iCloud+ Private Relay – An introduction to Apple’s new privacy service

Posted on

Starting in iOS 15, iPadOS 15, and macOS Monterey, Apple has introduced a new feature as part of their paid iCloud (now iCloud+) subscription service, called iCloud Private Relay. But what it is, and how does it work? Also, is it any different from companies offering a VPN solution? Let’s find out.

The idea behind iCloud Private Relay is to increase the privacy of your web browsing habits. When enabled, it works by proxying Safari traffic through Apple’s servers, including both DNS and web requests. DNS requests are actually routed to a third-party provider and Apple does not ‘see’ these requests.

The service shares some benefits similar to those using a traditional VPN service, like hiding your IP address and location from the website you are visiting, but it is not to be classified as a VPN service in its own right.

How does iCloud Private Relay differ from a VPN?

A traditional VPN service will encrypt all traffic over the connection so that no traffic at all can be intercepted by someone snooping the connection. The difference with Private Relay is that it only does so if you’re using the Safari app for web browsing. So all your other browser, email, and app traffic is not protected unless you also use a separate VPN service. Like a VPN service, your connection speed will appear slower than usual because the traffic has to go through additional hoops to reach its destination – so it’s worth noting.

To enable Private Relay on iOS15, ensure you have an iCloud+ subscription (i.e. you are paying for additional storage), head over to the Settings app > click your Apple ID near the top > then click iCloud and toggle the iCloud Private Relay option.

You are able to select which IP address option you would like to be associated with allowing you to mask your IP address. Some websites may think you are in a different location respectively, but this doesn’t allow you to select a different country than you live in, and therefore can’t be used as a way to trick sites into thinking you are in a different country like you can with some VPN’s.

The service is not currently available in all countries at launch, which Apple describes as being due to “regulatory reasons”. At present these are China, Russia, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, and Uganda.

How does iCloud Private Relay affect Public Guest WiFi Providers and Captive Portals?

Our testing has shown that the service is only enabled post authentication of any public WiFi network that you may connect to, and therefore should not cause any issues with either the Captive Network Assistant (CNA) popup or the authentication journey as a whole.

For WiFi operators and service providers, you can prevent the Private Relay service from working on your network by blocking DNS requests to both mask.icloud.com and mask-h2.icloud.com respectively. If the device cannot reach these domains, then the service is disabled and not available. This is officially supported by Apple, which provided these instructions. It is also useful if you have any regulations or laws in your country where you need to ensure you retain any web browsing history in case of an official request from the authorities.

If you choose to do so, the device will still work as normal but without any traffic being proxied through Apple’s service. Safari will still function without the protection, and a notification is provided to the user to inform them of the same, so they are made aware of this.

It is also worth noting that the service should proxy both HTTP (https://) and secure HTTPs (https://) sites, which for non-secure sites will certainly be an advantage. The more we can protect our users against unsecure plain-text sites the better, as these are often what spyware and malicious sites are hosted on.
If you need any further information regarding the compatibility of Private Relay and Purple please contact our support team who will be happy to help.

© 2024 Purple. All Rights Reserved.