Multi-Party Relays (MPRs) such as INVISV Relay (Android) and Apple’s iCloud Private Relay (iOS) provide practical privacy for connecting to the Internet. In this post we detail how we created INVISV Relay.

To ensure that all traffic from the phone uses Relay, the INVISV app uses functionality that was originally designed in Android for VPNs – all this does is route all data packets into the app, which then becomes responsible for getting those packets out to the Internet in a privacy-preserving manner. When INVISV Relay is first turned on, it establishes a TLS-encrypted tunnel from your phone through an INVISV server (by default the one that is likely to be fastest) to the Fastly server nearest to it. From there, your network traffic (itself encrypted end-to-end by your browser or other app) is sent to Fastly via TLS-encrypted HTTPS tunnels using the IETF MASQUE specification.

But doing this isn’t straightforward, because to make INVISV Relay general-purpose, we wanted to avoid requiring app developers to change their apps to use INVISV Relay and/or only support a select few apps. There’s a fundamental mismatch here from a networking perspective: Android apps encrypt their data using TLS and hand that encrypted data to the Android Linux kernel via a TCP socket. So, how can we put TLS-encrypted traffic, which is in the form of TCP/IP packets that are about to exit the phone, into more TLS tunnels? The kernel then turns those bytes into distinct packets of encrypted data and routes those packets to the Relay app, but we then need to put those packets into HTTPS tunnels, which are byte-stream oriented, not packet-oriented. (While there is an early draft for supporting something called CONNECT-IP in MASQUE, it is not yet fully baked or supported in partner networks or server implementations.)

The way to do this translation from packet stream to byte stream involves a classic technique: to run a TCP/IP stack in userspace (of which there are many, such as gVisor and picoTCP). Traffic comes into the Relay userspace TCP/IP stack from the Android Linux kernel as packets and then leaves as byte streams, but no decryption or data manipulation takes place (and it can’t, because the data is all in TLS streams). This conversion from packet stream to byte stream is key to being able to support unmodified apps, because from an app’s standpoint, it’s sending a TLS connection straight to the destination server with end-to-end encryption.

INVISV Relay ensures that application data is routed through the intermediate TLS-encrypted MASQUE layers to protect user data and metadata. INVISV servers only see packets from some IP address. We log nothing about the traffic we see, but unlike a VPN we have nothing meaningful to log in the first place, as we have no visibility into the traffic itself – this is the strength of the MPR architecture.
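The packet-stream to byte-stream step described above, reduced to its core as an added example (this is not INVISV's code, and not gVisor or picoTCP): a single-flow TCP reassembler that takes IPv4/TCP packets as a VPN-style interface would deliver them and emits the in-order payload bytes without ever interpreting them. The names `StreamReassembler`, `make_packet` and `demo` are hypothetical, and the packets and the 16-byte record are constructed sample input.

```python
import struct

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around

def make_packet(seq, payload):
    """Constructed test input: minimal IPv4+TCP packet, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    return ip + tcp + payload

class StreamReassembler:
    """Turns the TCP segments of one flow into an in-order byte stream."""
    def __init__(self, isn):
        self.next_seq = (isn + 1) & MASK  # first data byte follows the SYN
        self.pending = {}                 # seq -> payload not yet deliverable

    def push(self, packet):
        """Parse one IPv4/TCP packet; return the bytes that became contiguous."""
        if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
            raise ValueError("not an IPv4/TCP packet")
        ihl, total = (packet[0] & 0x0F) * 4, struct.unpack_from("!H", packet, 2)[0]
        if ihl < 20 or not ihl + 20 <= total <= len(packet):
            raise ValueError("truncated packet")
        tcp = packet[ihl:total]
        seq, data_off = struct.unpack_from("!I", tcp, 4)[0], (tcp[12] >> 4) * 4
        if data_off < 20 or data_off > len(tcp):
            raise ValueError("bad TCP data offset")
        payload = tcp[data_off:]  # opaque bytes: never parsed or decrypted
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        out, progressed = bytearray(), True
        while progressed:
            progressed = False
            for s in list(self.pending):
                behind = (self.next_seq - s) & MASK  # wraparound-safe distance
                if behind < 0x80000000:              # starts at or before next_seq
                    p = self.pending.pop(s)
                    if behind < len(p):              # carries bytes not yet delivered
                        out += p[behind:]
                        self.next_seq = (self.next_seq + len(p) - behind) & MASK
                        progressed = True
        return bytes(out)

def demo():  # out-of-order delivery plus one retransmission of the first segment
    record, isn = b"\x17\x03\x03\x00\x0b" + b"ciphertext!", 0xFFFFFFFA  # constructed
    segs = [make_packet((isn + 1 + a) & MASK, record[a:b]) for a, b in ((0, 6), (6, 11), (11, 16))]
    r = StreamReassembler(isn)
    return b"".join(r.push(segs[i]) for i in (2, 0, 0, 1))
```

A full userspace stack also handles the handshake, ACKs, windows and a bound on buffered out-of-order data; this sketch covers only reassembly.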