GoogleChrome / ip-protection

Apache License 2.0

Weighing any perceived privacy benefit against the privacy of using Google's proxy #10

Open bradisbell opened 1 year ago

bradisbell commented 1 year ago

This proposal appears to harm privacy by effectively routing all of a user's traffic through Google. Am I understanding this correctly?

> We are considering using 2 hops for improved privacy. A second proxy would be run by an external CDN, while Google runs the first hop. This ensures that neither proxy can see both the client IP address and the destination. CONNECT & CONNECT-UDP support chaining of proxies.

Even though the content is encrypted, the network addresses cannot be. Google's proxy then becomes a potential place data can be aggregated, even if the user's authentication tokens are secure.

How is this concern addressed?

dvorak42 commented 1 year ago

In the two hop proxy model, the first hop (controlled by Google) only sees the source client IP and a request to connect to the second hop, while the second hop (controlled by an external CDN) only sees a tuple on the first hop (proxy IP + port) and the destination IP. For the response back from the origin, the second hop is able to forward the response to the first hop proxy+port associated with the request and doesn't need to learn anything about the original client IP (and the first hop just returns the response to the client, without learning anything about the destination IP). In this way, the first hop only learns the client IP and the second hop, while the second hop only learns the destination IP.

Some of the techniques we're using to support this multi-hop proxying are described in various MASQUE documents being developed in the IETF (https://datatracker.ietf.org/wg/masque/documents/).

Let us know if this addresses your concerns or if there's further clarification we can provide.
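The following is an added example, not code from the GoogleChrome/ip-protection repository or from either commenter. It is a toy model of the visibility split dvorak42 describes: the client sends hop 1 a CONNECT to hop 2, and through that tunnel sends a second CONNECT to the real destination. The client-to-hop-2 leg is "sealed" with a key only the client and hop 2 hold, a stand-in for the TLS session the client would establish with hop 2, so hop 1 cannot read the inner request. Hop 2 keys its response on the (hop-1 IP, port) tuple and hop 1 maps that port back to the client, so no hop needs both the client IP and the destination. All IPs, host names, ports and the XOR "seal" are constructed for the example; real deployments use MASQUE over HTTP/3 and TLS, not this.

```python
"""Toy model of the two-hop CONNECT chain discussed in this issue (added example)."""
from __future__ import annotations
import itertools

HOP2_KEY = b"client<->hop2 secret"   # stand-in for the client/hop-2 TLS session key


def seal(data: bytes, key: bytes) -> bytes:
    """XOR stream used only to mark bytes opaque to hop 1; NOT real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Origin:
    def __init__(self, host: str):
        self.host = host
        self.seen_peers: set[str] = set()

    def serve(self, peer_ip: str, request: bytes) -> bytes:
        self.seen_peers.add(peer_ip)          # origin sees hop 2's IP, never the client's
        return b"HTTP/1.1 200 OK\r\n\r\nhello from " + self.host.encode()


class SecondHop:
    """CDN-run hop: learns (hop-1 IP, port) and the destination, never the client IP."""
    def __init__(self, ip: str, origins: dict[str, Origin]):
        self.ip = ip
        self.origins = origins
        self.seen: set[str] = set()

    def handle(self, peer: tuple[str, int], sealed: bytes) -> bytes:
        self.seen.add(f"{peer[0]}:{peer[1]}")        # only the first hop's tuple
        inner = seal(sealed, HOP2_KEY)               # unwrap the client->hop-2 leg
        head, _, body = inner.partition(b"\r\n\r\n")
        target = head.split()[1].decode()            # "CONNECT host:443 HTTP/1.1"
        host = target.rsplit(":", 1)[0]
        self.seen.add(host)                          # destination is visible here
        reply = self.origins[host].serve(self.ip, body)
        return seal(reply, HOP2_KEY)                 # reply returns sealed, to the peer tuple


class FirstHop:
    """Google-run hop: learns the client IP and that it must reach hop 2, nothing else."""
    def __init__(self, ip: str, hop2: SecondHop):
        self.ip = ip
        self.hop2 = hop2
        self.seen: set[str] = set()
        self.ports = itertools.count(40000)          # ephemeral source ports toward hop 2
        self.flows: dict[int, str] = {}              # ephemeral port -> client IP

    def handle(self, client_ip: str, outer: bytes) -> bytes:
        self.seen.add(client_ip)
        head, _, tunnelled = outer.partition(b"\r\n\r\n")
        target = head.split()[1].decode()            # "CONNECT <hop2>:443 HTTP/1.1"
        self.seen.add(target.rsplit(":", 1)[0])      # hop 1 learns only hop 2's address
        port = next(self.ports)
        self.flows[port] = client_ip                 # remember which client owns this flow
        sealed_reply = self.hop2.handle((self.ip, port), tunnelled)
        owner = self.flows.pop(port)                 # reply is routed by port, not by destination
        assert owner == client_ip
        return sealed_reply                          # still opaque: hop 1 cannot read it


def client_fetch(client_ip: str, dest: str, hop1: FirstHop, hop2_addr: str) -> bytes:
    """Client side: outer CONNECT to hop 2 via hop 1, sealed inner CONNECT to dest."""
    inner = (f"CONNECT {dest}:443 HTTP/1.1\r\nHost: {dest}:443\r\n\r\n".encode()
             + b"GET / HTTP/1.1\r\n\r\n")
    outer = (f"CONNECT {hop2_addr}:443 HTTP/1.1\r\n\r\n".encode()
             + seal(inner, HOP2_KEY))
    return seal(hop1.handle(client_ip, outer), HOP2_KEY)


def run_demo() -> dict:
    """Run one fetch and report what each party observed (constructed addresses)."""
    origin = Origin("example.com")
    hop2 = SecondHop("203.0.113.9", {"example.com": origin})
    hop1 = FirstHop("198.51.100.2", hop2)
    reply = client_fetch("192.0.2.55", "example.com", hop1, hop2.ip)
    return {"reply": reply, "hop1": hop1.seen, "hop2": hop2.seen,
            "origin": origin.seen_peers}


if __name__ == "__main__":
    for party, value in run_demo().items():
        print(f"{party}: {value}")
```

Running it shows hop 1 with {client IP, hop-2 IP}, hop 2 with {hop-1 IP:port, destination host}, and the origin seeing only hop 2's IP. The caveat the model makes visible is the one the issue raises: the split holds only while the two hops are operated independently and do not correlate their (hop-1 IP, port) records with each other; a single operator running both hops, or the two sharing flow logs, could rejoin client IP and destination.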