“Network relays are built on the modern and standardized MASQUE protocols and can be used to proxy all TCP and UDP traffic”

Holy shit! It’s not just web requests. This is way better than your standard VPN. It also obfuscates traffic through http so it’s harder to tell that you’re even using it. TIL nostr:npub1dd9znw7585wsam4d8p84ztdmtywwjsrayld6fzk4fvqdn5hpju4st5xe7p also uses this. This is the way we can make nostr network traffic private without requiring people to run VPNs.

https://support.apple.com/en-ca/guide/deployment/dep91a6e427d/web nostr:note12efx0sark9qhdnstu7ucacv399j60juz3ukjvzztvpzg2avtnr0qd5ceua
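To make the quoted claim concrete, here is an added example (written for this page, not code from Apple, Obscura or any project mentioned in the thread) of what a MASQUE "proxy a UDP flow" request actually looks like at the HTTP layer, following RFC 9298 (CONNECT-UDP) and RFC 9297 (HTTP Datagrams). It builds the extended CONNECT pseudo-headers from the RFC's default URI template, then encodes and decodes a single UDP packet as an HTTP Datagram payload (context ID 0) and as a DATAGRAM capsule. The proxy name and target address are constructed placeholders.

```python
"""Added example (not from the thread): the shape of a MASQUE CONNECT-UDP
request (RFC 9298) and the HTTP Datagram payload that carries one UDP packet.
Hostnames and ports below are constructed for illustration."""
import urllib.parse
from typing import Optional, Tuple

# RFC 9298 section 4.1: the default URI template a MASQUE proxy may advertise.
DEFAULT_TEMPLATE = "https://{proxy}/.well-known/masque/udp/{target_host}/{target_port}/"

# RFC 9298 section 5: context ID 0 means "this datagram is a raw UDP payload".
UDP_PAYLOAD_CONTEXT = 0


def encode_varint(n: int) -> bytes:
    """RFC 9000 section 16 variable-length integer (top two bits give the length)."""
    if n < 0:
        raise ValueError("varint must be non-negative")
    if n < 0x40:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x4000).to_bytes(2, "big")
    if n < 0x40000000:
        return (n | 0x80000000).to_bytes(4, "big")
    if n < 0x4000000000000000:
        return (n | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("integer too large for a QUIC varint")


def decode_varint(buf: bytes, offset: int = 0) -> Tuple[int, int]:
    """Return (value, bytes consumed) for the varint starting at buf[offset]."""
    if offset >= len(buf):
        raise ValueError("empty buffer")
    length = 1 << (buf[offset] >> 6)
    if len(buf) < offset + length:
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[offset:offset + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), length


def connect_udp_request(proxy: str, target_host: str, target_port: int) -> dict:
    """Pseudo-headers of the extended CONNECT request sent to the proxy.

    The target lives only in :path (percent-encoded, so IPv6 colons become %3A);
    :authority is the proxy itself. That is the whole difference from a plain
    CONNECT: the proxy is asked for a UDP flow, not a TCP tunnel."""
    if not 0 < target_port < 65536:
        raise ValueError("port out of range")
    path = "/.well-known/masque/udp/{}/{}/".format(
        urllib.parse.quote(target_host, safe=""), target_port)
    return {
        ":method": "CONNECT",
        ":protocol": "connect-udp",
        ":scheme": "https",
        ":authority": proxy,
        ":path": path,
        "capsule-protocol": "?1",
    }


def encode_udp_datagram(udp_payload: bytes) -> bytes:
    """HTTP Datagram Payload for one proxied UDP packet: context ID, then bytes."""
    return encode_varint(UDP_PAYLOAD_CONTEXT) + udp_payload


def decode_udp_datagram(http_datagram_payload: bytes) -> Optional[bytes]:
    """Return the UDP payload, or None for a context ID we never registered.

    RFC 9298 says a datagram with an unknown context ID is dropped, so a
    receiver must not forward it as if it were a UDP packet."""
    context_id, used = decode_varint(http_datagram_payload)
    if context_id != UDP_PAYLOAD_CONTEXT:
        return None
    return http_datagram_payload[used:]


def datagram_capsule(udp_payload: bytes) -> bytes:
    """The same packet as a DATAGRAM capsule (RFC 9297, type 0x00), used when
    the HTTP connection has no QUIC DATAGRAM support (e.g. MASQUE over HTTP/2)."""
    body = encode_udp_datagram(udp_payload)
    return encode_varint(0x00) + encode_varint(len(body)) + body


if __name__ == "__main__":
    # Constructed values: a hypothetical proxy and an IPv6 documentation address.
    hdrs = connect_udp_request("proxy.example", "2001:db8::1", 443)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    pkt = encode_udp_datagram(b"\x00\x01hello")
    print("http datagram payload:", pkt.hex())
    print("decoded udp payload:", decode_udp_datagram(pkt))
    print("as capsule:", datagram_capsule(b"\x00\x01hello").hex())
```

The point for the thread: nothing in the request or the datagram framing is application-specific, so any UDP (or, via CONNECT and RFC 9484 CONNECT-IP, TCP/IP) traffic fits the same envelope, and on the wire it is indistinguishable from ordinary HTTP/3 to the proxy. The defender-side caveat is the same one raised later in the thread: the proxy sees every target host and port in `:path`, so the privacy property depends entirely on who runs it.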


Discussion

I thought when they introduced this it was just for Safari - does it work within apps as well? Will this require an iCloud subscription?

It’s a protocol, we can set up our own MASQUE relays and use them within the app. I’m not sure if you can use Apple’s. If you can, it makes sense to use that for users who have an iCloud subscription. nostr:npub1t0nyg64g5vwprva52wlcmt7fkdr07v5dr7s35raq9g0xgc0k4xcsedjgqv says you might not be able to. cc nostr:npub1yevrvtp3xl42sq06usztudhleq8pdfsugw5frgaqg6lvfdewfx9q6zqrkl

I will chat with Carl and maybe we can use nostr:npub1dd9znw7585wsam4d8p84ztdmtywwjsrayld6fzk4fvqdn5hpju4st5xe7p somehow?

I think Cloudflare WARP also uses MASQUE if you wanted to try it out for now with Notedeck on Android and Desktop

I was about to google that, thanks!

The difficulty with proxying arbitrary traffic like Apple does is that an attacker can flood DoS traffic behind protection. That’s why OHTTP specs 1:1 relay server to gateway server. OHTTP could even work for general Nostr if it were available over WebTransport instead of WebSocket.

Since MASQUE can proxy arbitrary traffic, I don’t see why you couldn’t do a WebSocket connection over it?

I can see the entry OHTTP node needing authentication and payment to use, blinded signatures/tokens/passes?

afaiu WebSocket unfortunately isn’t actually HTTP, but a hack to get TCP communication working that breaks out of HTTP semantics. MASQUE requires data to be sent in HTTP.

This is not what the Apple docs say, and it’s not what I have been reading.

From apple docs: “Network relays are built on the modern and standardized MASQUE protocols and can be used to proxy all TCP and UDP traffic”

I think I confused MASQUE requirements with OHTTP requirements. Big if true.

If the operating system is compromised and proprietary like iOS, then the network-level security doesn’t help.

Love your dedication!

It’s gonna be important for Damus autopilot mode (outbox). Otherwise it’s a privacy nightmare.

How can us plebs help?

Just an apple thing?

Nope, this should work anywhere. It’s a work-in-progress open protocol.

Thanks! I will read further 👀

So you can use Apple’s Private Relay in your app? Is that what you are saying?

Either theirs or our own

That would be great.

I wish Apple would build into iOS a way to allow users to configure individual apps to force network traffic over their relays (iCloud Private Relay) and not just limit it to Safari.

That would be cool

Apple controls both the OS and the proxy. They can access the decryption key whenever they want. In a perfect world the OS would be open source and verifiable.

There’s no competitive reason to keep the OS closed source. Keeping it closed just ensures that state hackers have more attack vectors.

Probably just worried about public researchers seeing the number of bugs in it.

There are two proxies, they don’t control the exit node

Obscura depends on SGX, prob pointless against state actors. Still great improvement.

Interesting, gonna chat with Carl, curious why they need that. Maybe if they control both the MASQUE nodes.

Glad you came down this rabbit hole too 😆

Strong obfuscation is key for IP privacy protocols. It also helps that QUIC is UDP, so we avoid the TCP-over-TCP problem: https://blog.carldong.me/2023/05/03/why-do-vpns.html