Oblivious HTTP

What is Oblivious HTTP?

Oblivious HTTP is defined by RFC 9458, an IETF proposed standard.

In a nutshell, Oblivious HTTP offers a way for your users to access your services without giving away any information about themselves.

The three required components are:

1. an OHTTP client library to encrypt requests
2. an OHTTP relay operated by a third party (that’s us!)
3. an OHTTP gateway to decrypt requests for your servers

Conceptually, it’s similar to a VPN. The difference is that OHTTP guarantees privacy by splitting apart the “incoming” and “outgoing” halves of the proxy into separate companies. The relay (which can see user request information like IP address) can’t see the user’s request contents, due to the encryption. The gateway (that’s your server) can decrypt the user request contents, but can’t see any user request information because all requests are forwarded through the relay server.

Further reading

• Cloudflare Privacy Gateway: a privacy preserving proxy built on Internet standards
• Mozilla’s OHTTP Explained
• RFC 9458: Oblivious HTTP
• RFC 9292: Binary Representation of HTTP Messages
• draft-ietf-ohai: Chunked Oblivious HTTP Messages
• draft-kazuho-httpbis: Incremental HTTP Messages