Private Relay, introduced by Apple this year, promised users a secure internet experience. Although the feature is not as effective as a VPN in terms of security, the company aimed to save casual users the trouble of trying different VPN applications. However, a flaw in the feature has been found to cause a security problem.
Technology giant Apple announced the "Private Relay" feature last June to let Safari users browse the Internet more comfortably. The feature, which came with iOS 15, offers Apple users a built-in VPN experience, although not a complete one. However, the feature that promises a secure internet experience turned out to threaten security because of a flaw.
The flaw allows users' IP addresses, which are supposed to be sent encrypted, to be exposed by certain methods. The vulnerability has been fixed in the macOS operating system, but it still persists for iOS 15 users.
First things you need to know about the subject:
To understand the subject, we first need to know about the WebRTC API, which allows real-time video and audio conversations in the browser. If you are not interested in the technical background, you can skip to the next section. WebRTC uses the ICE method to connect the two parties to a call. This method lets the data be transferred directly to the other party without using a proxy server.
For example, let's say that Ahmet wants to talk to Mehmet. When Ahmet calls Mehmet, the ICE candidates on his computer, that is, IP address and port pairs, are sent to Mehmet's computer. Mehmet's computer tries all the ICE candidates and finds one that works, and the two computers can then transfer video and sound directly to each other.
Because there are different types of ICE candidates, we focus on the 'Server Reflexive Candidate' to avoid confusion. It uses only the IP address and port information obtained from the STUN server. This information connects Ahmet's computer to Mehmet's. Keeping the details of the NAT and STUN terms in mind, we go directly to the problem.
NAT technology allows many devices to connect to the internet over the same IP address. The smart television, smartphone or computer connected to the modem in your home uses the same IP address in this way. However, in some cases, it is necessary to know these addresses and to be able to distinguish the devices.
At this point, STUN comes into play. To continue with the example, when they connect, the STUN server sends back Mehmet's IP address and port number, and Ahmet's computer sees this information and learns the address of the device it will connect to. We have come to the end of the technical part. Let's move on to the problem.
Do you need to wait for Apple to fix this?
We said that STUN servers send back public addresses. In Safari, this exchange does not pass through the iCloud Private Relay filter. Since STUN servers do not provide any other information, we cannot say that this alone is a problem. But because Safari passes the actual IP addresses to JavaScript, the only thing left for malicious people to do is separate your real address from the other addresses among the ICE candidates. This can be easily handled with a little practice.
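To check your own browser for this behaviour, you can compare the server-reflexive candidates it produces against the relay egress address that websites see over HTTP. The following is an added example, not code from the original article: the function names are hypothetical, the candidate lines and addresses are constructed (RFC 5737 documentation ranges), and the relay egress address is assumed to come from a separate "what is my IP" check.

```javascript
// Added example: classify ICE candidate lines and flag server-reflexive
// addresses that differ from the relay egress address seen over HTTP.

// Candidate grammar (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> [raddr <a> rport <p>]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/i.exec(line.trim());
  if (!m) return null; // not a candidate line, e.g. "a=end-of-candidates"
  const ext = m[8].trim().split(/\s+/).filter(Boolean);
  const extra = {};
  for (let i = 0; i + 1 < ext.length; i += 2) extra[ext[i]] = ext[i + 1];
  return {
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host | srflx | prflx | relay
    relatedAddress: extra.raddr || null,
  };
}

// True for addresses that reveal nothing about the user's public identity:
// mDNS-obfuscated host names, RFC 1918, loopback and link-local IPv4.
// Anything else (including IPv6) is treated as potentially public.
function isLocalOnly(addr) {
  if (addr.endsWith(".local")) return true;
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Returns srflx candidates whose public address is not the relay egress,
// i.e. evidence that the STUN exchange bypassed the relay.
function findRelayBypass(lines, relayEgressIp) {
  return lines.map(parseCandidate)
    .filter((c) => c && c.type === "srflx")
    .filter((c) => !isLocalOnly(c.address) && c.address !== relayEgressIp);
}

// Constructed sample: an mDNS host candidate and a server-reflexive candidate.
const sample = [
  "candidate:1 1 udp 2113937151 5f3c9a1e-0000-4000-8000-000000000001.local 54321 typ host",
  "candidate:2 1 udp 1677729535 203.0.113.45 61234 typ srflx raddr 0.0.0.0 rport 0",
  "a=end-of-candidates",
];
console.log(findRelayBypass(sample, "198.51.100.7"));
```

An empty result means every server-reflexive address matched the relay egress; any entry returned is an address that websites could read without the relay in the path.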