HTTPS Is Not Enough: What It Doesn't Protect You From

Proxy24 · March 19, 2026 · 7 min read

What HTTPS Actually Does

HTTPS encrypts the contents of HTTP requests and responses — the URLs you request, the page HTML, login forms, cookies, and response bodies. It also authenticates the server, assuring you that you're talking to the real domain and not an impersonator. These are genuinely important guarantees. But HTTPS says nothing about who is making the request.

Your IP Is Still Visible

Every HTTPS connection begins with a TCP handshake and a TLS negotiation. Both expose your IP address to the server you're connecting to. The server's access logs record your IP, the timestamp, and the resource requested. Your ISP sees the destination IP even if it can't read the payload. Your IP address alone is often sufficient to identify your ISP, city, and in some cases your building.

Metadata Leakage

Even with perfect encryption, pattern analysis is powerful. The size of encrypted packets, the timing of requests, and the sequence of connections can reveal what you are doing. Researchers have demonstrated that encrypted Netflix traffic is distinguishable enough to identify specific films. Connection metadata — who talks to whom, when, and how often — is frequently more valuable to intelligence agencies than message content.

SNI and Certificate Transparency

During TLS negotiation, the Server Name Indication (SNI) extension sends the target hostname in plaintext so the server can present the correct certificate. Until Encrypted Client Hello (ECH) is universally deployed, your ISP and any on-path network observer can see every hostname you connect to, even over HTTPS. Certificate Transparency logs are also public, meaning every publicly trusted certificate logged for a domain, along with the hostnames it covers, is permanently recorded.

Layering Your Defences

HTTPS is necessary but not sufficient. A proxy or VPN hides your IP from destination servers and, when your connection to it is itself encrypted, hides the SNI from your ISP. Combine HTTPS with a trusted proxy like Proxy24 and you get both payload encryption and metadata protection — neither the destination nor your ISP can see the full picture.