How does that work with wireguard though? The Neuomob thing was pitched at us as some black box “magic” you integrate into your own app which we turned down since the library source isn’t available. Is it running on the mobile VPN app or is it running between the VPN server and whatever the exit POP is?
That makes sense — I had seen it on my phone under that name and was then surprised when I pulled the link up to share it, although since I'm at 160,606 on the wait-list that hurry was probably unnecessary ;-)
Is there significant differences from stock wireguard? Can I benefit from your work on my own server?
Also I wonder how do you work with censors? For example Russia censors internet and requires that all VPN services cooperate and censor internet for Russian customers as well (probably they will ban services that won't comply). Will you cooperate or will you accept that Russian users won't be able to reach your service? I guess, that some other countries use or will use similar techniques. For example I'm from Kazakhstan, there are many banned websites and they seem to ban popular VPN and proxy services as well (I'm using my own server with OpenVPN, but obviously I'm just a small fish to bother).
The benefits to Cloudflare is they will have more entry/exit nodes on their network(s). While running your own will go through your own server in/out and even then when travelling may only add more latency. Many on here are and have been doing just that all the same.
Can the service be used with another Wireguard client (hopefully bundled into Linux distros in the future) without installing Cloudflare’s client software?
It it just me or does it sound wrong to call wireguard, the kernel module, third party software in this context? That's literally the reference implementation.
It is wrong. Warp is the third-party implementation.
It would be amazing if it could be made to work from standard wireguard, but I suppose there's a chance that if desktop versions arrive, you'll be able to extract the keys.
The only thing stopping that would be if Cloudflare broke the protocol.
We can argue about the terminology but from the perspective of the company other WireGuard clients (including the official ones) are 'third-party' in the sense that we don't control them. That makes supporting users of those clients more expensive for us (e.g. we currently have a mobile app for Warp, someone calls our support asking for help with a Linux client...)
Not supporting a configuration is much different than actively prohibiting it.
It's okay to just say, "Hey, we are running a free VPN. We're making some privacy guarantees and are trying to log as little as possible. That exposes us to being abused, which means that we have to put some limits in-place on the client."
I know this is the last thing you are worried about right now, but could you at some point look into tasker integration. Its really easy to provide a tasker interface. I would love to be able to control when 1.1.1.1 connected.
Could you elaborate why? Is it because you may not be able to field support requests and complaints from users who may have clients with issues or may have misconfigured it? Or are there other reasons too?
Would you ever make the code of the 1.1.1.1 app with Warp open source?
Exactly that: there would be a large support cost to making it work and so we'd need to think carefully about it. It's not a technical issue at all.
On the open source thing: maybe? It's hard to say. In general, we like to open source libraries and stand alone applications. And we think pretty carefully about the cost of supporting an open source community as well. Which is, I think, a thing people overlook.
Asked differently, do you plan on explicitly disallowing/banning it if people unofficially ran the reference implementation against Warp?
It would be nice to know the policy there. For those of us that do know what a VPN is, and are okay not having access to support, getting things to work without a desktop app would be nice.
I think my answer was pretty clear. We do not currently plan to allow stock WireGuard clients to use Warp. I say, currently, because things can always change.
It's important to appreciate that we have literally millions of users for the 1.1.1.1 App and we are rolling out a free VPN for them. That is a huge support and network burden that we have to deal with to make that experience work well. Yes, we use WireGuard under the hood (and have open sourced our Rust code), but the additional cost of supporting people connecting from their WireGuard clients means that we don't want to support that _today_. Please bear with us while we get through a massive roll out.
We're really happy to work with the WireGuard. We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update our code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in open source and want the WireGuard community to thrive. We licensed the code very openly (3-clause BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, we're very open to merging this back into the upstream project.
From what I understand, Jason was willing to make your guys head of a sub-project. I'm failing to see how this would hinder your development, considering you've probably got your own build and deployment systems anyway. The way you've done it feels like a 'chuck the code over the fence' style of interaction, which again - I can't see any rationale, from a project perspective (imho)
I don't think anyone on Linux setting up and tweaking WireGuard to integrate with CloudFlare's free network expects to be able to call up support and be like "hey, I need help debugging my custom client." :-) As far as network burden, you're just concerned that we'll be using too much traffic?
Thank you for clarifying. There is a big difference between supporting something, and stopping it from happening.
It's Cloudflare's service, and of course entirely Cloudflare's decision how it is permitted used. I just hope that, in the future, it will be allowed (but not necessarily *supported) to use stock clients rather than desktop apps (which many of us Linux people would dislike). :)
Are there any linux phones? I thought everybody was either on OS or some flavor of Android (....plus some WindowsPhone holdouts, I suppose). Android is vaguely based on the linux kernal, but nobody would really count that.
Well, there's at least two coming out this year. I can understand them wanting to handle the 99% of use cases first, but as I understand it they won't allow normal Wiregaurd clients to connect which is sad but entirely their call.
Is there any notable potential for people to use this for abuse? You guys tend to put up captchas for inbound Tor traffic, I assume for similar reasons.
Tor is different. We don't put up CAPTCHAs by default for Tor. We totally changed how we handle Tor years ago. But, because Tor provides anonymity, there is _a lot_ of abuse through it. A lot.
Tone note: I'm posting technically, not value-judging.
I would say "anonymity" is a fairly strong term for what's being offered here. It's going to hide your source IP, and if you don't mind CF seeing your unencrypted content (and the fact it's unencrypted kinda means that from a technical perspective, you already don't care), it may improve the amount of the connection to unencrypted content that is encrypted (and thereby block the "coffee shop" attack fairly well), but that's all. They're not going to actively strip the bajillions of other active tracking techniques being used nowadays. Your phone will still track location. Facebook will still track you on your phone every bit as much as they did before. etc.
This is part of a complicated set of measures you may be able to take to attain anonymity, but not even remotely the full package.
Again, this is a technical posting to ensure that people understand what this is and is not. This is not a criticism of the service for not being something it isn't or anything like that.
Less technically and more value-judgy (though still not much), note the title: "Introducing Warp: Fixing Mobile Internet Performance and Security" Performance was highlighted first, security second. This seems to me to be a reasonable and accurate reflection of the nature of the service.
Note that the blog post does not say "anonymity" or any similar word. We aren't trying to hide you completely from everyone (use Tor for that). We are securing and accelerating the connection between your device and Cloudflare. This is meant to deal with the reliability, performance and security challenges of using mobile Internet around the world. And we have strong privacy guarantees.
Yes, I got that. But, because CF offerings are very popular, you're going to end up with a lot of people coming from a relatively small number of IP addresses, right?
It's worth thinking about...we had this situation before with AOL. That is, a pretty large number of people in diverse geographic areas, all coming from a small number of IP addresses.
