Explainer: TLS, VPN and Private Relay

In the 1990s, those who had access to the web normally connected to sites using the Hypertext Transfer Protocol, HTTP. Those are URLs starting with http://, and the connection is normally made through port 80. Everything is conducted in full view of any eavesdropper, who can easily see exactly which site you connect to, and the full contents of every exchange. When there were a few thousand users who were mostly known to one another, and no one was worried about online security or privacy, that seemed fine. It’s still fine for connecting to your bank’s website to check its current interest rates, but you really wouldn’t want to use it to access your bank account online.

Then in 1994, Netscape’s Navigator browser introduced the Secure Sockets Layer (SSL) protocol, intended to bring security. Secure connections are made to URLs starting with https://, by default through port 443, for their encrypted exchanges. Early versions proved flawed, and SSL quickly evolved into what’s now known as Transport Layer Security (TLS), although some persist in referring to it as SSL, which has long since gone.

On its own, TLS should provide reliable protection by encrypting the contents of all exchanges between your Mac and the server. It does so using the server’s security certificate, which is used to establish a short-term session key for encryption. When everything is set up correctly, this provides good assurance that an eavesdropper shouldn’t have access to the contents of the messages sent by either end of the connection.

TLS should be completely safe for you to use to transfer money between bank accounts online without any risk of a third party getting details of those accounts. However, it makes no attempt to prevent them from knowing of that connection. If you wanted to take money out of a secret bank account in Switzerland, for example, using TLS doesn’t stop anyone from discovering exactly when you connected to that bank’s online services.

Various schemes have been used to prevent others from learning of your full online and browsing activities, the most widely used being a Virtual Private Network (VPN). What this effectively does is extend your local network to a remote server, which makes onward connections for you. An eavesdropper then only sees your Mac connecting to the VPN server, and that server making a huge number of onward connections on behalf of all its clients. VPNs are more general-purpose than that, and are often used to give those working from home or remote locations direct access to a corporate network. Provided that all connections are encrypted, a VPN should prove a robust way of making secure and untraceable connections.

Using a VPN to protect the privacy of your connections depends on the security and privacy of the VPN service provider, though. They could keep detailed logs of all the connections you make over their service, and provide those to someone you don’t want to know about your accessing that secret bank account. Your online activities could also still be tracked using cookies, or by device fingerprinting.

With macOS Monterey and iOS/iPadOS 15, Apple introduced a different approach, which it calls Private Relay. This isn’t intended to compete directly with VPN services; it’s primarily aimed at limiting the precision of the location information that websites can obtain from your connections. In the course of doing that, it makes your IP address more private, and you become much harder to track.

This is performed using two relay servers. The first knows your IP address, but not the URL you’re connecting to. The second, operated separately from Apple, doesn’t know your IP address, but does know the URL you’re connecting to. The destination server then knows you only through a proxy IP address, which can be allocated either within your current country and time zone, or from a wider region.

Private Relay makes an eavesdropper’s task a great deal more difficult. They can readily see your Mac’s connections to the relay service, but shouldn’t be able to trace them beyond there. Apple’s servers providing the first relay don’t know destination URLs, and those providing the second relay only know your proxy IP address, which could come from an area containing millions of IP addresses. For the moment, though, we don’t know how robust this proves in real-life use.
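To make the split of knowledge concrete, here is an added toy model in Python of the two-relay design described above; it is not Apple’s code or protocol (which uses its own transports and key negotiation), and the cipher, relay keys, hostnames and IP addresses are all constructed for the demonstration. The client wraps its traffic in two encryption layers, so that the ingress relay can learn only the client IP and the next hop, while the egress relay learns only the destination and forwards the still-TLS-encrypted bytes from a proxy address.

```python
import hashlib, json, os

# Toy cipher (SHA-256 keystream XOR), NOT secure: it only models the per-hop
# encryption layers so that each relay can strip exactly one of them.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed per-hop keys; a real client negotiates a key with each relay.
INGRESS_KEY = b"ingress-relay-key-demo"
EGRESS_KEY = b"egress-relay-key-demo"

def client_build(client_ip: str, dest: str, tls_app_data: bytes) -> dict:
    """Wrap destination + already-TLS-encrypted traffic for the egress relay,
    then wrap that for the ingress relay; only the source IP stays outside."""
    inner = seal(EGRESS_KEY, json.dumps({"dest": dest, "data": tls_app_data.hex()}).encode())
    outer = seal(INGRESS_KEY, json.dumps({"next_hop": "egress.relay.example", "inner": inner.hex()}).encode())
    return {"src_ip": client_ip, "blob": outer}

def ingress_relay(packet: dict) -> tuple[dict, bytes]:
    """First hop (Apple-operated): learns the client IP and next hop only."""
    env = json.loads(unseal(INGRESS_KEY, packet["blob"]))
    return {"client_ip": packet["src_ip"], "next_hop": env["next_hop"]}, bytes.fromhex(env["inner"])

def egress_relay(inner_blob: bytes, proxy_ip: str) -> tuple[dict, dict]:
    """Second hop (separate operator): learns the destination, never the
    client IP, and forwards the opaque TLS bytes from a proxy address."""
    env = json.loads(unseal(EGRESS_KEY, inner_blob))
    forwarded = {"src_ip": proxy_ip, "dest": env["dest"], "data": env["data"]}
    return {"dest": env["dest"]}, forwarded

def run_demo() -> tuple[dict, dict, dict]:
    packet = client_build("203.0.113.7", "bank.example", b"<tls record bytes>")
    ingress_seen, inner = ingress_relay(packet)
    egress_seen, forwarded = egress_relay(inner, "198.51.100.9")
    return ingress_seen, egress_seen, forwarded
```

Neither relay alone can pair the client IP with the destination, which is the property the two-hop design is meant to give; the destination server sees only the proxy address.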

VPN and Private Relay have come a long way from the original HTTP in protecting both the contents of online exchanges and your identity and online activity. But neither is perfect, and both rely on precise implementation of complicated protocols and settings. In the end, there’s also a great deal still left to trust.

Further reading

HTTP (Wikipedia)
HTTPS (Wikipedia)
iCloud+ Private Relay