I doubt this is a leak, it very much sounds like Apple is using QUIC to connect home and make the API work.

Not respecting the system firewall does seem like a flaw, but Apple has had a history of bypassing attempts at filtering network traffic. Firewalls have been blocked from working and Apple services have been made unblockable in later APIs. I'm not surprised in the slightest that Apple also bypasses your VPN to call home.

I don't know if this is a problem, though. If you buy Apple, you let Apple make the decisions for you, that's how the entire ecosystem is designed. You must trust Apple unconditionally and accept traffic sent home to adhere to their privacy settings, or you should not run macOS at all. Try to run Windows or Linux on it if you've bought your computer for the hardware quality, though the M1 makes that nearly impossible without sacrificing user experience.

Seems annoying, but any application can work around any firewall rules pretty trivially provided they can get at least one type of connection out to the internet. TCP, UDP, DNS... anything. Just need that one connection and it can be turned into a tunnel.

The private relay feature is worth being aware of, but it's irritating for users to deal with overzealous and clueless admins who think that locking down systems by disabling features like this can "increase security". It just ends up getting in the way of getting work done without any real benefit.

The headline implies that normal user traffic bypasses the firewall, when in fact it's only Apple system traffic. Still not great, but way less bad than if the VPN was actually bypassed for all traffic:

"It is worth noting that Private Relay (mostly) disables itself as soon as any firewall rule is added to PF (the system firewall on macOS devices). The Mullvad VPN app does add firewall rules. Once you connect the Mullvad app, Private Relay announces that it has disabled itself. We see no correlation between user traffic and the leaking packets. We believe they are just some heartbeat signal calling home to Apple. We do not know what information is transmitted to Apple, but since the destination is Apple servers, it is a strong signal to your local network and ISP that you might be a macOS user."

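One way to check a claim like this on your own machine, as an added example that is not from the thread or from Mullvad: capture the physical interface with tcpdump while the VPN is up, then flag every packet that is neither addressed to the VPN server nor staying on the LAN. The capture below is constructed, the addresses are documentation ranges standing in for the VPN server and an Apple host, and `en0` and `192.168.1.0/24` are assumptions.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what `tcpdump -ni en0` might print on the physical
# interface while the VPN is up. 198.51.100.10 stands in for the VPN server,
# 203.0.113.7 for an Apple host, 192.168.1.1 for the local router.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.168.1.20.51820 > 198.51.100.10.51820: UDP, length 148
12:00:01.050 IP 192.168.1.20.61234 > 203.0.113.7.443: UDP, length 1250
12:00:01.060 IP 192.168.1.20.61234 > 203.0.113.7.443: UDP, length 62
12:00:02.000 IP 192.168.1.20.68 > 192.168.1.1.67: UDP, length 300
12:00:02.500 IP 192.168.1.20.51820 > 198.51.100.10.51820: UDP, length 96
12:00:03.000 IP 192.168.1.20.61234 > 203.0.113.7.443: UDP, length 62
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>UDP|TCP)"
)


@dataclass(frozen=True)
class Leak:
    ts: str
    dst: str
    dport: int
    proto: str


def find_leaks(capture, vpn_endpoint, lan="192.168.1.0/24"):
    """Return packets on the physical interface that neither go to the VPN
    server nor stay on the LAN. With the tunnel up, everything else should
    have been routed through it, so whatever is left is leaked traffic."""
    lan_net = ipaddress.ip_network(lan)
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP lines, truncated lines, etc.
        dst = ipaddress.ip_address(m["dst"])
        if str(dst) == vpn_endpoint or dst in lan_net:
            continue
        leaks.append(Leak(m["ts"], str(dst), int(m["dport"]), m["proto"]))
    return leaks


def summarize(leaks):
    """Count leaked packets per (destination, port, protocol) so a periodic
    heartbeat shows up as one repeating tuple rather than scattered lines."""
    return Counter((l.dst, l.dport, l.proto) for l in leaks)
```

On the sample this reports three UDP/443 packets to the stand-in Apple host, the QUIC-shaped pattern the quoted text describes, and nothing for the DHCP exchange or the WireGuard packets to the VPN server.
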
I’m unsure how a VPN and private relay would be expected to operate concurrently?

What happens if you enable two VPNs concurrently today?

Private relay and VPNs serve significantly different purposes - private relay is very clearly http[s] focused to the extent that I recall it doesn’t cover most traffic?

Does disabling Private Relay[1] on a DNS-level prevent this?

[1] https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/

it's probably just out of band housekeeping for the private relay link.

> We do not know what information is transmitted to Apple, but since the destination is Apple servers, it is a strong signal to your local network and ISP that you might be a macOS user.

isn't this trivially evident with all your traffic being tunneled back to apple as well?

System VPN is a privileged process and it's quite possible that it uses raw networking, for efficiency or other implementation reasons. You'd also see that any Linux process with CAP_NET_RAW "ignores" iptables. It's good to keep in mind the inherent limitations of in-system software firewalls.

Ugh - I appreciate the spirit of what they are doing, but it’s yet another example of the best of intentions getting flattened by unintended second order effects.

At least it’s still beta!

Posting this on a burner account for obvious reasons but I was able to bypass Cloudflare’s IP based restrictions using Apple’s iCloud relay when my connection was being relayed through one of their POPs. As far as I can tell the issue is fixed now but I’m unsure if they ever notified customers.

The product seems to be fraught with security issues for Apple customers and others.

Well I will be turning this off when it's out of beta and I'm prompted to use it. I already cloak my traffic with a self-hosted VPN+VPS box that I control. And using Mullvad combined with Private Relay would be redundant and overkill. Just turn it off if using a VPN client.

That’s why you always carry your personal pocket-cellular WiFi modem with custom firewall settings.

Then turn on Airport mode on your cellphone.

Sign on to your WiFi.

IP address Privacy, pretty much assured (assuming you have your own backend WireGuard and remote VPS-based gateway.)

Private relay seems to be fraught with privacy and security issues. I was able to use private relay to bypass IP based restrictions to all sites using one of the CDNs that private relay uses.