What is Apple Private Relay and is it worse than a VPN?


(Edit: This article has been updated with comments from various VPN providers)

Apple announced several important new privacy features at WWDC 2021, its annual developer conference. The most important, and the most controversial, is Private Relay, a technology that lets users browse the web without revealing their real IP address, making it much harder for websites to track their browsing.

The feature is one of several additions to Apple's upcoming iCloud+ service. Existing paid iCloud accounts will be upgraded at no extra cost, which means you can get Private Relay for as little as $0.99 per month on the 50GB storage plan.

This doesn't necessarily mean it's time to ditch your VPN subscription; far from it. There are several reasons for that, which we'll get to later, but the main one is that Private Relay doesn't protect all of your traffic: it covers Safari, DNS lookups and insecure HTTP connections from apps only. Traffic from other apps, including HTTPS traffic, is left alone.

More importantly, the technology has other issues too, which become more apparent when you look under the hood.

How does Apple Private Relay work?

Private Relay is easy to use, with none of the app-level hassle you get with a regular VPN. Sign in to your iPhone, iPad or Mac with an iCloud+ subscription, enable Private Relay in the iCloud settings, and the technology starts protecting your Safari activity. The next time you connect to a website, Private Relay routes your traffic through two servers.

Your device makes a fast, encrypted QUIC/HTTP3 connection to the first server, the ingress proxy, which is operated by Apple. The connection is authenticated with a technique called RSA blind signatures, which proves you are a subscriber without sending a username, password or any other account details; the ingress proxy cannot tie the session to your Apple ID. The ingress proxy doesn't even know which website you're visiting, because that information is encrypted on your device for the second server only.
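To make the authentication step concrete, here is a textbook (Chaum-style) RSA blind signature in pure Python. This is an added illustration, not Apple's code: the deployed scheme uses RSA-PSS blind signatures and a real key hierarchy, whereas the key here is a toy built from two Mersenne primes and the hashing is a plain SHA-256 of the token. The names Issuer, blind, unblind and verify are ours. The point it demonstrates is the one the paragraph makes: the issuer signs a value that is statistically independent of the token it later has to accept, so it can record the account and still not link it to the token.

```python
import hashlib
import math
import secrets

# Toy RSA key. p and q are Mersenne primes (2^521-1 and 2^127-1), chosen only so
# that the modulus comfortably exceeds a 256-bit digest. Not for real use.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def hash_to_int(token: bytes) -> int:
    """Map a token to an integer below N (a stand-in for full-domain hashing)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")


def blind(msg: int) -> tuple[int, int]:
    """Client side: multiply msg by r^e so the issuer sees a uniformly random value."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return (msg * pow(r, E, N)) % N, r


class Issuer:
    """Account-holding side: checks the subscription, then signs what it is shown."""

    def __init__(self) -> None:
        self.seen: list[tuple[str, int]] = []   # everything the issuer could log

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.seen.append((account, blinded))
        return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Client side: strip r to recover a normal RSA signature over H(token)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Relay side: accept iff sig^e == H(token) mod N. No account data needed."""
    return pow(sig, E, N) == hash_to_int(token)


def demo() -> dict:
    """Run one issue/redeem cycle and report what the issuer could correlate."""
    issuer = Issuer()
    token = secrets.token_bytes(32)              # fresh per-session token, chosen by the client
    msg = hash_to_int(token)
    blinded, r = blind(msg)
    sig = unblind(issuer.sign_blinded("user@example.com", blinded), r)
    # Later the client presents (token, sig) to the relay and nothing else.
    return {
        "accepted": verify(token, sig),
        "forged_rejected": not verify(token, (sig + 1) % N),
        # The issuer's log holds the account and the blinded value; the blinded
        # value never equals H(token), so the log cannot be joined to the session.
        "issuer_saw_token_hash": any(b == msg for _, b in issuer.seen),
    }


if __name__ == "__main__":
    print(demo())
```

The unlinkability comes from r being uniformly random and secret to the client: the issuer's view (msg * r^e mod N) is a uniform element of the group regardless of msg. Real deployments add a proper domain-separated padding (PSS) and rotate issuer keys, which this toy omits.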

This is how Private Relay uses multiple proxies to hide your real IP address (Image credit: Apple)

Your IP address could still identify you, so the ingress proxy replaces it with an approximate geographic location. If you have a Staten Island IP address, for example, it might simply record "New York". (Alternatively, you can tell Private Relay to pick an address based only on your country and time zone, which gives it a much larger pool of IP addresses to choose from.)

The ingress proxy then makes an encrypted connection to the egress proxy and passes your request on to it. This second server is operated by an independent content delivery provider, not Apple (most likely a partner CDN), so neither company can tell on its own who is making any particular request.

The egress proxy then decrypts your request to see which website you are visiting. This separation of knowledge is what protects your privacy: the ingress proxy knows something about who you are (your IP address) but not what you do; the egress proxy knows what you're doing but nothing about who you are.

Private Relay replaces your exact IP address with one from your region or country (Image credit: Apple)

The egress proxy doesn't know your IP address, but it must present some source address to the website you're visiting so the site can return the right content. To do that, the egress proxy looks at the approximate location it received ("New York") and assigns you an IP address from a pool in roughly that area. Manhattan? That'll do.

This approach gives websites a good enough idea of your location to show relevant content, but not enough to identify you. The IP address they see changes from visit to visit, and your real IP is never revealed. All they know is that the connection came from an egress proxy, so they send their content back, encrypted, to that address, and it is routed back through the ingress proxy and on to you.
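The split of knowledge described over the last few paragraphs can be modelled in a few dozen lines. The following is an added example, not Apple's implementation: the prefix-to-region table, the egress address pools (drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), the session key, and the toy SHA-256 keystream cipher standing in for the device-to-egress TLS/QUIC session are all constructed for illustration, and the function names are ours. Running it shows what each of the three parties (ingress, egress, website) gets to observe for a single request.

```python
import hashlib
import ipaddress
import secrets

# Constructed coarse-geolocation table used by the ingress proxy: a prefix maps
# to a region label only, never to a street-level location.
INGRESS_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "New York",
    ipaddress.ip_network("198.51.100.0/24"): "London",
}

# Constructed egress pools: the egress proxy picks a public address from the
# pool for the client's region and picks again for every new connection.
EGRESS_POOLS = {
    "New York": [ipaddress.ip_address(f"192.0.2.{i}") for i in range(10, 20)],
    "London": [ipaddress.ip_address(f"192.0.2.{i}") for i in range(100, 110)],
}


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream); symmetric, so it also decrypts.
    It stands in for the encrypted session between device and egress proxy."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def device_build_request(client_ip: str, host: str, egress_key: bytes) -> dict:
    """Outer envelope is readable by the ingress; the inner request only by the egress."""
    return {"src": ipaddress.ip_address(client_ip),
            "inner": _keystream_xor(egress_key, host.encode())}


def ingress(envelope: dict) -> dict:
    """Ingress proxy: sees the client IP, coarsens it to a region, drops the IP."""
    src = envelope["src"]
    region = next((name for net, name in INGRESS_GEO.items() if src in net), "unknown")
    return {"region": region, "inner": envelope["inner"]}


def egress(forwarded: dict, egress_key: bytes) -> dict:
    """Egress proxy: decrypts the destination and picks a pool address for the region."""
    pool = EGRESS_POOLS.get(forwarded["region"])
    if pool is None:
        raise ValueError(f"no egress pool for region {forwarded['region']!r}")
    host = _keystream_xor(egress_key, forwarded["inner"]).decode()
    return {"host": host, "src_seen_by_site": secrets.choice(pool)}


def relay(client_ip: str, host: str) -> dict:
    """Run one request end to end and return what each party was able to observe."""
    egress_key = secrets.token_bytes(32)   # negotiated device<->egress; the ingress never has it
    envelope = device_build_request(client_ip, host, egress_key)
    fwd = ingress(envelope)
    site = egress(fwd, egress_key)
    return {
        "ingress_view": {"client_ip": str(envelope["src"]),
                         "inner_is_ciphertext": fwd["inner"] != host.encode()},
        "egress_view": {"region": fwd["region"], "host": site["host"]},
        "site_view": {"src": str(site["src_seen_by_site"]), "host": site["host"]},
    }


if __name__ == "__main__":
    for _ in range(3):
        print(relay("203.0.113.7", "example.com"))   # note the changing site-visible source IP
```

The check a practitioner would want is in the returned views: the ingress never holds the hostname in the clear, the egress and the website never hold the client IP, and only the device (which called relay) ever had both. The "unknown" region branch is the failure mode to keep in mind: if the ingress cannot place an address, the egress has no pool to draw from and must refuse rather than fall back to something that leaks the real address.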

Private Relay has many benefits (Image credit: Apple)

The Private Relay network

Sign up for a VPN and you'll want to check all kinds of details about the network: how many servers, how many locations, who runs it, and more. Unfortunately, Apple hasn't released any such details, not even who runs the website-facing side of the network, but other sources offer some strong clues.

Users running Private Relay on the iOS 15 beta reported that their IP addresses were assigned to Cloudflare, for example, a strong signal of at least one provider.

Although Apple did not name the providers it works with, there were some clues in the WWDC presentation (Image source: Apple)

There is another clue in an Apple developer video, which shows that Private Relay uses Oblivious DoH (ODoH). This is a new DNS standard that encrypts DNS queries so that, when you're connected to Private Relay, the first server (the ingress proxy) cannot see which website you're trying to reach. ODoH was developed by Apple, Cloudflare and Fastly, another large CDN provider that would make a lot of sense as a Private Relay partner.

A recently published report speculates that Akamai is Apple’s third provider, and suggests that the Private Relay link is behind the stock price hikes for all three companies. If this is true, then this is good news.

These are CDN giants, Akamai alone has over 300,000 servers in over 130 countries, and adding Cloudflare and Fastly to the mix should ensure you're never far from a Private Relay server. That is an order of magnitude more infrastructure than any VPN provider out there.

Can you trust Apple Private Relay?

The Private Relay design looks good to us, but is it good enough? Tor also routes your traffic through multiple relays, but where Apple stops at two, Tor uses at least three, and sometimes more. Tor's relays are run by volunteers too, which arguably reduces the chance of any single party tracking what you're doing, and we've seen arguments that this makes Tor more secure than Private Relay.

That seems logical in theory, but there is a catch. Having Tor relays run by volunteers rather than large companies might sound attractive, but it doesn't make them more trustworthy. Security researcher nusenu has been tracking malicious Tor relays since 2020, and a recent blog post reported that at one point "25% of Tor network exit capacity" was attacking Tor users in various ways.

The Private Relay two-server approach, where Apple always controls the ingress proxy and another large company runs the egress, can still be seen as a problem. If you don't trust either of them, you probably won't be swayed by Apple's privacy promises.

Every company running Private Relay infrastructure is likely to be under US jurisdiction as well, and we've seen users worry that any anonymity will evaporate as soon as the first subpoena or warrant arrives.

Is that realistic, though? Apple doesn't just promise not to log; it says the design makes logging useless. The ingress proxy knows nothing about you beyond your IP address and can't see the site you're visiting, so there is nothing for Apple to hand over; the egress proxy knows the destination and your rough location, but not your IP. Only your device ever has the whole picture.

You don't have to trust Apple unconditionally to see the damage to its reputation if this turned out to be false and it handed over user data as soon as it was requested. It would be the end of any claim to privacy expertise, and the greatest gift Apple could ever give Google and Microsoft. Nobody can know for sure, but it seems to us that this is a very strong incentive for Apple to be very, very sure that Private Relay works as promised.

Traffic passes through two servers before it reaches your destination site (Image credit: Apple)

A look at Apple Private Relay performance

Using Private Relay requires extra encryption and routes your traffic through two additional servers before it reaches its destination, which suggests some performance hit. But Apple says there will be little effect on speed. Could that be true?

If your ISP throttles a particular type of traffic (video, for example), the extra encryption hides what kind of traffic it is, which can sidestep the throttling and improve speeds. Private Relay's use of UDP-based HTTP/3 is another plus, and should help offset the extra server hops.

And while passing your traffic through two additional servers will affect speed, Private Relay isn't like a typical double-hop VPN, where one cheap VPS in a data centre somewhere forwards to another.

CDN providers like Cloudflare and Akamai use powerful hardware, smart routing, and all sorts of other technologies to reduce milliseconds here and there, and that will keep your overhead to a minimum. Presenting data securely and with minimal delay is what they do.

Put it all together and you should expect some impact on speed, though probably less than a VPN would cost you. There are a lot of variables (your location, demand on nearby servers, your device and network), and we'll have to wait for the release to know for sure.

Private relay connections are encrypted and only your device can see the whole picture (Image credit: Apple)

What are the benefits of Apple Private Relay?

Private Relay improves on VPNs in several ways.

Incorporating it into the operating system reduces any technical hassles. You don’t need to launch an app, figure out which settings work best, or remember to connect before doing anything sensitive. Sign up for iCloud+, check the box to turn the technology on, and it just works.

The two-server approach, with each server run by a different company, means you no longer have to take a single provider's privacy promises on trust. A VPN server sees your account details when you authenticate and then sees everything you do online, which makes logging your activity trivial.

A blind-signature token scheme lets users connect to Private Relay without providing any account or other details (Image credit: Apple)

With Private Relay, Apple can't associate any online action with an account, so it can't record what you're doing. And all a website sees is the randomly chosen egress proxy IP address, leaving nothing that could be tied back to you.

We're glad to see Private Relay encrypting DNS and protecting insecure HTTP connections by default. Most VPNs do the same, but it's good to know these common leak paths are covered.

Private Relay's Safari-only coverage is a weakness, but it has one upside: it won't break banking, payment or other apps that complain when you use a VPN. (Safari traffic may still be blocked by PayPal and others, since they treat IP addresses as part of your identity, but we'll have to wait and see whether Private Relay is affected more or less than VPNs.)

You don't have to choose between Private Relay and a VPN, though: you can turn on both. Apple explains that "if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay, and neither will app traffic that uses your extension." Configured proxies also bypass Private Relay, so your existing apps and tools keep working as they did before.

Unlike regular VPNs, Private Relay doesn’t let you choose a location (Image credit: NordVPN)

What are the limits of Apple Private Relay?

Although Private Relay is technically very smart, it is focused squarely on privacy, and it will never fully compete with a commercial VPN.

There is no option to choose another location, for example. That is by design: Private Relay chooses the ingress and egress proxies, and it is those servers working together that decide your final IP address. There is no way to override this within the current system.

It doesn’t look like this will change in the future either. Apple developer…
