Hacker News new | past | comments | ask | show | jobs | submit login
Apple's iCloud+ “VPN” (metzdowd.com)
898 points by n1000 on June 16, 2021 | hide | past | favorite | 399 comments



Interesting. I thought I recalled talking about this on HN previously:

https://news.ycombinator.com/item?id=10355868

    _-__--- on Oct 8, 2015 | parent | favorite | on: Verizon revives "zombie cookie" device tracking on...

    Tor as an OS-level feature may not spark the best reaction. It's been given a bad name ("deep web," silk road, etc) in mass media and many people don't understand it enough to think of it as anything other than bad.
    I think that it'd be cool to have, but I don't think that Apple would ever implement it.

        jameshart on Oct 8, 2015 [–]

        Agree, it's phenomenally unlikely, but then again there is a part of me which could actually imagine Apple doing something like it. They wouldn't use Tor, of course, they'd build a proprietary equivalent, and then come out on a black stage to 'introduce Apple Undercover, a revolutionary enhancement to personal network privacy and security'.


Your prediction of it being called Apple Undercover is significantly more 80’s though. And I like it.

So much so that I would accept Apple using something other than Helvetica this one time for a Miami Vice typeface and a Michael Knight and Kitt intro at WWDC.

I cannot stress enough that Hasselhoff needs to stay in character the entire time or the whole concept doesn’t work.


Hasselhoff drifts on to stage in KITT, jumps out, and tackles Tim Cook. They then get up, shake, laugh, and take turns explaining how iCloud+ VPN makes it look like everything you do online comes from Apple.


KITT & Siri start flirting.


He may sing in German as the musical guest they sometimes have at the end of the keynotes, but that’s as much flexibility as I’m willing to allow.


The Hoff MUST sing ‘Jump in my car’ for this to really land.

https://youtu.be/dm7jEA3frY4


Can William Daniels at least voice the car saying "one more thing" before throwing it to Hasselhoff?


> I would accept Apple using something other than Helvetica

At this point, Helvetica itself would give a retro feeling if used by Apple. They’ve been all in on San Francisco for several years.


Nobody goes there anymore. It's too crowded.

https://imgur.com/gallery/2eBXYnT


It's funny how here in 2021 I read 1984 San Francisco as being in sPoNgEbOb vOiCe.


Apple is in crossfire:

(a) There is pressure from many governments to give backdoor for surveillance. Or just comply with subpoenas that are against human rights.

(b) Complying with local laws generates PR damage. It makes privacy and ethics as a brand strategy look disingenuous.

The solution is, of course, to generate truly secure system where Apple can't make backdoors. Those services may not be available in some countries, but then it's just missing service, not a compromised system.


This is something Apple is increasingly working on. For example, in Fall 2020 they actually revised their CPU designs (including older CPUs) with a new Secure Enclave design that uses mailboxes to more securely store the number authentication attempts inside the secure enclave.

The goal of this is to make it so that even if the FBI had an incident similar to 2016, Apple would not be able to fulfill their request to make a backdoor, and the FBI wouldn't be able to make a backdoor even if they had the power to sign and run any code they wanted on the phone.

That's how you make a secure system these days. You can't just make it secure to everyone but yourself and fight the government - you need to secure it from yourself as well.


That only works if you don't give control of the servers over to a third party and also use encryption on the servers. Which Apple has not been able to do across the board.


That is only true as far as your on devices Data. They still have to provide everything they have on iCloud.


Wow props for quite a prediction. You definitely deserve some recognition for that one.


An even more impressive prediction in 2015, a time when Apple was not positioned as some type of savior of user privacy.


I’m not so sure. If you read back up that thread, the thought that triggered it was from qzervaas:

   Apple's already shown they don't like this behaviour with their randomised MAC addresses in iOS 8+.
And elsewhere in the thread people called out the fact apple had already introduced support for ad blocking. So Apple’s privacy-positive posture was already in the air.

I think there is a sense in which privacy was already a differentiator for Apple in iOS (as contrasted with Google’s motives in android in particular of course) - so this did feel like a not completely implausible way they could go to double down on that differentiator.


Steve Jobs talking about this at D8 in 2010, and of course the privacy features he talks about were baked into the OS APIs from the start.

Apple's rift with Google over user data collection in Google Maps goes back to 2009 when Google held Apple to ransom for the user data in return for turn-by-turn directions. Apple refused and started building their own maps service, buying Placebase in July that year.

https://www.youtube.com/watch?v=39iKLwlUqBo


If anyone's interested in reading more, here's an article which discusses why Apple switched from Google Maps:

http://allthingsd.com/20120926/apple-google-maps-talks-crash...


I actually wrote a deep dive on Apple’s pivot to privacy. https://saturation.substack.com/p/apple-facebook-and-the-glo...


It's really not about privacy though, the insight needed (not that I'm saying it was easy to make this particular prediction) is that Apple is all about the Walled Garden. It can't be Tor because Apple doesn't own Tor, and so that's not inside the Walled Garden, whereas "Apple Undercover" even if it were functionally no better or worse than Tor, is magically blessed by the Apple branding. And Apple have been all about Walled Gardens for decades.


Tor has reputation problems. Lots of services block tor exit nodes because of all the abuse that comes from them.

By making it a feature for paying subscribers only, Apple probably hopes that their solution won't be interesting for criminals. (Apple will likely cooperate with law enforcement)


Using Tor would be an insane choice for 99% of Apple users.

"Oh, let me turn on undercover... why is my bank online account suspended and my PayPal banned?"


I love the moments when you can point back to an old post and say, "called that!"

(No snark, I really do love it.)

Enjoy the moment, future seer.


Hey there, can I call you? I have some questions about the future!


No offense or anything but what’s the point of making this comment outside of showing that you were right? Good prediction.


(Fair question. I just found it amusing. I'm annoyed it got voted to the top. For substantive discussion, people should look down page)


Dont. You should be proud. I made numerous prediction that turns out to be right when everyone else is calling you crazy. You should enjoy the moment of victory. And I do remember reading your comment at the time, so it is great you link it back.


Props to Apple for the design of this service. It doesn't hit all the privacy targets that long-time personal VPN users might be looking for, and it doesn't get into the game of trying to circumvent region locked content*, but otherwise it's likely to be a solid privacy improvement for almost all users in a careful and deliberate way.

I use a VPN for other reasons (downloading Ubuntu ISOs mostly) but I'll probably turn this on and leave it running on all my devices because of how transparent it appears to be. I trust Apple's onion-routing design more than I trust my VPN provider not to log things.

* I'm actually glad they don't try to get around region locks. I consume a lot of BBC content and live in the UK. I'm constantly struggling with my VPNs (with UK endpoints) being blocked because others outside the UK could be using them. It would be nice if the BBC didn't block like this, but UK residents do typically pay for the content whereas those outside the UK are unable to.


> I use a VPN for other reasons (downloading Ubuntu ISOs mostly).

This made me smile. Good one.

For context, copyright trolls recently tried to extort torrent users for downloading and sharing Ubuntu ISOs.


If you want to give context, a link to the story would be nice:

https://arstechnica.com/gadgets/2021/05/fake-dmca-takedown-n...

Importantly, OpSec (the company doing this torrent-dmca-for-hire stuff) says the DMCA itself was spoofed

> OpSec Security’s DCMA notice sending program was spoofed on Wednesday, May 26, 2021, by unknown parties across multiple streaming platforms.


...who names their company "OpSec"? Are they actively wanting to be made fun-of at the next defcon?


I mean, they're willing to work for ISPs doing torrent detection, which has been a scummy business from the start. Somehow, I would imagine they would be even less respected than the feds at defcon, since the feds actually do technically challenging things occasionally.



The emails between pirate bay and web sheriff are pretty funny.

https://web.archive.org/web/20090105141217/http://static.the...

> We shall look forward to hearing from you.

We look forward to receiving more of your so exquisitely designed HTML e-mails with the shiny wanna-be-police-star.

https://web.archive.org/web/20081221100050/http://static.the...

> Dear Frederik,

>

> Hello.

Hi! Please, learn to quote properly in your e-mail messages. You can learn from how I do - I promise you that proper quoting is not patented.


Of course it was a false flag issue, it never made sense from the beginning.


In a world where white noise[1], birdsong[2] and someone playing Beethoven on the piano[3] get copyright strikes/takedown notices - I don't think someone getting a copyright notice for downloading Ubuntu is that far fetched.

[1] https://www.bbc.com/news/technology-42580523

[2] https://news.ycombinator.com/item?id=3637124

[3] https://news.ycombinator.com/item?id=27004577


There's actually an album called Ubuntu. Quite possible some duncehead set up a bot to download all torrents with Ubuntu in the name and scrape the IPs.

https://en.wikipedia.org/wiki/Ubuntu_%28album%29


"Linux ISOs" has been slang for a very long time:

https://www.urbandictionary.com/define.php?term=Linux+ISO&am...


Anecdote from my MSc year in 2003. In the dorm room I had 10Mbps Internet connection via the University's network which was quite amazing for the time. So among the real Linux ISOs, I tormented also the other kind of ISOs. At some point the Uni NOC reached out telling me that I'm consuming lots of BW for torrents which is against the policy, at which I replied that I download Linux ISOs and I'm happy to schedule it for after midnight, outside of peak hours. After some days I get a reply that please do so from another guy who forgot to remove the quote from his previous colleague which went something like "hey we have a problem with this guy's answer"

So yes, Linux ISOs is an old thing indeed


Thanks for clarifying. I've not encountered the use before, maybe because here in the Nordics piracy has been -is- very normalized.

The other reply told about a uni tale. I've heard about a similar story about someone torrenting actual Linux ISOs on university network. That resulted in a stern warning else the student would be barred from using the network and computers. Basically an automatic fail for future studies.


The sad thing is that actual Linux ISOs are so over-mirrored that using BitTorrent generally has no benefit and may be slower.


High availability (through mirrors) is still a good thing. My experience is that torrent files are sometimes a lot faster, sometimes less so. Just as mirrors.


> trying to circumvent region locked content

Semi-related to this, but they do offer an option to pick between preserving your approximate location and using a broader location.

