iCloud Private Relay is one of the coolest things to happen in privacy and network encryption in a while. I'm going to update this thread as I learn more about it. Early impression: Overall it looks great, but I can see a few gotchas too.
There are two WWDC21 talks online about it already. The first is a general overview, so it's not too detailed, but it's well crafted.
developer.apple.com/videos/play/ww…
The second has more detail, skip to 24:30 for the private relay section: developer.apple.com/videos/play/ww…
At a high level: Private Relay is like a smaller version of Tor and it uses a simple kind of onion routing. Your iPhone sends an encrypted DNS request or connection to an oblivious ingress proxy. That ingress proxy can see your IP address, but not the details of your request.
Then your DNS request or connection is forwarded to an egress proxy. That proxy can see the website you're accessing, but it doesn't know your IP address. Neither proxy gets to see your actual HTTP requests or connection level data, that's still end-to-end.
Apple run one of the relays (the ingress proxy I think) and "a content provider" runs the egress proxy. Sounds like a CDN, but no announcement yet. Both of these proxies need huge and deeply-distributed global footprints to be effective.
Of the two relays, I think the egress proxy is more trusted because more tracking can be encoded into unique DNS names via server-side redirects and JavaScript tricks. It'll be interesting to see if anyone tries that.
Apple's explanations so far are about anonymizing IP location from websites. There's no mention of abuse or law enforcement. There's also no statement about not logging or not being able to recover the correlation. It's definitely not being pitched as a Tor, which is fine.
There's no mention of IPv6, but the example IP addresses in the more detailed talk are all documentation-and-example-prefix (nice touch!) IPv6 addresses, so good chance it uses IPv6 when possible, which gives a lot more space for address randomization.
Private Relay uses HTTP/3 QUIC over UDP/443 for comms between your device and the private relay network. I worry a bit that QUIC might not be entrenched enough to avoid getting blocked outright by networks who don't want this. It'll be interesting to watch the brinksmanship.
Today QUIC on UDP/443 is blocked on something like 5% to 7% of networks, which is a lot for something you want to work seamlessly. I'd have gone for TCP/443 but that's me!
The biggest gotcha so far might be the bad neighborhood problem. Whenever you share an IP address with a broad bunch of other people, you're going to run into abuse processes triggered by some of those other people.
Simple example: someone else gets their password to a website wrong enough times and that website might treat them like a bot, trigger Captchas or rate-limiting, maybe even reset your password because you came from the same IP.
Obviously I work for a competitor of sorts, but if this is true I'll be turning this off. As much as I like some of the cool things Cloudflare do, I do not trust how they manage security and privacy issues.
I'm still chewing on this slide, there's more in it than it appears. The server side connection shows a 518-length TLS hello message. Was that inside one of those 1292-byte QUIC datagrams? If so, that's neat, and maybe there's length-obfuscating padding?
If there's no length obfuscation, Private Relay will still be vulnerable to content fingerprinting. It's no worse than regular connectivity, but in theory the relay providers or someone in the path could still make really good guesses about what the website/content is.
The other gotcha, which is kind of the point actually, is that GeoIP lookups become more coarse, so a website's guess about where you are loses fidelity. Apple suggest using CoreLocation instead, but not everyone uses it.
Someone asked me about the blind signatures that are in the protocol: they are boring, which is good! Not enough detail to see how the chaining works, but I'd be surprised if it wasn't super well designed. Apple gets that stuff right.
Caught in the crossfire of all this is that those fun articles you sometimes see about a congressperson or senator's Wikipedia article being flatteringly edited from Congress's network will all go away.
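The two-hop split described above (ingress sees the client IP but not the destination, egress sees the destination but not the client IP) and the padding question raised about the 518-byte ClientHello inside 1292-byte datagrams can both be shown in a small simulation. This is an added example, not Apple's protocol, Apple's code, or anything from the thread: the cipher is a toy SHA-256 stream cipher with an HMAC tag standing in for the real TLS/QUIC layers, the pre-shared keys, the fixed 32-byte next-hop field and the 1292-byte frame size are assumptions, and the payload is a constructed stand-in for a ClientHello.

```python
"""Toy two-hop relay modelled on the thread's description of Private Relay.

Added example, not Apple's protocol or code. The cipher is a demonstration
stream cipher built from SHA-256 with an HMAC tag; a real deployment would use
TLS/QUIC. Keys are assumed to have been distributed to each hop out of band."""
import hashlib
import hmac
import json
import os

WIRE_SIZE = 1292          # assumption: fixed datagram size, taken from the slide mentioned in the thread
SEAL_OVERHEAD = 16 + 32   # nonce + HMAC-SHA256 tag added by seal()
HOP_FIELD = 32            # assumption: fixed-width next-hop name inside the outer layer
INNER_SIZE = WIRE_SIZE - SEAL_OVERHEAD - HOP_FIELD - SEAL_OVERHEAD  # padded inner plaintext size

INGRESS_KEY = os.urandom(32)   # assumption: pre-shared keys stand in for a TLS session to each hop
EGRESS_KEY = os.urandom(32)


def _keystream(key, nonce, n):
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Toy encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pad(msg, size):
    """2-byte length prefix plus zero fill, so every layer has one fixed size on the wire."""
    if len(msg) + 2 > size:
        raise ValueError("message too large for one datagram")
    return len(msg).to_bytes(2, "big") + msg + b"\x00" * (size - 2 - len(msg))


def unpad(frame):
    return frame[2:2 + int.from_bytes(frame[:2], "big")]


def client_build(dest, payload):
    """Wrap (dest, payload) for the egress, then wrap that plus the next-hop name for the ingress."""
    inner = json.dumps({"dest": dest, "payload": payload.hex()}).encode()
    for_egress = seal(EGRESS_KEY, pad(inner, INNER_SIZE))        # fixed size regardless of payload
    outer = b"egress".ljust(HOP_FIELD, b"\x00") + for_egress
    return seal(INGRESS_KEY, outer)                                # always WIRE_SIZE bytes


def ingress_handle(src_ip, datagram):
    """Ingress learns the client IP, the next hop and the (constant) length; nothing else."""
    outer = unseal(INGRESS_KEY, datagram)
    view = {"src_ip": src_ip,
            "next_hop": outer[:HOP_FIELD].rstrip(b"\x00").decode(),
            "wire_len": len(datagram)}
    return view, outer[HOP_FIELD:]


def egress_handle(src, blob):
    """Egress learns the destination and sees the ingress as its peer, never the client IP."""
    inner = json.loads(unpad(unseal(EGRESS_KEY, blob)))
    view = {"src": src, "dest": inner["dest"]}
    return view, bytes.fromhex(inner["payload"])


def relay(client_ip, dest, payload):
    """Run one request through both hops; return what each hop saw and what reached the server."""
    datagram = client_build(dest, payload)
    ingress_view, blob = ingress_handle(client_ip, datagram)
    egress_view, delivered = egress_handle("ingress", blob)
    return ingress_view, egress_view, delivered


if __name__ == "__main__":
    hello = os.urandom(518)  # constructed stand-in for a 518-byte TLS ClientHello
    iv, ev, out = relay("203.0.113.7", "example.com:443", hello)
    print("ingress saw:", iv)
    print("egress saw: ", ev)
    print("payload intact:", out == hello)
```

Two things to notice when running it: the ingress view never contains the destination and the egress view never contains the client IP, which is the separation the thread describes; and `wire_len` is 1292 whether the inner payload is 20 bytes or 518, because padding happens inside the egress layer before either seal, so neither hop nor an on-path observer can distinguish requests by length. Drop the `pad()` call and the datagram length tracks the payload, which is exactly the fingerprinting exposure the thread worries about.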
Thread by Colm MacCárthaigh (@colmmacc), unrolled from Twitter.