Yep. Same here. I assume they are working through the waitlist. I'm going to give them a couple days to get it sorted before asking customer support about it.
Edit: My 10GB came through. Looks like release day latency.
I'd really like to use this on my computer. The article says it uses the WireGuard protocol, can I just take the private key from my device, put it in a configuration file and use it?
They've said elsewhere[1] that they're are working on desktop apps. No time frame yet.
If you can extract the endpoints, private and public keys, it might work. It would be considered unsupported and might be considered a violation of the terms of use. Check the license agreement.
Personally, I'd feel safer using this vs any other random VPN service. At least these guys have a reputation at stake, if people discovered they were selling your data.
If you're dealing with adversarial middle-men, it could be OK. I lived in a country where everything inside the country right up to the border could be considered adversarial.
If it brings competition to the shady VPN-peddlers, and is easy to download and get going, I'll consider it a net positive, all-in-all, regardless whether I'll use it personally or not.
Really? The arbiters of the internet? You don't think that's maybe a little melodramatic?
Cloudflare has, time and time again demonstrated openness, transparency, and insight into their technical and ethical frameworks. I trust them a whole lot more than my isp or any random vpn provider.
> The arbiters of the internet? You don't think that's maybe a little melodramatic?
As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.
They've also exercised power over websites based on moral outrage. Perhaps 99.999% of people agree with the morals behind this decision, and maybe it's even the right decision, but it's still an arbitrary decision made by Cloudflare.
They are also bound by US law, and other entities bound by US law have been forced to enable the exact same forms of record keeping that Cloudflare says they will keep turned off.
Cloudflare is not a neutral party. They don't even advertise themselves as a neutral party.
Were you allowing them to set cookies on your browser? If not, I don't see how they could do anything but toss you into an infinite "are you human" loop...
> As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.
Since Cloudflare have their own network, would this be useful to use in countries where they have a reliable home internet but poor (bad latency/speed) links outside of the country?
For example would remote desktop from Thailand or Philippines to Europe work more reliably?
> WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you. It will help protect you from people sniffing your data while you’re at a local coffee shop. It will also help ensure that your ISP isn’t hoovering up data on your browsing patterns to sell to advertisers.
Most of those consumers aren't aware of any of that, so if you want them to use it, you'll have to pay for marketing to bring it to their attention. Is that the plan?
> Before today, there were approximately two million people on the waitlist to try WARP. That demand blew us away. It also embarrassed us. The common refrain is consumers don’t care about their security and privacy, but the attention WARP got proved to us how wrong that assumption actually is.
I feel like that misses the point though. I'd be shocked (and happily wrong) if a large portion of those 2M users are none technical average people.
If anything, all I would take from that number is that the tech crowd is perhaps larger than people give it credit for. But I highly doubt that waitlist expands highly beyond the tech crowd.
I'm not sure why I'd trust cloudflare (a company who's business it is to know all about traffic flows and usage patterns) more than a traditional back bone provider?
The article mentions that WARP is exposing the end user's IP to websites they visit. I'd be interested in how they do that, especially with HTTPS websites where they can't MITM and inject headers.
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
Great eye! We haven't figured out how to expose them yet for sites not using Cloudflare. We do have some experience solving this problem for Spectrum [1] we're hoping to lean on. The most important thing to us is users don't expect us to keep their IP private, as that is not the intent of WARP.
Not step on the toes of Netflix, Amazon Prime and other services that rely on geo location for enforcing licensing of content / geo-location based artificial scarcity of digital goods?
It sounds like cloudflare spent the time to do away with hiding ip addresses. Actively removing that feature of a VPN, which you should get for free in a wireguard implementation, seems fishy to say the least. Especially since no reasonable explanation for this was given.
From the deafening silence I'm going to take the less charitable interpretation that it's meant to enable Cloudflare to essentially sell Warp users' IPs to Cloudflare customers as an added perk.
Although Warp doesn't mask IP addresses, it should be useful for these two use cases:
1) Communicating with insecure websites (HTTP instead of HTTPS)
2) Using unsecured wireless networks (e.g. Wi-Fi at a coffee shop)
Beyond these two cases, is there any advantage to using Warp? Does Warp provide any benefits for email (secure IMAP/SMTP), file sharing (BitTorrent), or other protocols?
Thanks, this should have been obvious in hindsight.
One more for people with cell phone plans that don't adhere to net neutrality: Warp can probably bypass quality caps on video streaming.
Traditional VPNs are strictly better than Warp+, as far as I can see, but the free version of Warp is a generous offering for users who would otherwise not be using a VPN.
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
I think that's because Warp doesn't let you select the location of the server you're connecting to. Almost all VPN services have servers in different areas, and you can choose which geographic area you want an IP address from. In contrast, Warp only lets you connect to a server that's close to you.
Based on speed tests, it doesn't look like Warp is bypassed for video content.
That’s not the same thing - they could provide your IP to the site you visit in an added header or something without compromising your privacy from your ISP. That doesn’t imply they aren’t routing traffic to some websites.
> Warp and Warp+ will not route traffic data from your device through the Cloudflare network for certain Internet properties, such as over-the-top content provider websites, as determined by Cloudflare in its sole discretion.
What's the actual vulnerability when simply using an unsecured wireless network? Sure, it's easy for them to MitM you if you're using http, but if you're only using https, what's the harm?
DNS queries and the unencrypted parts of the HTTPS protocol (like SNI without recent enhancements). So passive sniffers can at least see what sites you're visiting.
Statistics from one of my websites running Argo show a 16.73% percent improvement for 32.3% of web traffic routed through Argo.
For my Google Cloud Washington based server, I see 5-15% improvement for some traffic from the EU and US East Coast and 15-30% improvement some traffic from Asia, Africa, and South America. (all according to CF statistics)
Thank you for your reply. I see that it's rather easy to do that for websites running behind CF as you terminate the traffic and can just set the corresponding header.
But for websites outside your network I don't see any obvious way how to do that. Wouldn't this being possible imply that it's possible to spoof traffic? That would open a whole can of worms for the web and even the internet at large.
But I also get your point that you don't want people to see WARP as a regular VPN to protect a users IP address from being exposed to the other side. Since it's not easy for a user to see which sites run behind CF and which ones don't while browsing they must keep this in mind. Or they can just firewall all CF IPs minus the ones used by WARP (assuming none are shared with other CF products and a list can be obtained).
Can you have an option to do that? I imagine in some cases it might be better for people (in certain regions or roles) where their IP being hidden is a core component of "Privacy First".
Warp doesn't provide anonymity, however, for some reason Netflix in my phone can stream US TV shows with Warp on while my non warped devices can not even list the show. Weird.
It seems to not be hiding IP, but it does inadvertently(?) do so for some site's detection methods I think. When I did an IP lookup, some sites reported correct while others reported one I didn't recognize (assumed its the one from WARP).
Because Netflix is not a Cloudflare client, so CF can't pass the source (client) IP. The same should happen with Google, Facebook (or anyone not behind CF infrastructure).
At least, that's the way I'm currently understanding it.
There have been some instances of this before; at least one game was implemented in Rust. But, given the length of the Warp waitlist, I'm pretty sure this is the most popular application so far. There could be things I don't know about though, at this point Rust is big enough that not everyone who uses it talks about it publicly.
I forget the status of that, you may be right! That'd be a large deploy too. The intention was to do that, for sure, I'm just not sure if it shipped or not.
I think that for Rust to really take off in that space, we'll need comprehensive, auto-generated bindings for the platform APIs. Are there any serious efforts in that area yet?
On iOS it doesn't seem to work. It's either WARP or nextdns. A quick google search taught me all "custom" dns setups on iOS require some sort of VPN-like solution (very much like the nextdns.io iOS app does).
I was openly critical of Cloudflare when they announced Warp the first time. My accusations were over-reaching, and I ultimately retracted them. But I'm still skeptical, and I still won't use Warp.
Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.
My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.
Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.
When I look at friends and family, they use their phones for everything because Computer UX failed. And they will switch to whatever public WiFi is available because their expensive yet small mobile data plan.
I can see how some people would benefit from this kind of VPN.
Another commenter on this thread said that there are already VPN services with Wireguard support and easy-to-use apps. Why not recommend those to friends and family?
The history of most of these is terrible. Many actively log / aggregate and in some cases sell your data - are based in non-US jurisdictions so no recourse. There is going to be a reason cloudflare does better - they are more trusted.
Remember, if you're not the customer, you're the product. These days, even if you're the customer, you may still be part of the product for another kind of customer.