People do use that "relative" anonymity for lots of things, not all of them good. Also, it may create some issues for things like geolocation, regional content restrictions, credit card fraud detection, SMTP blacklisting, rate limiting, and so forth. Because your offering is free, and CF is well known, I'm guessing it will grow fast. Not suggesting anything change about it, just that it may create something that site owners need to react to.
I wonder how well this works when using using wifi on and accessing a corporate intranet. I discovered https://myhrportal didn't work when I pinned my DNS to 8.8.8.8.
I didn't think it would work. From my own experiences...
One day when away from the office, I pinned my wifi DNS settings to 8.8.8.8 just to try it out & compare it to the DNS I normally use at home, but then I forgot to undo it. When I got back to the office, the office Intranet was unsurprisingly inaccessible, and I removed the pinned DNS settings. I knew how to solve the problem, but less savvy folks trying out the Cloudflare product might not, which could create some confusion for IT helpdesks.
Cloudflare is concerned with the user experience of people who don't know what a VPN is, and that's why I mentioned it. Normally I would have just tried it & reported the edge case I it exists, but the app isn't usable yet, so I posed the question instead. Judging by the downvotes, I should have mentioned that in my comment above :)
Last time I used 1.1.1.1 DNS I sometimes had problems when visiting bbc.co.uk. It seemed to be trying to look up the domain on cloudflare's service for some reason. Was I the only one to have this problem? Would it be fixed now?
Not ideal for performance too, sites/APIs with regional endpoints could then be slower. Understand the privacy impact, could CloudFlare client “anonymize” edns subnet by region-ing the request based on large cloud regions? (rather than actual client subnet)
Site should load just fine without eDNS -- even "geo-specific" ones. They will just route you as if you came from your local Cloudflare PoP rather than your home IP; usually not a big difference since Cloudflare is in so many locations.
I'm not having any trouble with bbc.co.uk on 1.1.1.1, maybe it was a temporary hiccup.
(Disclosure: I work for Cloudflare but not on this product.)
Ouch. Do you know which PoP (point of presence) you're hitting? To find out, Look at the last three letters in the CF-Ray header on any response from a Cloudflare site, e.g.
curl -v cloudflare.com 2>&1 | grep -i CF-Ray
The letters should correspond to an airport code nearby the CF server you landed on. Let me know what it says.
OK, so it seems like Cloudflare in general is not serving your ISP very well for some reason. :( Hopefully our network team will be able to look into it.
It was intermittent. Sometimes it worked, sometimes it didn't. The error message given suggested it was trying and failing to find a cloudflare hosted site (which to my knowledge the BBC isn't). Unfortunately I can't remember exactly what the error said.
I'll try it again for awhile and see if I have any issues now.
Cloudflare already has an app on mobile devices - but so far it only served your DNS queries. Now the app behaves as a VPN for all your mobile traffic - all data is routed within Cloudflare's network from the moment it leaves your device, which is faster than going through the public internet.
I think it is important to notice that the traffic is first routed to Cloudflare over the public internet, so technically it is not the moment it leaves your device when it starts to get routed inside CloudFlares network and the public internet again soon after in most cases. Being faster crucially relies on having nearby access to their network from your device and from their network to the destination. Otherwise you ultimately just add some additional hops in between, making it likely to be slower in terms of latency instead. I also would not expect much of a difference performance wise if you access services already using CloudFlare as the endpoints network is likely the same there. However, this is only relevant for your argument of it supposedly being faster. Of course the packets leaving your device are encapsulated and unreadable to third party observers. After being decapsulated its not about routing your VPN traffic anymore but the packets inside which is probably what you were referring to on its own.
Yes! We're working on desktop clients as well but they'll be available a bit later than the mobile launches, as the most performance benefit is available when you're on a cell network.
I've downloaded 1.1.1.1 fresh from Google Play just now, but I don't see any "get in line" option. Buried somewhere, or Google still staggering out the latest version of the app?
I did the same and it was at the top of the screen with the big button to enable DNS. It was not labeled "Warp" or "VPN" (in keeping with the "A VPN for People Who Don’t Know What V.P.N. Stands For" theme I suppose).
TLDR Cloudflare released a privacy focused DNS resolver at 1.1.1.1, then an app for iOS and Android that set up VPN profiles to use those DNS revolvers.
Now the apps will be upgraded with Warp, an option to set up a full data VPN over WireGuard, terminating at any worldwide PoP.
This should give you super low latency to your VPN server, and also open up the possibility of local caching smarts on the device.
Basic service is free, premium service coming that’ll put you on the CF backbone for all your traffic, should take you off the public internet and speed things up.
I currently use DNS66 for ad blocking on android without root. Is there a way to do something similar while using this app?
Alternatively, I have a Xperia XA1 running a June 5, 2017 security patch. It's been my intent for a long time now to figure out how to get root without unlocking the boot loader the sony approved way (which makes the camera less functional). Anyone have any pointers on easy to exploit privilege escalations that should exist on my phone?
Could also approach from usb/wifi/bluetooth/etc instead of local userspace.
The problem specifically is that unlocking the bootloader the official way deletes drm keys stored in a "TA" partition, and that makes the camera less functional. It would be sufficient to find a vulnerability that let me back up the DRM keys - but that seems unlikely without gaining root access and I'd have more confidence that I backed up the right thing with root access.
Despite criticisms, I've been using the Brave browser on Android, which is pretty much Chrome with integrated AdBlock plus. Though there is some level of irksome override with some advertisers, it's been about the best overall experience for me. May actually switch my desktop browser at home when I build my new computer.
For browser I already use firefox, so I could easily add ublock origin (or, I suppose, adblock plus). Having a DNS level adblocker is just a nice to have for anything not browser based that decides ads are a good idea.
In all honesty it's pretty rare that I use anything not browser based that might have ads, but on principle I'd like to keep it around.
Are you Android 9 or later? If so, set up private DNS to dns.adguard.com [0]
Otherwise, you are out of luck. You cannot run the 1.1.1.1 app and run another VPN app like blockada, netguard, no-root-firewall side by side on Android (at least not supported till the latest release, Android 10).
I'd imagine they'd test the performance with say 100 users, then another 900 to make it a round 1000, then if they see the 1000 users only use 1% CPU, they could just go up to 10000 to see if it uses 10% CPU or just 5%...
And after they figure out how many servers/how much bandwidth they need, they could just bring in e.g. 100K users online at once.
They also probably want to roll out in batches to reduce the impact of bugs, not just to measure resource usage. But absolutely agree that once they get comfortable bringing in 100k at once is perfectly possible.
Sorry about that, there's an issue we're currently dealing with which hits people who had a specific version of the old 1.1.1.1 app and just updated. It should be fixed shortly.
