Is browsing Github pages more private?

In “Why not use encrypted DNS”:

This method is only useful when the IP address belongs to a server that only hosts few websites. It’s also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc.).

But I thought that the subdomain of a website also shows up for ISP, and all the given examples use subdomains not URL to separate websites. i.e: example.github.io instead of github.io/example. In the latter case, ISP can’t know you’re accessing “example” but in the first one can know.

That quote is from the section discussing identifying websites via IP address specifically.

So unless SNI is encrypted, accessing Github and the other sites don’t have privacy advantage over accessing regular websites?

There’s probably just a minimal advantage, I wouldn’t consider it private. The page is discussing IP/website correlation specifically, imagine this:

If you are not using Encrypted DNS, and your ISP only inspects DNS queries and IP traffic,

  • When you visit site-a.github.io,
    • Your ISP sees you made a DNS request for site-a.github.io
    • Your ISP sees you connected to 185.199.108.153 (and knows this IP belongs to GitHub)
  • When you visit site-b.github.io
    • Your ISP sees you made a DNS request for site-a.github.io
    • Your ISP sees you connected to 185.199.108.153

Thus, your ISP can tell when you visit Site A or Site B specifically. But, if you are using encrypted DNS:

  • When you visit site-a.github.io,
    • Your ISP can’t see your DNS request
    • Your ISP sees you connected to 185.199.108.153 (and knows this IP belongs to GitHub)
  • When you visit site-b.github.io
    • Your ISP can’t see your DNS request
    • Your ISP sees you connected to 185.199.108.153

Thus, your ISP can’t tell when you visit Site A or Site B specifically, just that you visited some site hosted by GitHub on that IP.

But, we don’t live in a perfect world, and as you pointed out, SNI (and OCSP) also leak the domain you’re visiting. So realistically yes, there isn’t much of a privacy advantage to visiting sites on shared hosting.

1 Like