Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cloudflare's 1.1.1.1 Service Launches on Android and iOS (fastcompany.com)

Posted by msmash on from the interesting-moves dept.

harrymcc writes: Content-distribution network Cloudflare has introduced iOS and Android versions of 1.1.1.1, a free service which helps shield you from snoops by replacing your standard DNS with its encrypted (and speedy) alternative. The mobile incarnation of the PC service it launched last April, the apps don't require you to do anything other than downloaded and install them, give your device permission to install a VPN, and flip a switch -- making them approachable for the masses, not just geeks.

47 of 105 comments (clear)

  1. Re: Cloudflare ROCKS! by Anonymous Coward · · Score: 3, Informative

    You really should read the article. If you have your own DNS or your own VPN this is a downgrade to your opsec. Most people don't, and they do use the ISP's DNS servers (or the telco carrier's DNS) ... and here is where the Cloudflare service really makes a difference.

    It doesn't "Hijack" anything. You either affirmatively choose to install it... or you don't. If you don't, nothing changes.

    Try reading the article for comprehension. /.reader#734

  2. Re: Cloudflare ROCKS! by Anonymous Coward · · Score: 2, Informative

    Hmn no. This service attempts to hijack my own dns. I have started blocking 1.1.1.1 on all my firewalls and routers. Both on company and personal machines.

    Yes, I agree.

    http://hightechforum.org/cloudflares-1-1-1-1-dns-does-nothing-for-privacy/

  3. They host the content by Bite+The+Pillow · · Score: 1

    If they host a lot of the content, they know what you're looking at. Now they know.. what you're looking at. Problem is what?

  4. Sick of big companies snooping your dns? by viperidaenz · · Score: 4, Insightful

    We have a simple solution!
    Install this app and give Cloudflare permission to access all of your network traffic and you can use our DNS server!

    1. Re:Sick of big companies snooping your dns? by AndrewFlagg · · Score: 1

      not to be pessimistic and cloudy.... .....and the traffic is hijacked via bad IP routes through another country.. or that closet in the hallway with no label or number in a megapop downtown san francisco where all the fiber comes in and out off.... and voila.. back to square one.. ;-)

    2. Re:Sick of big companies snooping your dns? by Known+Nutter · · Score: 1

      You should try speaking in clear, concise, and complete sentences.

      --
      Beware of the Leopard.
    3. Re:Sick of big companies snooping your dns? by viperidaenz · · Score: 3, Insightful

      I'm not sure what your point is, because you've failed at english.

      But VPN apps get access to all network traffic on your phone. they're free to inspect the data and are responsible for routing it. That's just how VPNs work.
      If you're worried about "big data" getting your data, I'm failing to see how freely giving it all to a "big data" company is going to help. Especially when the service they're offering is free. Someone is paying for it.

      Maybe they want to analyse the data to find popular websites people use that don't go through Cloudflare services, so they can better target their marking to those site operators.

    4. Re:Sick of big companies snooping your dns? by gtall · · Score: 1

      Precisely. Cloudfare must show some sort of profit for this "service". The only way I can see them turning one is monetizing the information running through their systems.

    5. Re: Sick of big companies snooping your dns? by bn-7bc · · Score: 1

      Well consider thiscenario: en user usingcloudflares dns are trying ro get to content hosted by cloudflarw, thay query the dns for recoeds that probably ar atleas cached on the server, so they get a reply in 1 rtt and initiate aconnection to the nearestserver having that content. Net result for the end user they get the content even quicker than before ehe cf did just the hosting. Cf can say wedeliver first byte quickerthan ouer competition, that is agood thing when trying to get newcpstumers. Thecost for serving as the recursicve dns for non cf records, well cheap advertising.

    6. Re: Sick of big companies snooping your dns? by viperidaenz · · Score: 1

      or more likely, they'll present data showing connection times, time to first data, data throughput, failed connection attempts, etc for the customers they're trying to win over.
      That network data can be provided by a VPN app.

    7. Re:Sick of big companies snooping your dns? by thegarbz · · Score: 1

      We have a simple solution!
      Install this app and give Cloudflare permission to access all of your network traffic and you can use our DNS server!