Update: It got sorted out for me and I got my waitlist number after trying again. Now the top banner just shows me my waitlist number.
Happened to me as well, and that’s why I came looking for the canonical post on this topic to see what’s happening. I switched networks and tried, but got no waitlist number. There’s just a message saying I’m on the waitlist and the button to join the waitlist is still visible and enabled.
Now that I see people from Cloudflare have responded, I’ll just wait and see.
> 1. We don't write user-identifiable log data to disk;
That's great... but you do log user-identifiable info? How I read that is "we log things that can identify you but just keep it in memory for X amount of time".
Myself and other privacy-minded folks would like to know more details there, especially as this is a freemium service.
True. But that doesn't preclude you from offering the same amount of privacy. I suppose they want to catch abusers or find some other way of monetizing it, but that has nothing to do with the demographic they're chasing.
The short answer is we really don't want to have data. We store bits of it for aggregate analysis and debugging, but the goal is to not be able to map traffic to individual people as quickly as possible.
Cloudflare, are there plans for ad blocking? Currently using AdGuard DNS and it works well. Router-level ad-blocking would be an attractive premium option.
Same concern here. I use the open source dns66 app with cloudflare dns so I get the best of ad blocking/content filtering and fast connections. I love the idea of improving my privacy and theoretically performance for the connections I want to make, but not at the expense of that functionality.
That is not something which has factored into the conversation on our (Cloudflare's) end. The bigger issue is even as we make technical improvements, we very much don't want to create a separate Internet. The minute we begin adding, removing, or changing content when it comes through Warp those questions begin to be asked.
You also don't want to be in the business of determining which ads are "good" and which are "bad" and being tastemakers in any way, so probably a smart choice to stay out of the ad game.
A good add on though might be a way for people to run their own service on a Cloudflare worker that gets hit with each request to 1^4, which would allow them to run their own ad blocker.
I think he's asking because you can't easily combine DNS services. If you're using a service to block ads via dns then you aren't using 1.1.1.1. If you want to use 1.1.1.1 then you need to either host your own forwarding dns server or forego ad blocking.
There's a lot of dissing of competition (they drain your battery, "all suck", slow down your internet) without a single datapoint.
Personally I find the performance of PIA fine. I just ran a test through fast.com and got 42 mbps on 4g through PIA mobile VPN in NYC. (Weirdly, when I turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit higher than direct, but not enough for me to agree with their blanket statement that all VPNs suck.
Anything that uses the Android built in IPsec VPN is going to be fine unless the app really goes out of it's way to be crappy. This uses Wireguard in userspace so is likely actually a battery drain. Less than OpenVPN at least.
While it might use more power I've been using Wireguard on my phone for 6 months or so now and the performance is way better than IPSec, especially on spotty connections such a mobile!
I wonder how the increase in performance might offset the difference in battery drain between both protocols. If wireguard uses a bit more battery to achieve a task quicker the extra idle time achieved might off-set any increase in power usage.
Using the speed test app I get 65 direct and 58 using the NYC setting in PIA. Ping is 31 ms for PIA vs 28 direct.
I look forward to testing with Warp once it's released, but I don't see how it could be much better than the status quo. PIA has lots of servers all over the place, cloudflare might have a bigger network but the delta should be negligible.
I am a bit surprised that fast would get throttled though.
It's been pretty common and a big part of why Netflix created the service iirc. ISPs have been throttling netflix as a negotiating tactic when creating peering agreements for upstream traffic or deploying more content servers. The whole process has been really horrible imho. Some mobile providers do it to force lower quality streams, that in fairness are probably more appropriate for small/mobile devices. 1080p-4K are probably overkill on a 5-6" device.
The question is, on a 5" screen will you really notice the difference between a 1080p stream and a 720p stream for video? Especially considering the 720p may be higher bits per pixel than the 1080p stream. I'd rather have a 720p stream at 3/4 the bitrate of a 1080p stream, which is often the case as there are multiple levels for a given resolution.
Then again, I don't always notice even on a larger screen from a better 720p stream and a poorer (relatively) 1080p stream. I often notice the difference from 1080p to 4K though, which is a slightly bigger bump on a much larger screen.
Netflix will never even try to show you 4K on a mobile device. The ISPs know this. They just want to throttle Netflix so that you'll prefer the ISPs streaming service to Netflix.
> I am a bit surprised that fast would get throttled though.
Fast.com runs its tests against the actual servers that stream Netflix to you. It uses the same selection algorithms as actual Netflix. The whole point of it was so that you use Fast.com and then call your ISP and say you did a speed test and aren't getting anything close to the speed that they advertised.
On the back end they can't tell the difference between a Fast.com speed test and actually playing Netflix, and that was the point. So if they are going to throttle one they have to throttle both.
Where do you get the idea this is DNS over VPN only?
> Any unencrypted connections are encrypted automatically and by default.
> Unfortunately, a lot of the Internet is still unencrypted. For that, Warp automatically adds encryption from your device to the edge of Cloudflare’s network
It reads to me like all your traffic goes through your service, not just DNS.
It seems to me that in practice, Cloudflare's mission is not actually to build a better Internet, but to offer an alternative, proprietary network (one could call it the CloudflareNet), and convince content providers and consumers to use that network. Because I don't want any single company to have too much power, I'll stick with the standard Internet, which is not owned by any single company.
However, I realize that the problems with mobile Internet performance and reliability are real. So when HTTP/3 is stable, I'll do what I can to help it spread.
I disagree with this statement. We haven't pushed incompatible standards or any other nonsense. We've literally pushed out the latest standards and enabled more encryption (see Universal SSL making SSL free years before Let's Encrypt; see enabling IPv6; enabling HTTP/2; etc. etc.).
Those "cloudflare loading" screens that come up when visiting some low-traffic sites. It's probably more common for people using privacy blockers and browser containers to block tracking. I see it at least a few times per day and I get captchas on almost any site that uses them (regardless of being behind cloudflare).
... or individual browsers taking small steps to preserve their privacy.
I obviously don't know how many Cloudflared sites I visit that don't pop up the nag. And Cloudflare's nag is certainly nicer than Google's more pervasive help-us-build-a-T-800 or Akamai's "just get lost". But that mode seemingly activates on light browsing just because it's coming from a slightly-less-trackable VPS address (non-shared), and that is a problem.
I'd just like to mention that this service saved me once. I have a small low-end box and one of the sites I hosted (that belonged to a YouTube personality) was DDOS'ed for a while, it kept taking the server down. A combination of crafty server configuration and enabling the "Under Attack" mode helped me deal with it.
I don't have the numbers, but from what I've heard the amount of legitimate traffic from TOR is rather small compared to the heaps of bots and abuse.