The example they took in one of the sessions was, if you live in San José, with the first option, you'll get an exit node near San José so you can still get local "content". With the second one, you could get an exit node in Los Angeles.

In practice in Europe, it looks a bit different. I do live in the north west of France, and with the first option I regularly get an exit node in the southwest of France (from Fastly), about 700km away (which is pretty fine by me).

With the second one however, I get exit nodes in Germany and the Netherlands (pretty much exclusively Cloudflare), which can become an issue with region locked content. I had the issue with Prime Video last week not offering me a Tennis match for which they only bought rights for in France.

Obviously it's still early and they might tighten a bit the locations outside of the US, but overall it's definitely quick and well thought out.

Last thing, all your traffic from Safari (and presumably some other Apple services ? Still unclear) whether http or https will be routed through it. Only http traffic from 3rd party apps (Firefox, curl etc) is routed through the relays, which I think is a pretty sensible default.


> It would be nice if the BBC didn't block like this, but UK residents do typically pay for the content whereas those outside the UK are unable to.

As an exiled Londoner, I would love to be able to pay to access BBC programmes. Unfortunately I can’t, so a VPN is often the only solution (well, I guess torrenting would be another one, but it’s not really better).


If only there was a way to store a user's information so that they could be identified with some sort of a login process that would indicate that they are a current valid member. It would also be impressive if this same system would allow the user to indicate that they are currently abroad to allow a temporary exemption of geofencing.

Obviously, this is something licensing agreements do not allow for, but it seems like such an obvious user friendly concept that it will never be allowed.


BritBox is a neflix-like service that has UK shows from the BBC and ITV. Decent catalog.


BBC Select is another option for BBC documentaries if you have either Amazon Prime video or an Apple TV.

https://www.bbcselect.com/


> but UK residents do typically pay for the content whereas those outside the UK are unable to.

In essence, what you're saying boils down to "it's already paid for, but nobody else can have it anyway". It's unreasonable and there is no need to make excuses for this behaviour.


It's generally down to the terms for content that networks (BBC in this case) buy licenses to. The IP owners don't want the networks to allow the whole world access to that content for the price that the network is willing to pay to show it to their region.


But also, and mostly, in reverse. The BBC is the producer and license owner of a ton of programming, and rather than offer that to the world for a subscription fee, they choose to offer it to select partners (previously mainly PBS, now Netflix and Amazon) for a licensing fee, or sometimes in a coproduction arrangement.

This is big money, up-front, with no need to build out a global delivery system or deal with millions of customers.


The BBC aren't allowed to. There are very strict terms in which the BBC can operate. So what they have to do is sell to subsidiaries like BBC America. And there in lies the licensing issues described in the GPs post.

This is one of those classic examples of something that looks really simple from an outsiders perspective but once you have to deal with the details you realise it's anything but simple. And through no fault of the BBC either, I might add. Various commercial stations and news outlets have campaigned relentlessly to shut the Beeb down. It's a miracle the service is still operating, even if their hands are tightly tied.


More generally, geographic licensing maximizes revenue without damaging brand goodwill for the vast majority of customers, so pretty much everyone is going to do it.

Hell, I thought the practice would die (or at least slow down) when Netflix started transitioning away from syndicated TV and movies; this never happened. Netflix will totally geoblock their own shows so they can, say, release a cartoon on a weekly basis in Japan but in binge-watchable chunks in America.

You will continue to see anything more premium than a high-subscriber-count YouTube channel be geoblocked until and unless one of two things happens:

- Geoblocking gets so heinous that it starts to push people away from shows and services, beyond ordinary subscriber churn. This is unlikely - the US is the biggest market for a lot of this stuff, and that's a market full of people who have no desire to watch foreign media ahead of an official release. Hell, most of us don't even have passports, and think that you can just move to another country by asking politely.

- Some country or trading bloc gets enough of a bug up their butt about getting releases late that they start amending copyright law to ban the practice. AFAIK, I've heard Australia was considering banning region locked DVD players at one point; and that the EU was considering forcing online video providers to license content on an EU-wide basis.


> the US is the biggest market for a lot of this stuff

I have a funny feeling that a very large percentage of that market comes from VPNs. Everyone I know watches the US Netflix and we aren’t in the US.


of all the streaming services, I have found Netflix to be the one that cares least about geoblocking. they appear to care on the outside to appease the production outlets, but on the inside they don't appear to block or discourage VPNs at all. unlike the BBC who actively, and aggressively, geoblock their content


> The BBC is the producer and license owner of a ton of programming

The BBC is complete license owner of virtually zero programming. Almost all (as in 99.9%+) of their content uses substantial third party copyright works where the cost implications of selling internationally still apply (just the music rights alone will drive you mad, and it's far from uncommon for BBC content that is shown in the UK to have a different soundtrack to the internationally sold version to the likes of Netflix due to the licensing cost and complexity).

It is also worth noting that the BBC makes a lot less than people think, especially if you consider BBC studios to be a quasi-separate production entity now (which it is!).


GP wanted to watch BBC News in particular. I don’t think there’s any licensing issue with that, surely?


> GP wanted to watch BBC News in particular. I don’t think there’s any licensing issue with that, surely?

Ha! There's SO SO MUCH. More than you can imagine.


totally agree. I had no end of shit trying to watch BBC News channel from abroad. I'm a UK national, I own a house in the UK, I pay UK taxes, I pay your stupid TV licence fee, you're broadcasting live over 3 separate CDNs, just let me watch the fucking news. I eventually subscribed to an illegal IPTV service for that one sodding channel. I don't even need the other 17,000 channels. the BBC drove me to it


It may be worth looking at the AAISP L2TP Service[1].

They are a domestic ISP, so I guess iplayer should work over the service.

[1]: https://www.aa.net.uk/broadband/l2tp-service/


looked interesting, but is around double the price for around max 2 hours viewing per day, with no guaranty of supporting BBC streams. from experience I'll presume they know about this service and are actively blocking their subnet

I'm paying around half the price for unlimited viewing of direct streams (no faffing with client protocols) which come transcoded for home and mobile usage


Completely off-topic: great choice of name. That number is burned into my mind, and will be forever


To continue the off-topicness...

That number almost always works for store 'loyalty program' discounts too.

<local area code> 867-5309


especially at Jenny's Diner


Still more off-topic: I can only read it as 86-75-309


the joy of fitting 7 beats into a 4/4 signature


cheers ;)


Not running a vpn from your house?


the tenants wouldn't approve (they pay for elec and internet). plus I'm away for twelve months so no chance of onsite troubleshooting, physical reboots after power outages, etc.


So, you are saying that the TV license you are paying for is actually being used by the renters in the house you own. Is that a fair statement? That puts a bit of a different spin on it.


due to the timing of things, I prepaid for ten twelfths of their residence. I didn't seek recompense as I knew I would be consuming one channel. I am unaware if the tenants use a tv


It really hasn't already been paid for. For example, say you are a composer who wrote some music for a BBC series. You get paid more for something in wide release than for something released only in the UK.


> what you're saying boils down to "it's already paid for, but nobody else can have it anyway"

This is already paid for but the next show isn’t.

If the BBC were sold to the public as a soft dollar expenditure, it would be one thing. But it wasn’t. I’m not sure it could be in today’s Britain. Ignoring the freeloader problem threatens the support on which the BBC’s funding depends.

This is a debate with reasonable arguments on both sides.


Licensing issues aside, it would cost _additional_ money to actually serve all that content to a global audience (shipping bytes over the internet isn't free).


yet they deliver over 3 CDNs, yes THREE, for a maximum viewership of one country


Yes you're right, I was giving a reason more than an excuse. I don't think they should be doing it.


I wish I could pay for bbc iPlayer service outside old blighty. But they don't allow it.


This is as much to do with their content license agreements as it is BBC being disinterested. Material BBC licenses to distribute, they are limited to the UK, and content BBC licenses to foreign TV presumably can't be also distributed to that same region. There is a service BBC run which allows those outside the UK to stream some content (https://www.britbox.com/us/).


You still can in some places if I recall correctly. Notably not in US due to licensing disagreements (of course).


Like, commonwealth nations? Or just countries too small to bother with the legal fees?


Like, you can download BBC iPlayer (or could) and pay a fee. For UK license fee payers, the app and content is free.

I don't think the content was identical, but it was pretty broad. Some EU countries, maybe Canada?, at least.


smartdnsproxy.com - 2 weeks, no credit card needed. Works perfectly and you don't need to use a VPN, just one of their DNS servers.


I took a look at this, it seems the way it works is when you do a DNS lookup it does a lookup itself and rewrites the IPs before returning to you. It stores a mapping of client IP and rewritten IP to real IP and when it gets a request on the rewritten IP it looks up the original and proxies the request. Pretty cool, but I wouldn't trust it with anything unencrypted. It offers no privacy benefits.


this is showing up as a malicious site.


Why do you use a VPN to download free and publicly available iso images? (Ubuntu). Just curious.

Do you download directly from a mirror or use BitTorrent for this? (If the latter I think I kind of understand the rationale for the VPN)


“Ubuntu ISOs” is a common euphemism for pirated content like media or games.



Until a few months ago, I had never really used BitTorrent to do anything - save for about 20 minutes back in HS almost 20 years ago (!)

(I think I was running uTorrent on Windows, it was weird and I really didn't know how to use it.)

However, in order to "acquire" [this][1], torrenting was realistically the only sensible option I had. A direct download from the Internet Archive would have taken roughly 7 hours @ 100 Mb/s. The torrent file was done in an hour.

To my great surprise, the link isn't dead, so...yeah :)

Transmission CLI FTW.

[1]: https://www.caseyliss.com/2021/2/14/a-concert-for-charlottes...


13GB would take less than 20 minutes at 100Mbps. Regardless, I’m not sure why you only consider near instant downloads “sensible”. I often spent several days downloading things when I was younger.


Not so fast.

Yes, 100Mbps is ~12.5 MB/s, however when I initially tried the .mp4 link I found actual speeds to be much less, (hence the hours long wait I mentioned) so there's definitely throttling going on somewhere.

