Oblivious HTTP (OHTTP)
O que é Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP)An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
● Exemplos
- 01
An operating system fetches certificate-revocation status via OHTTP so that revocation lookups cannot be tied to user IPs by either the CA or the network operator alone.
- 02
A telemetry pipeline ships product-usage events through OHTTP, routing through a Fastly relay to a vendor's gateway, ensuring the vendor cannot tie events to client IPs.
● Perguntas frequentes
O que é Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP). Pertence à categoria Segurança de rede da cibersegurança.
O que significa Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Como funciona Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
Como se defender contra Oblivious HTTP (OHTTP)?
As defesas contra Oblivious HTTP (OHTTP) costumam combinar controles técnicos e práticas operacionais, conforme detalhado na definição acima.
Quais são outros nomes para Oblivious HTTP (OHTTP)?
Nomes alternativos comuns: OHTTP, RFC 9458.
● Termos relacionados
- network-security№ 374
DNS over HTTPS (DoH)
Protocolo que cifra as consultas DNS transportando-as dentro de HTTPS, impedindo que observadores em rota leiam ou alterem as resoluções.
- network-security№ 376
DNS over TLS (DoT)
Protocolo que cifra as consultas DNS dentro de uma sessão TLS dedicada, protegendo-as de escutas e adulterações na rede.
- network-security№ 375
DNS over QUIC (DoQ)
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
- network-security№ 557
HTTPS
HTTP transportado sobre uma ligação protegida por TLS, fornecendo confidencialidade, integridade e autenticação do servidor para o tráfego web.
- privacy№ 960
Privacy Sandbox
Google's umbrella initiative for replacing third-party cookies and cross-site identifiers with privacy-preserving alternatives — Topics, Protected Audience (FLEDGE), Attribution Reporting, and on-device APIs — under heavy regulatory and competitor scrutiny.
- network-security№ 1279
TLS (Transport Layer Security)
Protocolo criptográfico padronizado pelo IETF que fornece confidencialidade, integridade e autenticação ao tráfego entre duas aplicações em rede.