      I'm ready to accept going with a new unknown than my god-fucking-awful-and-overtly-evil ISP.

    8. Re:Sick of big companies snooping your dns? by AmiMoJo · · Score: 1

      You don't have to use Cloudflare's VPN app if you don't trust it, you can just manually configure your DNS servers or use your own local VPN. DNS66 is open source and a good choice, as it also features ad blocking.

      In any case, if they are leaking data back to Cloudflare somehow it would be trivial to spot and quickly get them banned from the Play Store. I'm sure someone will check.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Sick of big companies snooping your dns? by viperidaenz · · Score: 1

      It would be trivial to hide data in the encrypted secure dns lookups the app is primarily designed to do.

    10. Re:Sick of big companies snooping your dns? by micheas · · Score: 1

      I'm not sure how they plan on monetizing it. But, from talking to their salespeople that have been wanting me to pay $1,500 a month for their DNS service. I'd guess they are looking at this as a freemium offering. Where they will allow corporate users to have private DNS entries that are only available to their logged in users. And based on their pricing model, I'd guess that would be about $1k a month plus a per-user fee.

      --
      Work bio at MMWD
  5. No thanks by Anonymous Coward · · Score: 5, Insightful

    This isn't protecting traffic from snooping, it's exposing traffic to Cloudflare. The same company which makes a business model out of holding other people's private TLS keys. The same company which refuses to stop serving known spammers. The same company which was breaking half the internet for Tor users.

    Cloudflare is the kind of centralization we need to get away from.

    1. Re:No thanks by thegarbz · · Score: 1

      This isn't protecting traffic from snooping, it's exposing traffic to Cloudflare. The same company which...

      Yeah but you haven't mentioned anything about abusing customer data and selling it wholesale without even cursory anonymity to any 3rd party paying cash, so they sound like exactly the kind of company that I would prefer to hold my data instead of my mobile provider.

    2. Re:No thanks by AmiMoJo · · Score: 1

      It's the lesser of two evils. If you use your ISP/mobile operator's DNS server then they have a record of every query you make, and the times you visited those sites thanks to deep packet inspection (DPI). At least this way the DNS lookups and the DPI data are kept separate and can't be trivially cross referenced.

      The DPI data is getting less useful too, because due to services like Cloudflare and shared virtual servers in general it's become much harder to associate an IP address with a particular web site.

      Cloudflare gets you DNS lookups and can of course correlate with accesses to their CDN from your IP address, but it's still better than your ISP having it because your ISP also has the DHCP and billing records to tie it all directly to you. Let's not pretend that most ISPs are less evil than anything Cloudflare does either.

      So for most people it's an improvement, although obviously not as good as using a proper on-log VPN or Tor.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re:Cloudflare ROCKS! by AndrewFlagg · · Score: 1

    its funny how ass backwards our technology has been rather than how we live in our neighborhoods and walk down the streets. now technology is starting to behave like it should be like.... hey, a stranger someone lives there because the light is on, and don't know who, and what they have... unless i snoop in their mailbox and peep through their windows... no value in anonymous traffic other than traffic in itself.. ads should continue without alot of granular metrics like it used to be, much like tv and the neilsen ratings..... me likey...mikey likes it...

  7. Re: Cloudflare ROCKS! by Anonymous Coward · · Score: 1

    From your own link, the 1.1.1.1 isn't much use without also using a VPN to encrypt the IP calling it. Which... they now have added to the app, as above.

  8. How do they make money on this? by Anonymous Coward · · Score: 1

    I'm curious about their altruism.

    1. Re: How do they make money on this? by Anonymous Coward · · Score: 1

      I think it's more about vendor lock-in of sorts. The more and more people using anything from cloudflare the better for their business.

      They also get a lot of statistics and data from millions/billions of DNS requests and metadata (what times are busiest for which regions, etc).

    2. Re:How do they make money on this? by LordHighExecutioner · · Score: 1

      NSA

    3. Re:How do they make money on this? by AHuxley · · Score: 1

      The "free" use of the internet by many people gives data on the internet in real time.
      That better protects people in real time who pay for security products and services.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:How do they make money on this? by Shaix · · Score: 1

      Is there any actual proof of this? Or even any evidence at all to suggest it? Or is this just another tinfoil hat type of thing?