Yes there's the argument that TOR provides protection for those in apressive states, but given the pros/cons of blocking TOR altogether I can at least understand the reasoning.
Fair point. I especially appreciate that even Workers is based on a W3C standard, when it could have been a proprietary API.
However, Cloudflare has also adopted and promoted at least one standard that adds complexity for dubious benefit, specifically DNSSEC, which tptacek has repeatedly criticized (e.g. [1]).
Moreover, Cloudflare is encouraging both providers and consumers to bypass the public Internet as much as possible in favor of Cloudflare's network and proprietary protocol(s). For providers, this is done through Argo and especially Argo Tunnel. And now for consumers, Warp is replacing the standard TCP with a proprietary protocol built on UDP.
Now that Cloudflare has proprietary replacements for the standard Internet on both sides, it can start taking advantage of network effects to make its proprietary network attractive to still more providers and consumers. As Cloudflare's power grows, it becomes harder to escape any future abuses of that power, as well as honest mistakes on Cloudflare's part.
I realize the standard Internet sucks in some ways, and Cloudflare is doing something about that. But I think the right answer is to improve the standards-based Internet, not offer a proprietary replacement. I suppose that's not compatible with running a VC-backed business, though.
DNSSEC is a standard. We literally adopted and promoted a standard. That is not about your original comment about us trying to take over the Internet or something. And we work hard on the standards-based Internet pushing HTTP/2, IPv6, QUIC, TLS 1.3, ...
I get where you are coming from but I think there's a significant headwind to us doing something weirdly proprietary. If we were to create some two-tier Internet then our clients (who have web/API servers) would start having part of their audience/consumers get poorer performance or security or something. So we'd be sticking a finger in the eye of the people who pay us.
Nothing wrong with some cynicism. And I totally understand the concern, but one thing people always miss with Cloudflare is... follow the money. We get paid by people with web servers and API servers. We have to do things that keep them happy.
> one thing people always miss with Cloudflare is... follow the money
I think that applies almost anywhere. One could say "don't trust Google or Facebook with personal data" merely based on the fact that almost all of their money comes from advertising.
Exactly what is this supposed to mean? It's a "standard"? So what? Lots of bad things have been standardized. You have to justify the work on the merits; you can't simply appeal to IETF standardization as intrinsically good. TLS Heartbeat was a standard, and it was not intrinsically good.
This thread was about Cloudflare becoming some proprietary network with its own protocols and doing evil stuff. I was pointing out that when OP said we'd implemented and promoted DNSSEC (and named you) that we were not implementing something we'd invented but a standard.
I don't think Cloud Flare is implementing a lot of scary proprietary stuff outside the IETF process, but the influence that it has on the IETF process is a legitimate question to ask.
FWIW, tptacek's argument in that thread seems to be premised on certificate pinning being widely deployed[1], which it's not, and it seems at this point like it never will be[2].
No. I like pinning (which is widespread outside of browser applications) and certainly it's better than DNSSEC, but my argument holds together just fine without it.
It hardly matters at this point, though. DNSSEC is a dead letter. It's over. Stick a fork in it. It'll be around indefinitely for performative nerds to performatively noodle with --- lots of dead IETF protocols are! --- but Cloud Flare is likely to be the largest company ever to use it (and they're the exception that proves the rule, since they sell DNSSEC services).
You've built a product (warp) based on Wireguard and refused to work with the upstream project - so saying that you're pushing standards is far more nuanced than you make it seem - at best.
Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.
> Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.
If upstream is doing something you don't like and refusing to work with you, sure.
When upstream actively petitions you to not fork, asks you politely to work together, and you refuse to work with them, that is far, far from a "tried and true open source software process". That creates a fissure in the community and it generally ends up poorly for everyone involved.
My comment is far from inflammatory, it's a statement of fact, and something cloudflare has refused to acknowledge or respond to. Which just further drives the point home that they aren't acting in good faith.
Can/has anyone from CloudFlare commented? This refusal to work with WireGuard has left a bitter taste in my mouth from a company that I otherwise like.
We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update BoringTun's code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in Open Source and want the WireGuard community to thrive. We licensed the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, I think we're very open to merging this back into the upstream project.
I mean no offense, but the response comes off as corporate approved PR. "We need to move fast" when you haven't actually even tried engaging with the parent project and have no idea whether or not it would prohibit "moving fast" is disingenuous IMO.
Presumably there’s still overhead involved in being part of the WireGuard organization, no? If there wasn’t, then the only difference between being in it and not is branding.
More importantly, without having already tried it, it’s hard to predict how much overhead there will be.
Since CloudFlare had a (self-imposed) deadline, working fast had to take priority over optics. After all, the project can always be folded into the WireGuard organization later.
While the fissure you describe as a guaranteed outcome is certainly likely in many such scenarios, you're missing the point:
Implementing a standard without regard for the beliefs of other implementors is an action that supports a standard. Refusing to work with others does not implicitly harm a standard.
You assert that refusing to cooperate with another implementor is guaranteed to harm a standard. It is not guaranteed at all.
DJB has not destroyed DNS. BoringSSL has not destroyed TLS. A thousand reimplementations of standards in Rust have not destroyed a thousand standards.
You clearly believe that Cloudflare is acting in bad faith, and are constructing a worldview out of assumptions that you declare instead are facts. While I respect your right to hold those views, I do not respect your declaration of future outcomes as fact.
I was unable to parse this reply in the context of "do forks harm standards?" as we're discussing in this thread. What standard came to harm as a result of LibreOffice forking from OpenOffice?
Sure. What makes anyone use cloudflarenet if you're using different standards? You start by owning the market (which you're moving towards, and in a very good position to do), and then start making changes. All speculation, of course, but I agree with the gp that this is a very real possibility.
I too dislike amp, but I don't see this as cloudflare's fault. If anything they're offering a competitor to google who we typically criticize for creating and abusing amp.
I agree. And considering many of Google's competitors, like Microsoft, have had to support AMP as well, I recognize that AMP support is an unfortunate necessity in dealing in a world where it exists.
Hence the ;) face, it's meant as a friendly jab, not a critical accusation. jgrahamc is awesome.
> If they cannot then it is not the internet. It's more akin to a 'web' only service.
CGNAT means that the same is true of "mobile" connections in general, so it's not like Warp is changing anything for the worse here. Though the Tor network does allow you to host a .onion-linked service over such a connection, but that - while quite handy - seems more like a special case to me.
