I really hate to be that guy, but I'm afraid that Cloudflare partnering with every browser to offer a VPN is just going to draw the attention of authorities, who would force them to install their censorship policies and force flow logging on all proxying services of this kind, effectively killing the purpose of such services.
There is already precedent for this happening in Russia; in that incident every VPN pulled out of the country. However if everyone enforces it, it's gonna be hard.
--
From a purely technical perspective this seems to equivalent to Apple Private Relay _iff_ the operator for the ingress and egress are two different endpoints, which it is not clear from the presentation.
In the case of APR Apple has their own servers (mask-h2.icloud.com) that accepts connections and obscures the IP <-> website mapping for their exit relay providers, who are Cloudflare, Akamai and Fastly at the moment.
If they are the same operator, because of the ClientHello permutation in Chromium based browsers[1] such as Edge, Cloudflare gets a high-entropy identifier + IP address, which, along with SNI header inspection, could be theoretically used to identify individual users.
> authorities [...] would force them to install [...] flow logging
This doesn't necessarily require Cloudflare's cooperation. Remember when the NSA tapped Google's internal network without their knowledge? SSL added and removed here :-)
The return routes are most likely in the same run but just a different strand. I think this is the way underwater cables are tapped - no need for a completely new run back.
It's from the OG PRISM slides. Previously Google's internal production network didn't use encryption, SSL/TLS was terminated at the perimeter. So the NSA simply tapped their dark fiber between data centers.
Except, Cloudflare already proxies 10% or more of all HTTP traffic (has plaintext access to most of it). If the authorities wanted to DPI away, there's already more to look at even without these VPN offerings.
> From a purely technical perspective this seems to be a slightly worse version of Apple Private Relay.
Private Relay is a well thought out design. Microsoft Edge Secure Network is merely a proxy because it is built for a different threat model: https://archive.is/pNnW5
DPI at ISPs or Cloudflare isn't really what I'm concerned about; it's the impending destruction of the VPN service model by mandating censorship and logging.
I'll be curious to see what tactics they (the political block in the West that's acting in quasi concert to enhance domestic espionage capabilities) attempt to use to accomplish it in the US given the enshrined protections we have that Europeans typically lack, which in theory should make it very difficult to censor VPNs here. The logging requirement aspect may end up being the part they can more readily get through in the US (one that will survive freedom of speech etc challenges).
VPNs aren't the solution to surveillance and censorship. Tor-style networks are better suited. Some of which are already in the process of standardization by the IETF.
> DPI at ISPs or Cloudflare isn't really what I'm concerned about
Well, ~50% content of the comment I replied to comprised of these "non-concerns".
The usability of Tor is very PGP like. Personally I never seen one or introduced to one vibrant / healthy society. Also it's trend since a long time ago, people don't really mention about Tor sites on the clear net. (Ye, I know about the hiddenwiki)
Seems to me NSA likely already have internal access at CF as they do at Apple, looking at what Snowden released + time passed, so it is a likely next step.
>However, in this case, and because of the ClientHello permutation in Chromium based browsers[1] such as Edge, Cloudflare gets a high-entropy identifier + IP address, which, along with SNI header inspection, could be theoretically used to identify individual users.
As per your own source, a different permutation is used per connection, so it's unclear how it would help to "identify individual users".
I stand corrected wrt the operators; while the diagram mentions that there is an ingress and egress component, it is not clear as to whether two different entities operate them. I've updated my comments to reflect that.
Iff they're the same operator, I assume there'd be a TLS connection between Microsoft Edge Secure and the Edge browser, and that'd be a long-lived session because of the nature of proxying traffic, which means there's a static identifier. Even if it wasn't, IP addresses may themselves be considered as sensitive enough for such identification.
> I really hate to be that guy, but I'm afraid that Cloudflare partnering with every browser to offer a VPN is just going to draw the attention of authorities
On the bright side, maybe they'll protect it with their "One more step...please wait while we verify your browser" system, which has such a high false positive rate (in my experience) that few people could actually access it.
>There is already precedent for this happening in Russia; in that incident every VPN pulled out of the country. However if everyone enforces it, it's gonna be hard.
Not only that, ISPs now close all connections which look like VPN traffic. I used to have my own OpenVPN server as a window to the free world and now it doesn't work... I wish there was some kind of open standard which doesn't leave a very obvious signature which is easy to detect by ISPs. I don't know if HTTP CONNECT can be hidden from ISPs? I guess I'm going to try Edge after all.
You could look into Shadowsocks, V2Ray and similar.
It's also been a while I've read about these topics, so I'm not sure if Russia also does entropy analysis and fingerprinting differences to block these protocols either.
You may like reading about the new TSPU system in Russia [1], and discussing your issues on [2].
Try switching to 443/tcp or try a high port like 10000/udp. The first might look rather like streaming over https and the second like an encrypted RTP stream in a mad SIP n RTP session.
You can also co-exist OpenVPN on 443/tcp with a "real" web server. The usual use case for that is getting more value out of a single IP address. Put your pony fan club website up or an Ubuntu default webpage.
Another possibility is to use port knocking to open ports before the OVPN connects.
PPTP is generally believed to be broken so it might be "allowed" because it will be assumed that grabbing and storing the stream will be sufficient for later analysis. Then you put a OpenVPN inside the PPTP tunnel with proper, modern encryption.
... 53/tcp or udp might be worth trying too. 123/udp - ntp, 25/tcp - email! Basically try being weird - it may well work!
