|>>|| No. 17163
That's correct, though you having said that maybe suggests a proper explanation might be needed.
You want to go visit "shedtube.xxx" for all your shed-loving needs. You don't know where that is, so you ask Google for directions (18.104.22.168 DNS). It tells you "Oh, shedtube.xxx is over there, on 10.11.12.13", so off you go.
You then connect to 10.11.12.13 and say "I want shedtube.xxx please" (HTTP GET), and the server at the other end says "Here you go" (HTTP 200).
But someone approaches your ISP, be it Ground, ListenListen, Nothing Anywhere, or whoever, and says "Sorry, we need you to stop people from getting to shedtube.xxx because it's been taken over by hackers on toast", so next time you try and visit, your ISP grabs that request and stops it getting to 10.11.12.13 and instead responds itself "Sorry, you're not allowed to see this".
So you try using a code to hide your request (HTTP over TLS - "HTTPS"), but the server at 10.11.12.13 has lots of different sites, all with their own keys. So just like the concierge in an apartment complex or an office building, the server needs to know which site you're after, so your coded message is tagged with an address label "shedtube.xxx, 10.11.12.13, The Internet". Your ISP can still read this, but it's got no way of seeing what the coded message was, nor do they have any way of knowing what the key is, so the response comes back saying "SO RR YY OUREN OTALL OWEDT OSEET HISXX" and you get confused because it won't decode properly. This isn't entirely a joke. Both Sky and Virgin respond to HTTPS requests for blocked sites by sending their "Site not available" page unencrypted.
In hotels and the like, people discovered that you could use DNS to route real traffic, so they started intercepting the DNS requests. When you ask "Hey Google, where's shedtube.xxx?" it comes back with "Hello Mr Internet Person, we are definitely Google and not Shady Hotel Wifi Service, and shedtube.xxx is totally on 10.20.30.40".
The only real solution to that would be to use a VPN tunnel with an endpoint somewhere else. Think of this as like a pneumatic tube. You put the message into a capsule at your end, and someone takes it out of the capsule at the other end, but all your ISP sees is a capsule. They can't see what's in it, and they can't interfere with it. The main drawback here is that you do need to be able to trust whoever's at the far end of the tube not to fuck with your messages, so invariably this means paying out money.