Using HTTPS? The URL may not be fully encrypted, hence can be tracked (opens in new tab)

(stackoverflow.com)

2 pointssci_c06y ago2 comments

2 comments

2 comments · 2 top-level

When request is made over HTTPS, the server name in the URL may not be encrypted, only the path to the resource will be encrypted.

i.e.

if you type https://www.example.com/path/to/my/resource?show=pretty then the www.example.com may be sent in plain text only the path part will be encrypted.

Piskvorrr6y ago

TL;DR: SNI sends hostname (not whole URL) in plaintext, ESNI (encrypted) is not widely supported (not in Chrome, off by default in Firefox, visited domain also needs to support it).

j / k navigate · click thread line to collapse