Trust with what? Warp is specifically designed to reveal your IP address. This is as anti-privacy VPN as a VPN can be. Which is absolutely not surprising coming from a US corporation.
It's not designed to be anonymous, but it does fully encrypt all traffic coming from your device to the internet, meaning, it's great when you don't want to trust the ISP, public Wifi or even the cell provider with your traffic.
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
Early on in Cloudflare’s history when we were asked who our competition was we said Facebook. The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages. We saw our role as providing the security and performance needed to compete without making you give in to use an all-consuming platform.
We haven’t said that in a long time, but I was reminded of it while we were on our IPO Road Show. One investor we met with said:
“Here’s how I think of you: Cloudflare is to Facebook as Shopify is to Amazon.”
That resonated to me and reminded me of our earliest days and why we started the company.
So I appreciate the concern but hope there will always be more independent web because we exist than there would be if we didn’t.
A site where mass murders are encouraged to post their killing spree videos? Where hate groups and anonymous cowards promote hate, violence and other ideas? Spare us your "" defense of the indefensible.
Why are they required to have committed a crime? Cloudflare isn't the government, why do you believe they're obligated to serve 8chan?
Cloudflare took down one website that was directly related to a major tragedy that cost people their lives. If you want to complain about that go ahead, but I don't care. I don't allow people to use my websites to spread that kind of hate, and I have no problem with Cloudflare doing the same in extreme circumstances.
The original comment had to do with whether we should trust Cloudflare more than Facebook. If they as a company want to make editorial decisions, that's fine, but the reality is that also means they are not content agnostic. Interestingly enough, they provide services for known spammers and other shady internet operations.
As to whether 8chan 'caused' those abhorrent crimes, I couldn't say, any more than 'violent video games' caused them. I view such crimes as having a root cause of some form of mental illness, which does not (imo) relieve the doers of culpability.
The point is that they are demonstrably not exactly what they claim to be, and thus some level of distrust is warranted.
> Where does Cloudflare claim to be content agnostic?
They may want to claim it, one way or the other, as part of their IPO filing so that potential investors have some idea of liability risks with the company.
Here's one of their statements about free speech from six years ago. It's essentially what I've always thought of as their brand.
It's sad to see them compromise their principles, but sometimes it only takes one little Twitter mob to make people back down. That's why it's reasonable to question their character.
My personal impression was that they did not surrender to a mob, but that the mob made them look closer to what they were hosting. I am not saying it is better, this is just my personal impression.
I have no reason to doubt that the CEO believes in free speech. Many people share this belief.
He did buckle, but we're only human. But did the pressure come from an angry mob on twitter, as most people assume, or from some guys wearing shades and an earpiece?
It is not about CF being forced to serve them, it is about balance, honestly I am fine with this take-down, but this cannot be dismissed as just being private individuals with private choices. This was obviously in their freedom to do, and it is not for me to say whether it was wrong or not (I actually quite like CF), but if stuff like this become a pattern then things become problematic.
It would either mean that the laws are insufficient or that the market is overreaching.
8chan's primary crime is not being sufficiently popular.
The Christchurch killer livestreamed the event on Facebook, and the enormous well-funded content moderation apparatus within failed to shut it down until well after the innocents were dead.
But Grandma uses Facebook, so we can't go after them.
The Wal-Mart shooter had a Twitter account, and posted plenty of content questionable enough even for the FBI to take notice.
But cousin Jake uses Twitter, so we can't go after them.
It doesn't matter what 8chan was used for, because far more popular platforms were used for far worse content. The only thing that mattered here was popularity.
quote:
There’s an unfortunate corollary to this, which is that if you try to create a libertarian paradise, you will attract three deeply virtuous people with a strong commitment to the principle of universal freedom, plus millions of scoundrels. Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
No snark, but if you sincerely believe that, then there can't be a Libertarian Utopia because the libertarians are outnumbered by scoundrels 1mil to 3. Why would you take a path destined for failure?
You're right that Facebook was successfully abused by the Christchurch killer, but 8chan was being used by his community as intended, not abused.
To most people, that's why 8chan needed to be shut down, but Facebook only needs to be fixed. Why do you think that's irrelevant, and being small is the only crime?
I have searched and been unable to find anything suggesting this is true. Do you have a citation?
Another reason I don't think this is true is that I also can't find anything suggesting that the content the Christchurch killer posted is illegal (indeed, it has significant newsworthiness and academic value), and 8chan's policy was to allow anything not "illegal in the United States of America" [1] . If it didn't violate 8chan's policies, why did they take down the stream?
Where did I say they created a crime? Perhaps your lust for viewing mass murder in real-time must be slaked by 8chan, but I have no such interest. Nor should it be the go to place to encourage or host such content. Stop being obtuse.
For such cases, we should have the necessary legal tools to deal with them if the material is truly dangerous enough to be consequential. It is not the job of a corporation to decide, though I suppose they are not under any obligation to provide service, either.
I am generally against censorship, because for every case that is "obvious", there are many more that merely seem so on the surface. This is especially important in cases where you might simply disagree with how someone else thinks, since thoughts can never be allowed to become illegal or immoral; it is only actions where such judgements are applicable.
The proper approach to combating misinformation and dangerous ideas is education. By understanding why an idea is dangerous, you will also understand why it cannot inform your actions.
You and I have completely inverted ideas of what censorship is and why it is bad.
Using legal tools would be horrific. Government censors deciding what material is too dangerous for the public is exactly one of the elements of fascism.
Private entities on the open market exercising their right to not help promote ideas they object to is a good thing. It means that the more objectionable an idea is, the harder it is to publish and the smaller its reach; and the more in the gray area an idea it is, the easier it is disseminate and the wider its reach. If one of those private entities makes a mistake in judgment, that's an opportunity for a competitor.
Governments have a monopoly on violence. Its power is not kept in check by competitors, but by systems like a bill of rights. Weakening those rights to allow legal tools to control ideas would be disastrous.
Corporations have no responsibility or ability to educate everyone about misinformation. They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
the point is that in every jurisdiction in the world there are already laws to stop "encouraging mass murder to post their killing spree". Governments should not interfere in censoring lawful speech. Moreover an actual court of law ruling that 8chan was an illegal site would set a precedent for such thing happening.
> They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
This is literally corporate fascism if done in an extralegal way. And no, the free market is not going to care about the 1-5% of people discarded.
To quote a very nice blog[1]:
Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
> Governments should not interfere in censoring lawful speech.
What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.
I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else. If no one wants to take up that opportunity, then the public has spoken. It's not ideal, but it's way better than a government making that choice through threats of force.
> What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.
Entirely agree and current laws already prohibit encouraging murder
> I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else.
Like it was in in the 20th century before civil right laws?
It is like saying that a monopoly is impossible because competitors can always emerge. It just does not work in practice.
Especially when the "competitor" become themselves target of a new witch hunt.
So what's your solution, then? If you agree that governments should not be broadly deciding what speech is ok and what is not, then how do you prevent monopolization pushing out legitimate but unpopular speech, while also allowing companies the freedom to disallow certain kinds of speech on their platforms?
Things like civil rights laws are the flip side of the same coin. I'm comfortable with laws that prohibit threats of violence. I'm comfortable with laws that ensure you can't refuse service to someone just because they're of a race you don't like. I think that's a reasonable compromise of "free speech".
But I'm not comfortable with a government requiring that a company allow their users to build something like 8chan inside their service. If Reddit didn't want to allow users to have a sub dedicated to fat shaming, I'm not comfortable with the government being able to tell Reddit that they're required to allow that sub to operate, unfettered. If Facebook wants to shut down a page or group that promotes hatred of a particular race, I'm not comfortable with the government saying they have to let it run.
So how do we solve this problem? The article you reference even suggests, at the very end, that (despite the examples of past bad behavior) all this worrying might be for nothing:
> My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone. It’s entirely possible that we’ll escape with only a few things banned that probably deserve it. I certainly hope this is the case.
He also acknowledges that it's not great to be in a position where we have to depend on hope in order to reach a good outcome, which I agree with, but maybe that's just all we have. Legislating behavior only works up to a point. Legislating attitudes doesn't work at all.
I'm happy to see the Daily Stormer gone. I'm happy to see 8chan gone. I'm happy to see Reddit banning some subs (and honestly wish they'd ban more). I don't see the value in tolerating speech that promotes intolerance. But I'm not comfortable with the government stepping in here, and while their handling is far from perfect, the private companies aren't doing too terrible a job at it.