The problem is, this can still totally remind people of EEE (Embrace, extend, extinguish [1]). And appears to be not incompatible with it. And even if EEE is not your current strategy [2], the trouble is, it may become so in future, even against your best wishes today. COOs/CEOs change, as well as kings do. Today's Benevolent Dictator may get ousted by some sneaky hostile takeover in future, or even just take an unplanned sabbatical in Tibet for reinvigorating their mojo. And may get replaced with a less enlightened one. That's kinda why e.g. people from countries with a history of communist or other authoritarian/totalitarian rule are sometimes wary of creeping surveillance tech even when their country is fully democratic now. A switch to a new authoritarian regime can sometimes happen surprisingly easy even in an apparent democracy. Many countries in the world seem to have given policy mandate to populist-ish chiefs recently, who knows how this will work out further down the line. That's why people fear centralisation of control and of power over infrastructure.
I'd be interested to see your evidence for such a statement and better understand what exactly makes you think Cloudflare's mission is to build a proprietary network?
Pretty much most if not all of Cloudflare's services and work suggest the complete opposite to me.
Like other commenters, Cloudflare for me is probably one of the only companies I truly trust. I'm not saying that because I'm a big user of there services in fact 1.1.1.1 is the only service I actively use.
This pearl clutching is getting out of control. The existence of cloudflare is totally orthogonal to your ability to self-host content on the internet. They don't have any power, except over their customers and those customers customers. If you don't want to use them, then don't. No one is stopping you.
I would almost argue the contrary: Cloudflare makes self-hosting more possible, when you're going up against the large cloud hosting empires like Amazon and Google and Microsoft. You may not be hosting on one of those, but you can slap a little Cloudflare in front of yours to give your own server similar levels of robustness... and you can always turn it back off if they ever become a problem, since you aren't using proprietary APIs and services to power your server.
If anything, I've kinda been hoping Cloudflare would realize self-hosting and decentralization is what they should be supporting and pushing, as it's when using their CDN makes the most sense. And obviously, Amazon and Google and Microsoft all have their own CDN capabilities, so the less people using their cloud services, the better for Cloudflare.
To any Cloudflare leadership or staff who are still watching this subthread, I'm sorry I publicly questioned your motives and integrity the way I did. I should have been skeptical without saying that I think your mission is something other than what you say it is. I wouldn't want some random person on the Internet to publicly say, or at least imply, that I'm a liar. So I shouldn't have done that to you. If I could give up the upvotes I got for that comment (and keep the downvotes), I would.
Mind you, I'm still skeptical. I probably won't use Warp on my phone, or Cloudflare on my personal site. But I should have been more careful about how I expressed that skepticism in public. None of us want a world where we all assume the worst in each other without strong evidence. So again, I'm sorry.
If you don't trust them with a binary, you shouldn't trust them just because they posted source code somewhere. If they don't have the bandwidth to manage this as an open source project this is the right call.
There are plenty of companies who have released their source code but don't support it in the same way a typical community driven project like other open source projects do.
This is especially true for certain privacy and security focused applications. For example, Signal release their code, have quite a lot of users, and don't report an unmanageable overhead due to having released their source code.
It's not just a matter of trusting their intentions, it's a matter of knowing that their code matches their intentions. I trust OpenSSL (mostly, these days) and I always trusted the intentions of the developers, but if their code was not open it would not be half as secure today.
Because that doesn't really work. We put the code out there and people start working on it. You think we're going to be able to _not_ look at what's people are doing?
I just signed up. cloudflare is on the short list of Internet companies that I trust (with the usual small bit of doubt and skepticism!). With just a few reservations, I also trust G Suite, Firefox, and a few hosting companies I do business with.
I have been supporting FSF, ACLU, etc. for years, but the practical considerations that prompted me to be a bit more trusting are Cloud Search in GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep appreciation for having Firefox available (containers are so easy to use and make me feel more secure in my use of the web).
I trust Cloudflare to do their best, generally respect privacy, and not act maliciously.
I don't trust cloudflare to not make mistakes (like Cloudbleed). I don't trust myself to not make mistakes. I don't think there is anyone I trust not to make mistakes. It's just not a reasonable criteria.
Companies are made of people and people inevitably screw up. Cloudbleed made Cloudflare more trustworthy in my eyes simply because of how they handled their (very large, very unfortunate) mistake.
I have to mostly agree... Cloudflare has actively participated with a lot of communities to bring better CDN options to open-source projects who otherwise would be overloaded. I'm not sure how much I actually trust GSuite, ironically preferring Office365 to it as there are huge, gaping holes in it's usefulness, specifically group email tethered to a horribly broken secondary interface (groups) and the fact that the product as a whole has languished a lot.
I'm in a position where I do appreciate Google's software, Chrome/V8 and resulting node and electron as downstream projects. However, my trust of Google is waning in light of their incredibly divisive culture all around and a lot of their practices, cover ups and just poor form in the sun-setting of "don't be evil."
I don’t disagree about Google. I really just use their paid services (GSuite, Music/no ad YouTube, purchase books and movies). I mostly switched to DuckDuckGo years ago, and I run all Google properties through a single Firefox container.
While this might improve user experience for some, I don't see the greater value in a VPN solution like this.
It's the fast path to replacing the decentralized internet with a few proprietary CDNs. I'm much more excited about those projects that actually try to fix the raised issues:
Unencrypted connections -> TLS / Letsencrypt
TCP sucks on mobile/roaming devices -> QUIC & HTTP/3
Cloudflare pushed out free TLS years before Let's Encrypt and we are actively working on and supporting QUIC and HTTP/3. But QUIC/HTTP/3 aren't here today, not everyone is using HTTPS and there are other worries in coffee shops etc. hence a VPN service makes sense.
There is a bit of a difference between LetsEncrypt and Cloudflare TLS termination though... one is TLS for everyone, the other is TLS for Cloudflare customers (paying or not). For instance can an Iranian website use Cloudflare TLS? I would wager not. (ironic as they probably need secure transport the most).
I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts.
Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.
CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long as the customer is not a Gov't entity. The only issue is that these CA's are just playing it safe by not issuing any .ir domains, making CF also unable to issue .ir.
I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].
Should Cloudflare go evil in some way then I would guess other services would pick up the ball and would keep delivering the same level of service as this one.
There’s a lot of claims about how mobile internet sucks and this makes it not suck. But then it’s revealed it’s a WireGuard based VPN. What I don’t understand is how my internet will be so much faster than any other use of WireGuard?
1. When you use WireGuard as a VPN your device is connecting to wherever you happen to have hosted your server. Cloudflare's PoPs are located in 165 different Internet exchanges and ISPs, giving you a pretty good chance to be closer to you wherever you are in the world.
2. We (Cloudflare) have tech through our Mobile SDK product which can optimize the actual way the Internet TCP traffic is mapped into UDP.
3. We also have Argo, a technology for optimizing the routing of packets through the Internet which will be released as Warp+.
