Web Excursions 2022-01-05
iCloud Private Relay Overview [PDF]
Introduction
Private Relay helps protect users from [] unwanted tracking
by ensuring the traffic leaving their devices is encrypted, and
by sending their requests through two separate internet relays
so that no single entity can combine IP address, location, and browsing activity into detailed profile information.
Using Private Relay
“Maintain general location” means that Private Relay will choose Relay IP addresses that map to a roughly city-level area consistent with where the user is actually connecting from.
This allows sites to use the Relay IP address to show accurate localized content.
“Use country and time zone” means that Private Relay will choose Relay IP addresses across a broader, more regional area to give added privacy.
Designed for Privacy
Private Relay is built on the principle that IP addresses that identify users need to be separated from the names of websites that users access.
Private Relay’s dual-hop architecture protects the privacy of users by separating
who can observe their IP addresses from
who can see the websites they visit.
Private Relay Dual-hop Architecture
The user’s device opens up a connection to the first internet relay (also known as the “ingress proxy”).
The software for the first internet relay is operated by Apple in locations around the world.
As the user browses, their original IP address is visible
to the first internet relay and
to the network they are connected to (e.g., their home ISP or cellular service).
However, the website names requested by the user are encrypted and cannot be seen by either party.
The second internet relay (also known as the “egress proxy”) has the role of
assigning the Relay IP address they’ll use for the session,
decrypting the website name the user has requested and
completing the connection.
The second internet relay
has no knowledge of the user’s original IP address and
receives only enough location information to assign them a Relay IP address that maps to the region they are connecting from,
conforming to the IP Address Location preference they selected in Private Relay settings.
The second internet relay is operated by third-party partners who are some of the largest content delivery networks (CDNs) in the world.
The system is designed to allow new partners to be onboarded
Different than a VPN: No single party has access to both the user’s IP address and the details of their browsing activity; does not allow users to represent themselves as connecting from a different country or region.
IP Addresses, Identity, and Location
The selection of Relay IP addresses is influenced by the user’s original IP address and IP Address Location setting preference.
the Relay IP addresses rotate over time and between sessions
The first internet relay uses a traditional geo-IP lookup to determine which geographic area best represents the user’s original IP address.
It then sends this information back to the user’s device in the form of a geohash (truncated to four characters, representing roughly an 800 km² area).
Geohash: a unique multi-character representation of a specific geographic location on earth. It subdivides the globe into a series of grid-like boxes, which get more precise based on the number of letters and digits.
If the user has selected “Maintain general location,” the user’s device will share the geohash information with the second internet relay.
If “Use country and time zone” is selected, geohash information is not shared and the second internet relay will select a Relay IP address
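What a four-character geohash actually reveals, as an added example (not part of the Apple overview or the original notes): a small geohash encoder/decoder plus an approximate cell-area calculation. The coordinates are constructed test values; the "u4pr" result is the first four characters of the standard geohash for that point, and the ~766 km² equatorial cell matches the "roughly 800 km²" figure above. The KM_PER_DEGREE constant and the flat-cell area formula are approximations chosen here, not anything the document specifies.

```python
# Added example (not from Apple's Private Relay overview): geohash encode/decode
# and the ground area of a truncated (four-character) geohash cell.
import math

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"
KM_PER_DEGREE = 111.32  # approximate km per degree of latitude (assumption)


def geohash_encode(lat, lon, precision=4):
    """Interleave longitude and latitude bits (longitude first), emit base32 chars."""
    lat_range = [-90.0, 90.0]
    lon_range = [-180.0, 180.0]
    bits = []
    use_lon = True
    while len(bits) < precision * 5:
        rng, value = (lon_range, lon) if use_lon else (lat_range, lat)
        mid = (rng[0] + rng[1]) / 2
        if value >= mid:
            bits.append(1)
            rng[0] = mid
        else:
            bits.append(0)
            rng[1] = mid
        use_lon = not use_lon
    out = []
    for i in range(0, len(bits), 5):
        chunk_value = 0
        for b in bits[i:i + 5]:
            chunk_value = (chunk_value << 1) | b
        out.append(BASE32[chunk_value])
    return "".join(out)


def geohash_decode(gh):
    """Return the bounding box ((lat_min, lat_max), (lon_min, lon_max)) of a geohash cell."""
    lat_range = [-90.0, 90.0]
    lon_range = [-180.0, 180.0]
    use_lon = True
    for ch in gh:
        value = BASE32.index(ch)
        for shift in (4, 3, 2, 1, 0):
            bit = (value >> shift) & 1
            rng = lon_range if use_lon else lat_range
            mid = (rng[0] + rng[1]) / 2
            if bit:
                rng[0] = mid
            else:
                rng[1] = mid
            use_lon = not use_lon
    return (tuple(lat_range), tuple(lon_range))


def cell_area_km2(gh):
    """Approximate ground area of a geohash cell (treats the cell as a flat rectangle)."""
    (lat_min, lat_max), (lon_min, lon_max) = geohash_decode(gh)
    mid_lat = (lat_min + lat_max) / 2
    height_km = (lat_max - lat_min) * KM_PER_DEGREE
    width_km = (lon_max - lon_min) * KM_PER_DEGREE * math.cos(math.radians(mid_lat))
    return height_km * width_km


if __name__ == "__main__":
    # Constructed sample point (Skagen, Denmark) used in many geohash references.
    gh = geohash_encode(57.64911, 10.40744, precision=4)
    print(gh, geohash_decode(gh), round(cell_area_km2(gh), 1), "km^2")
    print("equator cell:", round(cell_area_km2("s000"), 1), "km^2")
```

Truncating to four characters keeps only 20 bits (10 of longitude, 10 of latitude), so the cell is 0.176° by 0.352° wherever it is; its ground area shrinks toward the poles because the longitude span narrows, which is why the 800 km² figure is a rough upper bound rather than a constant.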
Exclusive IP addresses
The second internet relay has no knowledge of the user’s original IP address.
The Relay IP addresses used by Private Relay are not used or shared for any purpose other than to provide the Private Relay service.
[Such IP addrs are] published to the major geo-IP industry databases, and the entire list is posted publicly by Apple at: mask-api.icloud.com/egress-ip-ranges.csv
Websites and apps can continue to use existing location mechanisms, such as geo-IP mappings, to map the location provided by the Relay IP address.
Transport and Security Protocols
Connection proxying
Private Relay uses technology being developed by the MASQUE working group at the Internet Engineering Task Force (IETF).
Specifically, MASQUE is a way of using HTTP/3 and QUIC as secure proxying technologies.
Private Relay takes particular advantage of some features of QUIC to make proxying connections more efficient and secure.
multiplexes different streams of data; proxies unreliable datagrams
achieves great performance even in poor network environments
allows connections to easily switch between network interfaces (e.g., Wi-Fi and cellular networks)
To authenticate the proxies, devices validate the raw public key sent in the TLS handshake, and compare it to an expected value shared in an authenticated configuration separately.
Private Relay uses both the CONNECT and CONNECT-UDP methods in HTTP/3 to set up connections quickly.
DNS name resolution
To protect the privacy of DNS name resolution for all queries sent by the device and prevent such tracking, Private Relay uses Oblivious DNS over HTTPS (ODoH).
adds a layer of public key encryption, as well as a network proxy
only the user has access to both the DNS messages and their original IP address at the same time.
ODoH sends DNS queries through the first internet relay, so the DNS server cannot identify the user issuing a query. Each query itself is padded and encrypted
To ensure that DNS answers retrieved over ODoH are correct for the network that the device is on,
the device is able to learn its public IP address subnet from the first internet relay and
send that value in the encrypted query to the DNS server using the EDNS0 Client Subnet option.
Safari and unencrypted HTTP, which use connection proxying, do not need to first do ODoH queries.
They connect through the proxy using names instead of IP addresses.
Relay access and fraud prevention
Authorization is performed by presenting a valid, anonymous token based on RSA blind signatures.
These signatures are sent as one-time-use tokens to each proxy when establishing a connection
The proxies can validate the tokens with a public key to validate that the user is legitimate, without actually identifying the user.
Tokens and keys are rotated daily to ensure users have authenticated recently.
The proxies also perform asynchronous double-spend prevention to stop a token from being shared and used for fraudulent access.
For a device to connect to iCloud Private Relay, it must first be authorized.
Built-in fraud prevention
The combination of stable Relay IP addresses and fraud prevention is intended to provide websites with added trust when seeing connections from Private Relay users.
To mitigate abuse, rate limiting restricts how many tokens a user’s device can retrieve per day.
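The token flow described under "Relay access and fraud prevention" and "Built-in fraud prevention", as an added toy model (not Apple's code and not from the overview): an issuer that authenticates the account and enforces a daily quota but only ever sees blinded values, and a proxy that checks the RSA signature with the public key and refuses a token presented twice. The key (p = 61, q = 53, so n = 3233, e = 17, d = 2753) and the hashed-token-to-integer reduction are constructed for readability; the Issuer and Proxy classes, the quota value and the result strings are this example's own choices. A real deployment uses full-size keys, a proper padding scheme, and the daily key rotation the text mentions.

```python
# Added example (not Apple's implementation): one-time-use tokens from RSA blind
# signatures, with issuer-side rate limiting and proxy-side double-spend checks.
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: n = 61 * 53, phi(n) = 3120, e = 17, d = 17^-1 mod 3120.
N, E, D = 3233, 17, 2753


def token_message(token_id: bytes) -> int:
    """Map a random token identifier into Z_n (toy reduction for the tiny modulus)."""
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % N


def blind(m: int):
    """Client: hide m behind a random factor r coprime to n; return (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Client: remove r, leaving an ordinary RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


class Issuer:
    """Knows who is asking (account) and how often, but never sees the token itself."""

    def __init__(self, daily_quota: int):
        self.daily_quota = daily_quota
        self.issued_today = {}  # account -> count; reset with the daily key rotation

    def sign(self, account: str, blinded: int):
        if self.issued_today.get(account, 0) >= self.daily_quota:
            return None  # rate limited: too many tokens requested today
        self.issued_today[account] = self.issued_today.get(account, 0) + 1
        return pow(blinded, D, N)


class Proxy:
    """Knows only the public key; accepts each valid token exactly once."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token_id: bytes, sig: int) -> str:
        if pow(sig, E, N) != token_message(token_id):
            return "rejected: bad signature"
        if token_id in self.spent:
            return "rejected: double spend"
        self.spent.add(token_id)
        return "accepted"


def fetch_token(issuer: Issuer, account: str):
    """Client: mint a fresh token id, get it blind-signed, unblind; None if rate limited."""
    token_id = secrets.token_bytes(16)
    blinded, r = blind(token_message(token_id))
    blinded_sig = issuer.sign(account, blinded)
    if blinded_sig is None:
        return None
    return token_id, unblind(blinded_sig, r)


def demo():
    issuer = Issuer(daily_quota=2)
    proxy = Proxy()
    token = fetch_token(issuer, "user@example.test")  # constructed account name
    token_id, sig = token
    return {
        "first_use": proxy.redeem(token_id, sig),
        "replay": proxy.redeem(token_id, sig),
        "tampered": proxy.redeem(token_id, (sig + 1) % N),
        "second_token": fetch_token(issuer, "user@example.test") is not None,
        "third_token": fetch_token(issuer, "user@example.test") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is the split of knowledge: the issuer can tie a signing request to an account (and count requests for the rate limit) but never sees the token it signed, while the proxy can verify the token and stop replays without learning which account it was issued to. The double-spend set here is in-process; the text says the real proxies do this asynchronously across the fleet.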
Logging
proxy logs do not contain enough information to connect a user’s IP address or account information with their browsing activity.
The information logged by Private Relay contains no unique identifiers and is limited, [which notably include]
for the sole purpose of operating and improving the service
performance metrics
Private Relay system resource usage
fields related to anonymous token issuance are logged as a part of Private Relay’s fraud prevention and anti-abuse measures
iCloud account, software version, and request timestamp
Coverage and Compatibility
there are some cases where Private Relay may not be applicable, or the service may be unavailable
Private Relay is designed to provide clear status information and control to the user, and provide appropriate controls to enterprises and network operators that might require the ability to audit all traffic on their network.
Local and corporate network servers
Private Relay only protects connections on public internet servers,
while still allowing users to access local or private servers directly with Private Relay enabled.
If a proxy or ODoH server detects that a specific server name is not a public internet name,
it instructs the device to try to access the server directly over the local network.
the device will never allow direct connections to names that are on the DuckDuckGo known tracker list.
Private Relay will not attempt to proxy traffic that the device knows is specific to the local network
Cellular services: Multimedia Messaging Service (MMS), telephony services (XCAP), Entitlement Server access, tethering traffic, and Visual Voicemail [are ignored]
Enterprises and device management
If a device has a VPN installed, for either enterprise or personal reasons, traffic that goes through the VPN will not use Private Relay.
Similarly, a proxy configuration, such as a Global Proxy, will be used instead of Private Relay.
a management profile can be used to disable Private Relay on the device.
Custom DNS settings: An unencrypted DNS server provided by a local network or manually edited in Settings (iOS) or System Preferences (macOS) will not be used for iCloud Private Relay traffic.
Network settings: Users will be alerted that they need to either disable Private Relay for the network or choose another network.
The fastest and most reliable way to do this is to return a negative answer from the network’s DNS resolver,
preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic.