[Cryptography] Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Mon Jun 28 03:27:32 EDT 2021
> On Jun 28, 2021, at 5:09 AM, Lanlan Pan <abbypan at gmail.com> wrote:
> They are using ‘Oblivious DNS’. A technology co-authored by Cloudflare, Fastly, and Apple.

Neither of these statements is correct.

They’re using ODoH, not ODNS.

ODNS was authored by Anne Edmundson, with Paul Schmitt, Allison Mankin, and Nick Feamster.  None of them are associated with Cloudflare, Fastly, or Apple.

> The first step, a number of years ago, in improving the privacy of DNS - an otherwise entirely plaintext protocol, was to use https (or TLS) between the client and the resolver.

The first (and sufficient) step was TLS.  HTTPS came later, as a significant privacy and net-neutrality downgrade.

> This stopped eavesdropping but the resolver still knew what the request was and where it was coming from.

…which means that it didn’t stop eavesdropping, it just reduced the number of parties to the eavesdropping, which consequently vastly increased the monetization value of the data for the parties which now possess a scarcer resource.  Reduction is good but, as you point out, its incompleteness was why ODNS was conceived.

> Oblivious DNS adds an extra hop in such a way that the resolver knows what the request is - so can answer it - but doesn’t know who the requestor is.

That is only true in the case in which the “target” or exit node is not also a CDN and party to subsequent web transactions which invariably contain authentication / login / cookie / fingerprint information.

If the target / exit node is operated by a CDN, ODNS and ODoH are worse than useless, and provide only a false sense of privacy.

> My location has regulations that require ISPs to prevent access to some BitTorrent and file sharing sites.  ISPs have a choice of technology to do this as long as the content providers (movie studios, record companies) agree. One is to prevent DNS queries returning the right answer, instead resolving to a scary webpage that says naughty.  If iCloud Private Relay sends to a resolver such as provided by google or cloudflare or quad9 then I don’t see how the interception by the ISP will be relevant.

Cloudflare has reportedly already complied with content-based blocking requests via their DNS last year (though their case was more clear-cut: the infringing torrent site was their paying customer), and Quad9 is currently fighting an injunction which would force blocking of unrelated domains.

> It is possible the public resolvers have to adhere to the regulations in the jurisdictions they operate, but unsure.

Google and Cloudflare for commercial reasons.  Quad9 may be forced to, to avoid jail time for its board.

> It isn’t obvious that Apple has thought of this.

The relevant parties at Apple are aware of this.

> Interesting initiative and as said, moving the kind of relatively obscure stuff like that which Tor does to the mainstream with low friction ought to provoke some movement elsewhere.

For better or worse, yes.  I’m not sure people recognize just how much this will affect performance, though.  It’s not pretty.  Regular Tor users know what I’m talking about; this isn’t particularly better.

                                -Bill
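The two-hop split the thread argues over (the proxy sees who is asking but not what, the target sees what is asked but not by whom) and Bill's caveat about a target that is also the CDN serving the site, as an added toy model. This is not code from the thread, from Apple, Cloudflare, Fastly or Quad9, and not an ODoH implementation: the `Sealed` envelope stands in for the HPKE encryption ODoH performs to the target's published public key, the zone data, addresses and cookie are constructed, and the correlation rule in `link_by_hostname()` (same hostname, next connection within a short window of logical time) is an assumed, deliberately simple adversary model, not a description of what any operator does.

```python
"""Toy model of the ODoH information split and of the CDN-as-target caveat.

Added example; not from the thread and not any operator's implementation.
Sealed stands in for HPKE to the target's public key; link_by_hostname()
is an assumed toy correlation rule."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sealed:
    """Query or answer encrypted to one recipient.  Anyone can see who it is
    for; only that party may read the body (enforced in Target.open).  In
    real ODoH this is an HPKE ciphertext; here the body is just carried."""
    recipient: str
    body: bytes


@dataclass
class Proxy:
    name: str
    seen: list = field(default_factory=list)  # everything this party observes

    def relay(self, client_ip: str, env: Sealed, target: "Target") -> Sealed:
        # The proxy learns the client's address and which target it talks to;
        # the query name is inside an envelope it cannot open, so it logs None.
        self.seen.append({"src_ip": client_ip, "target": env.recipient, "qname": None})
        return target.resolve(src=self.name, env=env)


@dataclass
class Target:
    name: str
    zone: dict                 # constructed answers, see ZONE below
    seen: list = field(default_factory=list)
    clock: int = 0             # logical time for the events this party logs

    def open(self, env: Sealed) -> bytes:
        if env.recipient != self.name:
            raise PermissionError(f"{self.name} cannot open mail for {env.recipient}")
        return env.body

    def resolve(self, src: str, env: Sealed) -> Sealed:
        qname = self.open(env).decode()
        # The target learns the query, but the only source address it sees is
        # the proxy's.  This is the privacy property ODoH is meant to provide.
        self.clock += 1
        self.seen.append({"t": self.clock, "src_ip": src, "qname": qname})
        answer = self.zone.get(qname, "NXDOMAIN")
        return Sealed(recipient="client", body=answer.encode())


class CdnTarget(Target):
    """A target whose operator also fronts the web sites it resolves."""

    def serve_https(self, conn_ip: str, host: str, cookie: str) -> None:
        # The web front end sees the connection and its session cookie.
        self.clock += 1
        self.seen.append({"t": self.clock, "src_ip": conn_ip, "host": host, "cookie": cookie})

    def link_by_hostname(self, window: int = 2) -> list:
        """Assumed toy rule: join each oblivious query with the next HTTPS
        connection to the same hostname arriving within `window` ticks."""
        links = []
        for q in (e for e in self.seen if "qname" in e):
            for c in (e for e in self.seen if "host" in e):
                if c["host"] == q["qname"] and q["t"] < c["t"] <= q["t"] + window:
                    links.append((q["qname"], c["cookie"]))
                    break
        return links


def odoh_query(client_ip: str, qname: str, proxy: Proxy, target: Target) -> str:
    """Client side: seal the query to the target, send it via the proxy."""
    env = Sealed(recipient=target.name, body=qname.encode())
    reply = proxy.relay(client_ip, env, target)
    return reply.body.decode()       # the client opens the reply sealed to it


# Constructed sample zone and addresses (documentation ranges).
ZONE = {"example.com": "192.0.2.10", "forum.example.net": "192.0.2.20"}


def plain_target_views():
    """Independent proxy and target: returns (answer, proxy view, target view)."""
    proxy = Proxy("relay.example")
    target = Target("odoh.example", ZONE)
    answer = odoh_query("203.0.113.7", "example.com", proxy, target)
    return answer, proxy.seen, target.seen


def cdn_target_views():
    """Target that is also the CDN: the oblivious query is linked to the
    user's session by the page load that follows it."""
    proxy = Proxy("relay.example")
    cdn = CdnTarget("cdn.example", ZONE)
    odoh_query("203.0.113.7", "forum.example.net", proxy, cdn)
    # The same user then fetches the site through the same CDN.  The egress
    # address differs (as it would behind a relay) but the cookie does not.
    cdn.serve_https("198.51.100.9", "forum.example.net", cookie="session=alice")
    return cdn.link_by_hostname()


if __name__ == "__main__":
    print(plain_target_views())
    print(cdn_target_views())
```

In the first run the proxy's log holds the client address and no name, and the target's log holds the name and only the proxy's address; in the second, the target's own web logs let it attach a session cookie to the query it was supposed to be oblivious to. The toy joins on hostname and arrival order only; anything else the web transaction carries (login, fingerprint, TLS session data) only makes the join easier.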
