Slashdot Mirror


Cloudflare Says Its New VPN Service Won't Slow You Down (wired.com)

Cloudflare has announced that it's adding a VPN service to its 1.1.1.1 DNS resolver app. The 1.1.1.1 service, which first came to mobile back in November, currently attempts to speed up mobile data speeds by using Cloudflare's network to resolve DNS queries faster than your existing mobile network. From a report: "We wanted to build a VPN service that my dad would install on his phone," says Cloudflare CEO Matthew Prince. "If you tell him that it will make his connection more private and secure, he'd never do it. But if you tell him it will make his connection faster, make his phone's battery last longer, and make his connections more private, then it would be something he'd install."

Mobile phone users can begin signing up for the service, dubbed Warp, through Cloudflare's mobile app 1.1.1.1 on Monday; Cloudflare says it hopes the service is working Monday, but it might take a few days. Regardless, Warp is a sign of things to come for the rest of the internet. The technology that Cloudflare is betting will make Warp fast is a protocol invented by Google called QUIC, and it could one day make the rest of the internet faster and more reliable. QUIC is essentially a substitute for TCP, the venerable protocol now used for most internet connections. TCP, introduced in 1981, made reliable internet connections possible, says Jana Iyengar, who worked on QUIC for Google; Iyengar is now a distinguished engineer at the cloud computing company Fastly working to help finalize QUIC with the Internet Engineering Task Force standards body.

29 of 73 comments

  1. TL;DR: This is not a secure VPN by Anonymous Coward · · Score: 1

    > "If you tell him that it will make his connection more private and secure, he'd never do it. But if you tell him it will make his connection faster"

    So they see no value in security or privacy. Also, they are one of the Silicon Valley pro-censorship stalwarts.

    This is a VN, with no P.

    No thanks.

  2. Google not Googling by Anonymous Coward · · Score: 4, Interesting

    NordVPN for the win (which uses OpenVPN and can be used completely without the NordVPN apps)....

    But you have to get the adblocking version on Nord's website. Google, in their infinite wisdom, doesn't allow adblocking apps to be hosted on their app store.

    If Google is behind anything, you can bet it will have a way to serve you ads no matter what else it does. And that is a security risk. They will always choose profits over customer safety.

    1. Re:Google not Googling by ron_ivi · · Score: 3, Interesting

      NordVPN has a rather close partnership (shared office space, shared executives) with a major data mining company (Tesonet) that brags about how much data it mines.

      People from both companies have given explanations/excuses in the past - but it's still rather suspicious to me.

  3. Don't trust the great cloudwall with your DNS by themusicgod1 · · Score: 5, Insightful
    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  4. "more private and secure" by DogDude · · Score: 4, Insightful

    "more private and secure" by running all of your traffic through Cloudflare!

    I just shot water out of my nose. Funniest thing I read all day.

    --
    I don't respond to AC's.
    1. Re:"more private and secure" by PhrostyMcByte · · Score: 4, Insightful

      The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T. That's a little harder to answer.

    2. Re:"more private and secure" by DogDude · · Score: 1

      Good point. While AT&T probably owns 50% (with Spectrum/Time-Warner owning roughly the other half) of the Internet in the US, I think that Cloudflare probably has traffic running from 75-95% of it.

      --
      I don't respond to AC's.
    3. Re: "more private and secure" by buchanmilne · · Score: 1

      "The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T."

      Why are those your only options? Because you don't want to set up a recursive caching DNS service (or use some network appliance that does this for you)?

      In my case, it's a choice between trusting an American company subject to American laws/secret letters etc. vs. my local telco/ISP (we have virtual ISPs that are effectively VPNs over the incumbent's DSL+GPON network, plus various open access fibre networks, plus some full-stack close fibre networks, I'm currently on DSL), owned locally, subject only to local laws, that keeps all meta-data in-country on hardware they own and control access to, vs. my local bind caching DNS server (yes, I should probably switch to unbound, but DNS isn't a performance problem atm) with DNSSEC validation enforced. Obviously I choose the last one, but the 2nd one (trust my ISP) is much better than the first (Cloudflare).

    4. Re:"more private and secure" by thegarbz · · Score: 1

      Your traffic is running through Cloudflare anyway. It may as well do so in a way that your ISP doesn't also see it.

  5. Re:1990s vs today by Luthair · · Score: 1

    resilient against attack? Were you even alive in the 90s? The internet then had all of the problems of today and many more that we've had to hack fixes for.

  6. "battery last longer"? by scorp1us · · Score: 2

    I run a VPN on my phone already and I notice that there is substantially more battery usage with it than without. It makes sense: You're taking all that data and encrypting it. I don't know how you could encrypt the data and use LESS battery?

    Anyone have an idea?

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:"battery last longer"? by dargaud · · Score: 1

      I don't root my phone, so I can't use a hosts file. But I found an app that is just as good: it replaces your DNS with any you want, and you can give it a DNS that filters out known ad, spyware and other malwares (there are several). It works great and filters out this crap not only from the browser (which I was already doing with Firefox with the usual Adblock), but also from apps.

      --
      Non-Linux Penguins ?
    2. Re:"battery last longer"? by jeffasselin · · Score: 1

      Using a dedicated chip would help. Manufacturers have in fact included dedicated units in their CPUs for operations like AES encryption, but I’m not sure mobile chips include those.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  7. Relevant to today by UnknowingFool · · Score: 1

    A company spokesman elaborated on their promises by affirming the company would “Never gonna give you up. Never gonna let you down. Never gonna run around and desert you.”

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  8. Re:Developed by Google by Joce640k · · Score: 1

    April fool!