That is a great blogpost! It also explicitly undermines your point:
"My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone."
> This is literally corporate fascism if done in an extralegal way.
I resolutely and absolutely oppose corporations acting extralegally. But Cloudflare and Voxility have an absolute legal right to not do business with 8chan and Epik if they so choose.
Thank you for taking time to share your perspective. However, I remain skeptical.
It's true that a website using Cloudflare is more independent than a Facebook page, in that in the former case, the company can take their domain to another provider. But my idea of an independent Web is a large number of websites depending on a large number of high-quality hosting providers. The latter number will inevitably be smaller, but shouldn't be single-digit. That would lead to too much potential for abuse of power.
Also, the more sites are using a single provider with its black-box algorithms and heuristics, the more potential there is for bad consequences for innocent users when those things misfire. That's what worries me about the bot-fighting feature you launched on Monday.
To respond specifically to part of what you said:
> The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages.
I don't think I understand how Cloudflare actually helps here. I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem? If so, I haven't run into them in the 16 years that I was the programmer and sysadmin for a small company (admittedly, online services are that company's business). Maybe we just didn't make the right enemies? Now, maybe small web hosting providers could make it even easier to set up a new website, but Cloudflare doesn't do anything about that problem anyway. If the concern is performance, maybe we need better alternatives to WordPress and Drupal, and more local hosting providers, so the website for small businesses can be closer to their mostly-local customers without using a CDN.
> The latter number will inevitably be smaller, but shouldn't be single-digit.
The space Cloudflare is in could afford plenty of players, I think—more than a single-digit amount. There’s nothing about Cloudflare’s business strategy that implies/necessitates that they’d become a monopoly in a market equilibrium state. The only reason you don’t see a pack of Cloudflare clone-companies, AFAIK, is that the talent required to clone Cloudflare is rare.
(Interestingly, an ISP—especially a cellular ISP familiar with routing roaming circuits—could totally pivot into Cloudflare’s business to expand globally. I wonder why we haven’t seen that?)
> I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem?
I feel like the perspective you’re coming at the problem from here is already heavily influenced by the contraction and centralization that the web went through in the early 2000s. Yes, right now, businesses just want essentially an online business card, and Facebook handles that just fine. But their desires are more of an acknowledgement of the practicalities of what’s economical for them to have built and hosted in the current (or recent-historical, since it takes a while for people’s thoughts on this to shift) web landscape.
Look around the internet of the 90s. Companies didn’t used to build business-card websites. The dreams of even the most run-of-the-mill SME used to be far more grandiose. At the very least, every company who knew what the options were, wanted to host a forum for the community composed of their customers. Many of the web’s most prominent standalone forums were started back then. Why so few today? Because ambitious, dynamic, user-generated-content-filled sites like these do get hurt by spamming and DDoSing. They’re hard to run—and not just in a community-management sense, but in an ops sense.
Cloudflare’s tech (which, again, anyone could offer, not just Cloudflare) can and does provide the protection required to allow SME websites to be a little bit more ambitious again, to the point that they’re not just doing something commoditizable by Facebook.
Talent is everywhere, but a lot of people who have it don't want to move to a big city. So IMO, the next Cloudflare's developers should be as widely dispersed as its POPs.
Edit: The more recently added part of your comment is very insightful, and I hadn't thought about it that way. Still, I think we could go a lot further with old-school hosting providers if we traded PHP and Ruby for Rust, Nim, and the like. Note that I didn't mention garbage-collected languages, because lots of applications running efficiently on a shared host is incompatible with a garbage collector that really wants the whole heap to itself.
GC'd langs like golang, crystal, nim, etc. would probably be just as effective in practice, while remaining more accessible to business app developers.
.NET Core benchmarks since Span<T> have been very interesting, especially relevant to this particular discussion because ASP.NET (web stack) was a primary consumer/driver for Span<T> APIs.
I ran a small web service in the video game industry for several years, and CloudFlare was essential to our survival, as the DDoS attacks would repeat every few weeks, and at times last 6 to 12 hours at a time. CloudFlare simply ate that up, and our customers were not impacted. Today, at a different company, different industry, we use CloudFlare for similar needs, but within physical area security networks. It's essential.
Hetzner is 20 years old company with ~300 employees and ~230,000 servers. Of course on scale of AWS, Google and others it's fairly small, but CloudFlare is not all that much larger.
They do, and CloudFlare has historically been part of the reason why they have such high DDoS risks. There's a bunch of "booter" sites out there which effectively sell botnet-as-a-service DDoS attacks to gamers, and those sites have relied on CloudFlare to stay online. Without that protection their competitors would DDoS their websites offline most of the time. Also, most reputable hosting and CDN services don't allow booters because they're both highly illegal and disruptive to the entire internet. CloudFlare, on the other hand, openly permits them.
We were hit hard by Chinese IP addresses. After a while we just blocked the entire Chinese IP range. Expecting script kiddies to try to hack our system, we started out with a Federal Reserve quality hardware firewall, and I suspect the presence of that security attracted attention.
As a guess, people who are invested in games are more likely to consider themselves techy people, the competition makes everything a bit tenser and elicits more excitement, and games are explicitly online only.
I don't have a horse in this race, but observing this back and forth is reminding me of Nietzsche:
He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.
> but hope there will always be more independent web because we exist than there would be if we didn’t.
I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...
The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.
The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.
I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.
The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.
At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.
Concretely, what are you suggesting Cloudflare is doing wrong here? What responsible things should they be doing that they aren't?
The "we try very hard not to be bad" form of mitigation is scary when the company is doing dangerous things without adequate safeguards, but I don't see how you figure Cloudflare is doing that here. Ultimately, when you've done everything you can not to put people at risk and the only remaining risk is that you'll stop being trustworthy, "We try very hard not to be bad" is all you can offer. So what more do you think they should be doing that would meaningfully reduce this risk?
If they really want to mitigate risk, then they should open up their tech, and promote competition. Not in their interests, but decentralising is the only way to safeguard against potential later abuses of power.
What I'm complaining about is a lot more broad than just the specific dangers with this service -- it has to do with how Cloudflare prioritizes what it spends it time on, and what the effects are of consolidation even with good actors. I disagree that conversation can be boiled down to, "what specifically is wrong with this particular project."
But, asking for specifics is reasonable, so very briefly, I'll describe two concrete problems I have.
----
First (and biggest), IP addresses should be hidden for everyone or no one. Cloudflare is revealing IP addresses because it doesn't want its VPN to be used as a privacy tool, just as a security tool. By positioning itself as a way to keep your data encrypted, and not as a way to bypass geo-locks, it's also less likely to be blocked by other companies. Ignoring whether or not it's a good use of resources for Cloudflare to make VPNs less private, this is on its face not unreasonable.
However, when you dig into the details, IP addresses are only exposed to websites that are using Cloudflare[0]. This creates a perverse economic incentive for sites to sign up for Cloudflare, because effectively Cloudflare is holding user data captive. If you're the NYT, and you thrive on data collection, and suddenly a huge portion of your visitors have their IP addresses hidden, and you can get those IP addresses by paying Cloudflare... that's problematic. That's Cloudflare creating a problem and then letting you pay them to solve it.
Cloudflare is looking into ways to expose IP addresses everywhere. Until they figure that out, they should either avoid launching the service, or they should hide IP addresses from Cloudflare customers.
----
Secondly, while there are people here disputing Warps performance increases, let's assume that (particularly Warp+) works as advertised and really does help make slow collections faster. It's worth noting that the majority of the underlying technology beneath Warp and Argo only works for companies of Cloudflare's scale. Cloudflare itself acknowledges this:
> There are few companies that have the breadth, reach, scale, and flexibility of Cloudflare's network. We don’t believe there are any such companies that aren't primarily motivated by selling user data or advertising. We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we're already running successfully. That meant if we could pull off the technology then we could afford to offer this service.[1]
This makes it much harder for users to move away from Cloudflare or switch to an alternative VPN if Cloudflare turns evil, because unless the VPN market stays diverse, it won't get the opportunity to become diverse again in the future.
Google helped wall in its AI dominance by investing heavily into AI research that relied on massive data collection for good performance. This restricted small competitors from ever being able to compete with them, because they didn't have massive databases. That dominance became self-reinforcing, because Google's AI programs are all designed to increase the size of its database. At the same time, Google garnered good will by Open Sourcing its underlying technology, despite the fact that the technology was useless to potential competitors without large data sets.
