QUOTE(lurkingaround @ Oct 17 2019, 08:39 PM)
Quoted from the same link.
Can you please answer my questions?
If your ISP knows which website and webpage you have visited, it can type in the same IP address or URL to view the same decrypted webpage/site that you have visited. Simple, ain't it?
....... Afaik, HTTPS encryption of web traffic is mostly to prevent MITM hacking attacks.
Hence, the police and MCMC, through the ISPs, can know who are the ones who have visited certain extremist websites, bomb-making tutorial websites, child-porn websites and other websites of illegalities.

lurkingaround, your understanding is halfway.
you also have sessions to differentiate different visitors, so what you see will depend on what the webmaster wants your session to see, even if you typed the exact same URL with all the query strings intact.
--------
but before you get to load the web resource available at the URL, your computer needs to find the machine-readable location of that server hosting the URL. that's where DNS "phone directory" comes in.
all this while, DNS protocol is practically plain-text over TCP/UDP port 53. that's how anyone including your ISP, can just sniff your traffic and learn which server - NOT URL - that you are trying to get in touch with. it's like learning that your friend asked a specific "phone directory" (Google, Cloudflare, etc.), but as far as this has been going on, you finally get to learn who your friend wants to call.
---------
but you have not learned what your friend actually wants to talk about with the server. to know what is being talked about, you will need to sniff longer for your friend to successfully complete that call to the server.
to prevent you from eavesdropping DURING THE CALL, this is where the discarded SSL protocol and its replacement TLS protocol come in; to encrypt, AND OPTIONALLY, to authenticate the identity of either or both ends. you usually "see" SSL/TLS in action when you use HTTPS to browse /k.
---------
using SSL/TLS will begin any communication by encrypting it before anything else, thus anything communicated afterward will be garbage to listeners. you cannot even learn which URL is being asked for.
(this is where you are wrong. a properly-secured SSL/TLS traffic will not reveal what is being communicated about. your ISP is not capable of learning the exact URL you are visiting.)
--------
DNS-over-TLS is basically to replace existing plain-text DNS queries with TLS-encrypted queries. With DoT, you still can learn which "phone directory" your friend is asking from, but now even eavesdropping will not reveal who it is that your friend wants to call.
------
additionally, DNS-over-TLS makes use of the authentication function of TLS protocol to make sure that you are really talking to certified "phone directory" (Google, Cloudflare, etc.), so no one can just slip in a pretending DoT server in the middle.
-------
since DoT is a replacement protocol running on new port 853, it is not outright compatible with most devices and operating systems and what else on the market. so to provide some sort of compatibility AND to avoid access to DoT being prevented by simply blocking port 853 (think China), DNS-over-HTTPS through usual port 443 is implemented as well. same concept, but now interfaced indirectly through http-based API instead of directly answered by DNS server.
-------
DoT/DoH prevents man-in-the-middle from reading or tampering with your DNS queries and responses in-flight.
QUOTE
With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. - ICANN
-------
so with DoT/DoH and SSL-/TLS-encrypted http, smtp, ftp, you are almost protected from start to finish. almost. since an attacker focused on you will still be able to sniff the address of the server after all.
to prevent that, NOW, you'll need a VPN.
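To make the "phone directory" argument above concrete, here is an added example (my own code, not from the forum post and not from Google, Cloudflare or ICANN) of what a passive on-path observer, such as a network monitor at an ISP, can pull out of resolver traffic. A plaintext port-53 query carries the full queried name in the clear and is trivially parsed from the RFC 1035 wire format; a DoT (853) or DoH (443) packet only reveals which resolver is being contacted, and DoH cannot even be told apart from ordinary HTTPS by port alone. The resolver addresses, the packet bytes and the queried name are all constructed for the demo; nothing here touches the network.

```python
# Added example, not from the forum post: a passive "sniffer" that classifies
# captured resolver traffic by transport and shows what each one leaks.
# All addresses and packet bytes below are constructed stand-ins.
import struct

PLAIN_DNS, DOT, HTTPS = 53, 853, 443


def build_dns_query(name: str, txn_id: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a minimal RFC 1035 query: one question, given qtype, class IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """Recover the queried name from a plaintext DNS message, as an eavesdropper would."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txn, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def observer_view(dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """What an on-path observer learns from one packet sent toward a resolver."""
    view = {"resolver": dst_ip, "name": None}
    if dst_port == PLAIN_DNS:
        view["transport"] = "Do53 (plaintext)"
        view["name"] = parse_qname(payload)  # the full query name is in the clear
    elif dst_port == DOT:
        view["transport"] = "DoT (TLS on 853)"  # resolver is known, query content is not
    elif dst_port == HTTPS:
        view["transport"] = "HTTPS or DoH (443)"  # cannot distinguish DoH from web traffic
    else:
        view["transport"] = "other"
    return view


# Constructed sample capture: (dst_ip, dst_port, payload). The 192.0.2.0/24
# addresses are documentation-range placeholders; the 853/443 payloads are
# opaque TLS record bytes standing in for an encrypted session.
CAPTURE = [
    ("192.0.2.53", PLAIN_DNS, build_dns_query("example.com")),
    ("192.0.2.53", DOT, bytes.fromhex("1603030000")),
    ("192.0.2.80", HTTPS, bytes.fromhex("1703030000")),
]


def summarize(capture=CAPTURE) -> list:
    """Run the observer over every packet in the capture."""
    return [observer_view(*pkt) for pkt in capture]


if __name__ == "__main__":
    for view in summarize():
        print(view)
```

Run it and the first line shows the resolver address and `example.com`; the other two show only the resolver address with `name` left empty, which is exactly the gap the post says DoT/DoH close and the remaining server-address leak it says only a VPN hides.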