What is Oblivious HTTP?
Oblivious HTTP is defined by RFC 9458, an IETF proposed standard.
In a nutshell, Oblivious HTTP offers a way for your users to access your services without giving away any information about themselves.
The three required components are:
- an OHTTP client library to encrypt requests
- an OHTTP relay operated by a third party (that’s us!)
- an OHTTP gateway to decrypt requests for your servers
Conceptually, it’s similar to a VPN. The difference is that OHTTP guarantees privacy by splitting apart the “incoming” and “outgoing” halves of the proxy into separate companies. The relay (which can see user request information like IP address) can’t see the user’s request contents, due to the encryption. The gateway (that’s your server) can decrypt the user request contents, but can’t see any user request information because all requests are forwarded through the relay server.
Mozilla has also written a great OHTTP explainer with more detail.
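As an added illustration of the relay/gateway split described above (not code from Oblivious Network or from the RFC authors), this Python model shows what a relay can read from an RFC 9458 encapsulated request and what it passes on to the gateway. The function names, the header allowlist and the sample bytes are assumptions constructed for this example.

```python
import struct

# Length in bytes of the encapsulated KEM shared secret per HPKE KEM ID (RFC 9180).
NENC = {0x0010: 65, 0x0020: 32}  # DHKEM(P-256), DHKEM(X25519)
# Assumption: the only headers this hypothetical relay forwards to the gateway.
FORWARDED_HEADERS = {"content-type", "content-length"}


def relay_view(body: bytes) -> dict:
    """Parse the cleartext fields of an RFC 9458 Encapsulated Request.

    Everything after the KEM output is HPKE ciphertext; the relay can only count it.
    """
    if len(body) < 7:
        raise ValueError("truncated encapsulated request header")
    key_id, kem, kdf, aead = struct.unpack("!BHHH", body[:7])
    if kem not in NENC:
        raise ValueError(f"unknown KEM 0x{kem:04x}")
    nenc = NENC[kem]
    if len(body) < 7 + nenc:
        raise ValueError("truncated encapsulated KEM shared secret")
    return {"key_id": key_id, "kem": kem, "kdf": kdf, "aead": aead,
            "enc": body[7:7 + nenc], "opaque_len": len(body) - 7 - nenc}


def relay_forward(client_ip: str, headers: dict, body: bytes) -> dict:
    """Return what the gateway receives: the same bytes, without client identity."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("content-type", "").lower() != "message/ohttp-req":
        raise ValueError("not an OHTTP request")
    relay_view(body)  # reject malformed input before forwarding
    kept = {k: v for k, v in headers.items() if k.lower() in FORWARDED_HEADERS}
    # client_ip is known to the relay but is never copied into the forwarded request.
    return {"headers": kept, "body": body}


# Constructed sample: key 1, X25519 / HKDF-SHA256 / AES-128-GCM, followed by
# placeholder bytes standing in for the KEM output and the HPKE ciphertext.
SAMPLE_BODY = (bytes([0x01, 0x00, 0x20, 0x00, 0x01, 0x00, 0x01])
               + bytes(range(32)) + b"\xaa" * 48)
SAMPLE_HEADERS = {"Content-Type": "message/ohttp-req",
                  "Cookie": "session=constructed",
                  "User-Agent": "constructed-client/1.0"}

if __name__ == "__main__":
    print(relay_view(SAMPLE_BODY))
    print(relay_forward("192.0.2.10", SAMPLE_HEADERS, SAMPLE_BODY))
```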
Who designed the Oblivious HTTP standard?
The original RFC was a collaboration between Mozilla and Cloudflare. Other major companies using and offering OHTTP services include Apple, Google, Microsoft, and Fastly.
How hard is it to set up OHTTP?
It’s pretty similar to setting up a reverse proxy service or a VPN. You need to run an OHTTP Gateway service to accept encrypted requests, and put an OHTTP Client into your software to encrypt those requests before they get sent to our relay.
How secure is it?
Cloudflare has done a formal analysis of the privacy properties of Oblivious HTTP, and the results seem very promising for security and privacy.
Why are you offering this?
The process of setting up a relay with Cloudflare or Fastly requires weeks of enterprise contract negotiation, one-off server configuration, and a floor of thousands of dollars per month with no way to scale service along with your needs. Oblivious Network is the first true cloud offering for OHTTP relays, allowing you to start within seconds and scale up your service as needed.
Is your service trustworthy and secure?
Absolutely. But the great thing about OHTTP is that you don’t have to trust us. The OHTTP standard guarantees that we can never see the contents of any requests or responses. Everything is fully encrypted so that only your clients and gateway can decrypt the contents of your traffic.
What is Oblivious HTTP used to do?
Apple
- Private Cloud Compute uses OHTTP to ensure users can’t be connected to their cloud compute requests.
- iCloud Private Relay anonymizes internet traffic coming from Apple devices, providing VPN-like privacy.
- Enhanced Visual Search in Photos uses OHTTP to ensure landmarks in user photos can be identified without revealing the user’s location.
Google
- The FLEDGE project uses OHTTP relays from Fastly to display targeted ads while keeping individual users anonymous.
- The Safe Browsing API (with a third-party OHTTP relay) allows software to verify domain safety without identifying the users trying to visit the domains.
Microsoft
- Azure AI Confidential Inferencing (with a third-party OHTTP relay) uses OHTTP to ensure user identity is not connected with any specific inference workload.
Mozilla
- In Firefox, Prio user analytics go through a Fastly OHTTP Relay to be collected by Divvi Up, ensuring that no individual user information can be extracted from analytics data.
Divvi Up
- Divvi Up is a project from the makers of Let’s Encrypt that uses OHTTP to offer privacy-preserving telemetry and federated machine learning. Customers provide their own OHTTP relays.
Flo Health
- Makes period tracking software with an “anonymous mode” powered by Cloudflare OHTTP relays to ensure its users can’t be identified.
Payjoin
- The Payjoin library is a proposed extension to Bitcoin that uses OHTTP to preserve user privacy while combining bitcoin transactions to increase speed and reduce fees. Customers provide their own OHTTP relays.
Lorica
- The Private Pursuit™ Platform uses OHTTP to add end-user privacy to AI and analytics workloads.
Get your own Oblivious HTTP Relay in seconds.
No weeks or months of contract negotiations, and no tickets to request changes that happen hours or days later.