Comment by mortenjorck

15 days ago

> Long story short: now both Sign in with Apple and Hide My Email aliases are going to be issued on the @private.icloud.com subdomain. This makes it much easier to ban all aliases without affecting non-relay mailboxes on iCloud mail.

Could someone clarify why having Sign in with Apple and Hide My Email on the same domain would make a blanket ban easier rather than harder? What am I missing?

Before, the emails were "me@icloud.com", the default for all apple users. There was no way to distinguish normal emails from generated private emails.

Now, they will be "blah@private.icloud.com", so it will be easy to ban the generated/private email that reduces the ability to associate logins across services.

Unclear why Apple would shoot themselves in this way; I hope it's not Ternus complying with anti-privacy.

  • Now, they will be "blah@private.icloud.com"

    I've been in the ecosystem long enough to have .iCloud.com, .me, .mobileme.com, iTunes.com, and probably one or two more addresses all assigned by various Apple services over the years before they started unifying the systems.

    They all work, and independently of one another.

    I wonder if all the domains will be migrated, and how namespace collisions will be handled.

    • Apple stated legacy aliases will work as is:

      > Existing addresses on the legacy domains will continue to work and forward mail to users without interruption.

  • maybe to avoid getting their legitimate email servers banned by other servers since they host (i.e. being exploited) a growing number of spam accounts.

    • For most online businesses, blocking Apple email servers sounds like a good way to kill off the portion of your customer base that has the most money to spend.

  • But it’s not? Like if they block that subdomain, they will completely block Sign in with Apple.

    • Many web sites and apps do not use Sign in with Apple. And they could block the domain for account creation with email without blocking the domain for account creation with Sign in with Apple. This would not make sense unless Apple changed what personal information Sign in with Apple provided probably. But they could.

  • I see – somehow the Apple UI for this gave me the mistaken impression that privaterelay.appleid.com was the domain used by the alias, but I see now that it was always just icloud.com.

Apple was generating (something)@icloud.com whenever you used that service. Now, it will use (something)@private.icloud.com instead. So you can ban this subdomain instantly, knowing people will be "hiding" with this service by default.

It's like blocking anondaddy, simplelogin etc but not protonmail.

I guess their thought process is, both alias and non-alias accounts use @icloud.com

You were always able to reserve a normal icloud email address just like you would a GMail account, so banning all icloud email addresses would be banning non-alias Apple customers

That being said, I'm not convinced anyone who wanted to ban aliases couldn't have already. The alias emails look weird enough I'm guessing you could ban them with few false positives.

  • > The alias emails look weird enough I'm guessing you could ban them with few false positives.

    While this is true not all of them been weird. Some can be just word + number + word without dots or underscores.

    Also blanket banning whole domains is just much easier and already done for temporary emails. No false positives.

    • The point of the article is previously banning Apple's temp domain would create many false positives (all the normal Apple registered emails that chose @icloud.com during setup)