I know VPNs aren’t the best for privacy, but I’m curious: would a VPN be able to only see a domain and subdomain if the website is HTTPS? Or can they see more somehow?
Your hunch is correct. The VPN does get the same insights as your ISP traditionally would.
Think of a VPN as a tunnel. Your computer is connected to one end and your internet connection, rather than appearing to come straight out of your computer via your internet service provider, comes out somewhere else. That ‘somewhere else’ is controlled by whoever manages your VPN. Beyond this there isn’t any difference regarding what you can access or not via your internet connection: email, HTTP, HTTPS, etc. To the outside world, you appear to be wherever the VPN exit point is. This is why people use a VPN to watch, for instance, Netflix from a different country.
It is true that you should bear in mind whether all of your traffic is going over the VPN or not. As, for instance, /u/cellardoor has pointed out, you should be careful that your DNS traffic also goes over your VPN. Otherwise, people will see where you’re going as your computer looks up the addresses even if they cannot see the traffic itself. There are many other options, but if you’re using a VPN service sold to the general public then you should just check if all your traffic goes over the VPN or not.
In case I have misunderstood your question: you are sending all of your traffic via the VPN operator using their encryption, so you should presume that they can see all of your traffic over that connection unless it is separately encrypted.
The domain name is sent in cleartext at the start of the connection so that the server knows which virtual server you are connecting to, and which encryption key should be used for the connection (as a single server may be serving multiple sites, which can use separate encryption keys). See e.g. https://en.m.wikipedia.org/wiki/Server_Name_Indication for a more detailed explanation.
So the VPN provider can see the site you are connecting to, but not the full URL, just like an ISP can.
I heard that ISPs can only see the subdomain and domain, so I assume it would be the same with VPNs.
Even with just HTTPS they can’t see anything other than the domain name. With a VPN, ISPs only see one domain: the VPN itself.
Every modern VPN that has an app which runs continuously on your device will do DNS over the VPN, too. I’m just saying that, if you configured the DNS yourself, on a Raspberry Pi or something, maybe you didn’t change your DNS and maybe it’s leaking.
You should also make sure your web browser isn’t set to use something else like Cloudflare. In Firefox, this is controlled through the “DNS over HTTPS” setting. You want that to be OFF.
A good VPN provider will have a tool on their website to check for DNS and WebRTC leaks. Mullvad VPN has this, for instance.
The URL path (resource) is end-to-end (between your browser and end website) encrypted in an HTTPS request, along with the body, any query parameters in the URL and POST params. So only the domain (or more specifically the IP) is transparent to your VPN provider.
As another user mentioned, the domain could get leaked to your ISP (besides the VPN provider) via DNS requests (depending on your PC’s DNS cache lifetime and router cache), unless you use your own DNS provider over HTTPS. But your requests would still include an IP, which could be reversed to a domain via a trivial whois / lookup in a list.
But the thing you are worried about, the path in the URL (folders as you call it, but nowadays URL rewrite means that most probably there isn’t a direct association between URI and web server’s disk structure) should be encrypted and only the website you are visiting can decrypt it (via its private key of the SSL certificate).
Ignore the other comments here. These couch experts don’t know what they’re about.
A VPN hides your traffic from your ISP/network operator. This includes the domain you request (test.website.com) as well as the resource (/hello/123.html).
IF
you also set your DNS server to something other than your ISP or VPN Provider (such as Cloudflare’s 1.1.1.1 service). Otherwise your ISP will see you are looking up that website.
BECAUSE
the website hopefully uses HTTPS, and the request to that website is end-to-end encrypted, including the resources you’re requesting from the server.