In the same way, Cloudflare is able to wall in its dominance by primarily researching technologies that require a network of Cloudflare's scale in order to work. In effect, Cloudflare is investing a lot of effort into technologies that only work for big companies. Google can claim, "it's not our fault that we have the most data, what do you want us to do?" Cloudflare can claim, "it's not our fault that we have the biggest network. There's no switch we can flip to make the network size not matter, it's just the logistics of cost." But if a technology or service results in a natural monop...
There is a fundamental difference between Google and Cloudflare. Cloudflare has a real business that is based on paying customers. Google never had that. It was founded in 1998 and AdWords was introduced in 2000. Cloudflare is already 10 years old and not showing any sign that it will change its business model. As far as I am concerned, they are a trusted vendor and I will trust them with my business unless they change up.
Could you add Privacy restrictions? I'd like to see a maximum 18 month data retention, and some restriction on changing the terms: promise to never change them, or only change with 6 month public notice... idk
We’ve promised logs deleted after no more than 24 hours. We don’t want personally identifiable information; we think of it as a toxic asset. Here are the privacy guarantees we’ve made for 1.1.1.1 and WARP: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...
How do you protect yourselves from becoming part of the USA's internet surveillance network? You're exposed to National Security Letters and you lost the case with the Ninth.
Ironically, the U.S. is the safest place from the USA's surveillance network, when no warrant whatsoever is required to collect information by hacking into a foreign entity.
The NSA was tapping glass of inter-DC links of all the major online players without their permission on US soil.
Not only that, the NSA was undermining NIST-approved algorithms by giving dishonest advice, thereby compromising the security of US institutions that used those algorithms:
> Ironically, the U.S. is the safest place from the USA's surveillance network
Only in the sense that one has the strongest theoretical argument for a legal remedy against surveillance after it happens, not in the sense that one is actually safe from being subjected to it in the first place, and only even then if one excluded “i’ll scratch your back if you scratch mine” from the other five eyes members when you say “U.S. surveillance network”.
The "I'll scratch your back if you scratch mine" theory has been written about ad nauseam, but isn't substantiated. The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.
> The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.
Not without presenting probable cause that the surveillance would produce evidence of a crime to a judge it can't.
Of course it can (and is well documented to have, on many occasions) just ignore the statutory and Constitutional restrictions on domestic surveillance. And that will probably, in most cases, be easier than going to a third party. Information sharing is most likely to be efficient when the other agency had a targeted surveillance operation already in place covering a target of interest, rather than in the naive “on demand” form.
The fact that this names four companies and remains an effective analogy is deeply troubling. There should be so many actors in all of these spaces that listing them would be a challenge.
I agree using Cloudflare proxy (or really any VPN) gives the company a lot of power.
But the idea of Cloudflare intercepting all of my traffic doesn't bother me since the alternative is simply another company (Spectrum, or my random friend's wifi, or Starbucks) intercepting all of my traffic by virtue of being my ISP. It's up to you which is the lesser of two evils.
I suppose Cloudflare may have more insight into the data being proxied if they're also managing the SSL certificates at the other end, however.
I can believe that Cloudflare's current leadership are currently more conscientious than, say, Comcast's. But, especially post-IPO, what is that actually worth? I think that, worldwide, it's likely that Cloudflare is already bigger than Comcast. So, unless I'm given evidence to the contrary, I think Comcast is the lesser evil.
If size is your only criteria then you might be right, but look at the company policies on privacy. Cloudflare has some pretty specific customer-oriented privacy policies. Comcast's policies are specifically set up to sell you and your information. That's a meaningful distinction and one with some (not much, but some) legal weight in the US.
I'm consistently amazed at how many people [on HN...] over-estimate the size/scale of Cloudflare.
Comcast is a huge, multi-billion $ operation with global contracts and broadcasting capabilities, and > 184,000 employees globally (that's more than Google, and even MSFT).
That's not to say that we shouldn't be wary of Cloudflare for many other reasons; but that they have more influence over the Internet than one of the world's largest consumer & corporate ISPs is definitely "a take".
How many websites have you visited that are hosted or proxied by Comcast? The fact that Cloudflare is now mediating the connection on both ends is what makes it frightening.
After some googling, it's very unclear how popular their CDN service is. Based on some of their marketing, seems like it might be focussed more on the video delivery side, which would also make sense given that it's Comcast. (If it indeed is an enterprise video delivery service, they may only have a handful of very large customers)
If this is accurate, it seems like Comcast also controls the data end-to-end (being both an ISP and CDN).
According to [0] between 5 and 10% of all websites use Cloudflare. Even using the lower number, I'm pretty sure that neither 5% of websites are hosted by Comcast nor that they serve 5% of internet users. This gives Cloudflare already a much larger potential to monitor/censor than Comcast has. I am not saying that they actively do so, just pointing out that they do have the scale and market share to do so.
What is more, in contrast to said Comcast, they also have the ability to access unencrypted traffic for those 5-10% percent.
Is your legal relationship with Cloudfare the same as with your ISP? Is Cloudfare liable for the same things as the ISP? Genuinely asking, I have no clue, just a vague sense that it's not apples to apples.
Very good point... Cloudflare is probably considered a third party according to the law... so no warrant is needed to get all of your data that is 6 months or older... a bit like your email hosted in the cloud: https://newspunch.com/government-can-read-any-email-over-six...
How would your “better Internet” work when it reaches an ocean? Maybe this doesn’t matter to you, as someone who lives in the US and mostly access websites hosted in the US; but for the majority of the world, getting access to “the Internet” is more about tapping into the millisecond-latency backbone of submarine cables, than it is about last-mile residential ISPs. Those submarine cables form a natural monopoly, there’s no escaping that. They’re utility infrastructure, like country-spanning bridges.
And the usual (optimal?) outcome for ownership of utility infrastructure, is that it gets held as a “public resource” by the government of the country or countries that built it; and then companies are contracted to manage it. From there, you end up with multilateral organizations weaving those pieces of infrastructure together in a top-down way (like shipping routes, or the postal system, or, hopefully one day, low-earth orbit.)
Which is far from an anarchosyndicalist mesh of interested companies, organizations, and individuals (ala the early Internet, or the HAM radio network), but we’ve never seen an ararchosyndicalist mesh successfully serving as a reliable/fault-tolerant backbone for any commercial endeavour so far, and I don’t know if it could.
I'm not sure how being headquartered in 2, 20 or 200 countries is going to make a difference, can you please explain? At most, those would be satellite or region offices, which in the end will report to a central HQ.
I think it's extremely clear that mwcampbell is pointing to being 'headquartered in a single country' as one of the aspects they don't like about a single company having too much power. It's clear they're not advocating more headquarters for companies with too much power, they're advocating more companies each with less power.
Submarine cables absolutely are not a monopoly, natural or otherwise. It’s the ocean, it’s pretty fucking big, and lots of companies and countries pay more cable every day.
the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols
I don't remember the internet ever being like that.
I remember when you couldn't e-mail someone in another city without going through gateways. When you couldn't visit the majority of major web sites without downloading plug-ins. When you knew the information you wanted was out there, but couldn't get to it because it was behind obtuse, non-searchable infrastructure.
To me, the internet today isn't perfect. But it's a heck of a lot better than its romanticized distant past.
As for WARP, I'll give it a try. I don't fully trust Cloudflare, but I trust it a heck of a lot more than I trust my ISP or my cell phone provider. Long ago, both of those entities burned privacy bridges. Cloudflare hasn't done so. Yet, anyway.
I was on the web since AOL added it to their client
I was online before there was AOL, or a web, and before there was an internet, back when it was dozens of networks, with varying degrees of interconnectivity.
it was never as bad as you're hinting it is.
It was bad. You had to be there. (Think an e-mail from the east coast of the United States taking 10 days to reach Norway. For many destinations, snail mail was faster.)
I'd like to be in a world where if Cloudflare or AWS is down my websites and the sites I enjoy are still up.
But to do that I'd need to have replication not just across data centers but across providers. And it's hard enough getting your team to understand how one provider works. We'd have to go an awful long way toward standardizing and dare I say comodifying these companies to get there.
But as Fortune 500 companies have known for longer than Fortune has existed, if you have two vendors you can play off of each other your life tends to go a lot better. Right now almost none of us have that, and I suspect we are all a little poorer for it.
sure... but I'd trust Cloudflare over Comcast anyday.
Plus, (1) you can turn on/off WARP at your leisure and (2) they've explicitly committed to limited logging and not selling data which is pretty huge.
I use a small local provider where possible... but the reality is that they have to lease their lines from AT&T anyway. In general, there are very few providers out there that have capability to offer competitive services.
