Monday, September 20, 2021

iCloud Private Relay

Michael Grothaus (via John Wilander, Alex Guyot):

The obvious comparison people will make is that iCloud Private Relay is Apple’s version of a VPN (something I have called for in the past for the company to offer). But from an engineering perspective, Private Relay’s privacy protections make VPNs look weak.


iCloud Private Relay uses a dual-hop architecture. When you navigate to a website through Safari, iCloud Private Relay takes your IP address, which it needs to connect you to the website you want to go to, and the URL of that site. But it encrypts the URL so not even Apple can see what website you are visiting. Your IP and encrypted destination URL then travel to an intermediary relay station run by a third-party trusted partner.
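The separation of knowledge that the quote describes can be modelled in a few dozen lines. The following is an added illustration, not code from Apple or from any of the linked posts, and it is a deliberate simplification: Apple's real design tunnels TLS/QUIC through two proxies, whereas this toy wraps the destination in two layers of a throwaway keystream cipher (constructed here for the demo; not a cipher to reuse). The point it makes stands regardless of cipher: the ingress hop records the client IP but can only see an opaque blob, and the egress hop recovers the destination but only ever sees the ingress as its peer. The hop names, keys and sample addresses are all constructed.

```python
"""Toy two-hop relay: ingress learns client IP but not destination,
egress learns destination but not client IP. Constructed illustration,
not Apple's protocol. The cipher below is a demo-only keystream."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demo-only: derive a keystream by hashing key||nonce||counter.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Hop:
    name: str
    key: bytes                      # each hop has its own key; neither holds the other's
    log: list = field(default_factory=list)  # what this hop could observe/record


def client_request(client_ip: str, dest: str, ingress: Hop, egress: Hop):
    # Inner layer is sealed to the egress key, outer layer to the ingress key,
    # so the ingress can strip only its own layer.
    inner = seal(egress.key, dest.encode())
    outer = seal(ingress.key, inner)
    return client_ip, outer


def ingress_forward(ingress: Hop, client_ip: str, outer: bytes):
    inner = unseal(ingress.key, outer)
    # Ingress sees the client's address and an opaque blob, nothing more.
    ingress.log.append({"src": client_ip, "payload": inner.hex()[:16] + "..."})
    # Egress sees the ingress pool address as its peer, not the client.
    return "ingress-pool-ip", inner


def egress_connect(egress: Hop, src: str, inner: bytes) -> str:
    dest = unseal(egress.key, inner).decode()
    egress.log.append({"src": src, "dest": dest})
    return dest


def run(client_ip: str, dest: str):
    """Drive one request through both hops and return what each hop logged."""
    ingress = Hop("ingress", os.urandom(32))
    egress = Hop("egress", os.urandom(32))
    src, outer = client_request(client_ip, dest, ingress, egress)
    src2, inner = ingress_forward(ingress, src, outer)
    egress_connect(egress, src2, inner)
    return ingress.log, egress.log


def knows(log: list, needle: str) -> bool:
    """Did this hop's log ever contain the given value?"""
    return any(needle in str(entry) for entry in log)


if __name__ == "__main__":
    ingress_log, egress_log = run("203.0.113.7", "example.org")  # constructed sample
    print("ingress saw:", ingress_log)
    print("egress saw: ", egress_log)
```

The model also shows why the later quotes about risk-based authentication and site blocking follow directly from the design: the destination site only ever sees the egress address, so IP geolocation and reputation signals describe the relay pool, not the user. Collusion between the two hops (or one operator running both) would reassemble the full picture, which is why the identity of the "trusted partners" matters.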

See also: WWDC, Nick Heer, Hacker News, Accidental Tech Podcast, MacRumors, TidBITS.

John Gruber:

It’s a little weird that Apple doesn’t want to talk about who these “trusted partners” are, because if we don’t know who they are, how are we supposed to trust them?

Stephen Nellis and Paresh Dave:

Apple’s decision to withhold the feature in China is the latest in a string of compromises the company has made on privacy in a country that accounts for nearly 15% of its revenue.

Tim Hardwick:

According to Apple, “regulatory reasons” prevent the company from launching Private Relay in China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines.

Apple mentioned these country limitations in June, but it seems that Private Relay will not be available in Russia either, after Apple apparently disabled the feature there over the last day or so.

Spencer Dailey:

Hats off to Apple’s architects. At first glance, the principle behind this “dual hop” seems inspired by Tor, a browser that “directs Internet traffic through a free, worldwide, volunteer overlay network” with an encryption scheme that promises to “conceal a user’s location and usage” from prying eyes. The main issue with Tor has always been that it’s slow. Apple claims Private Relay works “without compromising performance”. There are reasons to be very skeptical of that claim by Apple (more on that later), but nevertheless, Private Relay will certainly be far faster than using Tor.


Private Relay will ruffle the feathers of ISPs and local network administrators.

This is a power move reminiscent of 1) when Apple launched the iPhone and decoupled phone software from the carrier, and 2) when Apple launched iTunes and CD-selling music labels had to come on board.

The industry will push back, leading to friction for consumers.

Many local area networks, such as WiFi on college campuses, will end up prohibiting Private Relay traffic. This will lead to inconvenienced users, who will be presented with dialogs to disable Private Relay for that network. I’m sure ISPs of all sizes will be tempted to also put in place hard blocks.

Florian Forster (via Hacker News):

If a user enables this feature, your RIBA [Risk Based Authentication] seriously will have a bad time. This is because, as you can see below, the user’s IP Address will be more or less useless as a signal. As of writing this blog I was in Switzerland and the IP used to egress my traffic was in a region located in the US. If this also tends to change a lot and fast you can basically throw away IP addresses as data of your RIBA.

Saagar Jha:

As expected, using Private Relay may get you flagged on certain sites, such as Wikipedia. Haven’t hit a captcha yet but I’m not looking forward to it…

Frank A. Krueger:

Funny side-effect of iOS’s new private browsing: websites keep signing me out and reporting irregular login attempts. I have to remind myself that I sometimes live in Sweden now.

John Voorhees:

Private Relay currently has a significant impact on Safari’s performance. Here’s my Internet speed outside Safari using the Speedtest Mac app.

David Sparks:

My connection was noticeably slow and laggy. After a bit of troubleshooting, I discovered Private Relay is the culprit.

Dave Wood:

Why does iCloud Private Relay randomly turn itself back on? I didn’t reboot or anything here. And, the option to disable it again is missing. (Usually appears again if you go back a menu and forward again).


I have a VPN app that uses a tunnel to route traffic, and I’m finding that port 80 traffic cannot be routed when Private Relay is enabled. Oddly, it’s just port 80 traffic. HTTP traffic over 8080 or other ports still works fine.

Specifically, connecting the socket using the connect() function for a port 80 address always returns the same error "No route to host".

Jason Snell:

Essentially, Apple has decided to launch iCloud Private Relay as a beta when iOS 15 ships in the fall, and the feature will be turned off (for now) by default. Paying iCloud users will be able to turn it on and try it out.

John Gruber:

Here’s my concern about iCloud Private Relay compatibility, though: if web publishers want to make sure their sites are compatible with iCloud Private Relay, they can make it work. They might just need more time. But everyone knows there are sites that aren’t interested in your privacy. That’s the whole reason Apple even made this feature. For a lot of websites, if the answer to an iCloud Private Relay compatibility issue is “Disable iCloud Private Relay”, that’s fine by them. For a lot of privacy-invasive web publishers, their goal, I suspect, is to break iCloud Private Relay, not fix their shit-ass websites to work with it.
