Most of the traffic on the web is encrypted. And more websites are adopting basic encryption measures every day. That means that, in theory, eavesdroppers have a hard time seeing whom you're writing to on Gmail or what you're looking up on Wikipedia.

But there's a catch. Big sites like Google and Facebook can see what links you click from their services, and use tracking cookies to follow you around the web. Various tools can help you block this type of tracking, but another big window into your browsing habits remains. Your broadband provider or someone who has hijacked your internet connection could still see what sites you're visiting. They might not be able to tell what you're watching on, say, Pornhub, but they can know that you visited the site.

That's an obvious problem for people who live under authoritarian regimes. But there are other reasons to worry. Many broadband providers in the US are also media and advertising companies. Verizon, for example, has an extensive digital advertising operation thanks to acquisitions of AOL and Yahoo. It's perfectly legal for carriers to use their customers' internet history to target advertising.

For the past two years, the Internet Engineering Task Force, which sets standards for the web, has been working on a new protocol for the internet's address book, the domain name system (DNS), that would make it harder to spy on what pages you visit. The standard isn't finalized, but the security company Cloudflare appears to be launching a service called "1.1.1.1" that supports the new protocol. A test version of the Firefox web browser implements the protocol, but Cloudflare's service is not enabled by default.

The 1.1.1.1 website was publicly available Thursday, drawing links and comments on Hacker News. The 1.1.1.1 site was offline by mid-day Friday. But a cached version of another Cloudflare page with the same content was still visible at Archive.org. Cloudflare declined to comment.

The reason it's so easy for prying eyes to see what websites you're visiting has to do with the design of DNS. Whenever you visit a website using its domain name, like "wired.com," software on your phone or computer looks up the domain using what's called a DNS resolver. The DNS resolver, typically run by your broadband provider, translates the domain name into a number called an IP address that your device can use to actually find the site you're looking for.

Communication between your device and the DNS resolver typically is unencrypted. You can get around this by using a service called a virtual private network, or VPN, which routes all your traffic through a single connection, essentially making it appear that you only visit one site. But an incorrectly configured VPN could still "leak" DNS information.

The new "DNS over HTTPS" protocol would fix that by encrypting communication between devices and DNS resolvers much the same way web traffic is encrypted today. The operator of a DNS resolver would still be able to see what sites you're visiting, but it would be much harder for outside parties to intercept that data. A similar protocol called DNSCrypt works with Cisco’s DNS resolver OpenDNS, but hasn’t been widely adopted.
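To make the encryption step concrete, here is an added example (not code from the article, Cloudflare, or Firefox) of what a DNS-over-HTTPS lookup carries at the wire level, following the GET form of the protocol later published as RFC 8484: the same binary DNS query that would otherwise travel in plaintext UDP is base64url-encoded into a `dns=` parameter and sent inside an HTTPS request, and the resolver's binary answer comes back in the HTTPS response body. The `/dns-query` endpoint path and the sample response bytes are assumptions constructed for illustration.

```python
import base64
import struct

# Added example, not from the article: the wire format a DNS-over-HTTPS
# client exchanges with a resolver. The endpoint path is an assumption.
DOH_ENDPOINT = "https://1.1.1.1/dns-query"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (type A, class IN) in wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the raw query, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

# Constructed response: the question echoed back plus one A record (TTL 300).
QUERY = build_query("wired.com")
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Everything inside the `dns=` parameter (the domain being looked up included) is protected by the HTTPS connection, which is exactly what a plain UDP resolver on port 53 does not offer.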

The idea behind Cloudflare's service is that instead of using the DNS service offered by your broadband provider, you would go into your operating system's preferences and point to 1.1.1.1. You can do this today, but because most operating systems don't support DNS over HTTPS, your DNS queries generally won't be encrypted unless you’re using software that supports the standard, such as the test version of Firefox.