  9. Re: Cloudflare ROCKS! by Anonymous Coward · · Score: 1

    If you aren't blocking outbound DNS from everything but your authorized DNS servers on an enterprise network via your firewall, then you are grossly incompetent and oblivious to modern attack vectors.

    And basic security principles like defense-in-depth.

  10. 1.1.1.1? by Freshly+Exhumed · · Score: 3, Funny

    How am I supposed to remember that IP address? If only there was a system to translate such IP addresses into more human-friendly names that are easier to remember...

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:1.1.1.1? by Cmdln+Daco · · Score: 2

      I agree. It's so archaic that they are using octal. Why can't they use hexadecimal or binary like the rest of us?

    2. Re:1.1.1.1? by fisted · · Score: 1

      Whoosh

      --
      CLI paste? paste.pr0.tips!
  11. Re:Cloudflare ROCKS! by Cmdln+Daco · · Score: 1

    Aren't they a content-providing, aka DRM type delivery vehicle?

  12. Re:Cloudflare ROCKS! by OneHundredAndTen · · Score: 4, Insightful

    Are you aware of the fact that Cloudflare has access to ALL of your DNS queries? If you do not trust your ISP, Google, etc., why would you trust Cloudflare?

  13. Re: Protect yourself from DNS attacks... apk by Anonymous Coward · · Score: 2, Informative

    Do not download this program for Linux or windows. I tried the Linux port and it opened up a command prompt and did a sudo rm -rf. I have no idea how it got my root password.

    I then tried the windows version a couple days later. Same thing except I kept seeing deltree.

    APK can not be trusted.

    First off, he isn't an American. He is a foreign adversary living in the republic of congo. He makes his money from blood diamonds by using child labor.

    Stay away from APK and all his software if you want a clean system. Beware anything that is made from APK is a virus or malware.

    Yours truly,

    Spruce Schneier

  14. Re: Quad dns by Anonymous Coward · · Score: 2, Funny

    Fuck it, we are going with 5 DNS entries.

  15. Re:Cloudflare ROCKS! by squiggleslash · · Score: 2

    It's not as useful as it once might have been. HTTPS used to be 100% secure with only hole being DNS. This would plug that... except that browsers have been migrating to SNI, a system to allow a single IP address to service multiple HTTPS sites, which means that the domain name gets exchanged in a snoopable (MITM) manner.

    With SNI becoming common, the Cloudflare service really doesn't provide much security.

    --
    You are not alone. This is not normal. None of this is normal.
  16. Re: Cloudflare ROCKS! by squiggleslash · · Score: 2

    Yes, we know that bit, what people here are saying that's a bad idea, given that if someone installs the Firefox plug in, they'll suddenly have problems accessing internal-wiki.myemployer.com, timeoff-booking-system.myemployer.com, and source-code-control-system.myemployer.com.

    Sysadmins in general also like having control over their own networks, and having random employees use third party DNS, still worse to "protect their privacy" (prevent a sysadmin from determining what they were using the network for, something they have a legitimate reason for), undermines that.

    --
    You are not alone. This is not normal. None of this is normal.
  17. Re: Cloudflare ROCKS! by bn-7bc · · Score: 1

    As far as I know cf delivers any content their coustubers want them to (any legal content that is) the use of drm or not is the costumers Âchoice but then again I might be miss informed

  18. Re: Cloudflare ROCKS! by bn-7bc · · Score: 1

    Good point put until ipv6 is absolutly evrywhere we canâ(TM)t afford the ipv4 burn rate of having avry https site on their own ip esp niw that more and more browsers flash up scary messages if you try accessing anything over http.

