While HTTPS encrypts the content of an internet connection, there are various techniques that third parties such as telcos can apply to determine which site a user is connecting to.

Third parties may not be able to break the encryption and sniff the traffic, but they can track or block users based on these leaks, and this is how some ISP-level parental controls and copyright infringement blocklists work.

The two primary techniques used by telcos are (1) watching DNS traffic and (2) inspecting the SNI (Server Name Indication) field in HTTPS traffic.

The first technique works because browsers and apps send DNS queries in plaintext, revealing the user's intended destination even before the HTTPS connection itself is established.

The second technique works because the SNI field in the TLS handshake that opens an HTTPS connection is sent unencrypted, which similarly lets third parties determine which site the connection is going to.

But over the past decade, new internet protocols have been created and released to address these two issues.

DoH (DNS over HTTPS) and DoT (DNS over TLS) can encrypt DNS queries.

And when combined, TLS 1.3 and ESNI (Encrypted Server Name Indication) can also prevent SNI leaks.

These protocols are slowly gaining adoption, both in browsers and with cloud providers and websites across the globe, and there is no better sign that they work as advertised than the fact that China updated its Great Firewall censorship tool to block HTTPS traffic that relies on TLS 1.3 and ESNI.