{"id":34614,"date":"2022-01-04T15:57:39","date_gmt":"2022-01-04T20:57:39","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34614"},"modified":"2022-01-13T16:53:25","modified_gmt":"2022-01-13T21:53:25","slug":"icloud-private-relay-white-paper","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/01\/04\/icloud-private-relay-white-paper\/","title":{"rendered":"iCloud Private Relay White Paper"},"content":{"rendered":"

Apple<\/a> (via John Wilander<\/a>):<\/p>\n

When Private Relay is in use, the user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”). The software for the first internet relay is operated by Apple in locations around the world.<\/p>\n

As the user browses, their original IP address is visible to the first internet relay and to the network they are connected to (e.g., their home ISP or cellular service). However, the website names requested by the user are encrypted and cannot be seen by either party.<\/p>\n

The second internet relay (also known as the “egress proxy”) has the role\nof assigning the Relay IP address they’ll use for the session, decrypting the website name the user has requested and completing the connection. The second internet relay has no knowledge of the user’s original IP address and receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from, conforming to the IP Address Location preference they selected in Private Relay settings. The second internet relay is operated by third-party partners who are some of the largest content delivery networks (CDNs) in the world.<\/p>\n

[…]<\/p>\n

To ensure only Apple devices and valid iCloud+ accounts can use Private Relay, the server performs device and account attestation using the Basic Attestation Authority (BAA) server prior to vending out tokens. To mitigate abuse, rate limiting restricts how many tokens a user’s device can retrieve per day.<\/p><\/blockquote>\n\n

Previously:<\/p>\n