Also, don't count your chickens before they hatch. I remember downloading Flight Simulator 2002 mods over a 56K modem in my youth - anything over 10MB was a stretch - and I didn't actually have a broadband connection until I went off to college in 2005.


linux iso is code for pirated content


And here I was, still thinking Linux was "an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War".


I think you've confused it with Lunix.


Or was Lunix confused with Linux? All satire anyhow.


My ISP throttles bittorrent traffic.


They get some by way of their portion of most Americans' cable bills from BBC America.


Which vpn do you use?


Private Internet Access.

I used to use NordVPN but found it to be much slower, less stable, worse macOS integration, not as good on the privacy front.


Do you have any thoughts on PIA vs Mullvad?


PIA is owned in a weird structure I don't understand in a jurisdiction where any legal agreements with my home country are, most likely, non-existant or untested. They also seem to have enormous amounts on money to spend on marketing or paying off torrent review sites.

Everybody recommends them, but all of these things make me uneasy.


After the recent freenode drama, best to avoid them.


FWIW, Mozilla VPN is based off Mullvad, which I've enjoyed for a year to download Linux ISOs and I've never had an issue with. Also they have one of the most anonymous of setups (accept cash, crypto, no username or passwords or personal details required, you're just given a random account number you can add credit to)

NordVPN is oversubscribed crap.

PIA was founded by Andrew Lee, the big brain behind the current Freenode drama, with help of the infamous Mark Karpeles of Mt. Gox fame. I'd rather use something else.


PIA is owned by the person who owns Freenode, afaik. I would certainly look into that before trusting them.


Yeah I used them for years before they were bought so had a lot of trust then. With the recent Freenode issues I'm not sure if I'll renew, but they do seem like one of the few VPN providers that understands privacy and isn't trying to sell shady security-theatre with poorly justified arguments.


> Props to Apple for the design of this service.

I was under the assumption that it was mostly Cloudflare Warp repackaged with a different name?


That would be an incorrect assumption. It's an onion that goes to Apple first and then to a variety of external vendors -- Fastly, Cloudflare, Akamai, and likely others.


So, the difference is that they encrypt data before they send it through?

I'm not sure if my assumption is completely incorrect. While it's onion routed, the grunt of the work seems to be done by "trusted partners".


I've been trying to point this out to people but YouTube personalities have a louder voice than anyone else so you end up with bad information.

Props to Apple for offering an (albeit low entropy) onion router on their own infrastructure. I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.

I'd also really like to see Apple come clean about the iCloud backup encryption debacle. A lot of people are trusting it to be something it's not and it should really be clarified on-device what it is and is not before opting in.


> I'd also really like to see Apple come clean about the iCloud backup encryption debacle

Are you referring to this article?:

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

It's why I only use my Apple ID for grabbing apps from the app store. I have disabled all the `cloud storage` features of iCloud. iCloud is a privacy nightmare.


Yep, exactly that.

I utterly agree that other direct-to-consumer options are in the same boat - but Apple is quite heavy-handed in it's messaging about, well, messaging being encrypted and private and no-one (including Apple) being able to read your messages. That's only true if you don't backup to iCloud.

I would expect most people on HN to be aware of all of this of course but when you're so strongly selling your privacy protections as part of your brand, it's a pretty glaring window to leave wide open.


By that logic though, Google Drive, OneDrive, AmazonS3, they are all privacy nightmares. And you might agree, but Apple is hardly alone.

And like the article says, they didn’t want to poke the bear anymore. Of course the FBI has congressional friends. It is possible that Apple saw the risk of it backfiring and making things worse as too great.


Google does end-to-end encryption of Android backups. And Apple knows how to do it too, but they intentionally restricted their implementation to only cover backups of Keychain passwords and a few other things, apparently because they don't have the courage to stand up to the FBI, according to Reuters. Strange considering their public stance against the FBI in the San Bernardino case and on privacy issues in general. Especially since iCloud backup totally defeats the highly touted end-to-end encryption in iMessage.


Yes, backups, and Apple should get on that. However, your photos in Google Photos, your location data, your uploads in Google Drive (equivalent to iCloud Drive OP is talking about), not end to end encrypted and no option for it.

I think market share is another sign. Does anyone use actual Android Backup, or do they use the unencrypted “backups” in G Photos and elsewhere? For that reason should the FBI care? Maybe I’m wrong but I believe actual Android Backup is much less used than iCloud and confusingly named alternative “backups” within Google apps.


Let's be really frank about it - no large company is going to offer end-to-end encryption of photos because of what kind of photos might end up on their infrastructure if they do. And honestly I don't blame them at all.

I'd just like to see Apple be more transparent with this one particular issue because it undermines so much of what they're advertising to the consumer.

A transparency label for iCloud backup showing what is and is not E2E before enabling would do. Most people (myself included) would be quite happy with photos being encrypted by an Apple-held key (I'm not worried about the police seeing my boring lunch pics, I just don't want photos of my kids being readily accessible to everyone else).

It should be made clear if they're offering E2E for some features that other settings will render it pointless is all I'm saying.


Are you really arguing that because child pornography exists, no large company should offer ETE photos?

Despite there been reasonable solutions like bloom filters and client sided hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

And that photos present some of the most sensitive materials on your device:

- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

- people's consensual sex tapes

- photos of passwords, account recovery codes, private keys, seed words


In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?

Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.


Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).

So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.

The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.

Some politicians demand it, but I thought at least amongst tech, there's the recognization that strong, *unbreakable* encryption is important.

There's an implicit obligation to build services and technology that is resistant to abuse, but that isn't an argument to not implement ETE.


Thanks for the "how" - I guess if you fully control the client and server, there's some extra checks you could implement client-side based on the cryptographic root of trust.

FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.

In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.


> Despite there been reasonable solutions like bloom filters and client sided hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.


So because there are pedophiles, we should build backdoors in all cloud image hosting services?

Should we build backdoors in AES because there are terrorists in the world?


> So because there are pedophiles, we should build backdoors in all cloud image hosting services?

That’s not what I’m saying and I can’t possibly imagine how you could infer that in good faith.


I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.

I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.

To the arguments above: Any processing server side implies no real E2E. Any processing client side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.


Absolutely every large company hosts an incredible amount of child pornography and abuse material.

Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.

Crime always exist. We shouldn't build a techno-totalitarian surveillance state just because crime exists.

"It is better that ten guilty persons escape than that one innocent suffer".

Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".


> geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

Geo-IP is the process of taking an IP address and attributing an location to that IP address.

I think you meant GPS location?


I don't understand this line of reasoning. Why should photo libraries not be end-to-end encrypted?

Are you suggesting that Apple or the government should be able to search your personal photo library stored in the cloud at any time because maybe you might have child porn in there?

I understand that companies need to scan groups and social features that are used for trafficking underage porn. But do we really need to snoop into the private libraries of innocent people just because they might have illegal material?

Having access to millions of peoples photos is such a huge privacy risk that I can't think giving it up is worth while to make it slightly easier to catch a handful of criminals.


Any large company can offer E2E encryption, as long as they don't have extenuating interests that could make them liable for the way I use their services. Unless Apple is harvesting my data on the regular, they should have no problem with me being the sole keyholder for my iCloud account.


I think Apple would need to ship a different OS in China.

Cloud services offered there must store data in the country and be operated by Chinese companies. (Apple is complying with this)

But Chinese companies HAVE TO assist the authorities in obtaining systematic access to private sector data. (This is not possible with E2E for backups and photos)


Apple already does this. All Chinese iCloud data is stored in a mainland datacenter, completely owned and operated by their government. Similar setups exist in Russia and France, where Apple kowtows to local governments at any cost to turn a buck in their hometown.


Apple (and every large company in the world) already ship different features to different regions.


Look at the Reuters article they linked. iCloud backup is the issue. Usage of iCloud backup and Android backup are probably very similar (in percentage terms), why would you expect that Android backup is used less? They are pretty much equivalent features, except that one is end-to-end encrypted and the other is not. In both cases, photos are handled separately.


There are encryption options, just not with the software provided by the storage providers.


iCloud E2E would be great, even if they offer it at double their current Storage price.

But I would be happy with iOS Time Capsule. Or even sell E2E Backup solution only with an iOS Time Capsule. Great way to increase their Services Revenue.


iClouds lack of encryption basically invalidates all other promises they make.


If you believe this you have misunderstood how iCloud works.


Would you clear the misunderstanding then?


iCloud Backup works differently to all other iCloud services.

How it all works is documented: https://support.apple.com/guide/security/welcome/web


Nowhere in the linked site that I’ve been able to find does it explain clearly that iCloud backup undermines on-device encryption.

The point is that the deep compromises made inside iCloud Backup are hidden from the user and (at best) buried deep in technical documentation. So deep in fact that I can’t find any mention of it on that site at all.


Storing an essentially plain text copy of your entire phone on an Apple server is the default setting. You have to actively find the setting to enable the security feature (not having Apple give your data to any gov they want) by disabling another feature that makes no mention of security (backups). iOS is not safe.


OP is talking about the security of iCloud backups and that using this feature cancels out a lot of the end-to-end encryption that Apple talk about heavily in their marketing.

What is being misunderstood?


I assure you I haven’t, and neither has the FBI.


I have very little respect for Youtube personalities (thinking of LTT in particular) when it comes to talking about Apple in particular. They are so wedded to their "everyone, except us, is evil" perspective that their knee-jerk reaction to almost anything from Apple, privacy or otherwise is negative. (LTT spent the first bit trashing Apple for making marketing claims about the M1, instead of letting them do, then refused to back off when numbers backed up their claims, continue to trash anything with Apple and privacy, etc).

Apple is not without sin. If we get out of this entire epic lawsuit (another company not without sin) with consumers winning the ability to side-load, it's a win. But for the most part, Apple has a multi-decade history of usually working for customers in above-board ways, as opposed to Facebook, Googles and other(s).


