Apple's iCloud+ “VPN”

898 points by n1000, nearly 4 years ago

48 comments

jameshart, nearly 4 years ago
Interesting. I thought I recalled talking about this on HN previously:

https://news.ycombinator.com/item?id=10355868

    _-__--- on Oct 8, 2015 | parent | favorite | on: Verizon revives "zombie cookie" device tracking on...

    Tor as an OS-level feature may not spark the best reaction. It's been given a bad name ("deep web," silk road, etc) in mass media and many people don't understand it enough to think of it as anything other than bad. I think that it'd be cool to have, but I don't think that Apple would ever implement it.

    jameshart on Oct 8, 2015 [–]

    Agree, it's phenomenally unlikely, but then again there is a part of me which could actually imagine Apple doing something like it. They wouldn't use Tor, of course, they'd build a proprietary equivalent, and then come out on a black stage to 'introduce Apple Undercover, a revolutionary enhancement to personal network privacy and security'.
danpalmer, nearly 4 years ago
Props to Apple for the design of this service. It doesn't hit all the privacy targets that long-time personal VPN users might be looking for, and it doesn't get into the game of trying to circumvent region locked content*, but otherwise it's likely to be a solid privacy improvement for almost all users in a careful and deliberate way.

I use a VPN for other reasons (downloading Ubuntu ISOs mostly) but I'll probably turn this on and leave it running on all my devices because of how transparent it appears to be. I trust Apple's onion-routing design more than I trust my VPN provider not to log things.

* I'm actually glad they don't try to get around region locks. I consume a lot of BBC content and live in the UK. I'm constantly struggling with my VPNs (with UK endpoints) being blocked because others outside the UK could be using them. It would be nice if the BBC didn't block like this, but UK residents do typically pay for the content whereas those outside the UK are unable to.
headmelted, nearly 4 years ago
I've been trying to point this out to people but YouTube personalities have a louder voice than anyone else so you end up with bad information.

Props to Apple for offering an (albeit low entropy) onion router on their own infrastructure. I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.

I'd also really like to see Apple come clean about the iCloud backup encryption debacle. A lot of people are trusting it to be something it's not and it should really be clarified on-device what it is and is not before opting in.
vngzs, nearly 4 years ago
From Apple's statement[0]:

> The first assigns the user an anonymous IP address that maps to their region but not their actual location. The second decrypts the web address they want to visit and forwards them to their destination. This separation of information protects the user’s privacy because no single entity can identify both who a user is and which sites they visit.

Apple is not saying nobody can deanonymize you - they are being very careful to only state that no single entity can deanonymize you. Hence you should still assume this is not a good protection against any entity with subpoena power, or the ability to compel the cooperation of Apple and their 3rd-party egress relay providers.

[0]: https://9to5mac.com/2021/06/07/apple-icloud-private-relay-feature-china/
modernerd, nearly 4 years ago
> It's not clear if the API will be public for other browsers or applications to use.

Apple has already confirmed that other app traffic will go through iCloud Private Relay “no matter what networking API you're using”, with some exemptions:

> Not all networking done by your app occurs over the public internet, so there are several categories of traffic that are not affected by Private Relay.

> Any connections your app makes over the local network or to private domain names will be unaffected.

> Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.

> Traffic that uses a proxy is also exempt.

From https://developer.apple.com/videos/play/wwdc2021/10096/.
pdimitar, nearly 4 years ago
> All in all, a very Apple approach: They deny themselves any knowledge of a customer's DNS queries and Web traffic, so if served with a subpoena they have very little to respond with.

Maybe I am missing something but I view this as a rather genius move. They have plausible deniability + actually introduce some protection for their users.

Not sure how to read the original post though. Is it praising Apple? Is it mocking them? We don't have to be polar of course, I am just wondering.
Spooky23, nearly 4 years ago
I think this is great, if only as a way to kill the bullshit consumer VPN business, which sells snake oil.
gjsman-1000, nearly 4 years ago
So far, partners of Apple I’ve seen the service forwarding to are CloudFlare, Akamai, and Fastly. There may be more but those are the ones I’ve seen and heard.
kibleopard, nearly 4 years ago
> The routing uses two hops; Apple provides the first, and "independent third parties" (not yet specified) provide the second.

This isn’t true though, they have specified who the independent third parties will be: CloudFlare Warp, Fastly, and Akamai. See here: https://www.barrons.com/articles/fastly-stock-outage-think-apple-51623269551
bhaavan, nearly 4 years ago
My guess is one of the major reasons for having the exit nodes in the same geo location as entry nodes is to have continuous operations in China. Without this constraint, they would have allowed Chinese consumers to access the free web, which would ban them instantaneously.

I don't think Apple cares as much about video content providers, though.
beermonster, nearly 4 years ago
This is interesting. I think overall I approve as it benefits people by default.

It does mean you now have to trust Apple since that's the first hop. However you're already doing this when you spin up your AWS Lightsail Wireguard instance, say. AWS can see ingress and egress traffic and so you just need AWS to not be part of your threat model. Same here. Though I don't see this as too much of a problem since it applies to devices and services where you've already made this explicit choice.

The app limitation thing is a shame and hopefully there will be an API at a later date.

The exit node choice based on exit-locality kinda makes me think Apple either:

- Want to restrict this service being (ab)used for geolocked content (Netflix etc)

- Want to speed up the service by providing the closest exit node (Performance)

Of course given all the FBI cases, you also have to consider other possibilities for the creation of this service.
xnx, nearly 4 years ago
This is great. I hope this spurs Google to make their VPN (https://one.google.com/about/vpn) more widely available. A few audiences they could expand it to: any ChromeOS device, any Pixel phone, any Android phone, any mobile Chrome user, any Chrome user.
njacobs5074, nearly 4 years ago
Does anyone have pointers to info/articles about the countries that are on the "no VPN" capability list?

Some of them make sense to me, i.e. China which has a long history of censoring their citizens.

But in particular, I'm trying to find out why South Africa is on that list seeing as I live there.

Edit: In [1], Apple is quoted as saying, "We respect national laws wherever we operate" but did not elaborate further.

[1] https://mybroadband.co.za/news/internet/400893-apple-will-not-launch-feature-to-hide-online-identity-in-south-africa-or-china.html
nuker, nearly 4 years ago
I hope it'll not bring captcha hell, as Google does for using VPNs. Twitter is simply blocking my VPN provider. eBay sends scary email every time I login.
pilif, nearly 4 years ago
My experience with this so far was... mixed.

- This breaks DNS resolution for company-internal domains.

- This routes all my traffic through CloudFlare or another CDN I might or might not trust (yes, the IP is hidden, but not the data)

- it significantly slows down my internet access on my location.

- it tends to turn itself on again without my intervention

especially the last point is very problematic for me
crazygringo, nearly 4 years ago
So I seem to be completely missing... what is this actually *for*? What's the value proposition for the average consumer?

It doesn't replace a VPN into your company's or university's network (for accessing private resources).

It's not for accessing streaming TV in different regions.

HTTPS is already secure.

In theory it seems like it could be used for illegal torrent downloading, but given that Apple is in the media business, something tells me they'll do their best to block torrenting.

And for things like videoconferencing, it will almost certainly degrade performance to a degree (latency, bandwidth, or both).

The only thing left seems to be your ISP and/or coffee shop WiFi being able to track what IP addresses you communicate with. Instead, they don't, but Apple does. Is that really a benefit, or a benefit any average consumer cares about?
res0nat0r, nearly 4 years ago
Is this like Cloudflare Warp then?

https://1.1.1.1/
fossuser, nearly 4 years ago
I was curious how they would actually implement this, if it's actually onion routing that's pretty cool.

I wonder what advantage this gives over using NextDNS?
bitcurious, nearly 4 years ago
Correct me if I’m wrong, but as I understand it a two-hop onion network is still trivially breakable with (two) warrants, especially since both Apple and Cloudflare/etc., are US companies. Which would make it a VPN in the duck-type sense.
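The "no single entity" separation vngzs quotes and the two-warrant case bitcurious raises, as an added model that is not part of any comment in this thread and is not Apple's protocol. The toy SHA-256 keystream with HMAC (standing in for real authenticated encryption), the pre-shared per-hop keys, the flow id (standing in for whatever lets two operators line up their records), the sample address and URL, and all function names are assumptions.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream: SHA-256 in counter mode, a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC one layer under `key` (toy construction).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    # Remove one layer; raises ValueError if `key` is not that layer's key.
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified layer")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def can_read(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

def client_send(client_ip, url, k_first, k_second):
    inner = seal(k_second, url.encode())        # destination: hop 2 only
    return {"src": client_ip, "payload": seal(k_first, inner)}

def first_hop(pkt, k_first, flow, log):
    inner = unseal(k_first, pkt["payload"])
    log.append({"flow": flow, "client_ip": pkt["src"]})      # who, not where
    return {"src": "first-hop", "flow": flow, "payload": inner}

def second_hop(pkt, k_second, log):
    url = unseal(k_second, pkt["payload"]).decode()
    log.append({"flow": pkt["flow"], "peer": pkt["src"], "url": url})  # where, not who
    return url

def correlate(first_log, second_log):
    # Join both operators' records on the flow id: who visited what.
    who = {r["flow"]: r["client_ip"] for r in first_log}
    return [(who[r["flow"]], r["url"]) for r in second_log if r["flow"] in who]

def demo():
    k1, k2 = os.urandom(32), os.urandom(32)     # constructed per-hop keys
    log1, log2 = [], []
    pkt = client_send("203.0.113.7", "https://example.org/private", k1, k2)
    fwd = first_hop(pkt, k1, flow=1, log=log1)
    second_hop(fwd, k2, log2)
    return {"hop1_reads_destination": can_read(k1, fwd["payload"]),
            "hop1_log": log1, "hop2_log": log2,
            "joined": correlate(log1, log2)}

if __name__ == "__main__":
    print(demo())
```

Neither log alone pairs an address with a destination; `correlate` only produces that pairing once both operators' records are in the same hands.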
o8r3oFTZPE, nearly 4 years ago
Here is a simple question: Why is there only one "Tor"?

Why haven't there been more onion routing projects? (Maybe there have been and I am just not aware.)

Perhaps the same reason(s) we never saw widespread adoption of remote proxies, despite their usefulness in many situations.

Although in some respects onion routing seems quite an improvement over "simple" proxies.
basisword, nearly 4 years ago
I'm currently running the beta and this doesn't work on my router (provided by one of the largest ISPs in the UK). When I go to settings it displays a message that the router is unsupported by private relay. Hopefully it's something they can fix before launch but if not I wonder how many other routers are unsupported?
ROARosen, nearly 4 years ago
> or you can view it as a concession to reality: If Apple didn't do this, the video providers would block their exit nodes, as they do with any VPN provider that gets large enough for them to notice.

I seriously doubt any reasonable video streaming service would cut off such a huge chunk of their user base just because they are using an iPhone.
whiteboardr, nearly 4 years ago
Actually surprised how this only shows up on HN now.

Expected this to take the top spot right after the keynote.
Operyl, nearly 4 years ago
So far the two different third parties I’ve seen are Cloudflare and Akamai. Has worked relatively well here, besides the fact that some bug has made it so it turns back on randomly, which isn’t a big deal.
tyingq, nearly 4 years ago
I'm curious how they are securing the feature that keeps you in the same region. Since that feature encourages content providers to not block, it would be a desirable target to work around.
thih9, nearly 4 years ago
What are the differences between a VPN and an onion router approach? Could anyone explain or link to an article?
gordon_freeman, nearly 4 years ago
Does anybody know how iCloud+ VPN would compare with Cloudflare WARP in terms of better privacy protection?
vmception, nearly 4 years ago
Apple should release a token for the routing nodes to stake and get slashed for poor quality connectivity
busymom0, nearly 4 years ago
Not being able to circumvent region locked content makes it only 50% useful for me unfortunately. I often end up using Epic browser which has a built in proxy from other countries to watch region locked content. I would recommend it for non-confidential stuff.
Brajeshwar, nearly 4 years ago
Does this compare to NextDNS[1]? I moved from Pi Hole[2] to NextDNS and I'm happy with it.

1. https://nextdns.io

2. https://pi-hole.net
shp0ngle, nearly 4 years ago
I’m literally using VPNs just to get around geo-blocking.

Still, this is interesting.
GoofballJones, nearly 4 years ago
I liked this little article as it reminds me of when the Web was still young and mainly just text with no formatting or graphics yet. Takes me right back to 1991!
ComodoHacker, nearly 4 years ago
> why don't VPN providers implement a onion router

ProtonVPN does.
theonlybutlet, nearly 4 years ago
I'm curious how does the second hop work? Are the third parties contracted by Apple to provide the service? What's in it for them?
bhaavan, nearly 4 years ago
Does this mean that all DDoS mitigation techniques need to exist before the exit node of this traffic? Which in turn means that everyone needs to outsource their DDoS mitigation to Apple.

Also the corollary would be that anyone who is able to bypass the protection mechanisms Apple has in place to control DDoS can use it to DDoS a service like Google, Microsoft and get the entire service banned for all iCloud+ users. Right?
steveharman, nearly 4 years ago
"...why don't VPN providers implement a onion router.."

Pretty sure Nord already does. Probably others.
a-dub, nearly 4 years ago
sounds awesome! tor as a system service with a professionally managed network. beyond making ad tracking harder, i wonder what sorts of new application spaces this may open up. i can already think of one! (and no, it's not some shady illegitimate/illegal bs)
Grustaf, nearly 4 years ago
> An big tradeoff for some is that the exit node is always chosen to be in the same geo location as the entry node. You can view this as a sop to the various on-line video providers

How could it be a "sop" to video services, isn't it exactly what they want, no more no less?
LonesomeGeorge, nearly 4 years ago
Does it mean iOS devices in China can go across GFW with Apple's VPN?
soheil, nearly 4 years ago
I think the title should be: Apple's iCloud+ "TOR-esque"
SavantIdiot, nearly 4 years ago
Where are the Apple VPN exit points?

I wish there was a non-dubious VPN service with an exit in a non GDPR country, or at least one with internet privacy. I rolled a strongswan VPN through AWS EC2 but all the egress points are in countries that can be exposed.
dcow, nearly 4 years ago
Isn’t iCloud+ “VPN” (Private Relay) just white-labeled Cloudflare Warp? Is “onion router” a new development or is Jerry overzealously inferring there’s more than meets the eye here?
neximo64, nearly 4 years ago
It just re routes traffic to your nearest Fastly pop and mixes traffic up with everyone else nearby.
freakynit, nearly 4 years ago
Apple in a few months to VPNs: give us 30% share if you want to serve as exit node to Apple iCloud+ VPN.

Two part strategy as always:

1. Get yourself in-between of an already functioning system, by force if needed

2. Abuse your market position to gain millions of users, make it super easy to use this as default, and make existing players compete for their 70% share of what they already were earning.

- Enjoy new billions on top of existing trillions
defaultname, nearly 4 years ago
https://developer.apple.com/videos/play/wwdc2021/10096/

A pretty decent overview of the scope of the product.

As mentioned in the video, the service also is involved if your app does HTTP over port 80, offering at least some marginal level of improvement. Otherwise it leaves your app traffic as is.

As to Mail, the linked comment mentions that but I don't remember it being a part of the solution (nor does it seem feasible that it could be). Apple offers privacy improvements in mail, but not via the private relay.
maxpert, nearly 4 years ago
I don’t really mind paying a few bucks for privacy. But I think Apple in the process is gonna kill a lot of VPN providers. While I don’t care right now I hope it doesn’t make Apple a monopoly.
soheil, nearly 4 years ago
This could also mean now major companies' security teams have even more incentive to track onion routing users and to check their pattern of traffic to ensure they are legitimate Apple users and not some tor user instead of just blanket-blocking every tor user. This could make tor less secure in the long term if more open source/closed source projects (NSA notwithstanding) are started and dedicated to analyzing and delayering tor traffic.
amq, nearly 4 years ago
Potentially, this provides troves of data to the exit node operators (CloudFlare, Fastly, Akamai, ...). Yes, it's the same with all VPNs and ISPs, but I think users should be made aware that now instead of your ISP analyzing the data, an even bigger and more capable corporation is. And if Apple is controlling the entire onion chain (I would be surprised if they weren't), they have even more data available, mainly with a corresponding IP of yours. In the net sum, you are hiding the transmitted data from your ISP and the IP from the sites you visit, but you are handing over all this information to a centralized place - Apple and exit node providers. Potentially, they can use the information to connect the dots more easily and fully than any ISP or site ever could.