Oblivious HTTP
   HOME

TheInfoList



Click Here for Items Related To - Oblivious HTTP
OR:
Oblivious HTTP on:   [Wikipedia]   [Google]   [Amazon]

Oblivious HTTP (OHTTP) is an
IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...
network protocol intended to allow anonymous
HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...
transactions over the
Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...
without revealing source
IP addresses An Internet Protocol address (IP address) is a numerical label such as that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: network interface id ...
. OHTTP is documented in , published in January 2024. The working group describes it within the standard itself as "a simpler and less costly" alternative to the "more robust systems" like Prio or
Tor Tor, TOR or ToR may refer to: Places * Toronto, Canada ** Toronto Raptors * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor ...
. The standard sees itself in comparison also as inferior at "providing a stronger guarantee of anonymity". Furthermore the standard for the discovery mechanism of the mandatory connection configuration information ( RFC 9540) also outlines that a client should use an anonymizing proxy while fetching them. Thereby it makes OHTTP entirely redundant.


Mechanism

OHTTP uses a combination of message encryption and a double-proxy-relay setup, where the first proxy relay can see the source, but cannot see the destination of the encrypted message, and the second proxy can decrypt the message to forward it on to the destination, but cannot see the original source. All traffic between the source, destination and both proxies is carried over the
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protoc ...
protocol to prevent third parties from analysing or intercepting the message contents. Since neither relay, nor any third party, simultaneously knows both the source and destination address for a transaction, it would thus require the operators of both relays to collude in order to cross-correlate messages and recover the source address; if either one of the relay operators is trustworthy, privacy is preserved. However, if both relay operators collude, the security of OHTTP is compromised. The Oblivious DNS over HTTPS (ODoH) protocol uses OHTTP to carry DNS over HTTPS (DoH) traffic. However a client first needs to fetch the gateway configuration file from a well-known Path /.well-known/ohttp-gateway which is "available on the same host as the Target Resource". Rendering all of the additional security guarantees of OHTTP useless as it exposes the same information to the same potential groups of attackers as unencrypted SNI-Headers in any typical TLS connections would. This is even already pointed out by one of the standards for discovery of these mandatory configuration parameters () itself: "When clients fetch a gateway's configuration, they can expose their identity in the form of an IP address". Ironically the stated solution to this problem is the same as has already been commonly used before OHTTP standardization as well "connect via a proxy or some other IP-hiding mechanism".


Deployment

Google Google LLC (, ) is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial ...
contracted with
Fastly Fastly, Inc. is an American company based in San Francisco, which describes itself as a cloud computing company. Fastly provides content delivery network services, image optimization, and load balancing services. Fastly's cloud security services ...
in 2023 to provide Google with an OHTTP relay to implement its experimental anonymous advertising technology.
Cloudflare Cloudflare, Inc., is an American company that provides content delivery network services, cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, ICANN-accredited domain registration, and other se ...
's Privacy Gateway is an OHTTP service.
Apple An apple is a round, edible fruit produced by an apple tree (''Malus'' spp.). Fruit trees of the orchard or domestic apple (''Malus domestica''), the most widely grown in the genus, are agriculture, cultivated worldwide. The tree originated ...
states that its Enhanced Visual Search uses OHTTP as part of its anonymization strategy.


References

Network protocols Hypertext Transfer Protocol Cryptographic protocols Secure communication Transport Layer Security {{security-stub