I am running APple's betas for iOS, iPadOS, and macOS right now - I really appreciate their implementing yet more privacy.

re: non-encrypted iCloud storage: I agree with you. I keep medical and financial data encrypted (e.g., their Pages app supports encrypting documents, and you can encrypt PDFs, etc.) but I would rather they did this for me. That said, for the 90% of my files that I would post on a street corner, I find iCloud storage across my devices is handy.


But how secure is encrypted pages and PDF? My understanding was it is not useful against a determined attacker and anyone able to access your iCloud will be in this category.


The encryption used to open a file is secure while the password that controls permissions to print, etc. is not secure.


Apple won't come clean until they can sweep it under the rug like they did with the other debacles (see: keyboards). Being honest about those things undermines their "Apple knows best" image attempt.


> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.

Apple already has all the friends they need in the "government circles". They're fully enrolled in PRISM and are well-known to kowtow to the demands of corrupt leadership (see: Russian iPhones, Chinese iCloud hosting)


Apple is “fully enrolled” in PRISM just like any other company with U.S. operations, because PRISM is the internal NSA source designation for material acquired via FISA warrants, and complying with FISA warrants is not optional.


You can't not comply with the government of a country unless you are a country. And the citizens of Russia and China would not appreciate that, because they actually like their governments, and don't care what you think.


> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.

Quite the opposite. Governments probably already have taps to decrypted traffic.

Otherwise how come that would even be legal to run?

If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?


> Otherwise how come that would even be legal to run?

Why wouldn’t it be? I was under the impression that what isn’t forbidden by law was legal by default. AFAIK, running a VPN platform isn’t illegal.

> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?

I hate this argument. It’s lazy and can be used to accuse anybody in any context, and shut down discussions that we should be having. By that standard we are all accomplices for some crimes.


>I was under the impression that what isn’t forbidden by law was legal by default.

Even beyond that, personal privacy from the government is enshrined in the 4th amendment. Just because there was some executive actions and illegal laws made does not mean the 4th amendment suddenly disappears. No person or entity has the right to dragnet all communications.


> personal privacy from the government is enshrined in the 4th amendment

Yeaaaaah, let's just pretend Snowden and Manning never happened.


I'm doing the opposite. Saying that the fed is actively engaging in illegal search and seizure is not ignoring the whistleblowers that brought the scope of the issue to light, it's acknowledging the issue.


The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.

It's an aspirational document in a largely lawless land, more a historical oddity than the supreme anything. If you wait for legislators and law enforcement to fix personal privacy, you've already lost... the US law enforcement culture is actively hostile towards individual rights because it makes their jobs harder. The only real difference to, say, China, is that we like to pretend otherwise. But the reality in the ground is that nobody on the grid has had meaningful privacy for decades now.


>The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.

IANAL but this sounds fundamentally wrong in every way I interpret it. The Constitution is a set of laws that cannot be contradicted by any other law, executive action, or judicial action, with the exception of an amendment.


It can and often has been simply ignored.


> No person or entity has the right to dragnet all communications.

Indeed. And the fact that this is not recognised as a fundamental human right is a serious limitation of the charter and universal declaration. And yet, it comes up regularly.


By the same logic, I’m the taxpayer who paid to help build the highway that the drug kingpin used to get away during a high speed chase. I’m an accomplice now.

I’m the scientist who purified the water that the criminal used to get enough strength to run away. I’m an accomplice now.


> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?

We have recent and specific case law around this. The cherry on top is it was Apple on the other side.

No, this is not how being an accomplice works in the U.S. It’s not how it works anywhere with the rule of law.


Would you have a link?



From Apple's statement[0]:

> The first assigns the user an anonymous IP address that maps to their region but not their actual location. The second decrypts the web address they want to visit and forwards them to their destination. This separation of information protects the user’s privacy because no single entity can identify both who a user is and which sites they visit.

Apple is not saying nobody can deanonymize you - they are being very careful to only state that no single entity can deanonymize you. Hence you should still assume this is not a good protection against any entity with subpoena power, or the ability to compel the cooperation of Apple and their 3rd-party egress relay providers.

[0]: https://9to5mac.com/2021/06/07/apple-icloud-private-relay-fe...


That makes me wonder whether an analysis could be done over a long period of time to determine where in the region the user isn't, and thereby narrow down where the user is.


I'm curious what the details around the anonymous IP address assignment are. Protecting copyright holders seems to be the point of the IP assignment to not break content restrictions.

Are they able to assign a set for an entire country? If so, that doesn't narrow it down all that much. However, major league sports blackouts wouldn't work, so is it by city?


They might just use randomization, which is only statistically not where the user is. It’s the intuitive approach, and easy.


Presumably they're not actually blocking the current location - just not using it to inform their selection.


> It's not clear if the API will be public for other browsers or applications to use.

Apple has already confirmed that other app traffic will go through iCloud Private Relay “no matter what networking API you're using”, with some exemptions:

> Not all networking done by your app occurs over the public internet, so there are several categories of traffic that are not affected by Private Relay.

> Any connections your app makes over the local network or to private domain names will be unaffected.

> Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.

> Traffic that uses a proxy is also exempt.

From https://developer.apple.com/videos/play/wwdc2021/10096/.


So will this mean if I’m using Cloudflare 1.1.1.1 that I won’t get the iCloud private relay since they implement DoH as a VPN in iOS?


Not super familiar with 1.1.1.1, but I use NextDNS and it's no longer implemented as a VPN – they use the native iOS encrypted DNS feature. I wonder how iCloud Private Relay works with that.


I have the beta and it currently doesn’t appear to work.


DNSCloak still works with Private Cloud.


> All in all, a very Apple approach: They deny themselves any knowledge of a customer's DNS queries and Web traffic, so if served with a subpoena they have very little to respond with.

Maybe I am missing something but I view this is a rather genius move. They have plausible deniability + actually introduce some protection for their users.

Not sure how to read the original post though. Is it praising Apple? Is it mocking them? We don't have to be polar of course, I am just wondering.


Apple has claimed this shtick several times (as well as many other VPN companies), but it actually requires a pretty intricate software setup to pull off. The best VPN services won't even have hard drives to store logs in: that way, even individuals with a court-issued warrant can't get your info. I'd imagine there's sufficient pressure on Apple from PRISM and other governments to keep some level of rudimentary logs.


(And if Apple has logs of which IP address accessed a resource from which egress provider at a specific time, that is often enough to do what most governments are looking for... such is the limitation of two hops, and why Tor has three. I truly hope Apple has designed their system to avoid logging anything about their ingress packet flows.)


> The best VPN services won't even have hard drives to store logs in: that way, even individuals with a court-issued warrant can't get your info

Courts can compel them to log this information, so all claims about not keeping logs are just theater. The second they're ordered to by a court in the US, they will.


IANAL! The legal theory is that US courts can stop you from taking actions, but cannot compel you to take actions.

So they can stop you from deleting existing logs, but they cannot require you to collect logs you aren't already collecting.

I have no idea how well this idea has been tested in court, but that's the theory on which providers who don't even have hard drives are relying.


IANAL as well, but your first line is definitely not true. A writ of mandamus is one of many such ways a court can compel behavior, though typically a tool of last resort.

Courts order individuals, businesses and officials to take actions as a matter of course: to stand trial, to comply with subpoenas, to adhere to a contract, to make restitution, and so on.

I am not deeply familiar with lawful intercept law and case law around national security letters (what little there is), but I would not gamble anything of value on the principle that courts cannot compel someone to take actions.


Let's assume that your are right, which I think is true. While courts cannot compel companies to do some things, they can certainly compel them to do things that are a normal part of business, like producing paperwork, or in this case, logging activity.

With an NSL, they could approach a company and require them to start collecting logs and also to not communicate about the new requirement, at which point a privacy-focused company's only choice would be to either comply or stop offering the VPN service entirely without saying why.

Without an NSL, the company would be free to communicate about why it was no longer offering the VPN service, or to announce that they were going to be logging from that point on, giving people an option to stop using the service if that's a problem for them.

But not having a hard drive in place currently, that prevents the courts from getting information about any activity before the court order or NSL is issued, as far as I can tell, which I guess is what those companies are counting on.

Not an easy business to be in, in any case.


If the court did compel a VPN company to log compromising information, I'd imagine most companies would tell you. After all, you're just trying to be transparent to your consumers.


Possibly some fake "#1 is privacy" VPN company will continue their service with FBI logging for profit.


>In one move, Apple has taken onion routing from a specialized tool for hackers to something that will be in daily use on billions of devices.

Sounds like praise to me.


I think this is great, if only as a way to kill the bullshit consumer VPN business, which sells snake oil.


> I think this is great, if only as a way to kill the bullshit consumer VPN business, which sells snake oil.

Having a US megacorporation kill a whole market segment and pull it into their monopolized walled garden sure seems like an improvement. After all, they pinky promise they will not ever abuse that! /s


By this logic our computer operating systems would not improve, ever. Web browsers, built-in networking, music players, image editors, mail programs, even Solitare - all things that at one time were separate market segments.


All of those products have been improved by COMPETITION. The most critical, most important and ONLY thing that makes modern capitalism work for non-rich human beings.

Every single field you mention was thriving when there were multiple players fighting over your money and have started to become exploitative and abusive as soon as one player killed the others and started rent-seeking. Competition is crucial for market economy to work.

I find it utterly bizarre that someone educated would think that a death of market by megacorp monopoly would somehow drive improvement.


Consumer VPN isn’t a market where competition is driving better products. All of the products are the same technically - it’s a trivial service to standup. Sort of like a home security company… there are good ones, but most are garbage peddling FUD, especially fear.

The differentiation is purely marketing. Some VPN providers are basically grey market means to bypass TV blackouts. Others claim to be privacy focused, but are in fact the opposite. A few are actually privacy focused.

IMO, having megacorp(s) roll up the junk use cases actually drives meaningful competition by putting the lousy players out of business or driving consolidation in a crowded market.


Consumer VPN competition is about to heat up! I’m sure the incumbents will innovate to keep up, right?

Competition is great and works, except when it isn’t and doesn’t. Dogmas are usually bad, try to avoid them.


I think that's painting with a pretty broad brush. What's wrong with Mullvad, for example?


