Oblivious HTTP (OHTTP)
What is Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP): An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay terminates only the outer TLS connection, so it sees the client's IP but not the request, and forwards the still-encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties; this is the central operational assumption.
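As an added worked example (not part of this page, and not code from any OHTTP implementation), the following Python encodes and parses the RFC 9458 wire formats the paragraph refers to: the key configuration the gateway publishes (`application/ohttp-keys`) and the Encapsulated Request the client sends through the relay (`message/ohttp-req`). It also models the trust split, showing what the relay is allowed to forward and which header values the gateway must refuse. It assumes constructed placeholder bytes for the gateway's public key, for the HPKE encapsulated key `enc` and for the ciphertext; HPKE seal/open (RFC 9180) itself is not implemented, so the example exercises the framing and the relay/gateway boundary, not the encryption.

```python
"""RFC 9458 (Oblivious HTTP) wire formats and the relay/gateway trust split.

Implemented: Key Config and application/ohttp-keys encoding, Encapsulated
Request framing, the HPKE info string, relay forwarding rules and gateway
header validation. Not implemented: HPKE (RFC 9180) seal/open; enc and
ciphertext below are constructed placeholders, not real HPKE output.
"""
import struct

# HPKE algorithm identifiers from the RFC 9180 IANA registry.
KEM_DHKEM_P256 = 0x0010        # Npk = Nenc = 65 (uncompressed point)
KEM_DHKEM_X25519 = 0x0020      # Npk = Nenc = 32
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001
AEAD_CHACHA20_POLY1305 = 0x0003
KEM_NPK = {KEM_DHKEM_P256: 65, KEM_DHKEM_X25519: 32}   # for DHKEM, Nenc == Npk
AEAD_TAG_LEN = 16                                       # all RFC 9180 AEADs use a 16-byte tag

REQUEST_HDR = struct.Struct("!BHHH")        # key_id(8) kem_id(16) kdf_id(16) aead_id(16)
INFO_PREFIX = b"message/bhttp request\x00"  # RFC 9458 s4.3: info = this || request header


def encode_key_config(key_id, kem_id, public_key, symmetric):
    """Key Config (RFC 9458 s3): key_id || kem_id || pk || sym_len || {kdf_id, aead_id}*."""
    if len(public_key) != KEM_NPK[kem_id]:
        raise ValueError("public key length does not match the KEM")
    if not symmetric:
        raise ValueError("at least one (kdf_id, aead_id) pair is required")
    sym = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in symmetric)
    return struct.pack("!BH", key_id, kem_id) + public_key + struct.pack("!H", len(sym)) + sym


def encode_ohttp_keys(configs):
    """application/ohttp-keys body: each Key Config preceded by a 16-bit length."""
    return b"".join(struct.pack("!H", len(c)) + c for c in configs)


def parse_ohttp_keys(body):
    """Client-side parse of the gateway's key list; the length prefix lets us skip unknown KEMs."""
    configs, off = [], 0
    while off < len(body):
        (length,) = struct.unpack_from("!H", body, off)
        cfg = body[off + 2:off + 2 + length]
        if len(cfg) != length:
            raise ValueError("truncated key config")
        off += 2 + length
        key_id, kem_id = struct.unpack_from("!BH", cfg, 0)
        npk = KEM_NPK.get(kem_id)
        if npk is None:
            continue                                    # KEM we cannot use: skip this config
        if len(cfg) < 5 + npk:
            raise ValueError("key config shorter than its KEM public key")
        pk = cfg[3:3 + npk]
        (sym_len,) = struct.unpack_from("!H", cfg, 3 + npk)
        sym = cfg[5 + npk:5 + npk + sym_len]
        if sym_len == 0 or sym_len % 4 or len(sym) != sym_len:
            raise ValueError("bad symmetric algorithm list")
        pairs = [struct.unpack_from("!HH", sym, i) for i in range(0, sym_len, 4)]
        configs.append({"key_id": key_id, "kem_id": kem_id, "public_key": pk, "symmetric": pairs})
    return configs


def build_encapsulated_request(key_id, kem_id, kdf_id, aead_id, enc, ciphertext):
    """Encapsulated Request (s4.3): header || enc || HPKE-protected binary HTTP request."""
    if len(enc) != KEM_NPK[kem_id]:
        raise ValueError("enc length does not match the KEM")
    return REQUEST_HDR.pack(key_id, kem_id, kdf_id, aead_id) + enc + ciphertext


def relay_forward(client_ip, client_headers, body):
    """Relay side (s6.1): forward the opaque body and nothing that identifies the client.

    The relay sees client_ip and the bytes of body but cannot decrypt them; it must
    not pass the source IP, cookies or similar identifying headers to the gateway.
    """
    if client_headers.get("content-type") != "message/ohttp-req":
        raise ValueError("relay only forwards message/ohttp-req bodies")
    return {"content-type": "message/ohttp-req"}, body   # client_ip is deliberately dropped


def gateway_parse(data, key_configs):
    """Gateway side: refuse header values it never advertised, then split enc / ciphertext."""
    if len(data) < REQUEST_HDR.size:
        raise ValueError("short request")
    key_id, kem_id, kdf_id, aead_id = REQUEST_HDR.unpack_from(data, 0)
    cfg = next((c for c in key_configs if c["key_id"] == key_id), None)
    if cfg is None or cfg["kem_id"] != kem_id or (kdf_id, aead_id) not in cfg["symmetric"]:
        raise ValueError("key_id or algorithms were not advertised by this gateway")
    nenc = KEM_NPK[kem_id]
    enc = data[REQUEST_HDR.size:REQUEST_HDR.size + nenc]
    ct = data[REQUEST_HDR.size + nenc:]
    if len(enc) != nenc or len(ct) < AEAD_TAG_LEN:
        raise ValueError("truncated request")
    # A real gateway now runs HPKE SetupBaseR(enc, sk, info) and Open(ct); not done here.
    return {"key_id": key_id, "enc": enc, "ciphertext": ct,
            "hpke_info": INFO_PREFIX + data[:REQUEST_HDR.size]}


if __name__ == "__main__":
    # Constructed placeholders: a deployment uses a real X25519 key and real HPKE output.
    cfg = encode_key_config(7, KEM_DHKEM_X25519, bytes(range(32)),
                            [(KDF_HKDF_SHA256, AEAD_AES_128_GCM),
                             (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)])
    advertised = parse_ohttp_keys(encode_ohttp_keys([cfg]))
    req = build_encapsulated_request(7, KEM_DHKEM_X25519, KDF_HKDF_SHA256, AEAD_AES_128_GCM,
                                     b"\xaa" * 32, b"\xbb" * 48)
    hdrs, fwd = relay_forward("203.0.113.9", {"content-type": "message/ohttp-req",
                                              "cookie": "session=abc"}, req)
    print("relay saw IP 203.0.113.9 and", len(req), "opaque bytes; forwarded headers:", hdrs)
    print("gateway info string:", gateway_parse(fwd, advertised)["hpke_info"])
```

The check in `gateway_parse` is the one that matters operationally: a request naming a key id or an algorithm pair the gateway never published is rejected before any decryption is attempted, and the relay's only job is to forward `message/ohttp-req` bodies stripped of anything that identifies the client.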
● Examples
- 01
An operating system fetches certificate-revocation status via OHTTP so that revocation lookups cannot be tied to user IPs by either the CA or the network operator alone.
- 02
A telemetry pipeline ships product-usage events through OHTTP, routing through a Fastly relay to a vendor's gateway, ensuring the vendor cannot tie events to client IPs.
● Frequently asked questions
What is Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP). It belongs to the network security category of cybersecurity.
What does Oblivious HTTP (OHTTP) mean?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
How does Oblivious HTTP (OHTTP) work?
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
How do you protect against Oblivious HTTP (OHTTP)?
Protective measures against Oblivious HTTP (OHTTP) typically combine technical controls and operational practices, as described in the definition above.
What other names are there for Oblivious HTTP (OHTTP)?
Common alternative names: OHTTP, RFC 9458.
● Related terms
- network-security№ 374
DNS over HTTPS (DoH)
Protocol that encrypts DNS queries by transporting them over HTTPS, preventing on-path observers from reading or tampering with them.
- network-security№ 376
DNS over TLS (DoT)
Protocol that encrypts DNS queries in a dedicated TLS session, protecting them from eavesdropping and tampering on the wire.
- network-security№ 375
DNS over QUIC (DoQ)
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and QUIC's immunity to head-of-line blocking.
- network-security№ 557
HTTPS
HTTP run over a TLS-protected connection, providing confidentiality, integrity and server authenticity for web traffic.
- privacy№ 960
Privacy Sandbox
Google's umbrella initiative for replacing third-party cookies and cross-site identifiers with privacy-preserving alternatives — Topics, Protected Audience (FLEDGE), Attribution Reporting, and on-device APIs — under heavy regulatory and competitor scrutiny.
- network-security№ 1279
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity and authenticity for traffic between two network applications.