This is exactly my scepticism. Also, they always happen to be rooted in the US where my data has no rights and come with a general cultural lack of understanding of consumer protections.
This isn't power that good intentions are going to keep straight.
I switched it on this morning and switched it off again after 10 minutes. It was so slow I couldn’t load web pages or send messages on WhatsApp. Maybe too many people joining in a short time.
Yes but this is unlikely given CF's response. If they were short on capacity they wouldn't turn on two million people in one day and then ask for bug reports.
So, pay money to the unaccountable de facto internet police in the age of "HTTPS everywhere" for a VPN that "will not hide your IP address from the websites you visit"?
It's not April Fools... Is this SV's version of "pull my finger"?
There are scenarios where you may be more concerned about the folks running (or not running) the local network that you are operating on than the larger surveillance operation.
Just wanted to say Thank You. I could only wish this was released a little sooner, but better late than Never. The Hong Kong people desperately need something like this to avoid ISP monitoring. I wonder if something similar is planned for Windows and Mac?
P.S Regarding the 10GB, have been on the waiting list since April 1st, nothing shown up yet.
We're working our way through the waitlist now, hoping to get to everyone today. If you have an up-to-date version of the 1.1.1.1 app running you'll get a push notification when we are ready for you to opt-into WARP.
Thank you! I have been waiting since April and also on the Testflight beta. Have been looking forward to recommending this to my friends and family that needs a casual VPN for those use cases where they are visiting a unfamiliar hotspot.
Super excited to give this a few month paid trial. I've seen time and time again that Cloudflare takes the value of privacy seriously. Alternative VPNs seem to be running on AWS or GCP anyways.
I spend a lot of time outside the USA and have privacy concerns a bit beyond USAs typical data collection. I've been enjoying the 1.1.1.1 app since April without issues.
I'd love to see the speed comparison examples soon!
Same for me. Uninstalled because of this. I feel for those people that won’t understand that the app that says they will get faster speed is the one slowing them down.
Can someone explain the difference between warp and warp+? I’ve read the blog and the App Store description, both of which completely fail to identify the difference.
Hopefully I can! WARP uses a protocol called WireGuard to secure your Internet traffic. Your encrypted traffic flows over that protocol to the closest Cloudflare data center before it is released onto the public Internet.
WARP+ takes that one step further. Rather than releasing your traffic directly onto the Internet, we use all the data we have from our Argo product [1] to route your traffic to _another_ Cloudflare data center via the route over the Internet with the best possible performance. That data center will be closer to your traffic's destination, hopefully improving the performance. In effect your traffic will bypass Internet congestion and slow links with the goal of better time-to-first-byte performance.
Why should a user pay $4.99/month for Warp+ when they can pay less than that for a traditional VPN that masks their IP address? Does the performance benefit make up for the relatively weaker privacy?
If you are hoping to mask your IP you should probably use a traditional VPN and not WARP. WARP doesn't compete with VPNs, it is for everyone who would or could never use a VPN.
For me, it’s a trust issue: it’s quite hard to evaluate VPN providers so many people might prefer to use a company with substantial visibility and other businesses at risk if they break their privacy guarantees.
Most use a VPN to add a layer of anonymity (hidden IP) and to circumvent geo blocking.
All this does is hide unencrypted traffic from the local network and maybe give a moderate speedup, but one that will probably be restricted to non-Cloudflare properties. For other properties, especially high-traffic ones with their own fancy routing logic, this will probably be more detrimental than helpful.
Admittedly a lot of people also just use VPNs because of the countless ads telling them that the Web is terribly insecure without one. I don't see this being much of a success without big ad spending.
I'm in the (likely) target demographic for this (and just signed up for the paid version). I don't care about true anonymity or geo-blocking - what I care about is that Verizon/Comcast both do HEAVY traffic shaping to suit them, not me. I.e. I'm promised "720p" video quality on Netflix when streaming over LTE and yet, for some strange reason that goly gee I can't quite understand (/s) it's never very good and always slow, even with full signal.
I'd rather just encrypt all my traffic and let Cloudflare make the routing decisions - that alone is worth an extra $5/month.
I don't understand how "Warp" would help you in the long run - wouldn't we expect Verizon et. al to treat cloudflare endpoints as "suspect" or "throttle-worthy" ?
TOR endpoints are discriminated against by many endpoints and providers - why not Warp endpoints ?
Does WARP block access to websites that Cloudflare has specifically denied a platform to their other services? It only makes sense that if they refused to do business with a website because they are "an environment that revels in violating [the spirit of anti-hate law]" that they would also prevent end-users from accessing it under the same grounds, no?
How I see it: a well operated VPN service for whenever you trust Cloudflare more than the internet connection you’re currently on (coffee shop or airport wifi, co-working space, random mobile ISP when traveling or even at home, …).
Compare this to the current best alternative: difficult to evaluate VPNs ranging from paid to free & non-trivial to set up.
Not saying there are no alternatives but even for me it is not easy to tell which ones are actually better or in the same ballpark (@ trust, speed, ops-skills, …) let alone for the longtail of users who would be better off with something like Cloudflare than with a random shady VPN or nothing.
If I were to use a VPN I'd stick with providers with proven track records of responding to court orders with empty logs, not the company with a CEO who capriciously kicks sites off their platform in response to online mobs.
I'd also feel very uneasy with continuing to feed the consolidation of the internet's traffic. Giving full control of your phone's routing to Cloudflare is sold as improving performance, but what it also does is give Cloudflare a lot of flexibility to pay less in transit costs and have a stronger position for peering agreements. Today that might be good in preventing ISP shakedowns, but very bad tomorrow if ISPs have to pay Cloudflare for the privilege of accessing the majority of the internet.
This is funny to me because CF's previous reputation was that they'd do business with anyone no matter how scummy. They're notorious for selling to both sides when criminal gangs were DDoS'ing each other. But they terminate service for a grand total of two sites and suddenly they're "capricious".
Sorry but when it comes to VPN providers you have to have a pristine track record, not a couple whoopsies here and there. And I doubt that grand total is going to stay stuck at two when they're hiring Antifa supporters/members.
As far as I know, CloudFlare are still willing to provide service to all of the DDoS services that let anyone with a few dollars knock any company which doesn't buy from CloudFlare off the internet. They just don't have the excuse that they're doing it out of some kind of belief in free speech anymore.
This is incorrect. WARP is the VPN, WARP+ is a series of routing enhancements designed to improve performance. Sorry for the confusion, clearly we need to explain it better.
Ah. I turned on WARP, then googled "what is my ip?" and it is returning the IP address that I had before turning on WARP. Is that not the intended behavior?
edit: read your other comments and see this is (in some circumstances) intended behavior. I don't think you should claim WARP is a VPN if you aren't offering privacy from the endpoint. Perhaps the app should say "your browsing traffic is now private" rather than "your internet is private."
385 comments
[ 3.9 ms ] story [ 135 ms ] thread(Though I haven't tried it. So far I haven't received the 10gb Argo credits described, despite being on the waiting list for yonks)
Edit: My 10GB came through. Looks like release day latency.
If you can extract the endpoints, private and public keys, it might work. It would be considered unsupported and might be considered a violation of the terms of use. Check the license agreement.
1: https://community.cloudflare.com/t/warp-desktop/79072
That answer is correct, but official word is here https://news.ycombinator.com/item?id=21071258
(Not my Twitter account, just saw it on my timeline)
If it brings competition to the shady VPN-peddlers, and is easy to download and get going, I'll consider it a net positive, all-in-all, regardless whether I'll use it personally or not.
Cloudflare has, time and time again demonstrated openness, transparency, and insight into their technical and ethical frameworks. I trust them a whole lot more than my isp or any random vpn provider.
As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.
They've also exercised power over websites based on moral outrage. Perhaps 99.999% of people agree with the morals behind this decision, and maybe it's even the right decision, but it's still an arbitrary decision made by Cloudflare.
They are also bound by US law, and other entities bound by US law have been forced to enable the exact same forms of record keeping that Cloudflare says they will keep turned off.
Cloudflare is not a neutral party. They don't even advertise themselves as a neutral party.
Pick the evil you're most comfortable with.
https://privacypass.github.io/
For example would remote desktop from Thailand or Philippines to Europe work more reliably?
Most of those consumers aren't aware of any of that, so if you want them to use it, you'll have to pay for marketing to bring it to their attention. Is that the plan?