VPNs mostly do what they claim, but they may or may not be government or marketing honeypots, and a lot of the sales pitches around hackers and privacy aren't as interesting in the days of HTTPS. Aside from piracy and bypassing region restrictions, you're just hiding your IP address, but those change often enough already.


The issue here preference falsification:

>Preference falsification is the act of communicating a preference that differs from one's true preference. The public frequently conveys, especially to researchers or pollsters, preferences that differ from what they truly want, often because they believe the conveyed preference is more acceptable socially.

The reason why the VPN business is booming is to avoid those pesky content infringement letters, and to workaround geo restrictions.

OP is upset that they advertise themselves as privacy tools, but that's just marketing.


Yea you don't legally market your product as a tool to commit a crime but 'privacy' is pretty broad term and partially true so it works.


Who runs Mullvad?

I find it funny that people here mistrust companies like Facebook and Google, but then turn around and hand off their entire network activity to a faceless, anonymous VPN company.


I think a lot of that distinction turns on how well your network data is linked to your identity. In the case of Mullvad, you can pay them anonymously by putting cash in an envelope and just mailing it to them,[1] which lowers the trust factor involved.

[1] https://mullvad.net/en/pricing/


They still have your real IP address, which is what you were trying to hide in the first place


Have you tried answering that question? Mullvad isn't faceless and anonymous.


Doesn't a consumer VPN keep my ISP from building a data profile on me?

Yes, I get that now my VPN provider can build that data profile, but I am certain that my ISP is a vile monopoly that has corrupted the regulators that are supposed to represent me.


I have Sonic, so I trust my ISP more than a random VPN provider. Even if you have AT&T, they have a legal team that makes they provide a lot of opt-outs. I don't trust that they work, but there are a lot more eyes on them than a VPN provider.


what is bullshit about it


Have you noticed all the ads say “Hackers can spy on your connection when you log into your bank at Starbucks.”

That’s complete FUD. HTTPS completely avoids this issue (especially with a bank). Very few websites use HTTP now.

While VPNs do have their valid use (preventing your ISP from spying, changing geolocation, and private networks for eg, work), most of the marketing is spreading misinformation.


I've seen stats for a couple of the biggest VPNs. Massive majority of their traffic is just switching geolocation restrictions (US Netflix and similar).

They don't tend to advertise that. Some do, but it's not their main message, because "prevent ISPs from spying" is cleaner.

iCloud+ does not solve this, so there will be a sustained need for VPNs, particularly those that invest effort into into avoiding Netflix blacklists.


> They don't tend to advertise that.

IME of podcast advertising they all advertise this very openly.


> “Hackers can spy on your connection when you log into your bank at Starbucks.”

I've also heard this from a reputable news source (NPR) in the past few years, even though it hasn't been true for banks for at least 15 years, ~5 for most websites.


I've never understood how a VPN doesn't get too carried away to pull a MITM with some central cert


Because if you used a central cert, every device would have to whitelist that cert, and just clocking the lock icon in your browser would reveal it.


Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.


This is true, but note that, for example, on iOS an application can't do that without prompting. Now, most people would probably hit “Approve” if one of their security products said it was necessary.


> Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.

A lot of browsers have their own root chain, and also now do certificate pinning, so will (IIRC) only accept specifically designated certs for particular sites (doesn't Google/Chrome/Gmail do this?).


That wouldn’t change that clicking the lock icon in your browser would show the same certificate on every website, and that this certificate was universally valid. Pretty obvious…


> show the same certificate on every website

Not really, because, you can use on-demand certificate issuance.

Hell, if you really want to, you can even name your certificates the same as existing certificates and the only way to detect the forgery would be to compare the actual public keys (and who does THAT).

I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.


> I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.

Yeah, just imagine being beholden to some federal statue impropriety (easiest in taxes) and running one of the these vpn organizations...


If and when browsers start requiring pre-certificate transparency logging, anything like this should no longer be possible to pull off, since none of the fake certificates would be able to contain a stapled pre-certificate "signoff" from a trusted CT log.


On the other hand, a lot of VPNs provide proprietary client software (even though all the major OSes have built-in support for the common VPN protocols such as IPSec, L2TP, etc) so they could very well sneak the root cert in there too.


You’re “protecting” yourself against Starbucks monitoring you by establishing a secure connection to a grey market entity with more of an interest in your activity.


Internet reselling doesn’t have nearly as much privacy as internet resellers suggest

If you are only hiding from your local network and ISP its fine

If you want to do that and change your location to a website it’s fine

If you are hiding from any government for a civil or criminal charge it is not fine

If you are hiding from any government intelligence so nobody knows anything it is not fine

It doesnt matter what “no logging” claims the internet reseller has, this is not verifiable and can also change at any moment


So far, partners of Apple I’ve seen the service forwarding to are CloudFlare, Akamai, and Fastly. There may be more but those are the ones I’ve seen and heard.


Wait a second, didn't the Fastly breakage happen the day after WWDC? What are the chances that the one client was Apple and their config was for this service :)


> The routing uses two hops; Apple provides the first, and "independent third parties" (not yet specified) provide the second.

This isn’t true though, they have specified who the independent third parties will be: CloudFlare Warp, Fastly, and Akamai. See here: https://www.barrons.com/articles/fastly-stock-outage-think-a...


My guess is one of the major reasons for having the exit nodes in the same geo location as entry nodes is to have continuous operations in China. Without this constraint, they would have allowed chinese consumers to access the free web, which would ban them instantaneously.

I don't think Apple cares as much about video content providers, though.


That’s not the reason. In China, Myanmar, Egypt, and several other countries this service will not be available at all. Those customers will just have regular old iCloud.

A more likely reason is that video streaming services with georestrictions like Netflix, Amazon, or BBC would have lost their minds.


It wouldn't have been too hard to just implement this feature for chinese customers if that was the only driver.

But I agree that making the exit node in the same country probably goes beyond video content providers, it avoids all sorts of potential legal, diplomatic and practical issues.


> I don't think Apple cares as much about video content providers, though.

Not being able to watch Netflix, Amazon Video etc. in Safari seems like something Apple would in fact care about.


Not if it gets them banned in those countries.


HBO is blocking Private Relay regardless.


Only for now. When it rolls out widely, Apple's sheer scale will most likely force the issue.


I doubt it, unless HBO and Apple are able to come to some assurance on it.


I don’t think this service is being offered in China, period.


Apple also isn't in the business of people bypass region restrictions. This seems focused on privacy.


Apple has always given in to China's demands. A few years ago they even moved their entire Asian iCloud datacenter to the China mainland after the government issued some vague complaints about "nationalism" and "security".


This is interesting. I think overall I approve as it benefits people by default.

It does mean you now have to trust Apple since that's the first hop. However you're already doing this when you spin up your AWS Lightsail Wireguard instance, say. AWS can see ingress and egress traffic and so you just need AWS to not be part of your threat model. Same here. Though I dont see this as too much of a problem since it applies to devices and services where you've already made this explicit choice.

The app limitation thing is a shame and hopefully there will be an API at a later date.

The exit node choice based on exit-locality kinda makes me think Apple either:

- Want to restrict this service being (ab)used for geolocked content (Netflix etc)

- Want to speed up the service by providing the closest exit node (Performance)

Of course given all the FBI cases, you also have to consider other possibilties for the creation of this service.


Craig Federighi, on the most recent episode of The Talk Show with John Gruber [0] about 47 minutes into the episode, talked about this and I think both your assumptions are correct. For the first one I'm sure they didn't want to deal with the complexity of picking an exit location nor did they want to be a party to getting around geo-locking and so this gave them the best of both worlds, no UI and no issue with geo-blocking. For the second point I think that is also the reason as well as it's often helpful if a website knows your general location (For relevant recommendations, CDN routing, etc) but we'd prefer if the website didn't know exactly where we are coming from (IP-wise) which can be used for tracking/ads.

[0] https://daringfireball.net/thetalkshow/2021/06/11/ep-316


> your AWS Lightsail Wireguard instance

This will still be your fixed IP, not adding much to your privacy.


This is great. I hope this spurs Google to make their VPN (https://one.google.com/about/vpn) more widely available. A few audiences they could expand it to: any ChromeOS device, any Pixel phone, any Android phone, any mobile Chrome user, any Chrome user.


Because Google is definitely the most trustworthy company when it comes to data governance and respecting user privacy. No chance they'd use it to put you into a FLoC-type thing, benefiting their own advertising business while shutting out competitors.

Google, the engineering company, always plays second fiddle to Google, the advertising company.


I trust Google and Apple 100x more (low estimate) than I do Comcast/Verizon, AT&T, etc.


I don’t trust google and apple equally. I trust google about the same level as comcast/etc.

apple having less advertising influence is more trustworthy, I think, in terms of privacy. don’t lump google in with them.

Meanwhile apple has many many anti consumer anti competitive policies so while I may trust my privacy with them more, I wouldn’t trust them to fight for my privacy rights in the long run.


Meanwhile even Google's employees don't know what data Google collects, how to turn it off, and de-google their phones. A thread with unsealed documents: https://twitter.com/jason_kint/status/1398353211220807682


I agree on the Apple, but not on Google. AT&T, Comcast, Verizon, Deutschetelekom, British Telecom, NTT, etc. Have spent the last 15 to 20 years being absolutely deskilled by people leaving for better jobs in the hyperscalers. If you’re worried about any telecom carrier looking at your traffic then all you need to do is make sure that encrypted client hello and DNS over HTTPS are used by the devices that you have. The products that they use to do deep packet inspection are all falling apart at this point and since they have no internal technologist they are busy asking vendors to fix it for them, and the vendors can’t fix it either.

Worrying about the carriers was really hot for a while especially post Snowden, but it’s really not a genuine threat.


True.


To be fair, Apple's software has always played second fiddle to their hardware. I trust Apple with a VPN about as much as I do Google.


They don't have an inherent conflict of interest the way Google does (advertising vs privacy in the same company). The App Store makes them plenty of money, and if anything, enhancing user "privacy" by limiting access of other adtech vendors only strengthens their walled garden and increases revenue. Even something like Fortnite or the Epic store... as long as they can dictate their entire stack from hardware to software (very much unlike Google + OEMs + third-party stores), they'll have a huge advantage over Google in terms of being able to limit your personal info being used by third parties, while still retaining it for their own use.