499 comments
[ 3.3 ms ] story [ 361 ms ] threadAlso, this post is relevant: https://blog.cloudflare.com/boringtun-userspace-wireguard-ru...
1- https://github.com/cloudflare/boringtun
2- https://blog.cloudflare.com/mobile-sdk-acceleration/
3- https://www.cloudflare.com/products/argo-smart-routing/
Switched the account so it wouldn't be confusing who was commenting.
Also I wonder how do you work with censors? For example Russia censors internet and requires that all VPN services cooperate and censor internet for Russian customers as well (probably they will ban services that won't comply). Will you cooperate or will you accept that Russian users won't be able to reach your service? I guess, that some other countries use or will use similar techniques. For example I'm from Kazakhstan, there are many banned websites and they seem to ban popular VPN and proxy services as well (I'm using my own server with OpenVPN, but obviously I'm just a small fish to bother).
It would be amazing if it could be made to work from standard wireguard, but I suppose there's a chance that if desktop versions arrive, you'll be able to extract the keys.
The only thing stopping that would be if Cloudflare broke the protocol.
It's okay to just say, "Hey, we are running a free VPN. We're making some privacy guarantees and are trying to log as little as possible. That exposes us to being abused, which means that we have to put some limits in-place on the client."
There's nothing unreasonable about that at all.
Would you ever make the code of the 1.1.1.1 app with Warp open source?
On the open source thing: maybe? It's hard to say. In general, we like to open source libraries and stand alone applications. And we think pretty carefully about the cost of supporting an open source community as well. Which is, I think, a thing people overlook.
Embrace, extend, extinguish!
It would be nice to know the policy there. For those of us that do know what a VPN is, and are okay not having access to support, getting things to work without a desktop app would be nice.
It's important to appreciate that we have literally millions of users for the 1.1.1.1 App and we are rolling out a free VPN for them. That is a huge support and network burden that we have to deal with to make that experience work well. Yes, we use WireGuard under the hood (and have open sourced our Rust code), but the additional cost of supporting people connecting from their WireGuard clients means that we don't want to support that _today_. Please bear with us while we get through a massive roll out.
[1]https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...
From what I understand, Jason was willing to make your guys head of a sub-project. I'm failing to see how this would hinder your development, considering you've probably got your own build and deployment systems anyway. The way you've done it feels like a 'chuck the code over the fence' style of interaction, which again - I can't see any rationale, from a project perspective (imho)
I don't think anyone on Linux setting up and tweaking WireGuard to integrate with CloudFlare's free network expects to be able to call up support and be like "hey, I need help debugging my custom client." :-) As far as network burden, you're just concerned that we'll be using too much traffic?
It's Cloudflare's service, and of course entirely Cloudflare's decision how it is permitted used. I just hope that, in the future, it will be allowed (but not necessarily *supported) to use stock clients rather than desktop apps (which many of us Linux people would dislike). :)
Good luck with the massive deployment!
1. VPN from mobile device to the nearest Cloudflare PoP.
2. Use Cloudflare backbone to connect to the nearest exit PoP to destination.
3. Between entry and exit PoPs, do all sorts of optimisations that are possible, like:
3a. Jumbo frames, custom/advanced form of TCP congestion control, multipath, fast-open.
3b. Custom transport protocol (quic, sctp, etc).
3c. Custom compression and error correction schemes.
4. Reverse CDN: Proxy HTTP/S requests and serve content from cache.
5. Peer CDN: serve content from nearby devices?
Something like AWS Silk [0] or Google Chrome FlyWheel [1] but on steroids.
Easier said than done, I guess.
[0] https://news.ycombinator.com/item?id=3215778
[1] https://news.ycombinator.com/item?id=9441372
It'd be interesting to see a response from Cloudflare (unless there is one an I've missed it)
Well, there's at least two coming out this year. I can understand them wanting to handle the 99% of use cases first, but as I understand it they won't allow normal Wiregaurd clients to connect which is sad but entirely their call.
I would say "anonymity" is a fairly strong term for what's being offered here. It's going to hide your source IP, and if you don't mind CF seeing your unencrypted content (and the fact it's unencrypted kinda means that from a technical perspective, you already don't care), it may improve the amount of the connection to unencrypted content that is encrypted (and thereby block the "coffee shop" attack fairly well), but that's all. They're not going to actively strip the bajillions of other active tracking techniques being used nowadays. Your phone will still track location. Facebook will still track you on your phone every bit as much as they did before. etc.
This is part of a complicated set of measures you may be able to take to attain anonymity, but not even remotely the full package.
Again, this is a technical posting to ensure that people understand what this is and is not. This is not a criticism of the service for not being something it isn't or anything like that.
Less technically and more value-judgy (though still not much), note the title: "Introducing Warp: Fixing Mobile Internet Performance and Security" Performance was highlighted first, security second. This seems to me to be a reasonable and accurate reflection of the nature of the service.
It's worth thinking about...we had this situation before with AOL. That is, a pretty large number of people in diverse geographic areas, all coming from a small number of IP addresses.
People do use that "relative" anonymity for lots of things, not all of them good. Also, it may create some issues for things like geolocation, regional content restrictions, credit card fraud detection, SMTP blacklisting, rate limiting, and so forth. Because your offering is free, and CF is well known, I'm guessing it will grow fast. Not suggesting anything change about it, just that it may create something that site owners need to react to.
One day when away from the office, I pinned my wifi DNS settings to 8.8.8.8 just to try it out & compare it to the DNS I normally use at home, but then I forgot to undo it. When I got back to the office, the office Intranet was unsurprisingly inaccessible, and I removed the pinned DNS settings. I knew how to solve the problem, but less savvy folks trying out the Cloudflare product might not, which could create some confusion for IT helpdesks.
Cloudflare is concerned with the user experience of people who don't know what a VPN is, and that's why I mentioned it. Normally I would have just tried it & reported the edge case I it exists, but the app isn't usable yet, so I posed the question instead. Judging by the downvotes, I should have mentioned that in my comment above :)
So geo-specific things will break... BBC.com should load though since its for out-of-UK people
I'm not having any trouble with bbc.co.uk on 1.1.1.1, maybe it was a temporary hiccup.
(Disclosure: I work for Cloudflare but not on this product.)
I am getting more than 300ms difference to google.com
https://pastebin.com/raw/QnbWXU1a
I posted the issue (bad route) on the community forum a few months ago.
https://community.cloudflare.com/t/high-ping-sri-lanka/15276...
I'll try it again for awhile and see if I have any issues now.
Cloudflare do not use the EDNS Client Subnet extension:
https://tools.ietf.org/html/rfc7871
You are right to say that can potentially affect geo-located services. But that is not to say that 1.1.1.1 doesn’t support EDNS:
https://tools.ietf.org/html/rfc6891
Will warp be available on desktop machines at some point?