> Before today, there were approximately two million people on the waitlist to try WARP. That demand blew us away. It also embarrassed us. The common refrain is consumers don’t care about their security and privacy, but the attention WARP got proved to us how wrong that assumption actually is.
If anything, all I would take from that number is that the tech crowd is perhaps larger than people give it credit for. But I highly doubt that waitlist expands highly beyond the tech crowd.
Happy to be wrong, though :)
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
https://icanhazip.com - on CF network https://ifconfig.me - not on CF network
1- https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...
Is it to support IP authenticated logins or similar?
It sounds like cloudflare spent the time to do away with hiding ip addresses. Actively removing that feature of a VPN, which you should get for free in a wireguard implementation, seems fishy to say the least. Especially since no reasonable explanation for this was given.
1) Communicating with insecure websites (HTTP instead of HTTPS)
2) Using unsecured wireless networks (e.g. Wi-Fi at a coffee shop)
Beyond these two cases, is there any advantage to using Warp? Does Warp provide any benefits for email (secure IMAP/SMTP), file sharing (BitTorrent), or other protocols?
One more for people with cell phone plans that don't adhere to net neutrality: Warp can probably bypass quality caps on video streaming.
Traditional VPNs are strictly better than Warp+, as far as I can see, but the free version of Warp is a generous offering for users who would otherwise not be using a VPN.
https://news.ycombinator.com/item?id=21070988
C
Based on speed tests, it doesn't look like Warp is bypassed for video content.
> Warp and Warp+ will not route traffic data from your device through the Cloudflare network for certain Internet properties, such as over-the-top content provider websites, as determined by Cloudflare in its sole discretion.
https://www.cloudflare.com/application/terms
"Over-the top content provider websites" most likely include Netflix, Hulu, Prime Video, etc.
https://en.wikipedia.org/wiki/Over-the-top_media_services
If this is the case, then Warp would not be helpful for evading speed caps for video on mobile data plans.
Statistics from one of my websites running Argo show a 16.73% percent improvement for 32.3% of web traffic routed through Argo.
For my Google Cloud Washington based server, I see 5-15% improvement for some traffic from the EU and US East Coast and 15-30% improvement some traffic from Asia, Africa, and South America. (all according to CF statistics)
I don't understand the statistic. Is that the best 32.3%? Is the worst 32.3% 16.73% worse?
But for websites outside your network I don't see any obvious way how to do that. Wouldn't this being possible imply that it's possible to spoof traffic? That would open a whole can of worms for the web and even the internet at large.
But I also get your point that you don't want people to see WARP as a regular VPN to protect a users IP address from being exposed to the other side. Since it's not easy for a user to see which sites run behind CF and which ones don't while browsing they must keep this in mind. Or they can just firewall all CF IPs minus the ones used by WARP (assuming none are shared with other CF products and a list can be obtained).
I would dare to say you're wrong. It's one big reason I wouldn't/won't use Warp.
Last night i was testing it and geo-location was visible...
At least, that's the way I'm currently understanding it.
I'm hyped to see Rust code running on so many phones.
I'm surprised, but pleased that you can use WARP without 1.1.1.1 DNS. Hopefully thats not a bug.
Back to nextdns then, has more value to me.
Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.
My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.
Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.
I can see how some people would benefit from this kind of VPN.
On facebook you are the product in the sense that they sell access to your eyes.
On linkedin you are the product in the sense of aiming to the network effect (and also for ads I imagine)
If I am the product on warp in the sense that websites hosted on cloudflare are faster it is not that bad.
(it is your choice to trust them or not, but that truism just says that the profit needs to come somewhere and you should be aware of it)
And any VPN provider that hosts their servers and routes their traffic through unknown datacenters?
I'd rather trust Cloudflare that has a great track-record (+Public Canary and are on US Privacy Shield), than any random VPN provider.
The bigger VPN providers also offer Wireguard and a simple UI (Basically click the map and you're connected).
https://twitter.com/saurik/status/1176893448445558784
His provided script is cache.saurik.com/twitter/wgcf.sh
It's not designed to be anonymous, but it does fully encrypt all traffic coming from your device to the internet, meaning, it's great when you don't want to trust the ISP, public Wifi or even the cell provider with your traffic.
be careful what you wish for.
Your entire IP address or a mask to an approximate location?
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
We haven’t said that in a long time, but I was reminded of it while we were on our IPO Road Show. One investor we met with said:
“Here’s how I think of you: Cloudflare is to Facebook as Shopify is to Amazon.”
That resonated to me and reminded me of our earliest days and why we started the company.
So I appreciate the concern but hope there will always be more independent web because we exist than there would be if we didn’t.
But it's ok, 8chan is a 'hate site,' right? We all know which ones those are.
Cloudflare took down one website that was directly related to a major tragedy that cost people their lives. If you want to complain about that go ahead, but I don't care. I don't allow people to use my websites to spread that kind of hate, and I have no problem with Cloudflare doing the same in extreme circumstances.
As to whether 8chan 'caused' those abhorrent crimes, I couldn't say, any more than 'violent video games' caused them. I view such crimes as having a root cause of some form of mental illness, which does not (imo) relieve the doers of culpability.
The point is that they are demonstrably not exactly what they claim to be, and thus some level of distrust is warranted.
Where does Cloudflare claim to be content agnostic?
They may want to claim it, one way or the other, as part of their IPO filing so that potential investors have some idea of liability risks with the company.
It's sad to see them compromise their principles, but sometimes it only takes one little Twitter mob to make people back down. That's why it's reasonable to question their character.
https://blog.cloudflare.com/cloudflare-and-free-speech/
He did buckle, but we're only human. But did the pressure come from an angry mob on twitter, as most people assume, or from some guys wearing shades and an earpiece?
It would either mean that the laws are insufficient or that the market is overreaching.
The Christchurch killer livestreamed the event on Facebook, and the enormous well-funded content moderation apparatus within failed to shut it down until well after the innocents were dead.
But Grandma uses Facebook, so we can't go after them.
The Wal-Mart shooter had a Twitter account, and posted plenty of content questionable enough even for the FBI to take notice.
But cousin Jake uses Twitter, so we can't go after them.
It doesn't matter what 8chan was used for, because far more popular platforms were used for far worse content. The only thing that mattered here was popularity.
And 8chan didn't have it.
they want those people there
this is where they radicalize each other
quote: There’s an unfortunate corollary to this, which is that if you try to create a libertarian paradise, you will attract three deeply virtuous people with a strong commitment to the principle of universal freedom, plus millions of scoundrels. Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
To most people, that's why 8chan needed to be shut down, but Facebook only needs to be fixed. Why do you think that's irrelevant, and being small is the only crime?
Another reason I don't think this is true is that I also can't find anything suggesting that the content the Christchurch killer posted is illegal (indeed, it has significant newsworthiness and academic value), and 8chan's policy was to allow anything not "illegal in the United States of America" [1] . If it didn't violate 8chan's policies, why did they take down the stream?
[1]: http://web.archive.org/web/20190805065011/https://8ch.net/fa...
https://news.ycombinator.com/newsguidelines.html
I am generally against censorship, because for every case that is "obvious", there are many more that merely seem so on the surface. This is especially important in cases where you might simply disagree with how someone else thinks, since thoughts can never be allowed to become illegal or immoral; it is only actions where such judgements are applicable.
The proper approach to combating misinformation and dangerous ideas is education. By understanding why an idea is dangerous, you will also understand why it cannot inform your actions.
Using legal tools would be horrific. Government censors deciding what material is too dangerous for the public is exactly one of the elements of fascism.
Private entities on the open market exercising their right to not help promote ideas they object to is a good thing. It means that the more objectionable an idea is, the harder it is to publish and the smaller its reach; and the more in the gray area an idea it is, the easier it is disseminate and the wider its reach. If one of those private entities makes a mistake in judgment, that's an opportunity for a competitor.
Governments have a monopoly on violence. Its power is not kept in check by competitors, but by systems like a bill of rights. Weakening those rights to allow legal tools to control ideas would be disastrous.
Corporations have no responsibility or ability to educate everyone about misinformation. They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
> They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
This is literally corporate fascism if done in an extralegal way. And no, the free market is not going to care about the 1-5% of people discarded.
To quote a very nice blog[1]:
Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
[1] https://slatestarcodex.com/2015/07/22/freedom-on-the-central...
What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.
I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else. If no one wants to take up that opportunity, then the public has spoken. It's not ideal, but it's way better than a government making that choice through threats of force.
Entirely agree and current laws already prohibit encouraging murder
> I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else.
Like it was in in the 20th century before civil right laws?