  19. Ipv6 not secured by bn-7bc · · Score: 1

    This works only for ipv4 traffic (the vpn part) so if the network ypu connect to is dual stacked only 44 traffic will be secured and since most apps use ipv6 as defaulr when avalable a significant portion ofyour traffic will not use the vpn, how could cloudflare miss this? Itâ(TM)s not like these pople donâ(TM)t know about nerworking is it

    1. Re: Ipv6 not secured by Zero__Kelvin · · Score: 1

      Please substantiate your claim that "Most apps use IPv6". Show your work, especially referring to the ISO model. (You fucking idiot)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  20. Re: Give your device permission to install a VPN by bursch-X · · Score: 3, Funny

    You downloaded an VPN app that now has the gall to ask to install a VPN - inconceivable.

    --
    There are two rules for success:
    1. Never tell everything you know.
  21. Re: Cloudflare ROCKS! by andydread · · Score: 1
    Yes internal hosts will fail. As them trying to "protect their privacy"

    Guess what?? It won't work if a competent sysadmin blocks all outgoing DNS queries from the LAN except the DNS server on the LAN that they should be using.

    So, what will happen when random employee installs said App?
    Their internet on their mobile device will not work after installing the app and they will then remove it. Problem solved.

  22. Re: Cloudflare ROCKS! by andydread · · Score: 1

    [citation needed]

  23. Marketing by DaMattster · · Score: 1

    I use this on my Android 8.1 device simply because it's convenient. As for my home network, I run my own DNS servers so I really don't have to worry much about DNS traffic being snooped by my ISP. If I were so inclined, I could also run all of my home network traffic over a VPN to my own cloud servers. But this initiative by CloudFlare is nothing more than a gimmick to make money. Instead of your ISP selling your data, CloudFlare now gets the piece of the pie.

  24. I'll explain why the "vpn" by gl4ss · · Score: 1

    You need to insert the dns because you can't configure a custom dns on a gprs/2g/4g connection on phones. so what to do? well create a local vpn and intercept the dns there. the vpn doesn't need to "go" anywhere.

    You cannot filter/block the dns requests otherwise on the phone itself. this situation sucks and is deliberate. this is a janky workaround to combat that.

    This idea of doing filtering like this is years old. there's a bunch of apps like this on play store.

      - on a related note, samsung for example has actual api's to configure the actual firewall, those apis aren't free to use but behind a licensing deal(your phone check the developers key when you use an app that has done the licensing with samsung).

    or, of course, you could just root your phone. I mean that would be the most sensible thing to do. you can't configure these vpn's to be "always on" anyways - and fucking android lets some built in stuff bypass the always on vpn setting anyways.

    --
    world was created 5 seconds before this post as it is.
  25. Re:Cloudflare ROCKS! by AmiMoJo · · Score: 3, Insightful

    Because most people have to trust someone with their DNS queries, especially when on mobile networks. Given a choice of unencrypted DNS queries to your scummy mobile provider's servers or encrypted ones to Cloudflare, you are probably better off with the latter.

    At least Cloudflare can't tie up the request with cell location data and sell that information to nearby businesses.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  26. Isn't this just... by mccrew · · Score: 1

    Isn't this just trading in one snoop with a different snoop?

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  27. Re:Cloudflare ROCKS! by squiggleslash · · Score: 1

    I'm glad to hear that! I've been wondering if there would have been a way to at least use some form of adhoc encryption to exchange the hostname with the server, and then verified afterwards that the encryption wasn't compromised, eg:

    Client: Send me the public part of an encryption key
    Server: 1234
    Client: (Encrypted using 1234)www.hostname.com
    Server: (Key for www.hostname.com)
    Client: (Creates session using www.hostname.com's key)You sent me 1234 to use to encrypt the hostname, was that valid?
    Server: Yep, that's the one I use today.

    The only problem I can see is if multiple servers serve the same site, then you'd have to make sure the key used to encrypt the hostname is the same on each server (if it allows different keys for different TCP sessions then the attacker can just break the connection the first time they try to connect after faking being the server to get the hostname.)

    --
    You are not alone. This is not normal. None of this is normal.
  28. Re:Cloudflare ROCKS! by mshieh · · Score: 1

    Because I have no idea who the ISP is when I travel.

    If I'm at home, this is probably overkill.

    If I use google without dnssec or dns-over-https, then it's easy to see which sites I visit.