Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.
My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.
Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.
We haven’t said that in a long time, but I was reminded of it while we were on our IPO Road Show. One investor we met with said:
“Here’s how I think of you: Cloudflare is to Facebook as Shopify is to Amazon.”
That resonated with me and reminded me of our earliest days and why we started the company.
So I appreciate the concern but hope there will always be more independent web because we exist than there would be if we didn’t.
It's true that a website using Cloudflare is more independent than a Facebook page, in that in the former case, the company can take their domain to another provider. But my idea of an independent Web is a large number of websites depending on a large number of high-quality hosting providers. The latter number will inevitably be smaller, but shouldn't be single-digit. That would lead to too much potential for abuse of power.
Also, the more sites are using a single provider with its black-box algorithms and heuristics, the more potential there is for bad consequences for innocent users when those things misfire. That's what worries me about the bot-fighting feature you launched on Monday.
To respond specifically to part of what you said:
> The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages.
I don't think I understand how Cloudflare actually helps here. I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem? If so, I haven't run into them in the 16 years that I was the programmer and sysadmin for a small company (admittedly, online services are that company's business). Maybe we just didn't make the right enemies? Now, maybe small web hosting providers could make it even easier to set up a new website, but Cloudflare doesn't do anything about that problem anyway. If the concern is performance, maybe we need better alternatives to WordPress and Drupal, and more local hosting providers, so the website for small businesses can be closer to their mostly-local customers without using a CDN.
https://blog.cloudflare.com/ninth-circuit-rules-on-nsl-gag-o...
I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...
The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.
The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.
I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.
The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.
At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.
He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.
But the idea of Cloudflare intercepting all of my traffic doesn't bother me since the alternative is simply another company (Spectrum, or my random friend's wifi, or Starbucks) intercepting all of my traffic by virtue of being my ISP. It's up to you which is the lesser of two evils.
I suppose Cloudflare may have more insight into the data being proxied if they're also managing the SSL certificates at the other end, however.
And the usual (optimal?) outcome for ownership of utility infrastructure, is that it gets held as a “public resource” by the government of the country or countries that built it; and then companies are contracted to manage it. From there, you end up with multilateral organizations weaving those pieces of infrastructure together in a top-down way (like shipping routes, or the postal system, or, hopefully one day, low-earth orbit.)
Which is far from an anarchosyndicalist mesh of interested companies, organizations, and individuals (à la the early Internet, or the HAM radio network), but we’ve never seen an anarchosyndicalist mesh successfully serving as a reliable/fault-tolerant backbone for any commercial endeavour so far, and I don’t know if it could.
And any VPN provider that hosts their servers and routes their traffic through unknown datacenters?
I'd rather trust Cloudflare, which has a great track record (+Public Canary and is on US Privacy Shield), than any random VPN provider.
I can see how some people would benefit from this kind of VPN.
Plus, (1) you can turn on/off WARP at your leisure and (2) they've explicitly committed to limited logging and not selling data which is pretty huge.
I use a small local provider where possible... but the reality is that they have to lease their lines from AT&T anyway. In general, there are very few providers out there that have the capability to offer competitive services.
I don't remember the internet ever being like that.
I remember when you couldn't e-mail someone in another city without going through gateways. When you couldn't visit the majority of major web sites without downloading plug-ins. When you knew the information you wanted was out there, but couldn't get to it because it was behind obtuse, non-searchable infrastructure.
To me, the internet today isn't perfect. But it's a heck of a lot better than its romanticized distant past.
As for WARP, I'll give it a try. I don't fully trust Cloudflare, but I trust it a heck of a lot more than I trust my ISP or my cell phone provider. Long ago, both of those entities burned privacy bridges. Cloudflare hasn't done so. Yet, anyway.
I was on the web since AOL added it to their client in the mid-90s and it was never as bad as you're hinting it is.
But to do that I'd need to have replication not just across data centers but across providers. And it's hard enough getting your team to understand how one provider works. We'd have to go an awful long way toward standardizing and dare I say commodifying these companies to get there.
But as Fortune 500 companies have known for longer than Fortune has existed, if you have two vendors you can play off of each other your life tends to go a lot better. Right now almost none of us have that, and I suspect we are all a little poorer for it.
This isn't power that good intentions are going to keep straight.
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
1- https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...
But for websites outside your network I don't see any obvious way how to do that. Wouldn't this being possible imply that it's possible to spoof traffic? That would open a whole can of worms for the web and even the internet at large.
But I also get your point that you don't want people to see WARP as a regular VPN to protect a user's IP address from being exposed to the other side. Since it's not easy for a user to see which sites run behind CF and which ones don't while browsing, they must keep this in mind. Or they can just firewall all CF IPs minus the ones used by WARP (assuming none are shared with other CF products and a list can be obtained).
Is it to support IP authenticated logins or similar?
1) Communicating with insecure websites (HTTP instead of HTTPS)
2) Using unsecured wireless networks (e.g. Wi-Fi at a coffee shop)
Beyond these two cases, is there any advantage to using Warp? Does Warp provide any benefits for email (secure IMAP/SMTP), file sharing (BitTorrent), or other protocols?
I would dare to say you're wrong. It's one big reason I wouldn't/won't use Warp.
At least, that's the way I'm currently understanding it.
https://icanhazip.com - on CF network
https://ifconfig.me - not on CF network
Last night I was testing it and geo-location was visible...
What/how can we do more to encourage corporate sponsorship (either time or money) of code that's critical to a company? There are various ways the community has tried to enable this, in different ways. Liberapay and platforms like it try to make it easier (think Patreon but less commercial). The Linux Foundation takes large corporate donations and distributes them out to a large number of projects they support. Stick a PayPal email address or bitcoin address in the Readme.md as a "serverless" way to receive money.
However at the end of the day, that seems to not work. Curl is used in billions of devices but the majority of the work on it has been done by one person for 20 years.
Something is not working as we hoped.
†) specifically Open Source under the GPLv2 license
‡) https://www.linuxfoundation.org/projects/
Because that's a sensible thing to do when someone's open source project is at the very core of your commercial product?
> When was the last time someone you know paid Redhat for CentOS or Canonical for Ubuntu on principle?
Netflix and Tarsnap have donated to FreeBSD Foundation multiple times[1], and Jan Koum has donated over $1 million after selling WhatsApp[2].
Also, look at how many companies are sponsoring LetsEncrypt[3] – including Akamai and Fastly – but not Cloudflare.
[1] https://www.freebsdfoundation.org/donors/
[2] https://www.freebsdnews.com/2016/12/02/jan-koum-founder-what...
https://github.com/cloudflare/boringtun/
Which is more valuable to the community? I don’t really think you can quantify it.
https://github.com/trailofbits/algo
A small DO (Digital Ocean) instance is only $5 a month and comes with 1TB outbound bandwidth (last I checked), which ends up being cheaper than most commercial offerings.
Damn, that would be so cool.
Disclaimer: I'm an employee
P.S. Regarding the 10GB, I have been on the waiting list since April 1st, nothing has shown up yet.
Heads up that the 10GB is also not showing up.
Edit: And the wait is over!! WARP is now available!
However I do have an issue with the marketing behind it. While not said outright, there is a clear message here that due to some unspecified magic your network performance will increase. That's clearly stretching the laws of physics, at the very least. There are also nebulous privacy statements which look conspicuously like services that shield your identity, which does not seem to be the case here.
If the real intent here is to help underprivileged Internet users escape their great firewall, onboarding some regular users might be necessary to make the service more legitimate. However even a generous reading of this announcement does not seem to support this use case. The consumer VPN business is a questionable business at best, and this does not look different.
This is not clear to me. Few mobile users have pings to anywhere pushing up against the speed of light, and the bandwidth/loss/routing is not close to being limited by physics.
And sending traffic by way of a third party is very likely to make for a longer path, for most people in most circumstances. Not by necessity but because few have routing agreements that lousy, unless we're talking about special circumstances such as 6to4 tunnels and the like.
In this post, they say that routing over cloudflare's network can be up to 30% faster because they maintain more efficient routing information than the public network:
I'm hyped to see Rust code running on so many phones.
It takes 20 seconds for every YouTube video to load while they load instantaneously without WARP:
Cloudflare has, time and time again, demonstrated openness, transparency, and insight into their technical and ethical frameworks. I trust them a whole lot more than my ISP or any random VPN provider.
As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.
They've also exercised power over websites based on moral outrage. Perhaps 99.999% of people agree with the morals behind this decision, and maybe it's even the right decision, but it's still an arbitrary decision made by Cloudflare.
They are also bound by US law, and other entities bound by US law have been forced to enable the exact same forms of record keeping that Cloudflare says they will keep turned off.
Cloudflare is not a neutral party. They don't even advertise themselves as a neutral party.
If it brings competition to the shady VPN-peddlers, and is easy to download and get going, I'll consider it a net positive, all-in-all, regardless whether I'll use it personally or not.
If you can extract the endpoints, private and public keys, it might work. It would be considered unsupported and might be considered a violation of the terms of use. Check the license agreement.
That answer is correct, but official word is here https://news.ycombinator.com/item?id=21071258
(Not my Twitter account, just saw it on my timeline)
Companies like InfoUSA can convert 95% of US IP addresses to physical addresses and household resident names. By inserting themselves in the network between users and websites, Cloudflare will soon be able to get a chunk of InfoUSA's advertising profits.
Remember, if you aren't paying for it then you are the product.
Stay away from Cloudflare WARP and use a real VPN.
> What WARP Is Not
> From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.
> WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you.
Isn't that what ssl does already lol? What a load of sham.
Just like how “but they can see your email” isn’t enough of a deterrent to convince the majority of people to switch from free gmail (hotmail, yahoo, etc.) to a paid service with actual privacy, “Cloudflare can see your traffic” is unlikely to convince people who are more worried about nebulous sniffers and scammers at their local coffee shops than giant internet infrastructure companies.
That said, I'm very ambivalent about Cloudflare.
On the one hand, I love them because they're doing a lot of cool stuff (shoutout to kentonv whose sandstorm project I loved, who works there now), and even own a bit of their stock.
On the other hand, them being an infrastructure company but also wading into what travels over their pipes makes me uncomfortable. I get that 8chan was horrible (and Stormfront before that, IIRC), but it shows more discretion than I'd like at that level of the stack. They seemed to be more hands-off in the past, so I wonder if the IPO changed that at all.
A policy question: forbidding 8chan as a Cloudflare customer is one thing, but what if someone was using Warp and tried to load wherever it is they moved to? Would Warp block that?
I wish we could have an actual conversation about the 8chan thing, but the public debate is far too emotionally charged for me to touch. :(
Another problem is 1.1.1.1 suddenly disconnected when I'm not browsing the internet, like watching videos or reading something on my phone.
Hope you guys fix these problems soon.
EDIT: Anyone in Barcelona want to go axe throwing in an hour?
WARP+ takes that one step further. Rather than releasing your traffic directly onto the Internet, we use all the data we have from our Argo product [1] to route your traffic to _another_ Cloudflare data center via the route over the Internet with the best possible performance. That data center will be closer to your traffic's destination, hopefully improving the performance. In effect your traffic will bypass Internet congestion and slow links with the goal of better time-to-first-byte performance.
I recently purchased Adblock by Futuremind from AppStore, since I got really worried about my privacy. It has some features like local proxy DNS and setting up new rules. I keep my VPN on all day.
Before that, I used to use Hotspot Shield since that was free. I used to get only one server viz. USA.
I see the internet speaks highly of NordVPN but that’s a whopping $85 which kinda burns a hole in my pocket. They claim that PWC has done an audit on them and confirmed that they don’t save users' data.
Would someone here kindly guide me on the most reliable VPN out there, for iOS?
Thanks in advance for sorting me out :)
I use Mullvad VPN which supports both OpenVPN and WireGuard (which is the reason I use Mullvad) and costs 5 euros per month. You can use something like Bitcoin to pay if you want anonymity.
5 euros/month sounds expensive but does it give a bigger bang for your buck?
I'd also feel very uneasy with continuing to feed the consolidation of the internet's traffic. Giving full control of your phone's routing to Cloudflare is sold as improving performance, but what it also does is give Cloudflare a lot of flexibility to pay less in transit costs and have a stronger position for peering agreements. Today that might be good in preventing ISP shakedowns, but very bad tomorrow if ISPs have to pay Cloudflare for the privilege of accessing the majority of the internet.
Most of those consumers aren't aware of any of that, so if you want them to use it, you'll have to pay for marketing to bring it to their attention. Is that the plan?
> Before today, there were approximately two million people on the waitlist to try WARP. That demand blew us away. It also embarrassed us. The common refrain is consumers don’t care about their security and privacy, but the attention WARP got proved to us how wrong that assumption actually is.
If anything, all I would take from that number is that the tech crowd is perhaps larger than people give it credit for. But I highly doubt that waitlist expands highly beyond the tech crowd.
Happy to be wrong, though :)
Most use a VPN to add a layer of anonymity (hidden IP) and to circumvent geo blocking.
All this does is hide unencrypted traffic from the local network and maybe give a moderate speedup, but one that will probably be restricted to non-Cloudflare properties. For other properties, especially high-traffic ones with their own fancy routing logic, this will probably be more detrimental than helpful.
Admittedly a lot of people also just use VPNs because of the countless ads telling them that the Web is terribly insecure without one. I don't see this being much of a success without big ad spending.
Might work out just fine for CF, but I will pass.
I'd rather just encrypt all my traffic and let Cloudflare make the routing decisions - that alone is worth an extra $5/month.
TOR endpoints are discriminated against by many endpoints and providers - why not Warp endpoints?
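(registering a `wg` generated public key with CF)

    # Requires bash, curl and jq. ${pub} (the WireGuard public key) and ${usr}
    # (path of the file caching the registration id and token) must already be set.
    api=https://api.cloudflareclient.com/v0i1909051800
    # ins VERB PATH [curl args...]: unauthenticated JSON request to the API
    ins() { vrb=$1; shift; curl -s -H 'user-agent:' -H 'content-type: application/json' -X "${vrb}" "${api}/$@"; }
    # sec VERB PATH [curl args...]: same request, with the stored bearer token
    sec() { ins "$@" -H 'authorization: Bearer '"${reg[1]}"''; }
    # Reuse the cached registration if there is one, otherwise register the key
    # and enable WARP. cfg ends up as: peer public key, peer IPv4 endpoint,
    # interface IPv4 address.
    cfg=($(if [[ -e "${usr}" ]]; then
        reg=($(cat "${usr}"))
        test "${#reg[@]}" -eq 2
        sec GET "reg/${reg[0]}"
    else
        reg=($(ins POST "reg" -d '{"install_id":"","tos":"'"$(date -u +%FT%T.000Z)"'","key":"'"${pub}"'","fcm_token":"","type":"ios","locale":"en_US"}' |
            jq -r '.result|.id+" "+.token'))
        test "${#reg[@]}" -eq 2
        echo "${reg[@]}" >"${usr}"
        sec PATCH "reg/${reg[0]}" -d '{"warp_enabled":true}'
    fi | jq -r '.result.config|(.peers[0]|.public_key+" "+.endpoint.v4)+" "+.interface.addresses.v4'))
    test "${#cfg[@]}" -eq 3

(Though I haven't tried it. So far I haven't received the 10gb Argo credits described, despite being on the waiting list for yonks)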
Edit: My 10GB came through. Looks like release day latency.
On PIA, which costs me around $3/month when I buy yearly, I get around 75MBPS, it does hide IP, and I can select the country and region I want. Also it's available on my computer and on multiple devices at once.
I don't see the value of WARP+ at $4.99/month. Less features and slower.
* Comcast without WARP: 460 Mbps
* Comcast with WARP: 30 Mbps
* T-Mobile without WARP: 500 Kbps
* T-Mobile with WARP: 600 Kbps
Regular WARP doesn't claim any performance speedups, so I'm curious to see how WARP+ compares. In the meantime, I will disable WARP for my home Wi-Fi.
* Hi3G (Carrier Aggregation) without WARP+: 39 Mbps
* Hi3G (Carrier Aggregation) with WARP+: 39 Mbps
* Hi3G without WARP+: 12 Mbps
* Hi3G with WARP+: 32 Mbps
As I ask elsewhere in this comment section, I don't see why "warp" endpoints won't be discriminated against the same way TOR endpoints are.
Warp endpoints will most likely not face the same kind of "discrimination". However, Warp does not provide any anonymity, which is the main reason people use Tor.
I'd love to get my non-tech family on this.
Even this blog post is confusing: "From a technical perspective, WARP is a VPN." Then it contrasts WARP with a "traditional VPN".
Still, it's quite exciting that Cloudflare's finally released Warp, and that the waitlist for Warp was so long.
https://adguard.com/en/adguard-dns/overview.html
Unfortunately this is only possible on wifi on iOS. On Android 9+ you can set custom DNS on both mobile and wifi.
This is an interesting design choice.
I'm sure the idea here is to reduce the number of abuse complaints directed to Cloudflare, but it also seems to significantly reduce the value of the service.
I'm excited to try WARP, but without IP masking, I'll need to keep paying for a commercial VPN service. If I'm already paying for a commercial VPN, I don't see why I'd ever use WARP.
That said, I definitely trust Cloudflare more than PIA/NordVPN/etc. Some more "bulletproof" providers like Mullvad are probably even more trustworthy, but I don't think Cloudflare is going to mine (or sell) my data.
At this point, I'm just not sure what use-case WARP would really fill for me.
It's not a good option for you, since you already have a VPN, but you can recommend the free version of Warp to people who want to be more secure but don't want to pay for a VPN subscription.
Warp+ is less defensible.
* I read that cloudflare generates a unique id for each install and the purpose was to track referrals. Consider adding an option to opt out of the unique id tracking since some users will be concerned about it.
* Any plans to add an option to use an ip from cloudflare instead of my ip address being visible to the websites I visit, at least on the paid plan? I know this opens a can of worms dealing with abuse of the service which could lead to certain ip addresses belonging to cloudflare being blacklisted.
For example would remote desktop from Thailand or Philippines to Europe work more reliably?
:-D
I wish they provided a desktop version, or at least to change all the traffic from my central MikroTik router to use Warp.
The IP discovery is currently only available for CF websites: https://news.ycombinator.com/item?id=21070828
Question: is there an OSX version? Or am I just blind? :)
I'm surprised, but pleased, that you can use WARP without 1.1.1.1 DNS. Hopefully that's not a bug.
Warp essentially shields where you are going. The only folks knowing where you go are you, your destination, and Warp.
Warp+ also gives you access to a private, faster network.
As soon as it feels stable I'm telling my activist brother-in-law in Venezuela to install it and enable WARP. Personally I trust Cloudflare above any ISP. I see myself installing it over holidays to the rest of the family there.
I understand and celebrate HN's high level discussion about concentration of power on the internet and its effects. But at the same time I want to celebrate a geeky company, releasing something cool, with a free tier – and an evident openness about its plans and how it works. Congrats on the launch!
kudos @ launching, have been waiting for this
How I see it: a well operated VPN service for whenever you trust Cloudflare more than the internet connection you’re currently on (coffee shop or airport wifi, co-working space, random mobile ISP when traveling or even at home, …).
Compare this to the current best alternative: difficult to evaluate VPNs ranging from paid to free & non-trivial to set up.
Not saying there are no alternatives but even for me it is not easy to tell which ones are actually better or in the same ballpark (@ trust, speed, ops-skills, …) let alone for the long tail of users who would be better off with something like Cloudflare than with a random shady VPN or nothing.
I spend a lot of time outside the USA and have privacy concerns a bit beyond the USA's typical data collection. I've been enjoying the 1.1.1.1 app since April without issues.
I'd love to see the speed comparison examples soon!
I'll definitely be using this as I can only connect to my house via IPv6 and my mobile provider doesn't offer it. This means that I can just toggle on the VPN for when I need IPv6 connectivity.
Any idea why iOS apps seem to not want to update using Warp? I’ve noticed the same when using other VPNs (including on Android).
I disabled Warp this morning after the Apple App Store wouldn’t update apps.
I'd probably give WARP a shot but I'm not willing to give up DNS66 to switch over
I try to avoid Cloudflare if I have an option because they are getting too big.