Explainer: TLS, VPN and Private Relay

In the 1990s those who had access to the web normally connected to sites using the Hypertext Transfer Protocol, HTTP. That takes us to URLs starting with http:// and is normally performed through port 80. Everything is conducted in full view of any eavesdropper, who would easily know exactly which site we connect to, and full contents of all exchanges. When there were a few thousand users who were mostly known to one another, and no one was worried about online security or privacy, that seemed fine. It would also be good to use if you wanted to connect to your bank’s website to check on their current interest rates, but you really wouldn’t want to use it to access your bank account online.

Then in 1994, Netscape’s Navigator browser introduced the Secure Sockets Layer (SSL) protocol, which was intended to bring security. Secure connections are made to URLs starting with https:// through port 443 by default, for their encrypted exchanges. Early versions proved flawed and quickly evolved into what’s now known as Transport Layer Security (TLS), although some persist in still referring to it as SSL, which has long since gone.

On its own, TLS should provide reliable protection by encrypting the contents of all exchanges between your Mac and the server. It does so using the server’s security certificate, which is used to generate a short-term session key for encryption. When everything is set up correctly, this provides good assurance that an eavesdropper shouldn’t have access to any of the contents of the messages sent by either end of the connection.

TLS should be completely safe for you to use to transfer money between bank accounts online without any risk of a third-party getting details of those accounts. However, it makes no attempt to prevent them from knowing of that connection. If you wanted to take money out of a secret bank account in Switzerland, for example, using TLS doesn’t stop anyone from discovering exactly when you connected to that bank’s online services.

Various schemes have been used to prevent others from learning of your full online and browsing activities, the most widely used being a Virtual Private Network (VPN). What this effectively does is extend your local network to a remote server, which makes onward connections for you. An eavesdropper then only sees your Mac connecting to the VPN server, and that server making a huge number of onward connections on behalf of all its clients. VPN is more generic, and is often used to give those working from home or remote locations direct access to a corporate network. Provided that all connections are encrypted, it should prove a robust way of making secure and untraceable connections.

Using a VPN to protect the privacy of your connections is dependent on the security and privacy of the VPN service provider, though. They could keep detailed logs of all the connections you make over their service, and provide those to someone who you don’t want to know about accessing your secret bank account. Your online activities could also still be tracked using cookies, or by device fingerprinting.

With macOS Monterey and iOS/iPadOS 15, Apple introduced a different approach which it calls Private Relay. This isn’t intended to compete directly with VPN services, but it’s primarily aimed at limiting the precision of location information which websites can obtain from your connections. In the course of doing that, it makes your IP address more private, and it becomes much harder to track.

This is performed using two relay servers, the first of which only knows your IP address but not that of the URL you’re connecting to. The second server, operated separately from Apple, doesn’t know your IP address but does know the URL you’re connecting to. The destination server then knows you only through a proxy IP address, which can either be allocated within your current country and time zone, or a wider region.

Private Relay makes an eavesdropper’s task a great deal more difficult. They can readily see your Mac’s connections to the relay service, but shouldn’t be able to trace them beyond there. Apple’s servers providing the first relay don’t know destination URLs, and those providing the second relay only know your proxy IP address, which could come from an area containing millions of IP addresses. For the moment, though, we don’t know how robust this proves in real life use.

VPN and Private Relay have come a long way from original HTTP in protecting both the contents of online exchanges and your identity and online activity. But neither is perfect, and all rely on precise implementation of complicated protocols and settings. In the end, there’s also a great deal still left to trust.

Further reading

HTTP (Wikipedia)
HTTPS (Wikipedia)
iCloud+ Private Relay

3Comments

Add yours

1

Norm on March 5, 2022 at 1:29 pm

Can you discuss how Private Relay works with geolocked services like entertainment streaming services such as Hulu, Netflix or Amazon Prime?

Presently it takes both a VPN plus a way to spoof GPS location data to use streaming services subscriptions outside the geofence.

This becomes even more important in the new environment of authoritarian governments blocking its citizens access to content the government doesn’t want its citizens to view.

LikeLiked by 1 person
- 2
  
  hoakley on March 5, 2022 at 10:01 pm
  
  Thank you.
  I do look at this in the article about Private Relay that I linked to above.
  The service gives you two options: one ensures that the proxy IP address is from your country and time zone, so should work with such services, although it gives a bit more potentially useful location info away. The other is from a larger area, which is more likely to fail with locked services.
  Apple accepts that some services may still not work, hence the service remains in beta while they tune that.
  I have heard of some who do still have problems, and have to turn it off, but that’s a small proportion now.
  Howard.
  
  LikeLike
- 3
  
  John Gilbert on March 6, 2022 at 3:36 am
  
  It doesn’t. Private Relay is not a way of avoiding commercial or governmental restrictions. That is why its location preferences are limited to those in your country.
  
  Private Relay does not replace a consumer VPN service when you want to evade commercial restrictions. It is purely a way of making it harder for eavesdroppers or web sites (along with their tracking partners) to use your IP address as an identification.
  
  LikeLiked by 1 person

Share this:

Like this:

Related