It is like saying that a monopoly is impossible because competitors can always emerge. It just does not work in practice.
Especially when the "competitor" become themselves target of a new witch hunt.
Things like civil rights laws are the flip side of the same coin. I'm comfortable with laws that prohibit threats of violence. I'm comfortable with laws that ensure you can't refuse service to someone just because they're of a race you don't like. I think that's a reasonable compromise of "free speech".
But I'm not comfortable with a government requiring that a company allow their users to build something like 8chan inside their service. If Reddit didn't want to allow users to have a sub dedicated to fat shaming, I'm not comfortable with the government being able to tell Reddit that they're required to allow that sub to operate, unfettered. If Facebook wants to shut down a page or group that promotes hatred of a particular race, I'm not comfortable with the government saying they have to let it run.
So how do we solve this problem? The article you reference even suggests, at the very end, that (despite the examples of past bad behavior) all this worrying might be for nothing:
> My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone. It’s entirely possible that we’ll escape with only a few things banned that probably deserve it. I certainly hope this is the case.
He also acknowledges that it's not great to be in a position where we have to depend on hope in order to reach a good outcome, which I agree with, but maybe that's just all we have. Legislating behavior only works up to a point. Legislating attitudes doesn't work at all.
I'm happy to see the Daily Stormer gone. I'm happy to see 8chan gone. I'm happy to see Reddit banning some subs (and honestly wish they'd ban more). I don't see the value in tolerating speech that promotes intolerance. But I'm not comfortable with the government stepping in here, and while their handling is far from perfect, the private companies aren't doing too terrible a job at it.
"My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone."
> This is literally corporate fascism if done in an extralegal way.
I resolutely and absolutely oppose corporations acting extralegally. But Cloudflare and Voxility have an absolute legal right to not do business with 8chan and Epik if they so choose.
you know this doesnt actually stop the murders right? does it feel better to get outraged at the site instead of the murderer?
It's the digital equivalent to a No Shirt, No Shoes... No service sign.
It's true that a website using Cloudflare is more independent than a Facebook page, in that in the former case, the company can take their domain to another provider. But my idea of an independent Web is a large number of websites depending on a large number of high-quality hosting providers. The latter number will inevitably be smaller, but shouldn't be single-digit. That would lead to too much potential for abuse of power.
Also, the more sites are using a single provider with its black-box algorithms and heuristics, the more potential there is for bad consequences for innocent users when those things misfire. That's what worries me about the bot-fighting feature you launched on Monday.
To respond specifically to part of what you said:
> The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages.
I don't think I understand how Cloudflare actually helps here. I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem? If so, I haven't run into them in the 16 years that I was the programmer and sysadmin for a small company (admittedly, online services are that company's business). Maybe we just didn't make the right enemies? Now, maybe small web hosting providers could make it even easier to set up a new website, but Cloudflare doesn't do anything about that problem anyway. If the concern is performance, maybe we need better alternatives to WordPress and Drupal, and more local hosting providers, so the website for small businesses can be closer to their mostly-local customers without using a CDN.
The space Cloudflare is in could afford plenty of players, I think—more than a single-digit amount. There’s nothing about Cloudflare’s business strategy that implies/necessitates that they’d become a monopoly in a market equilibrium state. The only reason you don’t see a pack of Cloudflare clone-companies, AFAIK, is that the talent required to clone Cloudflare is rare.
(Interestingly, an ISP—especially a cellular ISP familiar with routing roaming circuits—could totally pivot into Cloudflare’s business to expand globally. I wonder why we haven’t seen that?)
> I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem?
I feel like the perspective you’re coming at the problem from here is already heavily influenced by the contraction and centralization that the web went through in the early 2000s. Yes, right now, businesses just want essentially an online business card, and Facebook handles that just fine. But their desires are more of an acknowledgement of the practicalities of what’s economical for them to have built and hosted in the current (or recent-historical, since it takes a while for people’s thoughts on this to shift) web landscape.
Look around the internet of the 90s. Companies didn’t used to build business-card websites. The dreams of even the most run-of-the-mill SME used to be far more grandiose. At the very least, every company who knew what the options were, wanted to host a forum for the community composed of their customers. Many of the web’s most prominent standalone forums were started back then. Why so few today? Because ambitious, dynamic, user-generated-content-filled sites like these do get hurt by spamming and DDoSing. They’re hard to run—and not just in a community-management sense, but in an ops sense.
Cloudflare’s tech (which, again, anyone could offer, not just Cloudflare) can and does provide the protection required to allow SME websites to be a little bit more ambitious again, to the point that they’re not just doing something commoditizable by Facebook.
Talent is everywhere, but a lot of people who have it don't want to move to a big city. So IMO, the next Cloudflare's developers should be as widely dispersed as its POPs.
Edit: The more recently added part of your comment is very insightful, and I hadn't thought about it that way. Still, I think we could go a lot further with old-school hosting providers if we traded PHP and Ruby for Rust, Nim, and the like. Note that I didn't mention garbage-collected languages, because lots of applications running efficiently on a shared host is incompatible with a garbage collector that really wants the whole heap to itself.
In fact, I can't find any matching that description.
It is pointless if you have a small pipe. Pipe jamming attacks are way too common and small vendors are almost always unable to cope with that.
They are to the kinds of websites that Cloudflare takes an active stance in deciding whether to serve/protect/censor or not.
He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.
I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...
The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.
The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.
I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.
The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.
At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.
The "we try very hard not to be bad" form of mitigation is scary when the company is doing dangerous things without adequate safeguards, but I don't see how you figure Cloudflare is doing that here. Ultimately, when you've done everything you can not to put people at risk and the only remaining risk is that you'll stop being trustworthy, "We try very hard not to be bad" is all you can offer. So what more do you think they should be doing that would meaningfully reduce this risk?
But, asking for specifics is reasonable, so very briefly, I'll describe two concrete problems I have.
----
First (and biggest), IP addresses should be hidden for everyone or no one. Cloudflare is revealing IP addresses because it doesn't want its VPN to be used as a privacy tool, just as a security tool. By positioning itself as a way to keep your data encrypted, and not as a way to bypass geo-locks, it's also less likely to be blocked by other companies. Ignoring whether or not it's a good use of resources for Cloudflare to make VPNs less private, this is on its face not unreasonable.
However, when you dig into the details, IP addresses are only exposed to websites that are using Cloudflare[0]. This creates a perverse economic incentive for sites to sign up for Cloudflare, because effectively Cloudflare is holding user data captive. If you're the NYT, and you thrive on data collection, and suddenly a huge portion of your visitors have their IP addresses hidden, and you can get those IP addresses by paying Cloudflare... that's problematic. That's Cloudflare creating a problem and then letting you pay them to solve it.
Cloudflare is looking into ways to expose IP addresses everywhere. Until they figure that out, they should either avoid launching the service, or they should hide IP addresses from Cloudflare customers.
----
Secondly, while there are people here disputing Warps performance increases, let's assume that (particularly Warp+) works as advertised and really does help make slow collections faster. It's worth noting that the majority of the underlying technology beneath Warp and Argo only works for companies of Cloudflare's scale. Cloudflare itself acknowledges this:
> There are few companies that have the breadth, reach, scale, and flexibility of Cloudflare's network. We don’t believe there are any such companies that aren't primarily motivated by selling user data or advertising. We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we're already running successfully. That meant if we could pull off the technology then we could afford to offer this service.[1]
This makes it much harder for users to move away from Cloudflare or switch to an alternative VPN if Cloudflare turns evil, because unless the VPN market stays diverse, it won't get the opportunity to become diverse again in the future.
Google helped wall in its AI dominance by investing heavily into AI research that relied on massive data collection for good performance. This restricted small competitors from ever being able to compete with them, because they didn't have massive databases. That dominance became self-reinforcing, because Google's AI programs are all designed to increase the size of its database. At the same time, Google garnered good will by Open Sourcing its underlying technology, despite the fact that the technology was useless to potential competitors without large data sets.
In the same way, Cloudflare is able to wall in its dominance by primarily researching technologies that require a network of Cloudflare's scale in order to work. In effect, Cloudflare is investing a lot of effort into technologies that only work for big companies. Google can claim, "it's not our fault that we have the most data, what do you want us to do?" Cloudflare can claim, "it's not our fault that we have the biggest network. There's no switch we can flip to make the network size not matter, it's just the logistics of cost." But if a technology or service results in a natural monop...
https://blog.cloudflare.com/ninth-circuit-rules-on-nsl-gag-o...
