
It would, but that’s already generally impossible thanks to everything being on HTTPS (including DNS).



HTTPS typically still has the site domain in clear due to SNI.


> HTTPS typically still has the site domain in clear due to SNI.

Can you eli5 that please?


To support multiple sites per IP the browser has to send the DNS name of the site to the web server. Moreover, since the certificates that the server uses for encryption depend on the site name, the name cannot be encrypted within HTTPS. So the browser sends the name in clear when initiating the connection. This is called SNI, server-name-identification.

It is possible to encrypt SNI, but most sites do not support that as the setup is non-trivial and error-prone.


Huh

So HTTPS doesn't really stop tracking, it only prevents people from snooping on what data you are sending to and receiving from the website.


There has been some work on encrypted server name indication: https://www.cloudflare.com/learning/ssl/what-is-encrypted-sn...


I use CloudFlare's 1.1.1.1 DNS to mitigate my ISP tracking the domains I visit. They have an iPhone app too. I don't know enough about the space to say whether it's 100% effective.


Again, due to SNI, tracking sites that one visits is possible even if DNS traffic is encrypted. At the very least one needs the site to support ESNI or encrypted-site-name-identification.

But then in practice for ESNI to be effective one needs the site to use a CDN or similar solution to ensure that there are a lot of sites for the given IP.




