[Cryptography] Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Wed Jun 23 03:50:09 EDT 2021



> On Jun 23, 2021, at 6:31 AM, Liam Ayr via cryptography <cryptography at metzdowd.com> wrote:
> 
>> As part of it, they are also doing some kind of "private" DNS; it's not clear if that routes through the onion layers, too, though it would make sense.
> 
> They are using ‘Oblivious DNS’. A technology co-authored by Cloudflare, Fastly, and Apple.  It essentially is an encrypted proxy.  The first step, a number of years ago, in improving the privacy of DNS - an otherwise entirely plaintext protocol - was to use https (or TLS) between the client and the resolver.  This stopped eavesdropping but the resolver still knew what the request was and where it was coming from.  Oblivious DNS adds an extra hop in such a way as the resolver knows what the request is - so can answer it - but doesn’t know who the requestor is...

Unless they happen to be a CDN, in which case they’re also hosting the thing that’s being requested, see whatever authentication the user has to do to the site, see what cookies the user is holding, can fingerprint the HTTPS stack, and can tie all of that back to the client's encryption key.

Moral of the story is to never, ever, ever use an exit node that’s also a CDN.

                                -Bill
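An added illustration of the two-hop split Liam describes, written for this archive page and not taken from the thread or from Apple, Cloudflare or Fastly. The real protocol (Oblivious DoH) seals the query to the target resolver's public key with HPKE; this script substitutes a pre-shared client/target symmetric key and a SHA-256 counter-mode toy cipher so that it runs on the Python standard library alone. Every name, address and key in it is constructed. The proxy logs who asked but only an opaque blob; the target logs the question but sees only the proxy as its peer. The `correlate` function then shows the assumption the whole design rests on: the moment one party holds both views, the pairs (client, query) fall straight back out, which is the same kind of re-linking Bill's CDN objection points at from a different direction.

```python
"""Toy model of an oblivious two-hop DNS proxy (ODoH-style split trust).

Added example; not code from the mailing-list thread or from any vendor.
Real ODoH uses HPKE to the target's public key. Here a pre-shared symmetric
key and a SHA-256 counter-mode stream stand in so the script is stdlib-only.
All identifiers (names, IPs, key material) are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for the AEAD inside HPKE."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def blob_id(blob: bytes) -> str:
    """Stable handle for one sealed message, as a log field."""
    return hashlib.sha256(blob).hexdigest()[:16]


@dataclass
class Proxy:
    """First hop: sees the client's address, forwards an opaque blob."""
    name: str
    log: list = field(default_factory=list)

    def relay(self, client_ip: str, blob: bytes, target: "Target") -> bytes:
        self.log.append({"client_ip": client_ip, "blob_id": blob_id(blob)})
        return target.resolve(self.name, blob)


@dataclass
class Target:
    """Second hop: can decrypt the query, sees only the proxy as its peer."""
    name: str
    key: bytes
    zone: dict
    log: list = field(default_factory=list)

    def resolve(self, peer: str, blob: bytes) -> bytes:
        qname = unseal(self.key, blob).decode()
        self.log.append({"peer": peer, "blob_id": blob_id(blob), "qname": qname})
        return seal(self.key, self.zone.get(qname, "NXDOMAIN").encode())


def client_query(client_ip: str, qname: str, key: bytes, proxy: Proxy, target: Target) -> str:
    """Client seals the question for the target and hands it to the proxy."""
    blob = seal(key, qname.encode())
    return unseal(key, proxy.relay(client_ip, blob, target)).decode()


def correlate(proxy_log: list, target_log: list) -> list:
    """What a party holding BOTH logs learns: (client_ip, qname) pairs, joined on the blob."""
    by_id = {e["blob_id"]: e["client_ip"] for e in proxy_log}
    return sorted((by_id[e["blob_id"]], e["qname"]) for e in target_log if e["blob_id"] in by_id)


def demo() -> dict:
    """Two constructed clients, one proxy, one target; returns every party's view."""
    key = hashlib.sha256(b"constructed client<->target key").digest()
    zone = {"example.com": "192.0.2.10", "mail.example.net": "198.51.100.7"}
    proxy, target = Proxy("proxy.example"), Target("target.example", key, zone)
    answers = [
        client_query("203.0.113.5", "example.com", key, proxy, target),
        client_query("203.0.113.9", "mail.example.net", key, proxy, target),
    ]
    return {"answers": answers, "proxy_log": proxy.log, "target_log": target.log,
            "joined": correlate(proxy.log, target.log)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it and compare the three views: the proxy log carries addresses and no names, the target log carries names and the proxy's address only, and `joined` is what either operator could reconstruct if handed the other's log. A real deployment keys the join on timing or message size rather than on a convenient blob id, but the lesson is the same.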