Poppycock:
* https://blog.cryptographyengineering.com/2019/09/24/looking-...
* https://en.wikipedia.org/wiki/Room_641A
The NSA was tapping glass of inter-DC links of all the major online players without their permission on US soil.
Not only that, the NSA was undermining NIST-approved algorithms by giving dishonest advice, thereby compromising the security of US institutions that used those algorithms:
* https://en.wikipedia.org/wiki/Dual_EC_DRBG
Only in the sense that one has the strongest theoretical argument for a legal remedy against surveillance after it happens, not in the sense that one is actually safe from being subjected to it in the first place, and only even then if one excluded “i’ll scratch your back if you scratch mine” from the other five eyes members when you say “U.S. surveillance network”.
Not without presenting probable cause that the surveillance would produce evidence of a crime to a judge it can't.
Of course it can (and is well documented to have, on many occasions) just ignore the statutory and Constitutional restrictions on domestic surveillance. And that will probably, in most cases, be easier than going to a third party. Information sharing is most likely to be efficient when the other agency had a targeted surveillance operation already in place covering a target of interest, rather than in the naive “on demand” form.
But the idea of Cloudflare intercepting all of my traffic doesn't bother me since the alternative is simply another company (Spectrum, or my random friend's wifi, or Starbucks) intercepting all of my traffic by virtue of being my ISP. It's up to you which is the lesser of two evils.
I suppose Cloudflare may have more insight into the data being proxied if they're also managing the SSL certificates at the other end, however.
Xfinity: $52 B revenue 2017
Comcast holdings (the parent of xfinity, couldn't find numbers for xfinity): 184,000 employees
Cloudflare: < $ 0.2 B revenue 2018, several thousand employees (looks like less than 2000)
Comcast is a huge, multi-billion $ operation with global contracts and broadcasting capabilities, and > 184,000 employees globally (that's more than Google, and even MSFT).
That's not to say that we shouldn't be wary of Cloudflare for many other reasons; but that they have more influence over the Internet than one of the world's largest consumer & corporate ISPs is definitely "a take".
After some googling, it's very unclear how popular their CDN service is. Based on some of their marketing, seems like it might be focussed more on the video delivery side, which would also make sense given that it's Comcast. (If it indeed is an enterprise video delivery service, they may only have a handful of very large customers)
If this is accurate, it seems like Comcast also controls the data end-to-end (being both an ISP and CDN).
[0] https://www.comcasttechnologysolutions.com/
[1] https://www.comcasttechnologysolutions.com/sites/default/fil...
[0] https://www.wired.com/story/cloudflare-spectrum-iot-protecti....
Unless I'm given evidence to the contrary, I will adamantly say it is silly to say Comcast is the lesser evil.
The law is wrong in this case, of course.
And the usual (optimal?) outcome for ownership of utility infrastructure, is that it gets held as a “public resource” by the government of the country or countries that built it; and then companies are contracted to manage it. From there, you end up with multilateral organizations weaving those pieces of infrastructure together in a top-down way (like shipping routes, or the postal system, or, hopefully one day, low-earth orbit.)
Which is far from an anarchosyndicalist mesh of interested companies, organizations, and individuals (ala the early Internet, or the HAM radio network), but we’ve never seen an ararchosyndicalist mesh successfully serving as a reliable/fault-tolerant backbone for any commercial endeavour so far, and I don’t know if it could.
The vast majority of companies have their HQ in a single country. This is due to the base function that the HQ serves for a corporation. [0][1]
[0]http://www.investopedia.com/terms/c/corporate-headquarters.a...
[1]https://en.wikipedia.org/wiki/Corporate_headquarters#Locatio...
I don't remember the internet ever being like that.
I remember when you couldn't e-mail someone in another city without going through gateways. When you couldn't visit the majority of major web sites without downloading plug-ins. When you knew the information you wanted was out there, but couldn't get to it because it was behind obtuse, non-searchable infrastructure.
To me, the internet today isn't perfect. But it's a heck of a lot better than its romanticized distant past.
As for WARP, I'll give it a try. I don't fully trust Cloudflare, but I trust it a heck of a lot more than I trust my ISP or my cell phone provider. Long ago, both of those entities burned privacy bridges. Cloudflare hasn't done so. Yet, anyway.
I was on the web since AOL added it to their client in the mid-90s and it was never as bad as you're hinting it is.
I was online before there was AOL, or a web, and before there was an internet, back when it was dozens of networks, with varying degrees of interconnectivity.
it was never as bad as you're hinting it is.
It was bad. You had to be there. (Think an e-mail from the east coast of the United States taking 10 days to reach Norway. For many destinations, snail mail was faster.)
But to do that I'd need to have replication not just across data centers but across providers. And it's hard enough getting your team to understand how one provider works. We'd have to go an awful long way toward standardizing and dare I say comodifying these companies to get there.
But as Fortune 500 companies have known for longer than Fortune has existed, if you have two vendors you can play off of each other your life tends to go a lot better. Right now almost none of us have that, and I suspect we are all a little poorer for it.
Plus, (1) you can turn on/off WARP at your leisure and (2) they've explicitly committed to limited logging and not selling data which is pretty huge.
I use a small local provider where possible... but the reality is that they have to lease their lines from AT&T anyway. In general, there are very few providers out there that have capability to offer competitive services.
This isn't power that good intentions are going to keep straight.
It's not April Fools... Is this SV's version of "pull my finger"?
There are scenarios where you may be more concerned about the folks running (or not running) the local network that you are operating on than the larger surveillance operation.
P.S Regarding the 10GB, have been on the waiting list since April 1st, nothing shown up yet.
Edit: And the wait is over!! WARP is now available!
China Government: "Here, hold my beer..."
Heads up that the 10GB is also not showing up.
I spend a lot of time outside the USA and have privacy concerns a bit beyond USAs typical data collection. I've been enjoying the 1.1.1.1 app since April without issues.
I'd love to see the speed comparison examples soon!
It takes 20 seconds for every YouTube video to load while they load instantaneous without WARP:
https://streamable.com/9tp1k
I'd love to get my non-tech family on this.
WARP+ takes that one step further. Rather than releasing your traffic directly onto the Internet, we use all the data we have from our Argo product [1] to route your traffic to _another_ Cloudflare data center via the route over the Internet with the best possible performance. That data center will be closer to your traffic's destination, hopefully improving the performance. In effect your traffic will bypass Internet congestion and slow links with the goal of better time-to-first-byte performance.
1- https://www.cloudflare.com/products/argo-smart-routing/
Most use a VPN to add a layer of anonymity (hidden IP) and to circumvent geo blocking.
All this does is hide unencrypted traffic from the local network and maybe give a moderate speedup, but one that will probably be restricted to non-Cloudflare properties. For other properties, especially high-traffic ones with their own fancy routing logic, this will probably be more detrimental than helpful.
Admittedly a lot of people also just use VPNs because of the countless ads telling them that the Web is terribly insecure without one. I don't see this being much of a success without big ad spending.
Might work out just fine for CF, but I will pass.
I'd rather just encrypt all my traffic and let Cloudflare make the routing decisions - that alone is worth an extra $5/month.
TOR endpoints are discriminated against by many endpoints and providers - why not Warp endpoints ?
kudos @ launching, have been waiting for this
How I see it: a well operated VPN service for whenever you trust Cloudflare more than the internet connection you’re currently on (coffee shop or airport wifi, co-working space, random mobile ISP when traveling or even at home, …).
Compare this to the current best alternative: difficult to evaluate VPNs ranging from paid to free & non-trivial to set up.
Not saying there are no alternatives but even for me it is not easy to tell which ones are actually better or in the same ballpark (@ trust, speed, ops-skills, …) let alone for the longtail of users who would be better off with something like Cloudflare than with a random shady VPN or nothing.
I'd also feel very uneasy with continuing to feed the consolidation of the internet's traffic. Giving full control of your phone's routing to Cloudflare is sold as improving performance, but what it also does is give Cloudflare a lot of flexibility to pay less in transit costs and have a stronger position for peering agreements. Today that might be good in preventing ISP shakedowns, but very bad tomorrow if ISPs have to pay Cloudflare for the privilege of accessing the majority of the internet.
Even this blog post is confusing "From a technical perspective, WARP is a VPN." Then contrasts WARP with a "traditional VPN"
edit: read your other comments and see this is (in some circumstances) intended behavior. I don't think you should claim WARP is a VPN if you aren't offering privacy from the endpoint. Perhaps the app should say "your browsing traffic is now private" rather than "your internet is private."