A lot of people think of VPN as escaping Google mega-giga-tracking schemes. So growing their own would be doomed to fail.


They’ll release that as a Chrome app.


Does anyone have pointers to info/articles about the countries that are on the "no VPN" capability list?

Some of them make sense to me, i.e. China which has a long history of censoring their citizens.

But in particular, I'm trying to find out why South Africa is on that list seeing as I live there.

Edit: In [1], Apple is quoted as saying, "We respect national laws wherever we operate" but did not elaborate further.

[1] https://mybroadband.co.za/news/internet/400893-apple-will-no...


Another reason could also be that the servers operate in the same nation that you are from. If Apple or no suitable partner has servers in South Africa, that could also be a reason.

And, of course it could be politics. The South African government, I wouldn’t know, but it could be possible that they wouldn’t let tech companies from the US build servers in their nation.


Apple said it also will not offer "private relay" in Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda and the Philippines.

https://www.reuters.com/world/china/apples-new-private-relay...


I hope it'll not bring captcha hell, as Google does for using VPNs. Twitter is simply blocking my VPN provider. eBay sends scary email every time I login.


Because Apple is so large and well respected, issues will be blamed on whoever is putting up the captcha, not Apple.


This will come down to reputation. VPN providers which don't do a good job managing abuse from their networks get blocked a lot more readily than better run networks, and in this case they'd be able to make pretty strong assurances that they can link activity to a single user.


You can disable the captcha by paying the site a 30 % cut of the purchase price of the Apple device and the subscription./s


My experience with this so far was... mixed.

- This breaks DNS resolution for company-internal domains.

- This routes all my traffic through CloudFlare or another CDN I might or might not trust (yes, the IP is hidden, but not the data)

- it significantly slows down my internet access on my location.

- it tends to turn itself on again without my intervention

especially the last point is very problematic for me


To use it you're clearly using early beta software. Clearly it isn't going to "turn itself on again".

I turned it on and actually forgot I did. Performance is decent here. I mean of course it's going to be worse than native, but that's the compromise.

As to trusting Cloudflare -- what do you mean? You understand your connection is still TLS end-to-end encrypted (presuming that's what we're talking about), right? I mean...presuming the site your talking to isn't using Cloudflare SSL. In no way does this reduce that security. If you're talking about HTTP, well everyone in between can already see that.


> Clearly it isn't going to "turn itself on again"

Why is it so clear? An iPhone hotspot turns itself off as soon as a device disconnects, with no option to leave it on, presumably for security or battery reasons.


> To use it you're clearly using early beta software. Clearly it isn't going to "turn itself on again".

Of course I’m talking about the beta version. But I can assure you that once I found out that it interferes with internal DNS, I turned it off (it’s on by default on the current betas) and a day later it was back on.

That’s what I meant with „it turns itself on again“


[Clearly not turn itself on.]

Funny story, I was shocked and quite annoyed that an iPhone automatically turns on Wifi and stuff every day by itself - even if you turn it off...

Still dont know how to actually turn it off


If you tap the wifi button in your controll center it just turns it off for 24 hours or when you switch locations. If you turn it off in the Settings App then it stays off.


if you disable from quick menu, it turns back on. if you disable from settings, it doesn’t


And when you do so it does flash a message along the lines of “Disconnecting nearby wifi until tomorrow”.

Which makes it pretty clear it’s not a wifi kill switch but just a “my current connection is shit, let me use cellular” button.


yeah, but even so, it’s one of these occasions where an os symbol has been altered to change behaviour without the user’s consent or control

it’s not quite as egregious, but it reminds me of how a lot of desktop apps now just minimise to tray rather than actually ending the process when you click the close button. discord is probably the worst offender for that, since it’s not (that I’m aware) a customisable behaviour


The control center wifi control always worked this way. It wasn't "altered", that is a primary feature of its functionality.

Apple gains nothing from your WiFi re-engaging. But many users do because, as another comment mentioned, people turn it off in control center because their connection is temporarily shit, or more likely just accidentally. Then they get to end of month and they have a monster cell overage.

Someone was using control center wrong (despite it very clearly indicating the use of the button). It's a learning experience.


no, you’re wrong. it started working this way in iOS 11. You can look it up if you like


Control Center was added in iOS 11. Yeah, it didn't exist before then, so sure it "changed" from non-existent to existing.

No, I'm not wrong. I'm actually completely right. Control Center has always been a temporary toggle.


Again, that’s not true. Control centre, or some incarnation of it, has been around at least since iOS 6. It just sounds like you haven’t used an iPhone for very long

In case you’re just entirely misunderstanding what we’re talking about, I’m referring to being able to turn off the wifi when you swipe up from the bottom of the screen. This has been a feature since I’ve used an apple device, which is since iOS 5 or 6. Whether it’s been called “control centre” or not is irrelevant. That’s not even what I referred to it as in my first comment.


Discords behaviour is customisable (at least on Windows).

Settings > app settings - Window settings > close button - minimize to tray.

Turning this off causes Discord to quit completely when clicking the red X in the top right.


If you disable it from the control center thingie overlay it even states that is only for this day ...

If you disable it from settings, it stays off.


It directs to an Apple server, then CloudFlare, so considering it’s basically a double VPN speed decreases have been reasonable.

The fact they can see unencrypted HTTP data is a downside with all VPNs. At least you have the double hop going in your favor.

As for turning on by itself, it’s annoying, but it is the very first developer-only preview so I’m not complaining yet.


> This breaks DNS resolution for company-internal domains.

Is this not the case for any VPN or proxying service? In fact, it could even be a security flaw if your internal domains were accessible on external VPN style endpoints?


Also it’s developer preview 1. People like the OP who gripe about bugs on such an unfinished product are the reason why Apple doesn’t make those first builds available to anyone but their registered developers for the first month.


I have of course reported the issues using the feedback app, but judging by previous experiences with other apple betas, I wouldn’t hold my hopes up of any of this getting fixed.

There’s value in talking about issues early as it allows admins of corporate networks to make adjustments to their infrastructure (like introducing split dns rather than just have *.internal.example.com resolve to internal addresses) to be prepared for the eventual launch of this feature in September


> Is this not the case for any VPN or proxying service?

No, it's not.

> In fact, it could even be a security flaw if your internal domains were accessible on external VPN style endpoints?

It would be, but then this is not something that happens on a network configured in the way you describe.


"No, it's not"

The root's observation is that it doesn't use the machine configured DNS. The overwhelming majority of VPNs also don't use the machine configured DNS. Maybe not "any", but if you're using a VPN you're generally going to want your DNS going over it as well.

But it is worth noting if you're on a corporate network, or if you use a DNS solution like NextDNS -- when you turn on PR those no longer play a part, at least to Safari traffic.


I use NordVPN. It specifically has an opt-in setting to use locally discovered DNS in favor of their in-network DNS. This is crucial since out-of-network DNS can leak activity.

I’m not sure what kind of network you believe I described, but would be useful to have a clearer explanation from you.


It is for any VPN client that routes DNS traffic through the VPN as well as HTTP and other web traffic. It's not out of the ordinary for this to happen.


"yes, the IP is hidden, but not the data"

Using TLS it certainly should be.


Does it work like an https proxy (with CONNECT) or a socks proxy?

Because if it is instead actually unwrapping the connection somehow (eg. mitm) then they would be able to see the content, and that seems like a huge no-go -- both for the users, AND for apple as I would think it would open them up to liability.

note: they certainly would be able to see unencrypted http traffic regardless though.


> it tends to turn itself on again without my intervention

This is listed as a known issue in the release notes


> This breaks DNS resolution for company-internal domains.

Why would it? The WWDC developer video clearly states that it’s only for public domains.


I believe the DNS requests are routed through their ingress proxy, so there's no chance to hit an internal split horizon DNS server.


> the IP is hidden, but not the data

Isn't the great majority of your traffic HTTPS?


Does Apple preserve the client source IP in the request (similar to Cloudflare's VPN) or will the server only see the IP of the exit node?


The whole point of the service is to hide the client source IP.


Not necessarily. I thought it was mainly about encrypting traffic in untrusted networks. Cloudflare already does it like this in their VPN service.


Correct. I guess it wasn't really obvious from the linked mail. The introduction video at https://developer.apple.com/videos/play/wwdc2021/10096/ is a lot clearer.


Not sure why you said correct, as it's both. A big part of private relay -- I would say the most significant part -- is to allow people to talk to websites without giving up their personal IP (and from that pretty tight geolocation, and with fingerprinting a correlation with loads of other data they collect). Apple makes a big deal about it being about maintaining privacy, not just against snooping of traffic -- which is unlikely -- but against fingerprinting and targeting from the services and sites you connect to.

And to answer the original guy, no Apple does not add any headers or details to tell the destination what your IP address is. They just see that they're talking to an exit node somewhere approximal of your general region.


Interested to see how iCloud+ VPN works later.


So I seem to be completely missing... what is this actually for? What's the value proposition for the average consumer?

It doesn't replace a VPN into your company's or university's network (for accessing private resources).

It's not for accessing streaming TV in different regions.

HTTPS is already secure.

In theory it seems like it could be used for illegal torrent downloading, but given that Apple is in the media business, something tells me they'll do their best to block torrenting.

And for things like videoconferencing, it will almost certainly degrade performance to a degree (latency, bandwidth, or both).

The only thing left seems to be your ISP and/or coffee shop WiFi being able to track what IP addresses you communicate with. Instead, they don't, but Apple does. Is that really a benefit, or a benefit any average consumer cares about?


It provides VPN-style protection against your ISP and does also protect you against IP address tracking. This means you and people in your household have one fewer data point that links you.


Is this like Cloudflare Warp then?

https://1.1.1.1/


the beta seems to be using Warp actually.


I was curious how they would actually implement this, if it's actually onion routing that's pretty cool.

I wonder what advantage this gives over using NextDNS?