    --
    No sig today...
  9. VPN Not Secure by Anonymous Coward · · Score: 1

    A guy who, by his own admission, woke up one morning and decided he didn't like what some people were saying on the Internet and decided to use his company to wipe them off the Web now wants us to trust his company with our privacy. Are you fucking kidding me you utter moron?

  10. QUIC is a bit of a nightmare by PhrostyMcByte · · Score: 4, Interesting

    All the finely-tuned network stacks out there are basically being thrown out the window... congestion management, buffering/resend, parsing, etc. are all being re-written into the QUIC protocol. The spec is so large that they had split it up into several smaller specs -- to start, things are going to be buggy, incompatible, and perform poorly. QUIC makes me nervous.

    And Google's QUIC, which was very HTTP focused, is almost unrecognizable now that it's gone through IETF, where it was split into the two protocols HTTP/3, and the generic multi-stream transport QUIC.

    1. Re:QUIC is a bit of a nightmare by grep+-v+'.*'+* · · Score: 1

      > All the finely-tuned network stacks out there are basically being thrown out the window... congestion management, buffering/resend, parsing, etc. are all being re-written

      > And Google's QUIC, which was very HTTP focused, is almost unrecognizable [and] split into the two protocols HTTP/3, and the generic multi-stream transport QUIC.

      So in other words: InternetD for ALL!

      Just like movies, why do something new when we can re-invent the wheel doing the same thing but with newer actors that don't know what they're doing?

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  11. Re:1990s vs today by darkain · · Score: 1

    Hey, remember that time Level-3 and Cogent had disputes and split their links, effectively making two internets!? Yeah! That was GREAT!

  12. And none of the links work by goombah99 · · Score: 1

    Already Google's accelerated server pages don't work on all browsers. Even sites like Reddit are using this. The other day a Reddit site would not work on Safari for me. Needed to install Chrome.

    Hyperlinks that only work when you are logged into Facebook and have Facebook user permissions to view the page are becoming the norm.

    The World Wide Web is getting stove piped into cable companies. Not a web anymore.

    Now we get a transport protocol that requires specialized drivers or browsers to use.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:And none of the links work by Highdude702 · · Score: 1

      AMP pages suck, but you don't have to use them.

  13. Weaponizing congestion control by WaffleMonster · · Score: 1

    > The technology that Cloudflare is betting will make Warp fast is a protocol invented by Google called QUIC, and it could one day make the rest of the internet faster and more reliable.

    Most operators I know are blocking QUIC because it's way too aggressive.

    When a single QUIC session intentionally consumes twice the bandwidth of the sum total of 20 TCP sessions over a bandwidth constrained link, Houston, we have a problem. Not a small problem but a massive unsustainable one.

    1. Re:Weaponizing congestion control by WaffleMonster · · Score: 1

      Congestion is the fault of the network operator. There are literally no excuses. They don't need to build or buy more bandwidth than their customers actually use, so overcommitting their network is acceptable, but only up to the point where there is congestion on a regular basis. Then they need to provide more bandwidth. If they don't, then their customers are not getting what they paid for.

      When I say "congestion" it's not necessarily a bad thing like being stuck in rush hour traffic type of congestion. What I'm talking about is universal. Congestion is applicable globally in every network regardless of whether you believe anyone is at fault for the characteristics of the network.

      Nowhere is bandwidth infinite and so over any given route between peers one path will act to constrain rate of information able to be transmitted between peers. Even under the best possible outcome where I buy 20mbit/s service and my ability to send and receive information is limited to 20mbit/s I paid for, congestion control plays a critical role.

      Congestion machinery in stream transports is the mechanism which infers the available capacity of the channel in order to optimally utilize capacity. Too little data results in unused capacity. Too much results in reduced capacity due to congestion.

      If over my 20mbit pipe I have 20 users, 19 using TCP and one using QUIC, assume all downloading at once and assume the 20 mbit link is the exclusive constraint on performance.

      In this case the single QUIC user's download rate is ~13.5mbit/s and each of the remaining 19 users is ~0.35mbit/sec.

      Same scenario except the operator wisely elects to block QUIC. Each of the 20 users consumes 1mbit/sec.

      QUIC is a significant threat to operators. The best solution is simply to block it.

  14. Re: TL;DR: This is not a secure VPN by omnichad · · Score: 1

    If you consider private to mean between you and the site you wanted to reach, then no. It's not private. If you want to welcome Cloudflare to have access to this data, you can have that - but you can't call it private.

  15. On the other hand, it's full of experience by Cyberax · · Score: 1

    On the other hand, QUIC was carefully designed with all the past experience of network protocol failures. So it tries very hard to avoid even the possibility of ossification.

    TCP is bad because it's basically set in stone. It's not possible to change a single bit in the TCP/IP spec without breaking untold millions of badly designed middleboxes.

  16. Has China already blocked it? by Nocturrne · · Score: 1

    Anyone tested this on the dark side of the planet yet?

  17. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    Actually, you're encrypted from your network to the VPN server. Owned by Cloudflare. Then it decrypts and exits kind of like Tor which is why the US government runs tons of exit nodes. You do know how a VPN and tunneling works right?

  18. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    It will also add encryption from your device to the edge of Cloudflare's network for traffic that is not fully encrypted.

    It is literally talking about https and non https web shit. Anything else done and all of your DNS queries can be recorded. You are not reading through the legalese. You must not understand how the data transfer works, and are their prime target. GLHF. Just don't tell others they're wrong.

  19. Re: TL;DR: This is not a secure VPN by Highdude702 · · Score: 1

    I never claimed they could see everything you do. I was simply stating you were wrong about it being private and then went on to show the flaws in your theory.