_-__--- on Oct 8, 2015, on: Verizon revives "zombie cookie" device tracking on...
Tor as an OS-level feature may not spark the best reaction. It's been given a bad name ("deep web," silk road, etc) in mass media and many people don't understand it enough to think of it as anything other than bad.
I think that it'd be cool to have, but I don't think that Apple would ever implement it.
jameshart on Oct 8, 2015
Agree, it's phenomenally unlikely, but then again there is a part of me which could actually imagine Apple doing something like it. They wouldn't use Tor, of course, they'd build a proprietary equivalent, and then come out on a black stage to 'introduce Apple Undercover, a revolutionary enhancement to personal network privacy and security'.
Your prediction of it being called Apple Undercover is significantly more 80’s though. And I like it.
So much so that I would accept Apple using something other than Helvetica this one time for a Miami Vice typeface and a Michael Knight and Kitt intro at WWDC.
I cannot stress enough that Hasselhoff needs to stay in character the entire time or the whole concept doesn’t work.
Hasselhoff drifts on to stage in KITT, jumps out, and tackles Tim Cook. They then get up, shake, laugh, and take turns explaining how iCloud+ VPN makes it look like everything you do online comes from Apple.
(a) There is pressure from many governments to give a backdoor for surveillance, or just to comply with subpoenas that are against human rights.
(b) Complying with local laws generates PR damage. It makes privacy and ethics as a brand strategy look disingenuous.
The solution is, of course, to build a truly secure system where Apple can't make backdoors. Those services may not be available in some countries, but then it's just a missing service, not a compromised system.
This is something Apple is increasingly working on. For example, in Fall 2020 they actually revised their CPU designs (including older CPUs) with a new Secure Enclave design that uses mailboxes to more securely store the number of authentication attempts inside the secure enclave.
The goal of this is to make it so that even if the FBI had an incident similar to 2016, Apple would not be able to fulfill their request to make a backdoor, and the FBI wouldn't be able to make a backdoor even if they had the power to sign and run any code they wanted on the phone.
That's how you make a secure system these days. You can't just make it secure to everyone but yourself and fight the government - you need to secure it from yourself as well.
That only works if you don't give control of the servers over to a third party and also use encryption on the servers. Which Apple has not been able to do across the board.
I’m not so sure. If you read back up that thread, the thought that triggered it was from qzervaas:
Apple's already shown they don't like this behaviour with their randomised MAC addresses in iOS 8+.
And elsewhere in the thread people called out the fact apple had already introduced support for ad blocking. So Apple’s privacy-positive posture was already in the air.
I think there is a sense in which privacy was already a differentiator for Apple in iOS (as contrasted with Google’s motives in android in particular of course) - so this did feel like a not completely implausible way they could go to double down on that differentiator.
Steve Jobs talking about this at D8 in 2010, and of course the privacy features he talks about were baked into the OS APIs from the start.
Apple's rift with Google over user data collection in Google Maps goes back to 2009 when Google held Apple to ransom for the user data in return for turn-by-turn directions. Apple refused and started building their own maps service, buying Placebase in July that year.
It's really not about privacy though, the insight needed (not that I'm saying it was easy to make this particular prediction) is that Apple is all about the Walled Garden. It can't be Tor because Apple doesn't own Tor, and so that's not inside the Walled Garden, whereas "Apple Undercover" even if it were functionally no better or worse than Tor, is magically blessed by the Apple branding. And Apple have been all about Walled Gardens for decades.
Tor has reputation problems. Lots of services block tor exit nodes because of all the abuse that comes from them.
By making it a feature for paying subscribers only, Apple probably hopes that their solution won't be interesting for criminals. (Apple will likely cooperate with law enforcement)
Don't. You should be proud. I have made numerous predictions that turned out to be right when everyone else was calling you crazy. You should enjoy the moment of victory. And I do remember reading your comment at the time, so it is great you linked it back.
Props to Apple for the design of this service. It doesn't hit all the privacy targets that long-time personal VPN users might be looking for, and it doesn't get into the game of trying to circumvent region locked content*, but otherwise it's likely to be a solid privacy improvement for almost all users in a careful and deliberate way.
I use a VPN for other reasons (downloading Ubuntu ISOs mostly) but I'll probably turn this on and leave it running on all my devices because of how transparent it appears to be. I trust Apple's onion-routing design more than I trust my VPN provider not to log things.
* I'm actually glad they don't try to get around region locks. I consume a lot of BBC content and live in the UK. I'm constantly struggling with my VPNs (with UK endpoints) being blocked because others outside the UK could be using them. It would be nice if the BBC didn't block like this, but UK residents do typically pay for the content whereas those outside the UK are unable to.
I mean, they're willing to work for ISPs doing torrent detection, which has been a scummy business from the start. Somehow, I would imagine they would be even less respected than the feds at defcon, since the feds actually do technically challenging things occasionally.
In a world where white noise[1], birdsong[2] and someone playing Beethoven on the piano[3] get copyright strikes/takedown notices - I don't think someone getting a copyright notice for downloading Ubuntu is that far fetched.
There's actually an album called Ubuntu. Quite possible some duncehead set up a bot to download all torrents with Ubuntu in the name and scrape the IPs.
Anecdote from my MSc year in 2003. In the dorm room I had a 10Mbps Internet connection via the University's network, which was quite amazing for the time. So among the real Linux ISOs, I torrented also the other kind of ISOs. At some point the Uni NOC reached out telling me that I was consuming lots of BW for torrents, which is against the policy, at which I replied that I download Linux ISOs and I'm happy to schedule it for after midnight, outside of peak hours. After some days I got a reply saying "please do so" from another guy who forgot to remove the quote from his previous colleague, which went something like "hey we have a problem with this guy's answer".
Thanks for clarifying. I've not encountered the use before, maybe because here in the Nordics piracy has been -is- very normalized.
The other reply told about a uni tale. I've heard about a similar story about someone torrenting actual Linux ISOs on university network. That resulted in a stern warning else the student would be barred from using the network and computers. Basically an automatic fail for future studies.
High availability (through mirrors) is still a good thing. My experience is that torrent files are sometimes a lot faster, sometimes less so. Just as mirrors.
Semi-related to this, but they do offer an option to pick between preserving your approximate location and using a broader location.
The example they gave in one of the sessions was, if you live in San José, with the first option you'll get an exit node near San José so you can still get local "content". With the second one, you could get an exit node in Los Angeles.
In practice in Europe, it looks a bit different. I do live in the north west of France, and with the first option I regularly get an exit node in the southwest of France (from Fastly), about 700km away (which is pretty fine by me).
With the second one however, I get exit nodes in Germany and the Netherlands (pretty much exclusively Cloudflare), which can become an issue with region locked content. I had the issue with Prime Video last week not offering me a tennis match for which they only bought rights in France.
Obviously it's still early and they might tighten the locations a bit outside of the US, but overall it's definitely quick and well thought out.
Last thing, all your traffic from Safari (and presumably some other Apple services? Still unclear), whether http or https, will be routed through it. Only http traffic from 3rd party apps (Firefox, curl etc) is routed through the relays, which I think is a pretty sensible default.
> It would be nice if the BBC didn't block like this, but UK residents do typically pay for the content whereas those outside the UK are unable to.
As an exiled Londoner, I would love to be able to pay to access BBC programmes. Unfortunately I can’t, so a VPN is often the only solution (well, I guess torrenting would be another one, but it’s not really better).
If only there was a way to store a user's information so that they could be identified with some sort of a login process that would indicate that they are a current valid member. It would also be impressive if this same system would allow the user to indicate that they are currently abroad to allow a temporary exemption of geofencing.
Obviously, this is something licensing agreements do not allow for, but it seems like such an obvious user friendly concept that it will never be allowed.
> but UK residents do typically pay for the content whereas those outside the UK are unable to.
In essence, what you're saying boils down to "it's already paid for, but nobody else can have it anyway". It's unreasonable and there is no need to make excuses for this behaviour.
It's generally down to the terms for content that networks (BBC in this case) buy licenses to. The IP owners don't want the networks to allow the whole world access to that content for the price that the network is willing to pay to show it to their region.
But also, and mostly, in reverse. The BBC is the producer and license owner of a ton of programming, and rather than offer that to the world for a subscription fee, they choose to offer it to select partners (previously mainly PBS, now Netflix and Amazon) for a licensing fee, or sometimes in a coproduction arrangement.
This is big money, up-front, with no need to build out a global delivery system or deal with millions of customers.
The BBC aren't allowed to. There are very strict terms in which the BBC can operate. So what they have to do is sell to subsidiaries like BBC America. And therein lies the licensing issues described in the GP's post.
This is one of those classic examples of something that looks really simple from an outsider's perspective, but once you have to deal with the details you realise it's anything but simple. And through no fault of the BBC either, I might add. Various commercial stations and news outlets have campaigned relentlessly to shut the Beeb down. It's a miracle the service is still operating, even if their hands are tightly tied.
More generally, geographic licensing maximizes revenue without damaging brand goodwill for the vast majority of customers, so pretty much everyone is going to do it.
Hell, I thought the practice would die (or at least slow down) when Netflix started transitioning away from syndicated TV and movies; this never happened. Netflix will totally geoblock their own shows so they can, say, release a cartoon on a weekly basis in Japan but in binge-watchable chunks in America.
You will continue to see anything more premium than a high-subscriber-count YouTube channel be geoblocked until and unless one of two things happens:
- Geoblocking gets so heinous that it starts to push people away from shows and services, beyond ordinary subscriber churn. This is unlikely - the US is the biggest market for a lot of this stuff, and that's a market full of people who have no desire to watch foreign media ahead of an official release. Hell, most of us don't even have passports, and think that you can just move to another country by asking politely.
- Some country or trading bloc gets enough of a bug up their butt about getting releases late that they start amending copyright law to ban the practice. AFAIK, I've heard Australia was considering banning region locked DVD players at one point; and that the EU was considering forcing online video providers to license content on an EU-wide basis.
Of all the streaming services, I have found Netflix to be the one that cares least about geoblocking. They appear to care on the outside to appease the production outlets, but on the inside they don't appear to block or discourage VPNs at all. Unlike the BBC, who actively, and aggressively, geoblock their content.
> The BBC is the producer and license owner of a ton of programming
The BBC is complete license owner of virtually zero programming. Almost all (as in 99.9%+) of their content uses substantial third party copyright works where the cost implications of selling internationally still apply (just the music rights alone will drive you mad, and it's far from uncommon for BBC content that is shown in the UK to have a different soundtrack to the internationally sold version to the likes of Netflix due to the licensing cost and complexity).
It is also worth noting that the BBC makes a lot less than people think, especially if you consider BBC studios to be a quasi-separate production entity now (which it is!).
Totally agree. I had no end of shit trying to watch BBC News channel from abroad. I'm a UK national, I own a house in the UK, I pay UK taxes, I pay your stupid TV licence fee, you're broadcasting live over 3 separate CDNs, just let me watch the fucking news. I eventually subscribed to an illegal IPTV service for that one sodding channel. I don't even need the other 17,000 channels. The BBC drove me to it.
Looked interesting, but is around double the price for around max 2 hours viewing per day, with no guarantee of supporting BBC streams. From experience I'll presume they know about this service and are actively blocking their subnet.
I'm paying around half the price for unlimited viewing of direct streams (no faffing with client protocols), which come transcoded for home and mobile usage.
The tenants wouldn't approve (they pay for elec and internet). Plus I'm away for twelve months, so no chance of onsite troubleshooting, physical reboots after power outages, etc.
So, you are saying that the TV license you are paying for is actually being used by the renters in the house you own. Is that a fair statement? That puts a bit of a different spin on it.
Due to the timing of things, I prepaid for ten twelfths of their residence. I didn't seek recompense as I knew I would be consuming one channel. I am unaware if the tenants use a TV.
It really hasn't already been paid for. For example, say you are a composer who wrote some music for a BBC series. You get paid more for something in wide release than for something released only in the UK.
> what you're saying boils down to "it's already paid for, but nobody else can have it anyway"
This is already paid for but the next show isn’t.
If the BBC were sold to the public as a soft dollar expenditure, it would be one thing. But it wasn’t. I’m not sure it could be in today’s Britain. Ignoring the freeloader problem threatens the support on which the BBC’s funding depends.
This is a debate with reasonable arguments on both sides.
Licensing issues aside, it would cost _additional_ money to actually serve all that content to a global audience (shipping bytes over the internet isn't free).
This is as much to do with their content license agreements as it is BBC being disinterested. For material the BBC licenses to distribute, they are limited to the UK, and content the BBC licenses to foreign TV presumably can't also be distributed to that same region. There is a service the BBC runs which allows those outside the UK to stream some content (https://www.britbox.com/us/).
I took a look at this, it seems the way it works is when you do a DNS lookup it does a lookup itself and rewrites the IPs before returning to you. It stores a mapping of client IP and rewritten IP to real IP and when it gets a request on the rewritten IP it looks up the original and proxies the request. Pretty cool, but I wouldn't trust it with anything unencrypted. It offers no privacy benefits.
Until a few months ago, I had never really used BitTorrent to do anything - save for about 20 minutes back in HS almost 20 years ago (!)
(I think I was running uTorrent on Windows, it was weird and I really didn't know how to use it.)
However, in order to "acquire" [this][1], torrenting was realistically the only sensible option I had. A direct download from the Internet Archive would have taken roughly 7 hours @ 100 Mb/s. The torrent file was done in an hour.
To my great surprise, the link isn't dead, so...yeah :)
13GB would take less than 20 minutes at 100Mbps. Regardless, I’m not sure why you only consider near instant downloads “sensible”. I often spent several days downloading things when I was younger.
Yes, 100Mbps is ~12.5 MB/s; however, when I initially tried the .mp4 link I found actual speeds to be much less (hence the hours-long wait I mentioned), so there's definitely throttling going on somewhere.
Also, don't count your chickens before they hatch. I remember downloading Flight Simulator 2002 mods over a 56K modem in my youth - anything over 10MB was a stretch - and I didn't actually have a broadband connection until I went off to college in 2005.
And here I was, still thinking Linux was "an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War".
PIA is owned in a weird structure I don't understand, in a jurisdiction where any legal agreements with my home country are, most likely, non-existent or untested. They also seem to have enormous amounts of money to spend on marketing or paying off torrent review sites.
Everybody recommends them, but all of these things make me uneasy.
FWIW, Mozilla VPN is based off Mullvad, which I've enjoyed for a year to download Linux ISOs and I've never had an issue with. Also they have one of the most anonymous setups (accept cash, crypto, no username or passwords or personal details required, you're just given a random account number you can add credit to).
NordVPN is oversubscribed crap.
PIA was founded by Andrew Lee, the big brain behind the current Freenode drama, with help of the infamous Mark Karpeles of Mt. Gox fame. I'd rather use something else.
Yeah I used them for years before they were bought so had a lot of trust then. With the recent Freenode issues I'm not sure if I'll renew, but they do seem like one of the few VPN providers that understands privacy and isn't trying to sell shady security-theatre with poorly justified arguments.
That would be an incorrect assumption. It's an onion that goes to Apple first and then to a variety of external vendors -- Fastly, Cloudflare, Akamai, and likely others.
I've been trying to point this out to people but YouTube personalities have a louder voice than anyone else so you end up with bad information.
Props to Apple for offering an (albeit low entropy) onion router on their own infrastructure. I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
I'd also really like to see Apple come clean about the iCloud backup encryption debacle. A lot of people are trusting it to be something it's not and it should really be clarified on-device what it is and is not before opting in.
It's why I only use my Apple ID for grabbing apps from the app store. I have disabled all the `cloud storage` features of iCloud. iCloud is a privacy nightmare.
I utterly agree that other direct-to-consumer options are in the same boat, but Apple is quite heavy-handed in its messaging about, well, messaging being encrypted and private and no-one (including Apple) being able to read your messages. That's only true if you don't back up to iCloud.
I would expect most people on HN to be aware of all of this of course but when you're so strongly selling your privacy protections as part of your brand, it's a pretty glaring window to leave wide open.
By that logic though, Google Drive, OneDrive, AmazonS3, they are all privacy nightmares. And you might agree, but Apple is hardly alone.
And like the article says, they didn’t want to poke the bear anymore. Of course the FBI has congressional friends. It is possible that Apple saw the risk of it backfiring and making things worse as too great.
Google does end-to-end encryption of Android backups. And Apple knows how to do it too, but they intentionally restricted their implementation to only cover backups of Keychain passwords and a few other things, apparently because they don't have the courage to stand up to the FBI, according to Reuters. Strange considering their public stance against the FBI in the San Bernardino case and on privacy issues in general. Especially since iCloud backup totally defeats the highly touted end-to-end encryption in iMessage.
Yes, backups, and Apple should get on that. However, your photos in Google Photos, your location data, your uploads in Google Drive (equivalent to iCloud Drive OP is talking about), not end to end encrypted and no option for it.
I think market share is another sign. Does anyone use actual Android Backup, or do they use the unencrypted “backups” in G Photos and elsewhere? For that reason should the FBI care? Maybe I’m wrong but I believe actual Android Backup is much less used than iCloud and confusingly named alternative “backups” within Google apps.
Let's be really frank about it - no large company is going to offer end-to-end encryption of photos because of what kind of photos might end up on their infrastructure if they do. And honestly I don't blame them at all.
I'd just like to see Apple be more transparent with this one particular issue because it undermines so much of what they're advertising to the consumer.
A transparency label for iCloud backup showing what is and is not E2E before enabling would do. Most people (myself included) would be quite happy with photos being encrypted by an Apple-held key (I'm not worried about the police seeing my boring lunch pics, I just don't want photos of my kids being readily accessible to everyone else).
It should be made clear if they're offering E2E for some features that other settings will render it pointless is all I'm saying.
Are you really arguing that because child pornography exists, no large company should offer ETE photos?
Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?
And that photos present some of the most sensitive materials on your device:
- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time
- people's consensual sex tapes
- photos of passwords, account recovery codes, private keys, seed words
In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?
Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.
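An added example (not code from any commenter, from Apple or from any vendor): a toy of the client-side known-hash check discussed in the two comments above, a Bloom filter built over constructed placeholder digests. It shows the privacy property the earlier comment relies on (the client reports only a boolean, and the filter never exposes the digests), the point of this reply (the server has to trust a value the client computed), and that exact-hash matching misses even lightly modified files.

```python
import hashlib
import math
from typing import Iterable, Iterator

# Constructed example: a Bloom filter over SHA-256 file digests, the "client-side hash
# detection" idea from the thread. The "known" files are made-up byte strings, not real data.


class BloomFilter:
    """Bit-array Bloom filter keyed by byte strings."""

    def __init__(self, capacity: int, fp_rate: float) -> None:
        # Standard sizing: m bits and k hash positions for the target false-positive rate.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # k positions per item: SHA-256 over a counter prefix plus the item, reduced mod m.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        # No false negatives: every inserted item always matches. False positives are possible.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_known_filter(known_files: Iterable[bytes], fp_rate: float = 0.001) -> BloomFilter:
    """Server side: hash each known file and pack the digests into a filter the client can hold.
    The filter that ships to the client is only a bit array; the digests cannot be read out of it."""
    files = list(known_files)
    bf = BloomFilter(capacity=max(1, len(files)), fp_rate=fp_rate)
    for f in files:
        bf.add(hashlib.sha256(f).digest())
    return bf


def client_check(bf: BloomFilter, photo: bytes) -> bool:
    """Client side: hash the local photo and test it against the filter.
    Only this boolean would be reported, so the server never sees the photo, but the server
    also has no way to confirm that the client hashed the bytes it actually stores."""
    return hashlib.sha256(photo).digest() in bf


def false_positive_rate(bf: BloomFilter, trials: int, seed: int = 1) -> float:
    """Fraction of unrelated, deterministic pseudo-random photos the filter flags."""
    hits = 0
    for n in range(trials):
        fake_photo = hashlib.sha256(b"unrelated-%d-%d" % (seed, n)).digest() * 4
        if client_check(bf, fake_photo):
            hits += 1
    return hits / trials


def modified_copies_flagged(bf: BloomFilter, known: bytes, copies: int) -> int:
    """How many lightly modified copies of a known file (one trailing byte appended)
    still match. Exact-digest matching misses re-encoded or edited files."""
    return sum(1 for b in range(copies) if client_check(bf, known + bytes([b])))


# Constructed placeholder "known" files; a real list would hold digests, not files.
KNOWN_FILES = [b"placeholder-known-file-%d" % i for i in range(1000)]
KNOWN_FILTER = build_known_filter(KNOWN_FILES)

if __name__ == "__main__":
    print("filter size in bytes:", len(KNOWN_FILTER.bits), "hash positions:", KNOWN_FILTER.k)
    print("known file flagged:", client_check(KNOWN_FILTER, KNOWN_FILES[7]))
    print("false positive rate on unrelated photos:", false_positive_rate(KNOWN_FILTER, 2000))
    print("modified copies flagged:", modified_copies_flagged(KNOWN_FILTER, KNOWN_FILES[7], 50))
```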
Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).
So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.
The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.
Some politicians demand it, but I thought at least amongst tech, there's the recognition that strong, *unbreakable* encryption is important.
There's an implicit obligation to build services and technology that is resistant to abuse, but that isn't an argument to not implement ETE.
Thanks for the "how" - I guess if you fully control the client and server, there's some extra checks you could implement client-side based on the cryptographic root of trust.
FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.
In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.
> Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?
This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.
I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.
I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.
To the arguments above: Any processing server side implies no real E2E. Any processing client side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.
Absolutely every large company hosts an incredible amount of child pornography and abuse material.
Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.
Crime always exists. We shouldn't build a techno-totalitarian surveillance state just because crime exists.
"It is better that ten guilty persons escape than that one innocent suffer".
Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".
I don't understand this line of reasoning. Why should photo libraries not be end-to-end encrypted?
Are you suggesting that Apple or the government should be able to search your personal photo library stored in the cloud at any time because maybe you might have child porn in there?
I understand that companies need to scan groups and social features that are used for trafficking underage porn. But do we really need to snoop into the private libraries of innocent people just because they might have illegal material?
Having access to millions of people's photos is such a huge privacy risk that I can't think giving it up is worthwhile to make it slightly easier to catch a handful of criminals.
Any large company can offer E2E encryption, as long as they don't have extenuating interests that could make them liable for the way I use their services. Unless Apple is harvesting my data on the regular, they should have no problem with me being the sole keyholder for my iCloud account.
I think Apple would need to ship a different OS in China.
Cloud services offered there must store data in the country and be operated by Chinese companies. (Apple is complying with this)
But Chinese companies HAVE TO assist the authorities in obtaining systematic access to private sector data. (This is not possible with E2E for backups and photos)
Apple already does this. All Chinese iCloud data is stored in a mainland datacenter, completely owned and operated by their government. Similar setups exist in Russia and France, where Apple kowtows to local governments at any cost to turn a buck in their hometown.
Look at the Reuters article they linked. iCloud backup is the issue. Usage of iCloud backup and Android backup are probably very similar (in percentage terms), why would you expect that Android backup is used less? They are pretty much equivalent features, except that one is end-to-end encrypted and the other is not. In both cases, photos are handled separately.
iCloud E2E would be great, even if they offer it at double their current Storage price.
But I would be happy with iOS Time Capsule. Or even sell E2E Backup solution only with an iOS Time Capsule. Great way to increase their Services Revenue.
Nowhere in the linked site that I’ve been able to find does it explain clearly that iCloud backup undermines on-device encryption.
The point is that the deep compromises made inside iCloud Backup are hidden from the user and (at best) buried deep in technical documentation. So deep in fact that I can’t find any mention of it on that site at all.
Storing an essentially plain text copy of your entire phone on an Apple server is the default setting. You have to actively find the setting to enable the security feature (not having Apple give your data to any gov they want) by disabling another feature that makes no mention of security (backups). iOS is not safe.
OP is talking about the security of iCloud backups and that using this feature cancels out a lot of the end-to-end encryption that Apple talk about heavily in their marketing.
I have very little respect for Youtube personalities (thinking of LTT in particular) when it comes to talking about Apple in particular. They are so wedded to their "everyone, except us, is evil" perspective that their knee-jerk reaction to almost anything from Apple, privacy or otherwise is negative. (LTT spent the first bit trashing Apple for making marketing claims about the M1, instead of letting them do, then refused to back off when numbers backed up their claims, continue to trash anything with Apple and privacy, etc).
Apple is not without sin. If we get out of this entire epic lawsuit (another company not without sin) with consumers winning the ability to side-load, it's a win. But for the most part, Apple has a multi-decade history of usually working for customers in above-board ways, as opposed to Facebook, Googles and other(s).
I am running Apple's betas for iOS, iPadOS, and macOS right now. I really appreciate their implementing yet more privacy.
re: non-encrypted iCloud storage: I agree with you. I keep medical and financial data encrypted (e.g., their Pages app supports encrypting documents, and you can encrypt PDFs, etc.) but I would rather they did this for me. That said, for the 90% of my files that I would post on a street corner, I find iCloud storage across my devices is handy.
But how secure are encrypted Pages documents and PDFs? My understanding was that it is not useful against a determined attacker, and anyone able to access your iCloud will be in this category.
Apple won't come clean until they can sweep it under the rug like they did with the other debacles (see: keyboards). Being honest about those things undermines their "Apple knows best" image attempt.
> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
Apple already has all the friends they need in the "government circles". They're fully enrolled in PRISM and are well-known to kowtow to the demands of corrupt leadership (see: Russian iPhones, Chinese iCloud hosting).
Apple is “fully enrolled” in PRISM just like any other company with U.S. operations, because PRISM is the internal NSA source designation for material acquired via FISA warrants, and complying with FISA warrants is not optional.
You can't not comply with the government of a country unless you are a country. And the citizens of Russia and China would not appreciate that, because they actually like their governments, and don't care what you think.
> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
Quite the opposite. Governments probably already have taps to decrypted traffic.
Otherwise how come that would even be legal to run?
If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
> Otherwise how come that would even be legal to run?
Why wouldn’t it be? I was under the impression that what isn’t forbidden by law was legal by default. AFAIK, running a VPN platform isn’t illegal.
> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
I hate this argument. It’s lazy and can be used to accuse anybody in any context, and shut down discussions that we should be having. By that standard we are all accomplices for some crimes.
>I was under the impression that what isn’t forbidden by law was legal by default.
Even beyond that, personal privacy from the government is enshrined in the 4th amendment. Just because there was some executive actions and illegal laws made does not mean the 4th amendment suddenly disappears. No person or entity has the right to dragnet all communications.
I'm doing the opposite. Saying that the fed is actively engaging in illegal search and seizure is not ignoring the whistleblowers that brought the scope of the issue to light, it's acknowledging the issue.
The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.
It's an aspirational document in a largely lawless land, more a historical oddity than the supreme anything. If you wait for legislators and law enforcement to fix personal privacy, you've already lost... the US law enforcement culture is actively hostile towards individual rights because it makes their jobs harder. The only real difference to, say, China, is that we like to pretend otherwise. But the reality on the ground is that nobody on the grid has had meaningful privacy for decades now.
>The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.
IANAL but this sounds fundamentally wrong in every way I interpret it. The Constitution is a set of laws that cannot be contradicted by any other law, executive action, or judicial action, with the exception of an amendment.
> No person or entity has the right to dragnet all communications.
Indeed. And the fact that this is not recognised as a fundamental human right is a serious limitation of the charter and universal declaration. And yet, it comes up regularly.
By the same logic, I’m the taxpayer who paid to help build the highway that the drug kingpin used to get away during a high speed chase. I’m an accomplice now.
I’m the scientist who purified the water that the criminal used to get enough strength to run away. I’m an accomplice now.
> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
We have recent and specific case law around this. The cherry on top is it was Apple on the other side.
No, this is not how being an accomplice works in the U.S. It’s not how it works anywhere with the rule of law.
> The first assigns the user an anonymous IP address that maps to their region but not their actual location. The second decrypts the web address they want to visit and forwards them to their destination. This separation of information protects the user’s privacy because no single entity can identify both who a user is and which sites they visit.
Apple is not saying nobody can deanonymize you - they are being very careful to only state that no single entity can deanonymize you. Hence you should still assume this is not a good protection against any entity with subpoena power, or the ability to compel the cooperation of Apple and their 3rd-party egress relay providers.
That makes me wonder whether an analysis could be done over a long period of time to determine where in the region the user isn't, and thereby narrow down where the user is.
I'm curious what the details around the anonymous IP address assignment are. Protecting copyright holders seems to be the point of the IP assignment to not break content restrictions.
Are they able to assign a set for an entire country? If so, that doesn't narrow it down all that much. However, major league sports blackouts wouldn't work, so is it by city?
> It's not clear if the API will be public for other browsers or applications to use.
Apple has already confirmed that other app traffic will go through iCloud Private Relay “no matter what networking API you're using”, with some exemptions:
> Not all networking done by your app occurs over the public internet, so there are several categories of traffic that are not affected by Private Relay.
> Any connections your app makes over the local network or to private domain names will be unaffected.
> Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.
Not super familiar with 1.1.1.1, but I use NextDNS and it's no longer implemented as a VPN – they use the native iOS encrypted DNS feature. I wonder how iCloud Private Relay works with that.
> All in all, a very Apple approach: They deny themselves any knowledge of a customer's DNS queries and Web traffic, so if served with a subpoena they have very little to respond with.
Maybe I am missing something but I view this is a rather genius move. They have plausible deniability + actually introduce some protection for their users.
Not sure how to read the original post though. Is it praising Apple? Is it mocking them? We don't have to be polar of course, I am just wondering.
Apple has claimed this shtick several times (as well as many other VPN companies), but it actually requires a pretty intricate software setup to pull off. The best VPN services won't even have hard drives to store logs in: that way, even individuals with a court-issued warrant can't get your info. I'd imagine there's sufficient pressure on Apple from PRISM and other governments to keep some level of rudimentary logs.
(And if Apple has logs of which IP address accessed a resource from which egress provider at a specific time, that is often enough to do what most governments are looking for... such is the limitation of two hops, and why Tor has three. I truly hope Apple has designed their system to avoid logging anything about their ingress packet flows.)
> The best VPN services won't even have hard drives to store logs in: that way, even individuals with a court-issued warrant can't get your info
Courts can compel them to log this information, so all claims about not keeping logs are just theater. The second they're ordered to by a court in the US, they will.
IANAL as well, but your first line is definitely not true. A writ of mandamus is one of many such ways a court can compel behavior, though typically a tool of last resort.
Courts order individuals, businesses and officials to take actions as a matter of course: to stand trial, to comply with subpoenas, to adhere to a contract, to make restitution, and so on.
I am not deeply familiar with lawful intercept law and case law around national security letters (what little there is), but I would not gamble anything of value on the principle that courts cannot compel someone to take actions.
Let's assume that you are right, which I think is true. While courts cannot compel companies to do some things, they can certainly compel them to do things that are a normal part of business, like producing paperwork, or in this case, logging activity.
With an NSL, they could approach a company and require them to start collecting logs and also to not communicate about the new requirement, at which point a privacy-focused company's only choice would be to either comply or stop offering the VPN service entirely without saying why.
Without an NSL, the company would be free to communicate about why it was no longer offering the VPN service, or to announce that they were going to be logging from that point on, giving people an option to stop using the service if that's a problem for them.
But not having a hard drive in place currently, that prevents the courts from getting information about any activity before the court order or NSL is issued, as far as I can tell, which I guess is what those companies are counting on.
If the court did compel a VPN company to log compromising information, I'd imagine most companies would tell you. After all, you're just trying to be transparent to your consumers.
> I think this is great, if only as a way to kill the bullshit consumer VPN business, which sells snake oil.
Having a US megacorporation kill a whole market segment and pull it into their monopolized walled garden sure seems like an improvement. After all, they pinky promise they will not ever abuse that! /s
By this logic our computer operating systems would not improve, ever. Web browsers, built-in networking, music players, image editors, mail programs, even Solitaire - all things that at one time were separate market segments.
All of those products have been improved by COMPETITION. The most critical, most important and ONLY thing that makes modern capitalism work for non-rich human beings.
Every single field you mention was thriving when there were multiple players fighting over your money and have started to become exploitative and abusive as soon as one player killed the others and started rent-seeking. Competition is crucial for market economy to work.
I find it utterly bizarre that someone educated would think that a death of market by megacorp monopoly would somehow drive improvement.
Consumer VPN isn’t a market where competition is driving better products. All of the products are the same technically - it’s a trivial service to stand up. Sort of like a home security company… there are good ones, but most are garbage peddling FUD, especially fear.
The differentiation is purely marketing. Some VPN providers are basically grey market means to bypass TV blackouts. Others claim to be privacy focused, but are in fact the opposite. A few are actually privacy focused.
IMO, having megacorp(s) roll up the junk use cases actually drives meaningful competition by putting the lousy players out of business or driving consolidation in a crowded market.
VPNs mostly do what they claim, but they may or may not be government or marketing honeypots, and a lot of the sales pitches around hackers and privacy aren't as interesting in the days of HTTPS. Aside from piracy and bypassing region restrictions, you're just hiding your IP address, but those change often enough already.
>Preference falsification is the act of communicating a preference that differs from one's true preference. The public frequently conveys, especially to researchers or pollsters, preferences that differ from what they truly want, often because they believe the conveyed preference is more acceptable socially.
The reason why the VPN business is booming is to avoid those pesky content infringement letters, and to workaround geo restrictions.
OP is upset that they advertise themselves as privacy tools, but that's just marketing.
I find it funny that people here mistrust companies like Facebook and Google, but then turn around and hand off their entire network activity to a faceless, anonymous VPN company.
I think a lot of that distinction turns on how well your network data is linked to your identity. In the case of Mullvad, you can pay them anonymously by putting cash in an envelope and just mailing it to them,[1] which lowers the trust factor involved.
Doesn't a consumer VPN keep my ISP from building a data profile on me?
Yes, I get that now my VPN provider can build that data profile, but I am certain that my ISP is a vile monopoly that has corrupted the regulators that are supposed to represent me.
I have Sonic, so I trust my ISP more than a random VPN provider. Even if you have AT&T, they have a legal team that makes them provide a lot of opt-outs. I don't trust that they work, but there are a lot more eyes on them than a VPN provider.
Have you noticed all the ads say “Hackers can spy on your connection when you log into your bank at Starbucks.”
That’s complete FUD. HTTPS completely avoids this issue (especially with a bank). Very few websites use HTTP now.
While VPNs do have their valid use (preventing your ISP from spying, changing geolocation, and private networks for eg, work), most of the marketing is spreading misinformation.
I've seen stats for a couple of the biggest VPNs. Massive majority of their traffic is just switching geolocation restrictions (US Netflix and similar).
They don't tend to advertise that. Some do, but it's not their main message, because "prevent ISPs from spying" is cleaner.
iCloud+ does not solve this, so there will be a sustained need for VPNs, particularly those that invest effort into avoiding Netflix blacklists.
> “Hackers can spy on your connection when you log into your bank at Starbucks.”
I've also heard this from a reputable news source (NPR) in the past few years, even though it hasn't been true for banks for at least 15 years, ~5 for most websites.
This is true, but note that, for example, on iOS an application can't do that without prompting. Now, most people would probably hit “Approve” if one of their security products said it was necessary.
> Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.
A lot of browsers have their own root chain, and also now do certificate pinning, so will (IIRC) only accept specifically designated certs for particular sites (doesn't Google/Chrome/Gmail do this?).
That wouldn’t change that clicking the lock icon in your browser would show the same certificate on every website, and that this certificate was universally valid. Pretty obvious…
Not really, because, you can use on-demand certificate issuance.
Hell, if you really want to, you can even name your certificates the same as existing certificates and the only way to detect the forgery would be to compare the actual public keys (and who does THAT).
I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.
> I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.
Yeah, just imagine being beholden to some federal statute impropriety (easiest in taxes) and running one of these VPN organizations...
If and when browsers start requiring pre-certificate transparency logging, anything like this should no longer be possible to pull off, since none of the fake certificates would be able to contain a stapled pre-certificate "signoff" from a trusted CT log.
On the other hand, a lot of VPNs provide proprietary client software (even though all the major OSes have built-in support for the common VPN protocols such as IPSec, L2TP, etc) so they could very well sneak the root cert in there too.
You’re “protecting” yourself against Starbucks monitoring you by establishing a secure connection to a grey market entity with more of an interest in your activity.
So far, partners of Apple I’ve seen the service forwarding to are CloudFlare, Akamai, and Fastly. There may be more but those are the ones I’ve seen and heard.
Wait a second, didn't the Fastly breakage happen the day after WWDC? What are the chances that the one client was Apple and their config was for this service :)
My guess is one of the major reasons for having the exit nodes in the same geo location as entry nodes is to have continuous operations in China. Without this constraint, they would have allowed Chinese consumers to access the free web, which would ban them instantaneously.
I don't think Apple cares as much about video content providers, though.
That’s not the reason. In China, Myanmar, Egypt, and several other countries this service will not be available at all. Those customers will just have regular old iCloud.
A more likely reason is that video streaming services with georestrictions like Netflix, Amazon, or BBC would have lost their minds.
It wouldn't have been too hard to just implement this feature for Chinese customers if that was the only driver.
But I agree that making the exit node in the same country probably goes beyond video content providers, it avoids all sorts of potential legal, diplomatic and practical issues.
Apple has always given in to China's demands. A few years ago they even moved their entire Asian iCloud datacenter to the China mainland after the government issued some vague complaints about "nationalism" and "security".
This is interesting. I think overall I approve as it benefits people by default.
It does mean you now have to trust Apple since that's the first hop. However you're already doing this when you spin up your AWS Lightsail Wireguard instance, say. AWS can see ingress and egress traffic and so you just need AWS to not be part of your threat model. Same here. Though I don't see this as too much of a problem since it applies to devices and services where you've already made this explicit choice.
The app limitation thing is a shame and hopefully there will be an API at a later date.
The exit node choice based on exit-locality kinda makes me think Apple either:
- Want to restrict this service being (ab)used for geolocked content (Netflix etc)
- Want to speed up the service by providing the closest exit node (Performance)
Of course given all the FBI cases, you also have to consider other possibilities for the creation of this service.
Craig Federighi, on the most recent episode of The Talk Show with John Gruber [0] about 47 minutes into the episode, talked about this and I think both your assumptions are correct. For the first one I'm sure they didn't want to deal with the complexity of picking an exit location nor did they want to be a party to getting around geo-locking and so this gave them the best of both worlds, no UI and no issue with geo-blocking. For the second point I think that is also the reason as well as it's often helpful if a website knows your general location (For relevant recommendations, CDN routing, etc) but we'd prefer if the website didn't know exactly where we are coming from (IP-wise) which can be used for tracking/ads.
This is great. I hope this spurs Google to make their VPN (https://one.google.com/about/vpn) more widely available. A few audiences they could expand it to: any ChromeOS device, any Pixel phone, any Android phone, any mobile Chrome user, any Chrome user.
Because Google is definitely the most trustworthy company when it comes to data governance and respecting user privacy. No chance they'd use it to put you into a FLoC-type thing, benefiting their own advertising business while shutting out competitors.
Google, the engineering company, always plays second fiddle to Google, the advertising company.
I don’t trust google and apple equally. I trust google about the same level as comcast/etc.
apple having less advertising influence is more trustworthy, I think, in terms of privacy. don’t lump google in with them.
Meanwhile apple has many many anti consumer anti competitive policies so while I may trust my privacy with them more, I wouldn’t trust them to fight for my privacy rights in the long run.
I agree on the Apple, but not on Google. AT&T, Comcast, Verizon, Deutsche Telekom, British Telecom, NTT, etc. have spent the last 15 to 20 years being absolutely deskilled by people leaving for better jobs in the hyperscalers. If you’re worried about any telecom carrier looking at your traffic then all you need to do is make sure that encrypted client hello and DNS over HTTPS are used by the devices that you have. The products that they use to do deep packet inspection are all falling apart at this point and since they have no internal technologists they are busy asking vendors to fix it for them, and the vendors can’t fix it either.
Worrying about the carriers was really hot for a while especially post Snowden, but it’s really not a genuine threat.
They don't have an inherent conflict of interest the way Google does (advertising vs privacy in the same company). The App Store makes them plenty of money, and if anything, enhancing user "privacy" by limiting access of other adtech vendors only strengthens their walled garden and increases revenue. Even something like Fortnite or the Epic store... as long as they can dictate their entire stack from hardware to software (very much unlike Google + OEMs + third-party stores), they'll have a huge advantage over Google in terms of being able to limit your personal info being used by third parties, while still retaining it for their own use.
Another reason could also be that the servers operate in the same nation that you are from. If Apple or no suitable partner has servers in South Africa, that could also be a reason.
And, of course it could be politics. The South African government, I wouldn’t know, but it could be possible that they wouldn’t let tech companies from the US build servers in their nation.
Apple said it also will not offer "private relay" in Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda and the Philippines.
I hope it'll not bring captcha hell, as Google does for using VPNs. Twitter is simply blocking my VPN provider. eBay sends scary email every time I login.
This will come down to reputation. VPN providers which don't do a good job managing abuse from their networks get blocked a lot more readily than better run networks, and in this case they'd be able to make pretty strong assurances that they can link activity to a single user.
To use it you're clearly using early beta software. Clearly it isn't going to "turn itself on again".
I turned it on and actually forgot I did. Performance is decent here. I mean of course it's going to be worse than native, but that's the compromise.
As to trusting Cloudflare -- what do you mean? You understand your connection is still TLS end-to-end encrypted (presuming that's what we're talking about), right? I mean...presuming the site you're talking to isn't using Cloudflare SSL. In no way does this reduce that security. If you're talking about HTTP, well everyone in between can already see that.
> Clearly it isn't going to "turn itself on again"
Why is it so clear? An iPhone hotspot turns itself off as soon as a device disconnects, with no option to leave it on, presumably for security or battery reasons.
> To use it you're clearly using early beta software. Clearly it isn't going to "turn itself on again".
Of course I’m talking about the beta version. But I can assure you that once I found out that it interferes with internal DNS, I turned it off (it’s on by default on the current betas) and a day later it was back on.
That’s what I meant with “it turns itself on again”.
If you tap the wifi button in your control center it just turns it off for 24 hours or when you switch locations. If you turn it off in the Settings App then it stays off.
yeah, but even so, it’s one of these occasions where an os symbol has been altered to change behaviour without the user’s consent or control
it’s not quite as egregious, but it reminds me of how a lot of desktop apps now just minimise to tray rather than actually ending the process when you click the close button. discord is probably the worst offender for that, since it’s not (that I’m aware) a customisable behaviour
The control center wifi control always worked this way. It wasn't "altered", that is a primary feature of its functionality.
Apple gains nothing from your WiFi re-engaging. But many users do because, as another comment mentioned, people turn it off in control center because their connection is temporarily shit, or more likely just accidentally. Then they get to end of month and they have a monster cell overage.
Someone was using control center wrong (despite it very clearly indicating the use of the button). It's a learning experience.
Again, that’s not true. Control centre, or some incarnation of it, has been around at least since iOS 6. It just sounds like you haven’t used an iPhone for very long
In case you’re just entirely misunderstanding what we’re talking about, I’m referring to being able to turn off the wifi when you swipe up from the bottom of the screen. This has been a feature since I’ve used an apple device, which is since iOS 5 or 6. Whether it’s been called “control centre” or not is irrelevant. That’s not even what I referred to it as in my first comment.
> This breaks DNS resolution for company-internal domains.
Is this not the case for any VPN or proxying service? In fact, it could even be a security flaw if your internal domains were accessible on external VPN style endpoints?
Also it’s developer preview 1. People like the OP who gripe about bugs on such an unfinished product are the reason why Apple doesn’t make those first builds available to anyone but their registered developers for the first month.
I have of course reported the issues using the feedback app, but judging by previous experiences with other apple betas, I wouldn’t hold my hopes up of any of this getting fixed.
There’s value in talking about issues early as it allows admins of corporate networks to make adjustments to their infrastructure (like introducing split DNS rather than just having *.internal.example.com resolve to internal addresses) to be prepared for the eventual launch of this feature in September.
The root's observation is that it doesn't use the machine configured DNS. The overwhelming majority of VPNs also don't use the machine configured DNS. Maybe not "any", but if you're using a VPN you're generally going to want your DNS going over it as well.
But it is worth noting if you're on a corporate network, or if you use a DNS solution like NextDNS -- when you turn on PR those no longer play a part, at least to Safari traffic.
I use NordVPN. It specifically has an opt-in setting to use locally discovered DNS in favor of their in-network DNS. This is crucial since out-of-network DNS can leak activity.
I’m not sure what kind of network you believe I described, but would be useful to have a clearer explanation from you.
It is for any VPN client that routes DNS traffic through the VPN as well as HTTP and other web traffic. It's not out of the ordinary for this to happen.
Does it work like an https proxy (with CONNECT) or a socks proxy?
Because if it is instead actually unwrapping the connection somehow (eg. mitm) then they would be able to see the content, and that seems like a huge no-go -- both for the users, AND for apple as I would think it would open them up to liability.
note: they certainly would be able to see unencrypted http traffic regardless though.
Not sure why you said correct, as it's both. A big part of private relay -- I would say the most significant part -- is to allow people to talk to websites without giving up their personal IP (and from that pretty tight geolocation, and with fingerprinting a correlation with loads of other data they collect). Apple makes a big deal about it being about maintaining privacy, not just against snooping of traffic -- which is unlikely -- but against fingerprinting and targeting from the services and sites you connect to.
And to answer the original guy, no, Apple does not add any headers or details to tell the destination what your IP address is. They just see that they're talking to an exit node somewhere approximate to your general region.
So I seem to be completely missing... what is this actually for? What's the value proposition for the average consumer?
It doesn't replace a VPN into your company's or university's network (for accessing private resources).
It's not for accessing streaming TV in different regions.
HTTPS is already secure.
In theory it seems like it could be used for illegal torrent downloading, but given that Apple is in the media business, something tells me they'll do their best to block torrenting.
And for things like videoconferencing, it will almost certainly degrade performance to a degree (latency, bandwidth, or both).
The only thing left seems to be your ISP and/or coffee shop WiFi being able to track what IP addresses you communicate with. Instead, they don't, but Apple does. Is that really a benefit, or a benefit any average consumer cares about?
It provides VPN-style protection against your ISP and does also protect you against IP address tracking. This means you and people in your household have one fewer data point that links you.
NextDNS is encrypted DNS. DNS is like using your neighbor across the street for all your directions, except you have to shout.
"YO, WHERE'S THE GROCERY STORE AGAIN? ALSO AFTER THAT I'M VISITING THE STRIP CLUB, AGAIN."
NextDNS turns that shout into a signal/telegram message, to a different neighbor. There's still a neighbor involved, but at least the neighborhood doesn't get to hear anymore.
If they include DNS in the onion routing scheme, it turns into a game of telephone, where the neighbor doesn't know you anymore.
Correct me if I’m wrong, but as I understand it a two-hop onion network is still trivially breakable with (two) warrants, especially since both Apple and Cloudflare/etc., are US companies. Which would make it a VPN in the duck-type sense.
It depends, whether they do no logs. There are many VPN providers in the US which don’t have logs, so that if they are subpoenaed, they have nothing to give.
The beauty of Apple’s double hop is that if one partner was hacked, secretly wiretapped, or had lied about not keeping logs, your connection would still be private.
But, that assumes that nobody on this network is keeping logs. If they are, then it could be theoretically possible to piece them together. However considering Apple’s marketing with privacy, it would be interesting to see whether they keep logs on each endpoint or not.
> There are many VPN providers in the US which don’t have logs
Many claim they don't have logs, and my understanding is that it has been sometimes revealed that they do have logs. Also, how do you run a server without logs? Many think those claims are BS.
If they don’t clearly state ‘no logs’ then it's unlikely they are not logging. My bet is they’re logging everything, because they have no advantage in not logging.
To party 1: "Give us a netflow log of all of this user's traffic."
To party 2: "Give us a list of all outbound connections matching this netflow list of inbound proxying requests."
It would work the other way around as well (going from visited sites to a given Apple id). If you can monitor all nodes in an onion routing network, you can deanonymize everybody.
Well, here’s the catch. Even if logs were kept, the 2nd party as far as we know does not have a unique identifier passed onto it.
This means that Apple’s logs would say this user authenticated and passed some encrypted stuff to Fastly, and Fastly would say that it received requests from Apple, without an identifier to match it up against the first request.
Once this scales and Apple has millions of requests incoming, there will be no way to conclusively prove that two requests are the same.
In which case a double subpoena is again useless. And this assuming they keep logs - if they don’t keep logs, which is more likely, it’s even more useless.
This also aligns with something we currently know. Apple says they can’t see your requests. This implies that they just pass data along in an encrypted format to their partners. So all Apple does is make it so their partners don’t know your device, and the partners ensure Apple doesn’t know your request.
Ultimately, even if logs were kept, there would have to be a unique identifier of some sort that was passed on to the second server from the first server to break the system. You decide the odds that they did that. Sounds a lot like an IP Address, in which case why not just build a classic VPN?
Surely some "unique" identifier is required for each TCP session between Apple and the exit node so that Apple knows where to send the data it gets back, even if it's just the port on which Apple connects to the exit node as with standard TCP session management.
If Apple logged (incoming IP from user, outgoing port to exit node) pairs for each session, and the exit node logged all requests, this should be sufficient to associate all requests with a given user IP, right? Or am I misunderstanding you?
I wouldn’t expect them to log it, personally, I think that can only lead to headaches down the line. My reason for responding is just that I disagree that there is no way for another party to associate all requests even if Apple & exit node both fully cooperate and keep logs.
We are thinking about this the same way. Individual sessions don't do you much good, but there is traceability iff both parties keep complete logs. Which seems unlikely unless coerced.
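The two positions above (no identifier crosses the hops, versus the inter-hop connection itself being the identifier) can be made concrete with a small model. This is an added illustration, not Apple's, Cloudflare's or Fastly's code, and it uses an educational XOR keystream in place of real encryption and a bare port counter in place of real connection tracking; the IPs, destinations and keys are constructed. Each hop peels one layer and records only what it can see; `correlate` then attempts the join a double subpoena would attempt, and it only works when both sides kept the (client IP, port) and (port, destination) records.

```python
import hashlib
import json
from itertools import count

# Educational stream cipher (SHA-256 counter keystream). Only here so the toy
# hops can be shown peeling one layer each; it is NOT a real cipher.
def xor_keystream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Per-hop keys the client is assumed to have established beforehand (constructed).
INGRESS_KEY = b"ingress-key-constructed"
EXIT_KEY = b"exit-key-constructed"


class Hop:
    """A relay hop that can decrypt only the layer encrypted to its own key."""

    def __init__(self, name, key, keep_logs):
        self.name = name
        self.key = key
        self.keep_logs = keep_logs
        self.log = []  # what this hop would be able to hand over on request

    def record(self, entry):
        if self.keep_logs:
            self.log.append(entry)


def wrap(dest, request):
    """Client side: encrypt the request for the exit, then wrap that blob for the ingress."""
    inner = xor_keystream(EXIT_KEY, json.dumps({"dest": dest, "req": request}).encode())
    outer = json.dumps({"next": "exit", "payload": inner.hex()}).encode()
    return xor_keystream(INGRESS_KEY, outer)


def run_session(ingress, exit_hop, client_ip, dest, request, port_counter):
    """One request through both hops; returns what the destination site sees."""
    # Ingress learns the client IP and the next hop; the payload is opaque to it.
    outer = json.loads(xor_keystream(ingress.key, wrap(dest, request)))
    port = next(port_counter)  # outbound source port of the ingress->exit connection
    ingress.record({"client_ip": client_ip, "out_port": port, "next": outer["next"]})
    # Exit learns destination and request; its only source is ingress:port.
    inner = json.loads(xor_keystream(exit_hop.key, bytes.fromhex(outer["payload"])))
    exit_hop.record({"in_port": port, "dest": inner["dest"]})
    return {"source_seen": f"{ingress.name}:{port}", "dest": inner["dest"], "req": inner["req"]}


def correlate(ingress, exit_hop):
    """Join both logs on the inter-hop connection; empty if either side kept nothing."""
    by_port = {e["out_port"]: e["client_ip"] for e in ingress.log}
    return sorted(
        (by_port[e["in_port"]], e["dest"])
        for e in exit_hop.log
        if e["in_port"] in by_port
    )


def simulate(ingress_logs=True, exit_logs=True):
    """Run a few constructed sessions and return both hops with their logs."""
    ingress = Hop("ingress", INGRESS_KEY, ingress_logs)
    exit_hop = Hop("exit", EXIT_KEY, exit_logs)
    ports = count(40000)
    sessions = [  # constructed sample traffic
        ("203.0.113.5", "news.example", "GET /"),
        ("198.51.100.9", "shop.example", "GET /cart"),
    ]
    for ip, dest, req in sessions:
        run_session(ingress, exit_hop, ip, dest, req, ports)
    return ingress, exit_hop


if __name__ == "__main__":
    both = simulate()
    print("both keep logs:", correlate(*both))
    print("ingress keeps none:", correlate(*simulate(ingress_logs=False)))
```

Two properties fall out of the model: the ingress log never contains a destination and the exit log never contains a client address, so neither party alone can answer "who visited what"; and the join key is nothing more than the inter-hop connection, so the privacy of the design rests entirely on at least one side not retaining it.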
If your threat model includes state level actors, there is no commercially available solution that will make you 100% safe. This is about privacy from private corporations and making it more difficult and more costly for governments to get your data. But the latter is always possible when you use the web.
My personal threat model doesn't include state level actors, but if it did I would certainly differentiate between a solution that the NSA can break with some expense and one that my local police department can break with a warrant.
My actual threat model is advertisers, so I think the Apple solution is quite elegant and will serve me well. It shouldn't be conflated with TOR though.
You need lots of nodes to make it secure, performance is low even by VPN standards, and it’s dangerous to run a node. Unless you have some likely way to change one of those it’s going to be really hard to get volunteers – and payment is worse because most customers will expect better service.
The more nodes you have participating the more secure an onion system tends to be. Since the Tor network can carry most kinds of traffic, the motivation to avoid a fork is strong.
> The more nodes you have participating the more secure an onion system tends to be.
Tor isn't very large as it is, and (I would guess) it's the largest. If another onion routing network didn't grow the audience, you would have two even smaller networks.
> the Tor network can carry most kinds of traffic
Isn't Tor limited to routing TCP? That would rule out QUIC, for example.
I'm currently running the beta and this doesn't work on my router (provided by one of the largest ISPs in the UK). When I go to settings it displays a message that the router is unsupported by private relay. Hopefully it's something they can fix before launch but if not I wonder how many other routers are unsupported?
> or you can view it as a concession to reality: If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for them to notice.
I seriously doubt any reasonable video streaming service would cut off such a huge chunk of their user base just because they are using an iPhone.
So far the two different third parties I’ve seen are Cloudflare and Akamai. Has worked relatively well here, besides the fact that some bug has made it so it turns back on randomly, which isn’t a big deal.
I'm curious how they are securing the feature that keeps you in the same region. Since that feature encourages content providers to not block, it would be a desirable target to work around.
yeah I was thinking about how difficult it might be to spoof your location prior to the Apple Router, and have it come out the other side nicely laundered
A VPN is a middleman that accepts your traffic and forwards it, hiding who you are to servers. An onion router is like a VPN but instead of 1 middleman, the middleman is a whole random network of middlemen, and those middlemen also hand off to other middlemen.
What I don’t get is why people don’t regard Onion Routers as a form of VPN. It still uses a virtual private network, just more of them. A network of networks.
Surely TOR is a type of VPN?
Maybe there’s some details I’m missing. I’m no expert
Really mostly convention. Yes you could label it that way, but people consider it to be enough of its own thing to not do so. (+ there is some value in not conflating the two because they do have different threat models etc and users should treat them differently too)
Don’t forget that neither is a pure VPN, though that’s not always a bad thing — Private Relay is better than a VPN because onion routing means “no one party”[1] can correlate your connections and identity.
However WARP, being more like a VPN, requires you to trust Cloudflare to not log DNS lookups / the servers you connect to and associate that with your origin IP.
Why do I hesitate to call WARP a real VPN? It reveals your actual IP address to websites you visit via X-Forwarded-For. [2]
Also I think the fact that iCloud Private Relay will be built-in makes it more private than WARP — more users’ traffic will come out of each node.
[1]: Obviously this is imperfect because the Apple (which knows your IP) and third-party (which knows the network traffic) nodes will likely be in the same jurisdiction as each other, subject to the same laws, as mentioned by other commenters.
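To make the X-Forwarded-For point above concrete from the receiving site's side, here is an added example (not WARP's or Cloudflare's code) of how a site attributes a request to a client. It assumes, as the comment states, that the proxy appends the original client address to X-Forwarded-For, and it uses a constructed trusted-proxy address; the standard defensive rule is to walk the header from the right and ignore it entirely when the peer is not a known proxy, since any client can set it.

```python
import ipaddress

# Constructed: the site's own front proxy, the only peer whose XFF it trusts.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address the site will attribute this request to.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored.
    Otherwise walk the header right-to-left, skipping trusted proxies; the
    first untrusted entry is the client the proxy is vouching for.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr  # proxy forwarded nothing about the origin


if __name__ == "__main__":
    # Proxy that appends the origin address: the site learns the real client IP.
    print(client_ip("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}))
    # Relay that sends no such header: the site sees only the relay.
    print(client_ip("192.0.2.10", {}))
    # Untrusted peer trying to set the header itself: ignored.
    print(client_ip("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}))
```

The difference between the first two calls is exactly the difference the comment draws: a forwarding proxy that populates the header hands the origin IP to the site, while a relay that does not leaves the site with only the relay's address.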
Not being able to circumvent region locked content makes it only 50% useful for me unfortunately. I often end up using Epic browser which has a built in proxy from other countries to watch region locked content. I would recommend it for non-confidential stuff.
No. NextDNS and Pi-Hole serve DNS requests and are mainly used for ad blocking and content restrictions on your network. They don't tunnel or redirect your actual internet traffic the way a VPN does.
Just curious, are you on the free tier? Just wondering if 300k queries per month is sufficient for the average person. I have no reference to base that number on.
I was on the free tier but hit 300k requests in roughly 25 days. My primary smartphone, laptop, and parents' smartphones. Upgraded to NextDNS, happy customer for a year but jumped ship to pihole. Have two pihole devices on the Tailscale network. NextDNS was great. Checks all of my requirements. Just wanted to support open source software. I donate to pihole often instead.
I've also found that I still get creepily-targeted advertising, which is presumably based on IP. For example, I watched a youtube video in Firefox Focus on my iPhone. Later that day, I saw a youtube recommendation for a very similar video (on a topic that I do not ever engage with, except for the single video earlier that day) on my laptop, in Safari.
I use NextDNS on both devices. It's nice, but it's not a silver bullet.
More of Not Hosting it Myself. NextDNS is cheap enough and does the work really well. Part of my lifestyle simplification, especially when it comes to critical services.
Had a few instances where some websites do not work when ad scripts are blocked. I had to debug while traveling and my wife is not too keen on tinkering with the Raspberry Pis.
NextDNS has similar issues, lots of newsletter unsubscriptions just fail. For NextDNS, I can just ask my wife, "Click that Shield Icon and Disable for some time." For Mobile devices, "Open NextDNS and slide the Disable button."
i'm not the OP but I think it might be the issue with exposing pi-hole to the internet to access the dns outside of your home network. nextdns is cheap, i'm using it on all my devices, without the hassle to expose pi-hole to the internet.
I liked this little article as it reminds me of when the Web was still young and mainly just text with no formatting or graphics yet. Takes me right back to 1991!
Does this mean that all DDoS mitigation techniques need to exist before the exit node of this traffic? Which in turn means that everyone needs to outsource their DDoS mitigation to Apple.
Also the corollary would be, that anyone who is able to bypass the protection mechanisms Apple has in place to control DDoS, can use it to DDoS a service like Google, Microsoft and get the entire service banned for all iCloud+ users. Right?
Apple has sort of addressed this with only having it work with Safari and other apps that implement the API, rather than system-wide as something you can connect to. It’s probably going to take a lot of reverse engineering before hackers figure out the API and how to get third party devices to connect and authenticate, if at all. If you can’t get third party devices to connect, you are missing the first D in DDOS.
There is also almost certainly an authentication mechanism in place, even if you were to reverse engineer the API. You'd need a bunch of paid iCloud accounts to have a DDoS be at all feasible with this service.
Additionally, Cloudflare themselves, one of Apple's third party partners, offer DDoS protection services. Because they see all the exit traffic, they'd be able to detect the DDoS and block it.
sounds awesome! tor as a system service with a professionally managed network. beyond making ad tracking harder, i wonder what sorts of new application spaces this may open up. i can already think of one! (and no, it's not some shady illegitimate/illegal bs)
> A big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node. You can view this as a sop to the various on-line video providers
How could it be a "sop" to video services, isn't it exactly what they want, no more no less?
We were talking about video streaming services though, they usually require a log in, and in any case they’ll have a cookie so they know who you are.
Region locking is fine right, that’s exactly what Cloud+ provides, same thing with your third point.
As to the second one, I don’t know how big the simulated regions are but i suppose it will look like different houses at least. I’m sure netflix will think of something though.
> We were talking about video streaming services though
Were we? I read "on-line video providers," which could as easily be the BBC or YouTube as Netflix. It seems like your most recent comment is the first one to mention streaming.
I wish there was a non-dubious VPN service with an exit in a non GDPR country, or at least one with internet privacy. I rolled a strongswan VPN through AWS EC2 but all the egress points are in countries that can be exposed.
Isn’t iCloud+ “VPN” (Private Relay) just white-labeled Cloudflare Warp? Is “onion router” a new development or is Jerry overzealously inferring there’s more than meets the eye here?
Apple in a few months to VPN's: give us 30% share if you want to serve as exit node to Apple iCloud+ VPN.
Two part strategy as always:
1. Get yourself in between an already functioning system, by force if needed
2. Abuse your market position to gain millions of users, make it super easy to use this as default, and make existing players compete for their 70% share of what they already were earning.
This goes against my general distrust of giant corporations, but I trust Apple a lot more than I do the extremely shady VPN companies infesting the internet
A pretty decent overview of the scope of the product.
As mentioned in the video, the service also is involved if your app does HTTP over port 80, offering at least some marginal level of improvement. Otherwise it leaves your app traffic as is.
As to Mail, the linked comment mentions that but I don't remember it being a part of the solution (nor does it seem feasible that it could be). Apple offers privacy improvements in mail, but not via the private relay.
I don’t really mind paying a few bucks for privacy. But I think Apple in the process is gonna kill a lot of VPN providers. While I don’t care right now I hope it doesn’t make Apple a monopoly.
It won’t harm VPN providers, I don’t think, for a few reasons.
- VPNs are actually less private than iCloud+ double hop design, but could be much faster due to only having a single hop.
- Unlike a VPN, you can’t choose the location of the server you exit at, and the exit server cannot be in a different nation. If you are in the US, iCloud+'s relays are in the US. No circumventing georestrictions here.
- Apple does not market their service as a VPN and never said it is one. For most customers, they don’t know this is a VPN substitute because it doesn’t call itself one. So if you have “VPN” in your mind, this isn’t something you think of as an option.
All traffic in Safari goes through relay. However, in 3rd party apps, all traffic over 80 goes through relay and traffic over 443 is exempt. There is going to be an API though for if you want your 3rd party app’s 443 to go over the relay if you desire.
Everyone I know who uses a VPN doesn't really care about Privacy with a big P (i.e. state actors etc), they either use it to get around geo-blocks or to conceal their use of BitTorrent and maybe porn sites and this only seems to cover the last of those.
This could also mean now major companies security teams have even more incentive to track onion routing users and to check their pattern of traffic to ensure they are legitimate Apple users and not some tor user instead of just blanket-blocking every tor user. This could make tor less secure in the long term if more open source/closed source projects (NSA notwithstanding) are started and dedicated to analyzing and delayering tor traffic.
Potentially, this provides troves of data to the exit node operators (CloudFlare, Fastly, Akamai, ...). Yes, it's the same with all VPNs and ISPs, but I think users should be made aware that now instead of your ISP analyzing the data, an even bigger and more capable corporation is. And if Apple is controlling the entire onion chain (I would be surprised if they weren't), they have even more data available, mainly with a corresponding IP of yours. In the net sum, you are hiding the transmitted data from your ISP and the IP from the sites you visit, but you are handing over all this information to a centralized place - Apple and exit node providers. Potentially, they can use the information to connect the dots more easily and fully than any ISP or site ever could.
This is not quite correct though - entry side and exit side are specifically and intentionally not operated by same entities. So Apple knows who you are but doesn’t know what you’re looking for or where you’re going - your traffic is passed straight through to the exit layer. Exit layer operator knows what you’re looking for and where you are going but doesn’t know who you are or where you’re coming from.
https://news.ycombinator.com/item?id=10355868