Oblivious HTTP (OHTTP)
¿Qué es Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP)An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
● Ejemplos
- 01
An operating system fetches certificate-revocation status via OHTTP so that revocation lookups cannot be tied to user IPs by either the CA or the network operator alone.
- 02
A telemetry pipeline ships product-usage events through OHTTP, routing through a Fastly relay to a vendor's gateway, ensuring the vendor cannot tie events to client IPs.
● Preguntas frecuentes
¿Qué es Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP). Pertenece a la categoría de Seguridad de red en ciberseguridad.
¿Qué significa Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
¿Cómo funciona Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
¿Cómo defenderse de Oblivious HTTP (OHTTP)?
Las defensas contra Oblivious HTTP (OHTTP) combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.
¿Cuáles son otros nombres para Oblivious HTTP (OHTTP)?
Nombres alternativos comunes: OHTTP, RFC 9458.
● Términos relacionados
- network-security№ 374
DNS over HTTPS (DoH)
Protocolo que cifra las consultas DNS transportándolas dentro de HTTPS, evitando que un observador en la ruta pueda leer o modificar las búsquedas.
- network-security№ 376
DNS over TLS (DoT)
Protocolo que cifra las consultas DNS dentro de una sesión TLS dedicada, protegiéndolas de escuchas y manipulaciones en la red.
- network-security№ 375
DNS over QUIC (DoQ)
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
- network-security№ 557
HTTPS
HTTP transportado sobre una conexión protegida por TLS, que aporta confidencialidad, integridad y autenticación del servidor al tráfico web.
- privacy№ 960
Privacy Sandbox
Google's umbrella initiative for replacing third-party cookies and cross-site identifiers with privacy-preserving alternatives — Topics, Protected Audience (FLEDGE), Attribution Reporting, and on-device APIs — under heavy regulatory and competitor scrutiny.
- network-security№ 1279
TLS (Transport Layer Security)
Protocolo criptográfico estandarizado por el IETF que aporta confidencialidad, integridad y autenticación al tráfico entre dos aplicaciones en red.