[Cryptography] Apple's iCloud+ "VPN"

Paul Wouters paul at cypherpunks.ca
Wed Jun 23 10:38:13 EDT 2021


On Wed, 23 Jun 2021, Liam Ayr via cryptography wrote:

> Apple recently announced a new service that will become available with the next versions of MacOS and iOS, as long as you have a paid
> subscription to their iCloud service.  The press has widely (but not universally; CNN at least had a reasonable article) described this
> as an Apple VPN, but it isn't.  The full details aren't known yet

It's pretty clear at this point. Oblivious DNS with a two-step Tor-like
routing that obscures your IP from the target sites you are contacting
as coming from one of the CDNs. It uses:

- MASQUE https://datatracker.ietf.org/wg/masque/about/
- Oblivious DoH https://datatracker.ietf.org/doc/html/draft-pauly-dprive-oblivious-doh-06
- QUIC and HTTP/3

> There are some interesting tradeoffs.  The service only works in Safari, Mail, and a few other applications.

Just because the library calls for getting web pages in those programs
go through the proper apple network library API that adds the support
for this. It is expected to be extended later on.

> Mail is unrelated as far as I can see.

I think it refers to both the SMTP/IMAP TLS connections, as well as
mail content URI's.

> It's not clear if the API will be public for other browsers or applications to use.

AFAIK, it is. Eg when using the proper API to open a web page, it would
be covered. Currently, it covers any TCP and QUIC/UDP, and once MASQUE
defines IP proxying, it could theoretically be able to do raw IP as well.

> They are using ‘Oblivious DNS’. A technology co-authored by Cloudflare, Fastly, and Apple.

Yes, see the above linked internet draft.

> It essentially is an encrypted proxy.  The

> A big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node.  You can view this
> as a sop to the various on-line video providers, who insist on their geo restrictions; or you can view it as a concession to reality:

It can also be argued that it limits the exposure of the traffic. If
you always pick an entry and exit node on a different continent, you
always have to pass the transit, which can be much more closely monitored
than if you remain within the same local peering group.

> Still, interesting initiative and as said, moving the kind of relatively obscure stuff like that which Tor does to the mainstream with
> low friction ought to provoke some movement elsewhere.

:)

> If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for
> them to notice.

Possibly. Although I would more blame the content providers than the
video stream providers. It's the content people that have all their
weird geographic location based legal contracts for content
distribution.

> How this will interact with a VPN - especially with a VPN implemented in a middle-box rather than on the Apple device - is unknown.
> We'll see when it ships.

If the VPN is implemented in front of the apple device, it should be
irrelevant, other than changing the apparent location of the apple
device based on the NAT IP at the VPN exit point.

> In one move, Apple has taken onion routing from a specialized tool for hackers to something that will be in daily use on billions of
> devices.  It will be interesting to see how the rest of the industry responds.  (Rather than simply saying they do no logging, why
> don't VPN providers implement an onion router - perhaps partnering with other VPN providers - so that they simply have nothing to log?
> I'd expect to see that emerge sooner rather than later.)

A large part of VPN providers is censorship avoidance and geolocation
forging. Neither is covered by this new Apple service. These services
are mostly orthogonal.

Paul
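As an added illustration of the two-hop split-trust property Paul describes for Oblivious DoH (the proxy sees the client address but only an opaque blob; the target sees the query but only the proxy's address), here is a small simulation. It is example code written for this page, not Apple's implementation or the draft's reference code; it assumes an HMAC-SHA256 keystream as a toy stand-in for the draft's HPKE encryption, and all addresses and the DNS answer are constructed from RFC 5737 documentation ranges.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def toy_seal(key: bytes, nonce: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 keystream XOR: a toy stand-in for ODoH's HPKE, not a real AEAD.
    # Query and answer use different labels so a keystream is never reused.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class Target:
    # ODoH target resolver: holds the decryption key, sees queries, never client IPs.
    key: bytes
    seen: list = field(default_factory=list)

    def handle(self, src_ip: str, nonce: bytes, ciphertext: bytes) -> bytes:
        name = toy_seal(self.key, nonce, b"query", ciphertext).decode()
        self.seen.append((src_ip, name))
        answer = f"{name} A 192.0.2.10"  # constructed answer (TEST-NET-1)
        return toy_seal(self.key, nonce, b"answer", answer.encode())

@dataclass
class Proxy:
    # ODoH proxy (the CDN hop): sees the client IP and an opaque blob, holds no key.
    ip: str
    target: Target
    seen: list = field(default_factory=list)

    def handle(self, src_ip: str, nonce: bytes, ciphertext: bytes) -> bytes:
        self.seen.append((src_ip, ciphertext))
        # Forwarded from the proxy's own address, so the target never learns src_ip.
        return self.target.handle(self.ip, nonce, ciphertext)

def resolve(client_ip: str, name: str, proxy: Proxy, target_key: bytes) -> str:
    # The client encrypts to the target's key and only ever talks to the proxy.
    nonce = os.urandom(12)
    sealed_answer = proxy.handle(client_ip, nonce, toy_seal(target_key, nonce, b"query", name.encode()))
    return toy_seal(target_key, nonce, b"answer", sealed_answer).decode()

def run_demo() -> dict:
    # Constructed addresses: client in TEST-NET-3, proxy in TEST-NET-2 (RFC 5737).
    target = Target(key=hashlib.sha256(b"constructed-target-key").digest())
    proxy = Proxy(ip="198.51.100.1", target=target)
    answer = resolve("203.0.113.7", "example.com", proxy, target.key)
    return {"answer": answer, "proxy_saw": proxy.seen[0], "target_saw": target.seen[0]}
```

Running `run_demo()` shows the proxy's record holding the client address next to ciphertext, and the target's record holding the plaintext name next to the proxy's address; neither hop alone can link client to query.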

