Clarification on the communication Client -> Ingress -> Egress required

Hello.

There are several aspects of how the Private Relay feature works that are not clear to me.

It's declared that the Ingress proxy knows only the client IP, while the Egress proxy knows only the server name of the DNS request. At the same time, there is a following slide in the session which states that subsequent communication between the client and the Egress server happens through the Ingress server.

The client must share the server name with Egress. How is it guaranteed in this configuration that the Ingress server can't read the server name while it sits in the middle? I assume it's achieved by the TLS-secured connection which is part of the HTTP/3 protocol. But this position of Ingress in the middle, in theory, means that Ingress can read the secured traffic between the client and Egress, just the way it works in a MitM attack, because the certificate check on the client side is also controlled by Apple.

Could you, please, comment on that?

With regards.

At a certain point it comes down to trust. "They" are the provider of the browser and the OS; they could be capturing every website requested, every image seen, every keystroke and tap and sending it back to their servers if they wanted to. It's possible this is all a smokescreen and they will somehow cheat and see the raw request, but there are easier ways for them to do that.

I am assuming when they set up the QUIC connection they provide the client the public key of the egress server, which the client would use to encrypt the request. So even though they control the pipe they can't possibly read the contents. It's the same basic tech that makes it possible for you to communicate safely with a website without everyone in the middle reading the contents. (The above is massively simplified, of course.)
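The information split the reply describes, modelled in added example code (not from the thread or from Apple): the client seals its request to a key shared only with the egress, the ingress relays opaque bytes and learns just the client address, and the egress learns just the target host. A pre-shared key stands in for the real TLS-in-QUIC handshake, an HMAC-SHA256 keystream plus MAC stands in for the TLS cipher, and the ingress address is a constructed placeholder.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of the two-hop relay discussed above: the client seals its
# request to a key it shares only with the egress (a pre-shared key stands in
# for the TLS-in-QUIC handshake; HMAC-SHA256 stands in for the TLS cipher).
INGRESS_ADDR = "ingress.relay.example"  # constructed placeholder, not a real host

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    enc_key = _subkey(key, b"enc")  # separate keys for keystream and MAC
    return b"".join(hmac.new(enc_key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                    for c in range(0, length, 32))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a relay that alters the blob is detected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("inner message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def client_packet(client_ip: str, egress_key: bytes, host: str, request: str) -> dict:
    """Outer packet as the ingress receives it: client address plus an opaque blob."""
    inner = json.dumps({"host": host, "request": request}).encode()
    return {"src_ip": client_ip, "payload": seal(egress_key, inner)}

def ingress_view(packet: dict) -> dict:
    """All the ingress can record: who connected, and how many opaque bytes."""
    return {"client_ip": packet["src_ip"], "opaque_len": len(packet["payload"])}

def ingress_forward(packet: dict) -> dict:
    """The ingress replaces the client address with its own and relays the blob as-is."""
    return {"src_ip": INGRESS_ADDR, "payload": packet["payload"]}

def egress_view(egress_key: bytes, forwarded: dict) -> dict:
    """All the egress can record: the relay it heard from, and the target host."""
    inner = json.loads(open_sealed(egress_key, forwarded["payload"]).decode())
    return {"peer": forwarded["src_ip"], "host": inner["host"]}
```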
