This service with Mozilla utilizes OHTTP, whereas iCloud Private Relay uses MASQUE.
OHTTP is ideally suited for privacy enablement of APIs, whereas MASQUE is more for general purpose traffic.
OHTTP has similarities to MASQUE in that it uses a two hop proxy design where each proxy only knows part of the total requestor / request information. And in both cases these proxies must be operated by separate entities that do not collude.
However, the key difference is that in OHTTP the end destination is known, because there is a 1-1-1 mapping between OHTTP Relay -> OHTTP Gateway -> Target. This could become more generalized in future revisions to OHTTP, but right now it's all hardcoded behavior.
For more about OHTTP at Fastly, I wrote a blog post a while back at [1]. There is also the IETF draft spec at [2].
>However, the key difference is that in OHTTP the end destination is known, because there is a 1-1-1 mapping between OHTTP Relay -> OHTTP Gateway -> Target. This could become more generalized in future revisions to OHTTP, but right now it's all hardcoded behavior.
So the Relay knows the requested URL? That’s not masked by the client?
The Relay doesn't know the requested URL or the request body -- but it does know the next-hop destination (the OHTTP Gateway), and by virtue of the way most OHTTP services are currently deployed this tells you the destination service. It does not tell you the specific details of what is being asked for / returned by that service.
OHTTP encapsulates a complete request, so the 1-1-1 mapping isn't right. The target can be any resource, but it generally should be on the same host/origin as the gateway. The gateway sees the request and the response, so there are very few cases where you would trust it to handle requests for any URL.
Yes, that's true. However in practice most deployments that I've worked on are a relay which maps all requests to a gateway which maps all requests to a target. It's not an inherent property of the protocol, and I expect that to evolve over time.
These services are implemented in different parts of Fastly's production stack, but they share the same global infrastructure footprint and a lot of the same people/teams are involved with both.
would that be true for providers that aren't Fastly? why would there be a different implementation for non-fastly? or are they the sole providers for private relay?