Now the apps will be upgraded with Warp, an option to set up a full data VPN over WireGuard, terminating at any worldwide PoP.
This should give you super low latency to your VPN server, and also open up the possibility of local caching smarts on the device.
Basic service is free, premium service coming that’ll put you on the CF backbone for all your traffic, should take you off the public internet and speed things up.
Desktop versions coming as well.
Alternatively, I have a Xperia XA1 running a June 5, 2017 security patch. It's been my intent for a long time now to figure out how to get root without unlocking the boot loader the sony approved way (which makes the camera less functional). Anyone have any pointers on easy to exploit privilege escalations that should exist on my phone?
Could also approach from usb/wifi/bluetooth/etc instead of local userspace.
The problem specifically is that unlocking the bootloader the official way deletes drm keys stored in a "TA" partition, and that makes the camera less functional. It would be sufficient to find a vulnerability that let me back up the DRM keys - but that seems unlikely without gaining root access and I'd have more confidence that I backed up the right thing with root access.
Unfortunately AFAIK all community run mods for Android require bootloader to be unlocked.
In all honesty it's pretty rare that I use anything not browser based that might have ads, but on principle I'd like to keep it around.
Otherwise, you are out of luck. You cannot run the 1.1.1.1 app and run another VPN app like blockada, netguard, no-root-firewall side by side on Android (at least not supported till the latest release, Android 10).
[0] https://news.ycombinator.com/item?id=18788410
https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-set...
Sounds interesting though!
I'd imagine they'd test the performance with say 100 users, then another 900 to make it a round 1000, then if they see the 1000 users only use 1% CPU, they could just go up to 10000 to see if it uses 10% CPU or just 5%...
And after they figure out how many servers/how much bandwidth they need, they could just bring in e.g. 100K users online at once.
Just does it over and over.
Edit: It's fixed and I'm on the waitlist.
Happened to me as well, and that’s why I came looking for the canonical post on this topic to see what’s happening. I switched networks and tried, but got no waitlist number. There’s just a message saying I’m on the waitlist and the button to join the waitlist is still visible and enabled.
Now that I see people from Cloudflare have responded, I’ll just wait and see.
[1] https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-r...
Tried VPNs at some point. It was a slower and more error prone Internet experience. For doubtful privacy gains.
It would awesome to have static IPs as well.
That's great... but you do log user-identifiable info? How I read that is "we log things that can identify you but just keep it in memory for X amount of time".
Myself and other privacy-minded folks would like to know more details there, especially as this is a freemium service.
I don't think their target audience includes those people (privacy minded folks.)
The short answer is we really don't want to have data. We store bits of it for aggregate analysis and debugging, but the goal is to not be able to map traffic to individual people as quickly as possible.
A good add on though might be a way for people to run their own service on a Cloudflare worker that gets hit with each request to 1^4, which would allow them to run their own ad blocker.
Making it a plugin that you could plug another app into might be cool, though?
Personally I find the performance of PIA fine. I just ran a test through fast.com and got 42 mbps on 4g through PIA mobile VPN in NYC. (Weirdly, when I turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit higher than direct, but not enough for me to agree with their blanket statement that all VPNs suck.
I look forward to testing with Warp once it's released, but I don't see how it could be much better than the status quo. PIA has lots of servers all over the place, cloudflare might have a bigger network but the delta should be negligible.
I am a bit surprised that fast would get throttled though.
Then again, I don't always notice even on a larger screen from a better 720p stream and a poorer (relatively) 1080p stream. I often notice the difference from 1080p to 4K though, which is a slightly bigger bump on a much larger screen.
Fast.com runs its tests against the actual servers that stream Netflix to you. It uses the same selection algorithms as actual Netflix. The whole point of it was so that you use Fast.com and then call your ISP and say you did a speed test and aren't getting anything close to the speed that they advertised.
On the back end they can't tell the difference between a Fast.com speed test and actually playing Netflix, and that was the point. So if they are going to throttle one they have to throttle both.
But this only sends DNS over the VPN so it won’t use much power at all. 99% of your traffic does not route via the VPN with this app.
> Any unencrypted connections are encrypted automatically and by default.
> Unfortunately, a lot of the Internet is still unencrypted. For that, Warp automatically adds encryption from your device to the edge of Cloudflare’s network
It reads to me like all your traffic goes through your service, not just DNS.
The blog led me to their "1.1.1.1 app", which I installed and found created a VPN on my iOS device that only tunneled DNS traffic.
This "warp" thing, which is not released you can only go on a waiting list for, will apparently tunnel all traffic.
My apologies for the error.
Interesting to see competition heat up at the VPN level.
However, I realize that the problems with mobile Internet performance and reliability are real. So when HTTP/3 is stable, I'll do what I can to help it spread.
As for HTTP/3... so will we. See: https://blog.cloudflare.com/http-3-from-root-to-tip/, https://blog.cloudflare.com/the-road-to-quic/ and https://blog.cloudflare.com/head-start-with-quic/.
I like and use 1.1.1.1 though.
I obviously don't know how many Cloudflared sites I visit that don't pop up the nag. And Cloudflare's nag is certainly nicer than Google's more pervasive help-us-build-a-T-800 or Akamai's "just get lost". But that mode seemingly activates on light browsing just because it's coming from a slightly-less-trackable VPS address (non-shared), and that is a problem.
This might have changed but in the past it made using Tor for anything beyond onion sites extremely annoying.
Yes there's the argument that TOR provides protection for those in apressive states, but given the pros/cons of blocking TOR altogether I can at least understand the reasoning.
However, Cloudflare has also adopted and promoted at least one standard that adds complexity for dubious benefit, specifically DNSSEC, which tptacek has repeatedly criticized (e.g. [1]).
Moreover, Cloudflare is encouraging both providers and consumers to bypass the public Internet as much as possible in favor of Cloudflare's network and proprietary protocol(s). For providers, this is done through Argo and especially Argo Tunnel. And now for consumers, Warp is replacing the standard TCP with a proprietary protocol built on UDP.
Now that Cloudflare has proprietary replacements for the standard Internet on both sides, it can start taking advantage of network effects to make its proprietary network attractive to still more providers and consumers. As Cloudflare's power grows, it becomes harder to escape any future abuses of that power, as well as honest mistakes on Cloudflare's part.
I realize the standard Internet sucks in some ways, and Cloudflare is doing something about that. But I think the right answer is to improve the standards-based Internet, not offer a proprietary replacement. I suppose that's not compatible with running a VC-backed business, though.
[1]: https://news.ycombinator.com/item?id=10553371
I think that applies almost anywhere. One could say "don't trust Google or Facebook with personal data" merely based on the fact that almost all of their money comes from advertising.