NextDNS is encrypted DNS. DNS is like using your neighbor across the street for all your directions, except you have to shout.

"YO, WHERE'S THE GROCERY STORE AGAIN? ALSO AFTER THAT I'M VISITING THE STRIP CLUB, AGAIN."

NextDNS turns that shout into a signal/telegram message, to a different neighbor. There's still a neighbor involved, but at least the neighborhood doesn't get to hear anymore.

If they include DNS in the onion routing scheme, it turns into a game of telephone, where the neighbor doesn't know you anymore.

Your traffic, and directions become more private.


Correct me if I’m wrong, but as I understand it a two-hop onion network is still trivially breakable with (two) warrants, especially since both Apple and Cloudflare/etc., are US companies. Which would make it a VPN in the duck-type sense.


It depends, whether they do no logs. There are many VPN providers in the US which don’t have logs, so that if they are subpoenaed, they have nothing to give.

The beauty of Apple’s double hop is that if one partner was hacked, secretly wiretapped, or had lied about not keeping logs, your connection would still be private.

But, that assumes that nobody on this network is keeping logs. If they are, then it could be theoretically possible to piece them together. However considering Apple’s marketing with privacy, it would be interesting to see whether they keep logs on each endpoint or not.


> There are many VPN providers in the US which don’t have logs

Many claim they don't have logs, and my understanding is that it has been sometimes revealed that they do have logs. Also, how do you run a server without logs? Many think those claims are BS.


What would the logs contain?

I believe everything is encrypted on device before being sent to Apple.


Timestamp, source and destination ip addresses, username. In the case of the exit node, url.


We don’t know that Apple keeps logs. These are things they could theoretically keep, but we don’t know if they store them or not.


If they don’t clearly state ‘no logs’ then its unlikely they are not logging. My bet is they’re logging everything, because they have no advantage in not logging.


Only the timestamp and username would be available from Apple.


Source IP address and next-hop IP address would be as well.


Source on the next hop address?

Apple doesn’t know where you’re going.


They shouldn't know about the end destination, but they'll know your traffic was sent to eg. Cloudflare or whatever.


I would think they batch together all the IPs and pass it off.

It's in Apple's best interest to keep the bare minimum information they need from their end-user.


> It depends, whether they do no logs

Courts can compel them to keep logs.


That’s the beauty of this. Party 2 only knows Apple’s IP. Apple doesn’t know what site you’re visiting.

So how do you assemble “all traffic to this site” even by subpoenaing both parties?


To party 1: "Give us a netflow log of all of this user's traffic." To party 2: "Give us a list of all outbound connections matching this netflow list of inbound proxying requests."

It would work the other way around as well (going from visited sites to a given Apple id). If you can monitor all nodes in an onion routing network, you can deanonymize everybody.


Well, here’s the catch. Even if logs were kept, the 2nd party as far as we know does not have a unique identifier passed onto it.

This means that Apple’s logs would say this user authenticated and passed some encrypted stuff to Fastly, and Fastly would say that it received requests from Apple, without an identifier to match it up against the first request.

Once this scales and Apple has millions of requests incoming, there will be no way to conclusively prove that two requests are the same.

In which case a double subpoena is again useless. And this assuming they keep logs - if they don’t keep logs, which is more likely, it’s even more useless.

This also aligns with something we currently know. Apple says they can’t see your requests. This implies that they just pass data along in an encrypted format to their partners. So all Apple does is make it so their partners don’t know your device, and the partners ensure Apple doesn’t know your request.

Ultimately, even if logs were kept, there would have to be a unique identifier of some sort that was passed on to the second server from the first server to break the system. You decide the odds that they did that. Sounds a lot like an IP Address, in which case why not just build a classic VPN?


Surely some "unique" identifier is required for each TCP session between Apple and the exit node so that Apple knows where to send the data it gets back, even if it's just the port on which Apple connect to the exit node as with standard TCP session management.


How would that help you identify all of a particular users interactions (rather than one)? Why would you expect them to log it?


If Apple logged (incoming IP from user, outgoing port to exit node) pairs for each session, and the exit node logged all requests, this should be sufficient to associate all requests with a given user IP, right? Or am I misunderstanding you?

I wouldn’t expect them to log it, personally, I think that can only lead to headaches down the line. My reason for responding is just that I disagree that there is no way for another party to associate all requests even if Apple & exit node both fully cooperate and keep logs.


We are thinking about this the same way. Individual sessions don't do you much good, but there is traceability iff both parties keep complete logs. Which seems unlikely unless coerced.


If your threat model includes state level actors, there is no commercially available solution that will make you 100% safe. This is about privacy from private corporations and making it more difficult and more costly for governments to get your data. But the latter is always possible when you use the web.


>If your threat model includes state level actors

My personal threat model doesn't include state level actors, but if it did I would certainly differentiate between a solution that the NSA can break with some expense and one that my local police department can break with a warrant.

My actual threat model is advertisers, so I think the Apple solution is quite elegant and will serve me well. It shouldn't be conflated with TOR though.


Here is a simple question: Why is there only one "Tor".

Why haven't there been more onion routing projects. (Maybe there have been and I am just not aware.)

Perhaps the same reason(s) we never saw widespread adoption of remote proxies, despite their usefulness in many situations.

Although in some respects onion routing seems quite an improvement over "simple" proxies.


You need lots of nodes to make it secure, performance is low even by VPN standards, and it’s dangerous to run a node. Unless you have some likely way to change one of those it’s going to be really hard to get volunteers – and payment is worse because most customers will expect better service.


The more nodes you have participating the more secure an onion system tends to be. Since the Tor network can carry most kinds of traffic, the motivation to avoid a fork is strong.


> The more nodes you have participating the more secure an onion system tends to be.

Tor isn't very large as it is, and (I would guess) it's the largest. If another onion routing network didn't grow the audience, you would have two even smaller networks.

> the Tor network can carry most kinds of traffic

Isn't Tor limited to routing TCP? That would rule out QUIC, for example.


Maybe could chain the networks together. An exit node on one onion routing network might automatically send traffic to another onion routing network.


If I recall correctly, I2P uses some sort of onion routing.


I'm currently running the beta and this doesn't work on my router (provided by one of the largest ISP's in the UK). When I go to settings it displays a message that the router is unsupported by private relay. Hopefully it's something they can fix before launch but if not I wonder how many other routers are unsupported?


> or you can view it as a concession to reality: If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for them to notice.

I seriously doubt any reasonable video streaming service would cut off such a huge chunk of their user base just because they are using an iPhone.


I expect they would just show a message "to view our content, download our app - Safari is not supported"


But when you download the app: “please use safari to pay for subscriptions” :)


Actually surprised how this only shows up on HN now.

Expected this to take the top spot right after the keynote.


So far the two different third parties I’ve seen are Cloudflare and Akamai. Has worked relatively well here, besides the fact that some bug has made it so it turns back on randomly, which isn’t a big deal.


I'm curious how they are securing the feature that keeps you in the same region. Since that feature encourages content providers to not block, it would be a desirable target to work around.


yeah I was thinking about how difficult it might be to spoof your location prior to the Apple Router, and have it come out the other side nicely laundered


What's are the differences between a VPN and an onion router approach? Could anyone explain or link to an article?


A VPN is a middleman that accepts your traffic and forwards it, hiding who you are to servers. An onion router is like a VPN but instead of 1 middleman, the middleman is a whole random network of middlemen, and those middlemen also hand off to other middlemen.


What I don’t get is why people don’t regard Onion Routers as a form of VPN. It’s still uses a virtual private network, just more of them. a network of networks.

Surely TOR is a type of VPN?

Maybe there’s some details I’m missing. I’m no expert


Really mostly convention. Yes you could label it that way, but people consider it to be enough of it's own thing to not do so. (+ there is some value in not conflating the two because they do have different threat models etc and users should treat them differently too)


This is a great summary, thanks


Does anybody know, how iCloud+ VPN would compare with Cloudflare WARP in terms of better privacy protection.


Don’t forget that neither is a pure VPN, though that’s not always a bad thing — Private Relay is better than a VPN because onion routing means “no one party”[1] can correlate your connections and identity.

However WARP, being more like a VPN, requires you to trust Cloudflare to not log DNS lookups / the servers you connect to and associate that with your origin IP.

Why do I hesitate to call WARP a real VPN? It reveals your actual IP address to websites you visit via X-Forwarded-For. [2]

Also I think the fact that iCloud Private Relay will be built-in makes it more private than WARP — more users’ traffic will come out of each node.

[1]: Obviously this is imperfect because the Apple (which knows your IP) and third-party (which knows the network traffic) nodes will likely be in the same jurisdiction as each other, subject to the same laws, as mentioned by other commenters.

[2]: https://twitter.com/eastdakota/status/1176987146177196032

edit: typo, line break, clarified Private Relay concept


Apple should release a token for the routing nodes to stake and get slashed for poor quality connectivity


Not being able to circumvent region locked content makes it only 50% useful for me unfortunately. I often end up using Epic browser which has a built in proxy from other countries to watch region locked content. I would recommend it for non-confidential stuff.


Does this compare to NextDNS[1]. I moved from Pi Hole[2] to NextDNS and I'm happy with it.

1. https://nextdns.io

2. https://pi-hole.net


No. NextDNS and Pi-Hole serve DNS requests and are mainly used for ad blocking and content restrictions on your network. They don't tunnel or redirect your actual internet traffic the way a VPN does.


Shameless self-plug: NextDNS does not, but ControlD does do that - https://controld.com


Your service seems to support the same features as your provider -- are you 1:1 reselling or do you add stuff?


Not sure what you mean by that. The features are not the same, see https://kb.controld.com/compare


It says on your page you use Windscribe, they have this page

https://windscribe.com/features/robert

Sorry, purely a curiosity I didn't mean to come across as calling you out


ControlD uses transparent proxies in combination with DNS to do things you can't do with a VPN. Like this: https://twitter.com/ControlDNS/status/1358267260465463297

It's also made by the same team as Windscribe.


This is the correct observation.

- A nextDNS user having that same question answered by official team


Just curious, are you on the free tier? Just wondering if 300k queries per month is sufficient for the average person. I have no reference to base that number on.


