Slashdot Mirror


Cloudflare Says Its New VPN Service Won't Slow You Down (wired.com)

Cloudflare has announced that it's adding a VPN service to its 1.1.1.1 DNS resolver app. The 1.1.1.1 service, which first came to mobile back in November, currently attempts to speed up mobile data speeds by using Cloudflare's network to resolve DNS queries faster than your existing mobile network. From a report: "We wanted to build a VPN service that my dad would install on his phone," says Cloudflare CEO Matthew Prince. "If you tell him that it will make his connection more private and secure, he'd never do it. But if you tell him it will make his connection faster, make his phone's battery last longer, and make his connections more private, then it would be something he'd install."

Mobile phone users can begin signing up for the service, dubbed Warp, through Cloudflare's mobile app 1.1.1.1 on Monday; Cloudflare says it hopes the service is working Monday, but it might take a few days. Regardless, Warp is a sign of things to come for the rest of the internet. The technology that Cloudflare is betting will make Warp fast is a protocol invented by Google called QUIC, and it could one day make the rest of the internet faster and more reliable. QUIC is essentially a substitute for TCP, the venerable protocol now used for most internet connections. TCP, introduced in 1981, made reliable internet connections possible, says Jana Iyengar, who worked on QUIC for Google; Iyengar is now a distinguished engineer at the cloud computing company Fastly working to help finalize QUIC with the Internet Engineering Task Force standards body.

73 comments

  1. Developed by Google by Anonymous Coward · · Score: 0

    Do not want, on principle.

    1. Re:Developed by Google by Joce640k · · Score: 1

      April fool!

      --
      No sig today...
  2. 1990s vs today by Anonymous Coward · · Score: 0

    1990s: internet is decentralized and resilient against attack
    Today: nearly all traffic goes through one company

    1. Re:1990s vs today by Luthair · · Score: 1

      resilient against attack? Were you even alive in the 90s? The internet then had all of the problems of today and many more that we've had to hack fixes for.

    2. Re:1990s vs today by Anonymous Coward · · Score: 0

      > The internet then had all of the problems of today

      Hah! Good one!

      You forgot to add "April Fools" though.

    3. Re:1990s vs today by darkain · · Score: 1

      Hey, remember that time Level-3 and Cogent had disputes and split their links, effectively making two internets!? Yeah! That was GREAT!

    4. Re:1990s vs today by Anonymous Coward · · Score: 0

      You mean like the current HE-Cogent broken ipv6 connectivity?

  3. What about desktops? by Anonymous Coward · · Score: 0

    Can we use this VPN service on our desktops too? Currently I use PIA as my VPN so if this is better, I'll switch.

    1. Re:What about desktops? by Anonymous Coward · · Score: 0

      Already looked and saw no mention of it but thanks anyway, Sherlock.

    2. Re:What about desktops? by Anonymous Coward · · Score: 0

      Currently it is mobile only.

      The site for this is actually https://1.1.1.1, not the primary cloudflare site.

  4. TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 1

    > "If you tell him that it will make his connection more private and secure, he'd never do it. But if you tell him it will make his connection faster"

    So they see no value in security or privacy. Also, they are one of the silicon valley pro-censorship stalwarts.

    This is a VN, with no P.

    No thanks.

  5. Google not Googling by Anonymous Coward · · Score: 4, Interesting

    NordVPN for the win (which uses OpenVPN and can be used completely without the NordVPN apps)....

    But you have to get the adblocking version on Nord's website. Google, in their infinite wisdom, doesn't allow adblocking apps to be hosted on their app store.

    If Google is behind anything, you can bet it will have a way to serve you ads no matter what else it does. And that is a security risk. They will always choose profits over customer safety.

    1. Re:Google not Googling by ron_ivi · · Score: 3, Interesting

      NordVPN has a rather close partnership (shared office space, shared executives) with a major data mining company (Tesonet) that brags about how much data it mines.

      People from both companies have given explanations/excuses in the past - but it's still rather suspicious to me.

  6. Don't trust the great cloudwall with your DNS by themusicgod1 · · Score: 5, Insightful
    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  7. Re: sounds gay by Anonymous Coward · · Score: 0

    No thanks

  8. Ha!Ha!Ha? by Anonymous Coward · · Score: 0

    A VPN that doesn't slow you down? What are they getting out of it?

    captcha - struck

    1. Re:Ha!Ha!Ha? by nospam007 · · Score: 0

      "A VPN that doesn't slow you down? "

      They have the full Internets cached in a truck in front of your house.

    2. Re:Ha!Ha!Ha? by Anonymous Coward · · Score: 0

      I'll take two, because, you know.

  9. "more private and secure" by DogDude · · Score: 4, Insightful

    "more private and secure" by running all of your traffic through Cloudflare!

    I just shot water out of my nose. Funniest thing I read all day.

    --
    I don't respond to AC's.
    1. Re:"more private and secure" by Anonymous Coward · · Score: 0

      We just weren't getting enough information about you from your DNS queries alone, so we decided to vacuum up all your Internet traffic with our new VPN.

      For those of you with something to sell, watch for our soon to be announced Advertising Service to a captive audience we know everything about!

    2. Re:"more private and secure" by PhrostyMcByte · · Score: 4, Insightful

      The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T. That's a little harder to answer.

    3. Re:"more private and secure" by DogDude · · Score: 1

      Good point. While AT&T probably owns 50% (with Spectrum/Time-Warner owning roughly the other half) of the Internet in the US, I think that Cloudflare probably has traffic running from 75-95% of it.

      --
      I don't respond to AC's.
    4. Re: "more private and secure" by buchanmilne · · Score: 1

      "The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T."

      Why are those your only options? Because you don't want to set up a recursive caching DNS service (or use some network appliance that does this for you)?

      In my case, it's a choice between trusting an American company subject to American laws/secret letters etc. vs. my local telco/ISP (we have virtual ISPs that are effectively VPNs over the incumbent's DSL+GPON network, plus various open access fibre networks, plus some full-stack close fibre networks, I'm currently on DSL), owned locally, subject only to local laws, that keeps all meta-data in-country on hardware they own and control access to, vs. my local bind caching DNS server (yes, I should probably switch to unbound, but DNS isn't a performance problem atm) with DNSSEC validation enforced. Obviously I choose the last one, but the 2nd one (trust my ISP) is much better than the first (Cloudflare).

    5. Re:"more private and secure" by Anonymous Coward · · Score: 0

      This exactly.

      And Cloudflare, through its position as a CDN, already knows and WILL know what sites you're visiting, at the least the sites who are their clients. So using them as your VPN offers them a little more data than they were already getting.

      ATT, Comcast, Verizon and the rest - they don't NEED to know anything about what you're visiting using their tubes.

      So yeah, I'm inclined to give them a go.

    6. Re:"more private and secure" by thegarbz · · Score: 1

      Your traffic is running through Cloudflare anyway. It may as well do so in a way that your ISP doesn't also see it.

  10. "battery last longer"? by scorp1us · · Score: 2

    I run a VPN on my phone already and I notice that there is substantially more battery usage with it than without. It makes sense: You're taking all that data and encrypting it. I don't know how you could encrypt the data and use LESS battery?

    Anyone have an idea?

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:"battery last longer"? by Anonymous Coward · · Score: 0

      What if they don't actually do any encryption and filter ads (while replacing a few of them with ads they sold instead). Maybe Cloudflare's VPN is nothing more than an ad replacing proxy.

    2. Re:"battery last longer"? by dargaud · · Score: 1

      I don't root my phone, so I can't use a hosts file. But I found an app that is just as good: it replaces your DNS with any you want, and you can give it a DNS that filters out known ad, spyware and other malwares (there are several). It works great and filters out this crap not only from the browser (which I was already doing with Firefox with the usual Adblock), but also from apps.

      --
      Non-Linux Penguins ?
    3. Re:"battery last longer"? by jeffasselin · · Score: 1

      Using a dedicated chip would help. Manufacturers have in fact included dedicated units in their CPUs for operations like AES encryption, but I’m not sure mobile chips include those.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    4. Re:"battery last longer"? by Anonymous Coward · · Score: 0

      Yeah, don't encrypt. Because Cloudflare's dad (the target audience) doesn't care about security or privacy.

  11. THANX BUT NO THANX!!! by Anonymous Coward · · Score: 0

    Running all cellphone & internet traffic thru any private company's servers???

    Protecting all criminals' cellphone & internet communication from law enforcement???
    (Because, IMHO, the people who are always really obsessed w/ "privacy" are criminals & NOT general public (who, on the contrary, want/like to help law enforcement)!!!)

    THANX BUT NO THANX!!!

    1. Re:THANX BUT NO THANX!!! by Anonymous Coward · · Score: 0

      What cell provider isn't a private company?

  12. Relevant to today by UnknowingFool · · Score: 1

    A company spokesman elaborated on their promises by affirming the company would “Never gonna give you up. Never gonna let you down. Never gonna run around and desert you.”

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  13. Re:TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    Would you mind explaining exactly how this isn't a VPN? How is it not private?

  14. If it makes his connections faster... by Anonymous Coward · · Score: 0

    ...then why lie to him and tell him it makes them more private?

  15. VPN Not Secure by Anonymous Coward · · Score: 1

    A guy who, by his own admission, woke up one morning and decided he didn't like what some people were saying on the Internet and decided to use his company to wipe them off the Web now wants us to trust his company with our privacy. Are you fucking kidding me you utter moron?

  16. QUIC is a bit of a nightmare by PhrostyMcByte · · Score: 4, Interesting

    All the finely-tuned network stacks out there are basically being thrown out the window... congestion management, buffering/resend, parsing, etc. are all being re-written into the QUIC protocol. The spec is so large that they had split it up into several smaller specs -- to start, things are going to be buggy, incompatible, and perform poorly. QUIC makes me nervous.

    And Google's QUIC, which was very HTTP focused, is almost unrecognizable now that it's gone through IETF, where it was split into the two protocols HTTP/3, and the generic multi-stream transport QUIC.

    1. Re:QUIC is a bit of a nightmare by Anonymous Coward · · Score: 0

      Whaddyamean, IPv6 rollout was smooth.. oh wait.

    2. Re:QUIC is a bit of a nightmare by Anonymous Coward · · Score: 0

      Reminds me slightly of systemd!

    3. Re:QUIC is a bit of a nightmare by grep+-v+'.*'+* · · Score: 1

      > All the finely-tuned network stacks out there are basically being thrown out the window... congestion management, buffering/resend, parsing, etc. are all being re-written

      > And Google's QUIC, which was very HTTP focused, is almost unrecognizable [and] split into the two protocols HTTP/3, and the generic multi-stream transport QUIC.

      So in other words: InternetD for ALL!

      Just like movies, why do something new when we can re-invent the wheel doing the same thing but with newer actors that don't know what they're doing?

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  17. Switching DNS Servers? Watch browser certs! by Anonymous Coward · · Score: 0

    I used a free DNS server for a while until I got a lot of certificate errors in the browser,
    indicating that they were trying to intercept my HTTPS traffic. Dropped them in about
    30 seconds. Something to watch out for.

    Plus don't forget even if all your browsing is HTTPS, and they don't try to
    intercept it, DNS providers will have a record of all the dns (a.b.c.com) addresses
    you visit.

  18. Arrg... And I'll bet 10 bucks... by Anonymous Coward · · Score: 0

    they're ignoring the source ip/port information in every packet so they're
    going to have the same nightmare through firewalls that VOIP has.
    Wonderful.

  19. Re: TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    Duh. Cloudflare logs every site you access via name lookup.

    Privacy, much?

  20. And none of the links work by goombah99 · · Score: 1

    Already Google's accelerated server pages don't work on all browsers. Even sites like Reddit are using this. The other day a Reddit site would not work on Safari for me. Needed to install Chrome.

    Hyperlinks that only work when you are logged into Facebook and have Facebook user permissions to view the page are becoming the norm.

    The world wide web is getting stove piped into cable companies. Not a web anymore.

    Now we get a transport protocol that requires specialized drivers or browsers to use.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:And none of the links work by Highdude702 · · Score: 1

      AMP pages suck, but you don't have to use them.

  21. Other things Matthew Prince promises... by neo-mkrey · · Score: 0

    never to cum in your mouth.

  22. Weaponizing congestion control by WaffleMonster · · Score: 1

    > The technology that Cloudflare is betting will make Warp fast is a protocol invented by Google called QUIC, and it could one day make the rest of the internet faster and more reliable.

    Most operators I know are blocking QUIC because it's way too aggressive.

    When a single QUIC session intentionally consumes twice the bandwidth of the sum total of 20 TCP sessions over a bandwidth constrained link, Houston, we have a problem. Not a small problem but a massive unsustainable one.

    1. Re:Weaponizing congestion control by Anonymous Coward · · Score: 0

      Congestion is the fault of the network operator. There are literally no excuses. They don't need to build or buy more bandwidth than their customers actually use, so overcommitting their network is acceptable, but only up to the point where there is congestion on a regular basis. Then they need to provide more bandwidth. If they don't, then their customers are not getting what they paid for.

    2. Re:Weaponizing congestion control by WaffleMonster · · Score: 1

      > Congestion is the fault of the network operator. There are literally no excuses. They don't need to build or buy more bandwidth than their customers actually use, so overcommitting their network is acceptable, but only up to the point where there is congestion on a regular basis. Then they need to provide more bandwidth. If they don't, then their customers are not getting what they paid for.

      When I say "congestion" it's not necessarily a bad thing like being stuck in rush hour traffic type of congestion. What I'm talking about is universal. Congestion is applicable globally in every network regardless of whether you believe anyone is at fault for the characteristics of the network.

      Nowhere is bandwidth infinite and so over any given route between peers one path will act to constrain rate of information able to be transmitted between peers. Even under the best possible outcome where I buy 20mbit/s service and my ability to send and receive information is limited to the 20mbit/s I paid for, congestion control plays a critical role.

      Congestion machinery in stream transports is the mechanism which infers the available capacity of the channel in order to optimally utilize capacity. Too little data results in unused capacity. Too much results in reduced capacity due to congestion.

      If over my 20mbit pipe I have 20 users. 19 using TCP and one using QUIC assume all downloading at once and assumed 20 mbit link is exclusive constraint on performance.

      In this case the single QUIC user's download rate is ~13.5mbit/s and each of the remaining 19 users is ~0.35mbit/sec.

      Same scenario except the operator wisely elects to block QUIC. Each of the 20 users consume 1mbit/sec.

      QUIC is a significant threat to operators. The best solution is simply to block it.

    3. Re:Weaponizing congestion control by Anonymous Coward · · Score: 0

      If you want fairness on your network, you're better off managing that with QoS than relying on the "aggressiveness" or lack thereof of protocols. Someone who wants to use a bigger share of the bandwidth can just use multiple TCP streams. This is also a standard workaround for TCP's tendency to not fully utilize high latency high bandwidth links, which is one of the reasons why QUIC is more aggressive. With QoS you can define the granularity of the "flows", whether you treat logical connections separately or count all connections belonging to a device as one, and neither QUIC nor multiple TCP streams can escape that aggregate accounting.

      But neither blocking QUIC nor QoS is an acceptable method for working around congestion, and by congestion I mean that someone paid for X Mbps bandwidth and can only transmit or receive less than X Mbps.
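The aggregate-accounting point in the comment above, as an added example that is not part of the thread: max-min fair sharing of a 20 Mbit/s link, computed once per connection and once per device. The device names, stream counts and the 0.2 Mbit/s light user are constructed, and the model treats every greedy flow alike rather than simulating any protocol's congestion control.

```python
from collections import defaultdict

LINK_MBPS = 20.0  # the 20 Mbit/s link used in the thread


def max_min_fair(capacity, demands):
    """Water-filling: split capacity evenly and hand back what light users don't need."""
    alloc = {key: 0.0 for key in demands}
    active = set(demands)
    remaining = capacity
    while active and remaining > 1e-9:
        share = remaining / len(active)
        done = {k for k in active if demands[k] - alloc[k] <= share}
        if not done:
            # Everyone left wants more than an equal share: split what remains.
            for k in active:
                alloc[k] += share
            break
        for k in done:
            remaining -= demands[k] - alloc[k]
            alloc[k] = demands[k]
        active -= done
    return alloc


def per_flow(capacity, flows):
    """QoS granularity = one queue per connection; returns Mbit/s per device."""
    rates = max_min_fair(capacity, {(dev, fid): want for dev, fid, want in flows})
    totals = defaultdict(float)
    for (dev, _fid), rate in rates.items():
        totals[dev] += rate
    return dict(totals)


def per_device(capacity, flows):
    """QoS granularity = one queue per device, however many streams it opens."""
    wants = defaultdict(float)
    for dev, _fid, want in flows:
        wants[dev] += want
    return max_min_fair(capacity, dict(wants))


def sample_flows():
    """Constructed load: u0 opens 8 greedy streams, u1..u18 one each, u19 needs 0.2."""
    flows = [("u0", i, LINK_MBPS) for i in range(8)]
    flows += [(f"u{n}", 0, LINK_MBPS) for n in range(1, 19)]
    flows.append(("u19", 0, 0.2))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for label, fn in (("per-flow", per_flow), ("per-device", per_device)):
        rates = fn(LINK_MBPS, flows)
        print(f"{label:10s} u0={rates['u0']:.2f} u1={rates['u1']:.2f} u19={rates['u19']:.2f}")
```

With per-connection queues the device that opens eight streams takes eight shares; with per-device queues it gets the same rate as every other busy device, and the light user's unused share is redistributed.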

  23. Re: TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    Their VPN service is encrypted.

    So again, how is this not private?

  24. Re: TL;DR: This is not a secure VPN by omnichad · · Score: 1

    If you consider private to mean between you and the site you wanted to reach, then no. It's not private. If you want to welcome Cloudflare to have access to this data, you can have that - but you can't call it private.

  25. Re: TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    You're going to have to do better than that. How is it not private? The VPN connection is encrypted. All Cloudflare would be able to see is that you connected to their VPN, but nothing beyond that.

    Do you have proof to show otherwise? It sounds more to me like your opinion is hatred fueled rather than fact fueled.

  26. On the other hand, it's full of experience by Cyberax · · Score: 1

    On the other hand, QUIC was carefully designed with all the past experience of network protocol failures. So it tries very hard to avoid even the possibility of ossification.

    TCP is bad because it's basically set in stone. It's not possible to change a single bit in the TCP/IP spec without breaking untold millions of badly designed middleboxes.

  27. Has China already blocked it? by Nocturrne · · Score: 1

    Anyone tested this on the dark side of the planet yet?

  28. Hosts do a BETTER JOB locally... apk by Anonymous Coward · · Score: 0

    See subject: Via APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER/NATIVELY 4 less!!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & complexity leads to exploit!

    * 1 of a kind in GUI 4 Linux/BSD!

    BEST PART: U CONTROL IT! Want to do a job RIGHT? Do it urself.

    APK

    P.S.=> Protects vs. scripts/trackers (kernelmode faster vs. usermode slower NoScript vs. 3rd party script)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware download/malcript/email malpayload

  29. MacOS version now available, too... apk by Anonymous Coward · · Score: 0

    See subject: APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

    * ONLY 1 of its kind in GUI 4 MacOS!

    STOPS JEWGLE & all other kike advertisers!

    APK

    P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

  32. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    Actually, you're encrypted from your network to the VPN server. Owned by CloudFlare. Then it decrypts and exits kind of like ToR which is why the US government runs tons of exit nodes. You do know how a VPN and tunneling works right?

  33. Assignment URTH... apk by Anonymous Coward · · Score: 0

    "In response to nuclear warhead placed in sub-orbit United States today launching SUB-ORBITAL platform https://tech.slashdot.org/comm... w/ MULTI-WARHEAD capacity: Purpose - To maintain balance of power"....

    * StarTrek TOS "Assignment URTH"...

    APK

    P.S.=> I'll be honest w/ you all & tell you I've had the BEST April 1 I've ever had today - wish you ALL the same, even trolls... apk

  34. Re: TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    Wrong, it's end to end encrypted. Cloudflare would obviously know when you connect to their network but they don't have access to anything you transmit or receive over that network.

    "Warp respects end-to-end encryption and doesn’t require you to install a root certificate or give Cloudflare any way to see any encrypted Internet traffic. It will also add encryption from your device to the edge of Cloudflare's network for traffic that is not fully encrypted."

    Go read a book on networking, because you have no clue what you are talking about, junior.

  35. This must be a goddamn joke! by Anonymous Coward · · Score: 0

    Everyone who's read https://notabug.org/themusicgo... knows this!

  36. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    > It will also add encryption from your device to the edge of Cloudflare's network for traffic that is not fully encrypted.

    It is literally talking about https and non https web shit. Anything else done and all of your DNS queries can be recorded. You are not reading through the legalese. You must not understand how the data transfer works, and are their prime target. GLHF. Just don't tell others they're wrong.

  37. Re: TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 0

    HTTPS is an encrypting protocol and I don't know why you pretend that it's not.

    You handwave information that contradicts you.

    You move goalposts from "Cloudflare can see everything you do" to "Cloudflare can see where you connect".

    You still haven't provided a single shred of proof to back up your ridiculous, emotionally-driven claims.

    I'll accept your post as tacit admission that you don't know what you are talking about.

  38. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    I never claimed they could see everything you do. I was simply stating you were wrong about it being private and then went on to show the flaws in your theory.

  39. Who wouldn't use ex. CIA honeypot VPN? by Anonymous Coward · · Score: 0

    With Cloudflare's past as a CIA honeypot, who the hell wouldn't want to use their VPN? Thank you for the offer, but I will stay with the European alternatives.