And thanks for the interesting exchange!
FWIW, tptacek's argument in that thread seems to be premised on certificate pinning being widely deployed[1], which it's not, and it seems at this point like it never will be[2].
[1]: https://news.ycombinator.com/item?id=10553608
[2]: https://groups.google.com/a/chromium.org/forum/#!msg/blink-d...
It hardly matters at this point, though. DNSSEC is a dead letter. It's over. Stick a fork in it. It'll be around indefinitely for performative nerds to performatively noodle with --- lots of dead IETF protocols are! --- but Cloud Flare is likely to be the largest company ever to use it (and they're the exception that proves the rule, since they sell DNSSEC services).
https://news.ycombinator.com/item?id=19500725
If upstream is doing something you don't like and refusing to work with you, sure.
When upstream actively petitions you to not fork, asks you politely to work together, and you refuse to work with them, that is far, far from a "tried and true open source software process". That creates a fissure in the community and it generally ends up poorly for everyone involved.
My comment is far from inflammatory, it's a statement of fact, and something cloudflare has refused to acknowledge or respond to. Which just further drives the point home that they aren't acting in good faith.
EDIT: eastdakota filled me in, thanks John.
https://blog.cloudflare.com/boringtun-userspace-wireguard-ru...
We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update BoringTun's code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in Open Source and want the WireGuard community to thrive. We licensed the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, I think we're very open to merging this back into the upstream project.
>I thought the invitation to put their engineers as the head of a WireGuard subproject was a cool invitation, but alas.
https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...
I mean no offense, but the response comes off as corporate approved PR. "We need to move fast" when you haven't actually even tried engaging with the parent project and have no idea whether or not it would prohibit "moving fast" is disingenuous IMO.
More importantly, without having already tried it, it’s hard to predict how much overhead there will be.
Since CloudFlare had a (self-imposed) deadline, working fast had to take priority over optics. After all, the project can always be folded into the WireGuard organization later.
Implementing a standard without regard for the beliefs of other implementors is an action that supports a standard. Refusing to work with others does not implicitly harm a standard.
You assert that refusing to cooperate with another implementor is guaranteed to harm a standard. It is not guaranteed at all.
DJB has not destroyed DNS. BoringSSL has not destroyed TLS. A thousand reimplementations of standards in Rust have not destroyed a thousand standards.
You clearly believe that Cloudflare is acting in bad faith, and are constructing a worldview out of assumptions that you declare instead are facts. While I respect your right to hold those views, I do not respect your declaration of future outcomes as fact.
DJB didn't fork Bind and then refuse to work with them.
>BoringSSL has not destroyed TLS
BoringSSL didn't fork OpenSSL and then refuse to work with them.
About the closest modern comparison would be OpenOffice vs. LibreOffice - which created a complete mess like I mentioned before.
Except even THAT is a bad comparison because LibreOffice only forked when they were FORCED to fork.
WireGuard is written as Kernel Module in C, with a GPL licence; BoringTun is a user space program written in Rust with an MIT licence.
So it’s not really even a fork.
So one could argue you are both pushing the latest standards and the latest nonsense. ;)
Hence the ;) face, it's meant as a friendly jab, not a critical accusation. jgrahamc is awesome.
If they cannot then it is not the internet. It's more akin to a 'web' only service.
CGNAT means that the same is true of "mobile" connections in general, so it's not like Warp is changing anything for the worse here. Though the Tor network does allow you to host a .onion-linked service over such a connection, but that - while quite handy - seems more like a special case to me.
[1]: https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish
[2]: But then, sorry how this sounds, but pessimists tend to think, EEE perpetrators wouldn't publicly admit to it either...
Pretty much most if not all of Cloudflare's services and work suggest the complete opposite to me.
Like other commenters, Cloudflare for me is probably one of the only companies I truly trust. I'm not saying that because I'm a big user of there services in fact 1.1.1.1 is the only service I actively use.
Yes. Agreed. But if not Cloudflare as a pushback alternative to those trying to own the internet, then who?
It seems to me the "standard internet" is getting smaller and smaller. What other options do we have?
If anything, I've kinda been hoping Cloudflare would realize self-hosting and decentralization is what they should be supporting and pushing, as it's when using their CDN makes the most sense. And obviously, Amazon and Google and Microsoft all have their own CDN capabilities, so the less people using their cloud services, the better for Cloudflare.
Having worked in an ISP, only one thing mattered to costumers, and only one thing: YouTube.
Mind you, I'm still skeptical. I probably won't use Warp on my phone, or Cloudflare on my personal site. But I should have been more careful about how I expressed that skepticism in public. None of us want a world where we all assume the worst in each other without strong evidence. So again, I'm sorry.
https://1.1.1.1
This is especially true for certain privacy and security focused applications. For example, Signal release their code, have quite a lot of users, and don't report an unmanageable overhead due to having released their source code.
It's not just a matter of trusting their intentions, it's a matter of knowing that their code matches their intentions. I trust OpenSSL (mostly, these days) and I always trusted the intentions of the developers, but if their code was not open it would not be half as secure today.
I have been supporting FSF, ACLU, etc. for years, but the practical considerations that prompted me to be a bit more trusting are Cloud Search in GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep appreciation for having Firefox available (containers are so easy to use and make me feel more secure in my use of the web).
I don't trust cloudflare to not make mistakes (like Cloudbleed). I don't trust myself to not make mistakes. I don't think there is anyone I trust not to make mistakes. It's just not a reasonable criteria.
I'm in a position where I do appreciate Google's software, Chrome/V8 and resulting node and electron as downstream projects. However, my trust of Google is waning in light of their incredibly divisive culture all around and a lot of their practices, cover ups and just poor form in the sun-setting of "don't be evil."
It's the fast path to replacing the decentralized internet with a few proprietary CDNs. I'm much more excited about those projects that actually try to fix the raised issues:
Unencrypted connections -> TLS / Letsencrypt
TCP sucks on mobile/roaming devices -> QUIC & HTTP/3
I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts. Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.
I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].
0: https://community.letsencrypt.org/t/issuance-criteria-for-ir...
1: https://support.cloudflare.com/hc/en-us/articles/11500031083...
Which, incidentally, allows you freer access to the open Internet.
1. When you use WireGuard as a VPN your device is connecting to wherever you happen to have hosted your server. Cloudflare's PoPs are located in 165 different Internet exchanges and ISPs, giving you a pretty good chance to be closer to you wherever you are in the world.
2. We (Cloudflare) have tech through our Mobile SDK product which can optimize the actual way the Internet TCP traffic is mapped into UDP.
3. We also have Argo, a technology for optimizing the routing of packets through the Internet which will be released as Warp+.