Introducing Oblivious HTTP support in Swift

Oblivious HTTP is a protocol to allow a client to make requests of a server without the server being able to identify the source of those requests. Conventional HTTP requests can reveal identifying information about the client such as the originating IP address, and can allow multiple requests from the same client to be identified as originating from the same node. In contrast, Oblivious HTTP provides a secure mechanism for protecting identifying client information, achieved by combining HTTP message encryption with a trusted third party relay service, providing increased privacy to users without incurring a significant performance overhead.

→ swift.org/blog/introducing-swift-nio-oblivious-http/

Apple has introduced SwiftNIO Oblivious HTTP, a new open-source package implementing provisional support for Oblivious HTTP, enhancing client privacy by preventing servers from identifying request sources through encryption and a trusted third-party relay.

The package, part of the SwiftNIO project, supports RFC 9292 for binary HTTP serialisation and RFC 9458 for Oblivious HTTP, enabling Swift clients and servers to use these standards. It includes two libraries: ObliviousHTTP for binary HTTP encoding and ObliviousX for generalisable encryption APIs based on Hybrid Public Key Encryption (HPKE), applicable to both HTTP and other data.

This supports privacy-preserving technologies like Private Cloud Compute and DNS enhancements, with simple APIs for serialising/deserialising HTTP messages and handling encrypted data.