even over HTTPS — they just can't read the path or content. Encrypted ClientHello (ECH) and DNS-over-HTTPS can close this gap, but they aren't universal. 'HTTPS hides everything' is the misconception.

"HTTPS means nobody can see where I'm going" is one of the most common security misconceptions, and interviewers use it to test whether you understand what TLS actually protects.

What HTTPS does and does not encrypt

HTTPS encrypts the application-layer payload: the request path, headers, cookies, body, and response. An eavesdropper cannot read the URL after the domain or your data. But the connection has to be set up first, and several setup details are visible. The TLS ClientHello carries a Server Name Indication (SNI) extension — the destination hostname in plaintext — so that a server hosting many sites on one IP can present the right certificate. Anyone on the wire reads it.

DNS makes it worse

Before the TLS handshake even starts, your client usually performs a DNS lookup for the hostname, and classic DNS is unencrypted UDP/53. So the network often learns the hostname twice: once from DNS, once from SNI. Even the destination IP address in the IP header is always visible.

What actually closes the gap

Two technologies help. Encrypted ClientHello (ECH) encrypts the SNI inside the handshake, and DNS-over-HTTPS (DoH) or DNS-over-TLS hides the lookup. With both deployed, the observer is left mostly with the IP — and even then, traffic analysis (timing, packet sizes, and IP-to-site mappings for sites not behind large CDNs) can still leak the destination. Neither ECH nor DoH is universally deployed in 2026.

Why the distractors are tempting

The "yes, TLS encrypts the hostname" options sound right to anyone who believes encryption is all-or-nothing. The "SNI gets encrypted after the handshake" answer confuses the unprotected ClientHello with the later encrypted records — but SNI is sent before keys exist.

What interviewers want

A clear "no, mostly not" plus the two leak channels (SNI and DNS) and the names ECH/DoH as mitigations. That shows you reason about the protocol, not the marketing.

Likely follow-ups

  • What is Encrypted ClientHello (ECH) and which gap does it close?
  • Why does plain DNS still leak the hostname even if SNI were hidden?
  • Can an observer infer the site from IP and traffic size even without SNI?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.