[Cryptography] Apple's iCloud+ "VPN"

Jerry Leichter leichter at lrw.com
Mon Jun 14 07:58:25 EDT 2021

Apple recently announced a new service that will become available with the next versions of MacOS and iOS, as long as you have a paid subscription to their iCloud service.  The press has widely (but not universally; CNN at least had a reasonable article) described this as an Apple VPN, but it isn't.  The full details aren't known yet but the description makes it clear that it's actually an Apple onion router.  The routing uses two hops; Apple provides the first, and "independent third parties" (not yet specified) provide the second.

There are some interesting tradeoffs.  The service only works in Safari, Mail, and a few other applications.  It's not clear if the API will be public for other browsers or applications to use.  As part of it, they are also doing some kind of "private" DNS; it's not clear if that routes through the onion layers, too, though it would make sense.  All in all, a very Apple approach:  They deny themselves any knowledge of a customer's DNS queries and Web traffic, so if served with a subpoena they have very little to respond with.  And, it works completely transparently (and presumably very simply for the end user) with Apple applications.

A big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node.  You can view this as a sop to the various on-line video providers, who insist on their geo restrictions; or you can view it as a concession to reality:  If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for them to notice.

How this will interact with a VPN - especially with a VPN implemented in a middle-box rather than on the Apple device - is unknown.  We'll see when it ships.

In one move, Apple has taken onion routing from a specialized tool for hackers to something that will be in daily use on billions of devices.  It will be interesting to see how the rest of the industry responds.  (Rather than simply saying they do no logging, why don't VPN providers implement an onion router - perhaps partnering with other VPN providers - so that they simply have nothing to log?  I'd expect to see that emerge sooner rather than later.)

                                                        -- Jerry
