Oblivious HTTP (OHTTP)
Что такое Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP)An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
● Примеры
- 01
An operating system fetches certificate-revocation status via OHTTP so that revocation lookups cannot be tied to user IPs by either the CA or the network operator alone.
- 02
A telemetry pipeline ships product-usage events through OHTTP, routing through a Fastly relay to a vendor's gateway, ensuring the vendor cannot tie events to client IPs.
● Частые вопросы
Что такое Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP). Относится к категории Сетевая безопасность в кибербезопасности.
Что означает Oblivious HTTP (OHTTP)?
An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
Как работает Oblivious HTTP (OHTTP)?
Oblivious HTTP (OHTTP), specified in RFC 9458 (2024), is a privacy-preserving relay protocol for HTTP requests. The client encrypts the inner request with HPKE (Hybrid Public-Key Encryption, RFC 9180) using the gateway server's public key, then sends the encrypted payload over a normal TLS connection to a separate relay server. The relay decrypts only the outer envelope, sees the client's IP but not the request, and forwards the encrypted payload to the gateway; the gateway decrypts and processes the request, sees the request and response, but never sees the client's IP. This split-trust model means no single party knows both 'who' and 'what'. Use cases include Apple Private Relay-style web access, DNS over Oblivious HTTP, telemetry pipelines (Mozilla, Cloudflare), 'private prefetch proxy' deployments, and certificate-revocation lookups. The companion 'oblivious DoH' (ODoH, RFC 9230) is an OHTTP-style relay specific to DNS resolution. OHTTP requires the client to trust that the relay and gateway are run by non-colluding parties, which is the central operational assumption.
Как защититься от Oblivious HTTP (OHTTP)?
Защита от Oblivious HTTP (OHTTP) обычно сочетает технические меры и операционные практики, как описано в определении выше.
Какие есть другие названия Oblivious HTTP (OHTTP)?
Распространённые альтернативные названия: OHTTP, RFC 9458.
● Связанные термины
- network-security№ 374
DNS over HTTPS (DoH)
Протокол, шифрующий DNS-запросы, перенося их внутри HTTPS, что не даёт наблюдателю на пути читать или изменять разрешения.
- network-security№ 376
DNS over TLS (DoT)
Протокол, шифрующий DNS-запросы в выделенной TLS-сессии и защищающий их от прослушивания и подмены в сети.
- network-security№ 375
DNS over QUIC (DoQ)
A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
- network-security№ 557
HTTPS
HTTP, передаваемый поверх соединения, защищённого TLS, что обеспечивает конфиденциальность, целостность и аутентификацию сервера в веб-трафике.
- privacy№ 960
Privacy Sandbox
Google's umbrella initiative for replacing third-party cookies and cross-site identifiers with privacy-preserving alternatives — Topics, Protected Audience (FLEDGE), Attribution Reporting, and on-device APIs — under heavy regulatory and competitor scrutiny.
- network-security№ 1279
TLS (Transport Layer Security)
Стандартизованный IETF криптографический протокол, обеспечивающий конфиденциальность, целостность и аутентификацию трафика между двумя сетевыми приложениями.