Oblivious HTTP (OHTTP) is an IETF network protocol intended to allow anonymous HTTP transactions over the Internet without revealing source IP addresses.[1] OHTTP is documented in RFC 9458, published in January 2024.[2] The RFC says "Oblivious HTTP is simpler and less costly than more robust systems, like Prio [PRIO] or Tor [DMS2004], which can provide stronger guarantees at higher operational costs."[2]
Mechanism
OHTTP combines message encryption with a double-proxy-relay setup: the first proxy relay can see the source but not the destination of the encrypted message, while the second proxy can decrypt the message and forward it on to the destination but cannot see the original source. All traffic between the source, destination and both proxies is carried over the HTTPS protocol to prevent third parties from analysing or intercepting the message contents.[3]
Since neither relay nor any third party simultaneously knows both the source and destination address for a transaction, the operators of both relays would have to collude in order to cross-correlate messages and recover the source address; if either one of the relay operators is trustworthy, privacy is preserved. However, if both relay operators collude, the security of OHTTP is compromised.[4]
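The split of knowledge described above can be modelled in a few lines. This is an added example, not code from RFC 9458 or from any deployment named in this article. The sealing routine is a toy, unauthenticated stand-in for the HPKE encryption that OHTTP actually uses, "gateway" is the RFC's name for the second proxy, and the function names, addresses and request are constructed for illustration.

```python
import hashlib
import secrets

# Toy public-key sealing (unauthenticated DH + SHA-256 keystream): an ASSUMPTION
# standing in for the HPKE encryption that real OHTTP uses. Not for production.
P, G = 2**255 - 19, 2

def _xor(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(gateway_pub: int, request: bytes) -> tuple[int, bytes]:
    """Client: encrypt the request to the gateway's public key."""
    eph = secrets.randbelow(P - 2) + 1
    shared = pow(gateway_pub, eph, P).to_bytes(32, "big")
    return pow(G, eph, P), _xor(shared, request)

def unseal(gateway_priv: int, enc: int, body: bytes) -> bytes:
    """Gateway: recover the request with its private key."""
    return _xor(pow(enc, gateway_priv, P).to_bytes(32, "big"), body)

def exchange(client_ip: str, relay_ip: str, request: bytes):
    """Run one request through relay and gateway; return what each one logs."""
    gw_priv = secrets.randbelow(P - 2) + 1
    enc, body = seal(pow(G, gw_priv, P), request)           # client side
    relay_log = {"peer": client_ip, "body": body}           # first proxy
    gateway_log = {"peer": relay_ip, "body": body,          # second proxy
                   "request": unseal(gw_priv, enc, body)}
    return relay_log, gateway_log

def link(relay_logs, gateway_logs):
    """Only possible when both operators pool logs: join on the shared body."""
    by_body = {r["body"]: r["peer"] for r in relay_logs}
    return [(by_body[g["body"]], g["request"]) for g in gateway_logs
            if g["body"] in by_body]

# Constructed sample data (documentation-range addresses, example.com target).
CLIENT, RELAY = "198.51.100.7", "203.0.113.10"
REQ = b"GET /metrics HTTP/1.1\r\nHost: target.example.com\r\n\r\n"

if __name__ == "__main__":
    relay_log, gateway_log = exchange(CLIENT, RELAY, REQ)
    print("relay sees  :", relay_log["peer"], relay_log["body"][:8].hex(), "...")
    print("gateway sees:", gateway_log["peer"], gateway_log["request"][:21])
    print("colluding   :", link([relay_log], [gateway_log]))
```

The relay's record holds the client address next to bytes it cannot read, and the gateway's record holds the readable request next to the relay's address; only `link`, which needs both records, pairs a client with a request.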
Deployment
Cloudflare's Privacy Gateway, released in 2022, is an OHTTP service.[4]
Google contracted with Fastly in 2023 to provide Google with an OHTTP relay to implement its experimental anonymous advertising technology.[5][6] Google also uses a Fastly OHTTP relay as part of its Google Safe Browsing service.[7][8]
In 2023, Mozilla started using Fastly's OHTTP service as part of collecting Firefox performance metrics without identifying information about individual users.[9]
Apple states that its Enhanced Visual Search uses OHTTP as part of its anonymization strategy.[10] Apple published support for OHTTP for its Swift programming language in 2024.[11]
Related work
The Oblivious DNS over HTTPS (ODoH) protocol carries DNS over HTTPS (DoH) traffic.[3]
References
- ^ "Oblivious HTTP (ohttp): Charter for Working Group". IETF Datatracker. Retrieved 2025-03-04.
- ^ a b Thomson, Martin; Wood, Christopher A. (January 2024). "RFC 9458: Oblivious HTTP". IETF. ISSN 2070-1721. Retrieved 18 August 2025.
- ^ a b "Oblivious HTTP (OHTTP) explained". Mozilla Support. January 2025. Retrieved 18 August 2025.
- ^ a b Wood, Christopher; Hoyland, Jonathan (2022-10-27). "Stronger than a promise: proving Oblivious HTTP privacy properties". Cloudflare. Retrieved 18 August 2025.
- ^ "Fastly wins major Google deal ahead of cookie death". The Stack. 2023-03-15. Retrieved 2025-03-04.
- ^ Kuhn, Simon (2023-03-15). "Enabling privacy on the Internet with Oblivious HTTP". Fastly. Retrieved 2025-08-19.
- ^ Bawa, Jasika; Lu, Xinghui; Li, Jonathan; Wozniak, Alex (March 14, 2024). "Real-time, privacy-preserving URL protection". Google Online Security Blog. Retrieved 2025-08-19.
- ^ Amadeo, Ron (2024-03-15). "Google says Chrome's new real-time URL scanner won't invade your privacy". Ars Technica. Retrieved 2025-08-19.
- ^ Holley, Bobby (October 12, 2023). "Built for privacy: Partnering to deploy Oblivious HTTP and Prio in Firefox | The Mozilla Blog". Mozilla Distilled. Retrieved 2025-08-19.
- ^ "About Enhanced Visual Search in Photos - Apple Support (JO)". Apple Support. February 12, 2025. Retrieved 2025-03-04.
- ^ Benfield, Cory (2024-08-21). "Introducing Oblivious HTTP support in Swift". Swift. Apple. Retrieved 2025-08-19.