I was on the free tier but hit 300k requests in roughly 25 days. My primary smartphone, laptop, and parents' smartphones. Upgraded to NextDNS, happy customer for an year but jumped ship to pihole. Have two pihole devices on the Tailscale network. NextDNS was great. Checks all of my requirements. Just wanted to support open source software. I donate to pihole often instead.


I'm on the free tier and haven't hit the cap.

I've also found that I still get creepily-targeted advertising, which is presumably based on IP. For example, I watched a youtube video in Firefox Focus on my iPhone. Later that day, I saw a youtube recommendation for a very similar video (on a topic that I do not ever engage with, except for the single video earlier that days) on my laptop, in Safari.

I use NextDNS on both devices. It's nice, but it's not a silver bullet.


I'm on the paid tier. I pay the yearly subscription. Our family of four (2 kids) easily hit 1+ Million queries a month.


Oh, that's interesting. What convinced you to switch? Not having to host it yourself or some specific features?


More of Not Hosting it Myself. NextDNS is cheap enough and does the work really well. Part of my lifestyles simplification, especially when it comes to critical services.

Had few instances where some websites do not work when ad scripts are blocked. I had to debug while traveling and my wife is not too keen on tinkering with the Raspberry Pis.

NextDNS have similar issues, lots of newsletter unsubscription just fails. For NextDNS, I can just ask my wife, "Click that Shield Icon and Disable for sometime." For Mobile devices, "Open NextDNS and slide the Disable button."


i'm not the OP but I think it might be the issue with exposing pi-hole to the internet to access the dns outside of your home network. nextdns is cheap, i'm using it on all my devices, without the hassle to expose pi-hole to the internet.


I’m literally using VPNs just to get around geo-blocking.

Still, this is interesting.


I liked this little article as it reminds me of when the Web was still young and mainly just text with no formatting or graphics yet. Takes me right back to 1991!


>why don't VPN providers implement a onion router

ProtonVPN does.


I'm curious how does the second hop work? are the third parties contracted by Apple to provide the service? What's in it for them?


I presume the answer is “money”


Yes but how?


By paying them for the services utilized. You think Cloudflare and Akamai are doing it for free? Really?


No, I do not. You didn't read my original comment, I asked if apple selecting them and are they paying them.


Does this mean that all DDoS mitigation techniques need to exist before the exit node of this traffic? Which in turn mean, that everyone needs to outsource their DDoS mitigation to Apple.

Also the corollary would be, that anyone who is able to bypass the protection mechanisms Apple has in place to control DDoS, can use it to DDoS a service like Google, Microsoft and get the entire service banned for all iCloud+ users. Right?


Apple has sort of addressed this with only having it work with Safari and other apps that implement the API, rather than system-wide as something you can connect to. It’s probably going to take a lot of reverse engineering before hackers figure out the API and how to get third party devices to connect and authenticate, if at all. If you can’t get third party devices to connect, you are missing the first D in DDOS.


There is also almost certainly an authentication mechanism in place, even if you were to reverse engineer the API. You'd need a bunch of paid iCloud accounts to have a DDoS be at all feasible with this service.

Additionally, Cloudflare themselves, one of Apple's third party partners, offer DDoS protection services. Because they see all the exit traffic, they'd be able to detect the DDoS and block it.


That's why this concern seemed weird to me; the exit nodes ARE the DDoS protection services.

I can't see Cloudflare putting themselves in the position of needed to protect their clients from themselves ...


Otherwise, by the poster’s logic, why hasn’t CloudFlare been a DDoS vector?


Why are you assuming this can, and will, be readily used as a DDoS vector?


"...why don't VPN providers implement a onion router.."

Pretty sure Nord already does. Probably others.


sounds awesome! tor as a system service with a professionally managed network. beyond making ad tracking harder, i wonder what sorts of new application spaces this may open up. i can already think of one! (and no, it's not some shady illegitimate/illegal bs)


> An big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node. You can view this as a sop to the various on-line video providers

How could it be a "sop" to video services, isn't it exactly what they want, no more no less?


What video services really want is for each user to be identifiable by IP address. This doesn't quite give them that, but it does region-lock them.


Why do they want that though? They can still remember you, right, since you’re logged in?


Not all media sites require one to be logged in.

However, there are many reasons why a video service might want each user to be individually identifiable by IP.

- Many media items are contractually region-locked

- The same user from too many simultaneous IPs might mean shared credentials, a perceived loss of revenue

- The same user from geographically disparate IPs might also mean shared credentials, even if not simultaneous.

I'm sure there are more.


We were talking about video streaming services though, they usually require a log in, and in any case they’ll have a cookie so they know who you are.

Region locking is fine right, that’s exactly what Cloud+ provides, same thing with your third point.

As to the second one, I don’t know how big the simulated regions are but i suppose it will look like different houses at least. I’m sure netflix will think of something though.


> We were talking about video streaming services though

Were we? I read "on-line video providers," which could as easily be the BBC or YouTube as Netflix. It seems like your most recent comment is the first one to mention streaming.


Those are all video streaming sites.


Okay, and several of them don't require logins. So I'm not sure what your objection was about.

In any case, I think I've answered the question.


Does it mean iOS devices in China can go across GFW with Apple's VPN?


1) the egress would still be in China 2) regardless of #1, iCloud Relay will not be available in China (as well as other countries)


I think the title should be: Apple's iCloud+ "TOR-esque"


Apple Routing


Where are the Apple VPN exit points?

I wish there was a non-dubious VPN service with an exit in a non GDPR country, or at least one with internet privacy. I rolled a strongswan VPN through AWS EC2 but all the egress points are in countries that can be exposed.


Isn’t iCloud+ “VPN” (Private Relay) just white-labled Cloudflare Warp? Is “onion router” a new development or is Jerry overzealously inferring there’s more than meets the eye here?


It just re routes traffic to your nearest Fastly pop and mixes traffic up with everyone else nearby.


It specifically goes through an Apple proxy first and fastly (or other partners like Akamai and Cloudflare) don't see the incoming IP address.


Apple in a few months to VPN's: give us 30% share if you want to serve as exit node to Apple iCloud+ VPN.

Two part strategy as always:

1. Get yourself in-between of an already functioning system, by force if needed 2. Abuse your market position to gain millions of users, make it super easy to use this as default, and make existing players compete for their 70% share of what they already were earning.

- Enjoy new billions on top of existing trillions


This goes against my general distrust of giant corporations, but I trust Apple a lot more than I do the extremely shady VPN companies infesting the internet


https://developer.apple.com/videos/play/wwdc2021/10096/

A pretty decent overview of the scope of the product.

As mentioned in the video, the service also is involved if your app does HTTP over port 80, offering at least some marginal level of improvement. Otherwise it leaves your app traffic as is.

As to Mail, the linked comment mentions that but I don't remember it being a part of the solution (nor does it seem feasible that it could be). Apple offers privacy improvements in mail, but not via the private relay.


https://developer.apple.com/wwdc21/10085

Privacy Relay is also discussed in the privacy pillars video for a few minutes, starting at 24m30s.


To be exact, the video says that it includes all insecure HTTP traffic, so if you use HTTPS for now you are saved.


I don’t really mind paying few bucks for privacy. But I think Apple in the process is gonna kill a lot VPN providers. While I don’t care right now I hope it doesn’t make Apple a monopoly.


It won’t harm VPN providers, I don’t think, for a few reasons.

- VPNs are actually less private than iCloud+ double hop design, but could be much faster due to only having a single hop.

- Unlike a VPN, you can’t choose the location of the server you exit at, and the exit server cannot be in a different nation. If you are in the US, iCloud+‘s relays are in the US. No circumventing georestrictions here.

- Apple does not market their service as a VPN and never said it is one. For most customers, they don’t know this is a VPN substitute because it doesn’t call itself one. So if you have “VPN” in your mind, this isn’t something you think of as an option.


Additionally, this only works for port 80 traffic from apps. Other traffic is not run through this, so a VPN would still be useful in those scenarios.


To clarify: port 80 and 443 (TLS connections), right? Or is TLS traffic only routed through the private relay in Safari, not other apps?


All traffic in Safari goes through relay. However, in 3rd party apps, all traffic over 80 goes through relay and traffic over 443 is exempt. There is going to be an API though for if you want your 3rd party app’s 443 to go over the relay if you desire.


Not in beta1. I tcpdump'ed traffic from Firefox. HTTP/80 traffic is perfectly visible and not pushed to mask.icloud.com


Wait, so no HTTPS?


Everyone I know who uses a VPN doesn't really care about Privacy with a big P (i.e. state actors etc), they either use it to get around geo-blocks or to conceal their use of BitTorrent and maybe porn sites and this only seems to cover the last of those.


This could also mean now major companies security teams have even more incentive to track onion routing users and to check their pattern of traffic to ensure they are legitimate Apple users and not some tor user instead of just blanket-blocking every tor user. This could make tor less secure in the long term if more open source/closed source projects (NSA notwithstanding) are started and dedicated to analyzing and delayering tor traffic.


Potentially, this provides troves of data to the exit node operators (CloudFlare, Fastly, Akamai, ...). Yes, it's the same with all VPNs and ISPs, but I think users should be made aware that now instead of your ISP analyzing the data, an even bigger and more capable corporation is. And if Apple is controlling the entire onion chain (I would be surprised if they weren't), they have even more data available, mainly with a corresponding IP of yours. In the net sum, you are hiding the transmitted data from your ISP and the IP from the sites you visit, but you are handing over all this information to a centralized place - Apple and exit node providers. Potentially, they can use the information to connect the dots more easily and fully than any ISP or site ever could.


This is not quite correct though - entry side and exit side are specifically and intentionally not operated by same entities. So Apple knows who you are but doesn’t know what you’re looking for or where you’re going - your traffic is passed straight through to the exit layer. Exit layer operator knows what you’re looking for and where you are going but doesn’t know who you are or where you’re coming from.


The exit node operator can extract useful information even without knowing your IP, especially until Encrypted Client Hello (ECH) is ubiquitous.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: