[Cryptography] Apple's iCloud+ "VPN"

Lanlan Pan abbypan at gmail.com
Sun Jun 27 23:09:04 EDT 2021


Liam Ayr via cryptography <cryptography at metzdowd.com> wrote on Wed, 23 Jun 2021
at 1:56 PM:

>
> Apple recently announced a new service that will become available with the next versions of MacOS and iOS, as long as you have a paid subscription to their iCloud service.  The press has widely (but not universally; CNN at least had a reasonable article) described this as an Apple VPN, but it isn't.  The full details aren't known yet but the description makes it clear that it's actually an Apple onion router.  The routing uses two hops; Apple provides the first, and "independent third parties" (not yet specified) provide the second.
>
>
> Apple says the intent is not anonymity (a central tenet of onion routing)
> but enhanced privacy.  To what extent provable anonymity is delivered is
> probably not yet known.
> The second hop, as far as reported tests have shown, is being provided by
> Cloudflare, Fastly and Akamai CDNs. So three of the main ones. Cloudfront
> being the notable omission.   The model is that the apparent source to the
> destination will be region specific.  Example of a connection using the
> relay from San Francisco will appear to the destination as somewhere in
> California.  I think technically this will be defined and constrained by
> the nearest edge node of the CDN.  Where I live none of those CDNs have a
> POP anywhere near me.
> Unknown but they might need to be aware of local regulatory restrictions -
> some destinations prohibited by law and ISPs are required to block them by
> some method.  Though realistically the laws are for the ISPs so another
> tricky area for Internet regulation.
>
>
> There are some interesting tradeoffs.  The service only works in Safari, Mail, and a few other applications.
>
>
> Mail is unrelated as far as I can see.  There’s certainly no mention of it
> from Apple. I can’t see how the design would actually work anyway.  Might
> be confusing it with Apple Private Mail, introduced a couple of years ago.
> When signing up to websites (like forums), there are now, in many places
> ‘sign in with Apple’, alongside ‘sign in with Facebook’, or Google, others.
> In Apple’s case you sign in to iCloud and have the option to create a
> fictional email address  like ‘<someRandomString>@privaterelay.appleid.com’
> so you can be contacted via email without revealing your actual address.
> You can have as many as you like and delete them when you start getting
> rubbish to them. Apple makes no comment regarding anonymity other than what
> the recipient sees.  Law enforcement asking for the real identity is
> presumably able to get Apple to tell them, for example.  Don’t know what
> other applications are part of Apple Private Relay.
>
more trackable

> It's not clear if the API will be public for other browsers or applications to use.
>
>
> The key information regarding any API for other points of developer
> interest are in two videos from the recent conference.
> The more specific information is in the more general session, here
> https://developer.apple.com/videos/play/wwdc2021/10085/
> The session dedicated to Apple Private Relay has, strangely, less
> technical detail. https://developer.apple.com/videos/play/wwdc2021/10096/
>
> As part of it, they are also doing some kind of "private" DNS; it's not clear if that routes through the onion layers, too, though it would make sense.
>
>
> They are using ‘Oblivious DNS’. A technology co-authored by Cloudflare,
> Fastly, and Apple.  It essentially is an encrypted proxy.  The first step,
> a number of years ago, in improving the privacy of DNS - an otherwise
> entirely plaintext protocol, was to use https (or TLS) between the client
> and the resolver.  This stopped eavesdropping but the resolver still knew
> what the request was and where it was coming from.  Oblivious DNS adds an
> extra hop in such a way as the resolver knows what the request is - so can
> answer it - but doesn’t know who the requestor is, while eavesdroppers can
> see the client is making a DNS request but don’t know what the request
> is, nor do they know which resolver is being contacted.  The solution is
> not onion routing. Relevant papers are
> https://odns.cs.princeton.edu and - more comprehensive  -
> https://blog.cloudflare.com/oblivious-dns/ It is a neat solution.
>
> [ …]
>
> A big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node.  You can view this as a sop to the various on-line video providers, who insist on their geo restrictions; or you can view it as a concession to reality:
>
>
> Yes.  My location has regulations that require ISPs to prevent access to
> some BitTorrent and file sharing sites.  ISPs have a choice of technology
> to do this as long as the content providers (movie studios, record
> companies) agree. One is to prevent DNS queries returning the right answer,
> instead resolving to a scary webpage that says naughty.  If iCloud Private
> Relay sends to a resolver such as provided by google or cloudflare or quad9
> then I don’t see how the interception by the ISP will be relevant. It is
> possible the public resolvers have to adhere to the regulations in the
> jurisdictions they operate, but unsure.  It isn’t obvious that Apple has
> thought of this.
>
> Still, interesting initiative and as said, moving the kind of relatively
> obscure stuff like that which Tor does to the mainstream with low friction
> ought to provoke some movement elsewhere.
>
> In general Cloudflare’s public statements in the last few years have been
> fairly positive about privacy.
>
> regards
>
> LA.
>
>
> If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for them to notice.
>
> How this will interact with a VPN - especially with a VPN implemented in a middle-box rather than on the Apple device - is unknown.  We'll see when it ships.
>
> In one move, Apple has taken onion routing from a specialized tool for hackers to something that will be in daily use on billions of devices.  It will be interesting to see how the rest of the industry responds.  (Rather than simply saying they do no logging, why don't VPN providers implement an onion router - perhaps partnering with other VPN providers - so that they simply have nothing to log?  I'd expect to see that emerge sooner rather than later.)
>
>                                                         -- Jerry
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
>
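The Oblivious DNS split described above (the proxy learns who is asking but not what, the resolver learns what is asked but not by whom) is easy to misremember, so here is an added working model of it. This is illustration code written for this archive page, not Apple's, Cloudflare's or the ODoH specification's code: the query is sealed to the target's X25519 key with AES-GCM under a toy SHA-256 key derivation (real ODoH uses HPKE), the "zone" and the IP addresses are constructed sample values, and the names `Target`, `Proxy` and `Resolve` are this example's own. Each hop records a `View` of what it could see, which is the point the thread is making.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// View records what one hop learns: the address a message arrived from and
// the query text (empty when the hop only ever sees ciphertext).
type View struct {
	From  string
	Query string
}

// Target is the resolver. It holds the long-term X25519 key clients encrypt
// to, so it can read queries, but it only ever sees the proxy's address.
type Target struct {
	priv    *ecdh.PrivateKey
	Seen    []View
	answers map[string]string // constructed toy zone standing in for resolution
}

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Target{priv: priv, answers: map[string]string{"example.test": "192.0.2.10"}}, nil
}

func (t *Target) PublicKey() *ecdh.PublicKey { return t.priv.PublicKey() }

// aead turns an X25519 shared secret into an AES-GCM key. Plain SHA-256 is a
// toy KDF used here instead of the HPKE key schedule real ODoH relies on.
func aead(secret []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg to targetPub. Envelope: ephemeral pub (32) || nonce (12) || ciphertext.
func seal(targetPub *ecdh.PublicKey, msg []byte) ([]byte, cipher.AEAD, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secret, err := eph.ECDH(targetPub)
	if err != nil {
		return nil, nil, err
	}
	g, err := aead(secret)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	env := append(eph.PublicKey().Bytes(), nonce...)
	return g.Seal(env, nonce, msg, nil), g, nil
}

// Handle is the target's side: it sees proxyAddr as the sender, decrypts the
// query, and returns the answer sealed under the same session key with a
// fresh nonce (nonce reuse under one GCM key would be fatal).
func (t *Target) Handle(proxyAddr string, env []byte) ([]byte, error) {
	if len(env) < 44 {
		return nil, errors.New("short envelope")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env[:32])
	if err != nil {
		return nil, err
	}
	secret, err := t.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	g, err := aead(secret)
	if err != nil {
		return nil, err
	}
	q, err := g.Open(nil, env[32:44], env[44:], nil)
	if err != nil {
		return nil, err
	}
	t.Seen = append(t.Seen, View{From: proxyAddr, Query: string(q)})
	ans, ok := t.answers[string(q)]
	if !ok {
		ans = "NXDOMAIN"
	}
	rn := make([]byte, g.NonceSize())
	if _, err := rand.Read(rn); err != nil {
		return nil, err
	}
	return g.Seal(rn, rn, []byte(ans), nil), nil
}

// Proxy sees the client address and an opaque blob it cannot decrypt.
type Proxy struct {
	Addr string
	Seen []View
}

func (p *Proxy) Forward(clientAddr string, env []byte, t *Target) ([]byte, error) {
	p.Seen = append(p.Seen, View{From: clientAddr}) // Query stays empty: no plaintext here
	return t.Handle(p.Addr, env)
}

// Resolve runs one query client -> proxy -> target and decrypts the reply.
func Resolve(clientAddr, name string, p *Proxy, t *Target) (string, error) {
	env, g, err := seal(t.PublicKey(), []byte(name))
	if err != nil {
		return "", err
	}
	reply, err := p.Forward(clientAddr, env, t)
	if err != nil {
		return "", err
	}
	ns := g.NonceSize()
	if len(reply) < ns {
		return "", errors.New("short reply")
	}
	ans, err := g.Open(nil, reply[:ns], reply[ns:], nil)
	return string(ans), err
}

func main() {
	tgt, _ := NewTarget()
	p := &Proxy{Addr: "198.51.100.1"} // constructed proxy address
	ans, err := Resolve("203.0.113.7", "example.test", p, tgt)
	fmt.Println(ans, err)
	fmt.Printf("proxy saw  %+v\n", p.Seen) // client address, no query
	fmt.Printf("target saw %+v\n", tgt.Seen) // proxy address, plaintext query
}
```

Running it shows the proxy's view holds the client address with an empty query and the target's view holds the query with only the proxy's address, which is exactly why collapsing proxy and target into one operator would give that operator both halves again.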