24 comments

[ 3.3 ms ] story [ 71.2 ms ] thread
Ehm, I hope DNS isn't going to my local DNS if I have private relay enabled...

I don't quite get the tone. Fuck cloudflare, but I don't think DoH is an issue here.

100% - sounds more like user error tbh, iirc Private Relay doesn't get enabled automatically at all?
> iirc Private Relay doesn't get enabled automatically at all?

That's incorrect, private relay -did- get enabled automatically on all my machines without my express permission or consent. Same goes for the "hide my email" functionality recent macOS versions have included in the mail app.

I've found I have to regularly monitor the configuration setting for iCloud-related services in System Preferences as Apple has a bad habit of auto-enabling new features like Private Relay without explicit user consent. Just because I want ONE app to use iCloud Drive for file sharing across devices seems to indicate to macOS that I want to automatically allow every other app (BY DEFAULT) to be allowed to use iCloud Drive. Such is definitely not the case, I can assure you.

"Live text" where macOS automatically reads the text in images to make it selectable (as if anyone asked for that) also represented a privacy nightmare like the above services, so that along with iCloud private relay and hide my email are all on the list of IMMEDIATE disables after every new macOS install for me.

And the amount of times I've had to again re-disable the auto-uploading of the Desktop & Documents folders on my parents macOS machines is pretty disturbing and quite frustrating for my parents too, who also never wanted a huge bulk of the files on their machines to suddenly be offloaded to Apple's cloud without their explicit consent.

> where macOS automatically reads the text in images to make it selectable (as if anyone asked for that)

I saw a lot of excited people on Twitter when that feature was first enabled. For example for students, having images of books or posters be automatically copyable and searchable is very useful.

That's fine, so just make it a right-click menu service item versus automatically enabling it globally for every image across the entire OS by default for everyone. I know lots of security folks who find it useful storing malware code as an image for reference since that was relatively safe to keep around since it couldn't be accidentally executed and/or being flagged by anti-virus apps. Suddenly macOS was reading that code and introducing a whole new avenue for security vulnerabilities.
Proxying DNS is very sensible for 99.99% of users of Private Relay who don’t know a damn thing about DNS. Proxying HTTP traffic but then broadcasting all domains you connect to in clear text on port 53 so that your ISP could scoop them all up would be very stupid.

One could argue for an option to use one’s own DoH server of choice, but Apple isn’t known for giving options to the 0.01%.

Also, if you don’t trust their DNS (or their DNS provider of choice under the hood), why would you trust your HTTP traffic with them anyway?

> Also, if you don’t trust their DNS (or their DNS provider of choice under the hood), why would you trust your HTTP traffic with them anyway?

Right. It's not clear whether the article author realizes that iCloud Private Relay uses Cloudflare essentially and not just for DNS. From Apple's iCloud Private Relay Overview: "The second internet relay is operated by third-party partners who are some of the largest content delivery networks (CDNs) in the world."

I trust my dns. I have no idea what apple has done with their closed source software that clearly doesn't respect my wishes
To the OP, Private Relay is more than just tracker blocking it is a full-on VPN service that operates similar to an Onion router / TOR connection

Do a “what’s my IP” when it is enabled and you’ll see either a Cloudflare or Akamai IP.

CloudFlare already has it's hands on unsettlingly large amount of global internet traffic, so why Apple would think anyone would be ok with them also seeing VPN traffic without user consent is beyond me.
You consent to it when you turn on Private Relay. (It’s off by default.)
That's wrong, it is NOT off by default for everyone as I had to disable it on all my machines and I never explicitly enabled it (and never would).
Weird, I’ve never seen or even heard of that before now.
It’s opt in. I never used it and don’t plan to and all my devices have it disabled.
(comment deleted)
Am I missing something, or is this literally Private Relay working exactly as intended?

I can’t find the source right now, but remember reading (on an Apple site) that it proxies all HTTP/HTTPs requests, all DNS (including non-Safari) queries, and all in-app HTTP requests (on iOS).

The site isn't currently loading. I get this:

> You need to be logged in to see this content. If you have an account on Dreamwidth Studios, you can log in using it. Or, if you have an account on a site that supports OpenID, you may log in using OpenID.

Here's a cached version:

https://archive.ph/jeBLA

TL;DR: it's a feature of iCloud Private Relay. Turn off private relay if you don't want a private relay.