China is blocking the RoW Cloudflare since websites and web hosting services need to be officially certified by the government by way of an ICP recordal.
Many CDNs set up a China specific network which customers can use it subject to presenting their recordal; that’s what Cloudflare China is.
You should do some research on Matthew Prince, his background is very interesting. He's pretty much the only tech CEO who I could say "yeah, I trust him".
I'm not saying your concern isn't valid, it's a great point. Only that if anyone was going to run a company like Cloudflare, we're lucky it's Matthew, he's not a dumbass.
I read his wiki. Didn’t see anything of the hates three letter agencies or the American government variety. I did see this:
> In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year.
Which sounds like the opposite of what we would want. Cloudflare being started because a three letter agency told him that harvesting internet data is valuable. Unless his take away was “they do that too? Better try to stop it!”
> Only that if anyone was going to run a company like Cloudflare, we're lucky it's Matthew, he's not a dumbass.
This may be totally true, but it's extremely important to understand that it does not matter.
As a US-based company Cloudflare is subject to NSLs (https://en.wikipedia.org/wiki/National_security_letter) which will force them to reveal all traffic and never talk about it. There's nothing they can do to resist that, regardless of founder personality.
Combine this with the fact that Cloudflare terminates TLS traffic, so it's all in the clear within their infrastructure. It would be difficult to think of a more juicy target for intelligence agencies waving NSLs.
It'll all be classified so we'll never know (unless some future Snowden tell us). But it is logical and wise to assume all traffic passing through Cloudflare is siphoned off in cleartext to the TLAs.
So, Microsoft Edge now comes with an equivalent to Apple’s Private Relay, just without Apple as a middleman between Cloudflare and Fastly.
Neat. On the other hand… I have to hand it to Cloudflare, they’ve done a great job turning themselves into the internet’s second backbone. (AWS might as well be the third backbone.)
It seems that decentralized systems always centralize over time when it comes to mindshare, and really don’t like decentralizing. Like, once the network effects begin even slightly, it becomes irreversible quickly. Linux is still not beating Windows and Mac. Mastodon’s numbers are still tiny compared to Twitter. Bitcoin hasn’t really hurt banks. The internet started out fairly decentralized, look at it now.
I’ve come to the conclusion that people just do not like decentralized anything, period. Which is unfortunate.
> always centralize over time when it comes to mindshare
Yeah, you're absolutely right. Companies grow, and people talk about them, and get other people to try them, and they grow more, and more, until it becomes the "default" option that everyone knows, and they become entrenched by sheer power of their mindshare.
Especially in a global world where these brands become larger than life. There are brands with more global recognition and soft power than most countries out there.
Most people go with the defaults. That goes for software as much as companies. It doesn't matter how many decentralised options you have, because mindshare is what matters. Being the default in people's minds is what matters.
You need hosting? AWS. CDN? CloudFlare. Git? GitHub. Video? YouTube. And so on. There -are- options. But people aren't going to bother, when they can just... go with the default.
It's not about people not liking decentralisation, it's just much more mental effort to research and explore options when you can just go with the default.
Yes, all the proxy companies of the 2000s realized that the "Private" in "Virtual Private Network" makes for good marketing, so they all rebranded themselves as VPNs, even though they have nothing to do with actual VPNs other than using OpenVPN / Wireguard for their proxy transport.
Traditionally at Cloudflare, Birthday Week is the "release new products" week; they're not writing announcements for products that they've already shipped, but rather Birthday Week is the deadline every year for a ton of big new products that are being built.
That's exactly their game. They want to be in a position where they can host whomever they like, no matter how spammy / scammy / attacky, and there isn't anything anyone can do about it without lots of collateral damage.
Maybe a little bit off topic. But Edge secure network is maybe the only way in egypt to have semi stable VPN. Egypt aggressively block VPN on protocol level and using combined arsenal of blocking capabilities to do that. Doing handshaking ia maybe more dangerous than visiting ISIS propaganda website in the US (when this was a thing). The only other reliable way to do it is via ssh tunneling and Tor private bridges. But these two have their own problems. I doubt that they would ban Microsoft Edge network specially that to do that now a lot of things in windows and cloudflare network will stop working which is not something that can be done.
Egyptian ISPs used to hijack DNS for all reasons (and some are scary of course). They would ban port 443 to prevent people from using DoH if they could without technically cut Egypt out of internet.
So yes normally this is not something most of people here are not going to like. But as usual reminder, the world is much bigger than US and the western Europe.
You cannot "secure" the internet by centralizing all the traffic into a specific place. Internet meant to be decentralized by its own nature. Cloudflare is just one of the companies which is trying to monopolize the whole industry by the partnerships.
I use Cloudflare WARP, and I get a ridiculous amount of "PR_END_OF_FILE_ERROR" connection errors to random websites in Firefox. You just have to keep refreshing.
Last time I experienced an issue with FireFox and WARP, it was due to a bug in FireFox, which I believe is currently unresolved. It's honestly hard to blame Cloudflare in this case.
This seems strictly inferior to what Apple is doing with Private Relay where there are two separated hops, and given that I wonder what the Privacy Pass token is actually doing here.
When will mozilla file an ftc complaint against cloufdflare? It is impossible to access important sites including their own portal from firefox at times, no matter what I disable in firefox. This is anti-compettitive and hostile against the public at large?
I wish I had a lawyer friend that can advise in this. Do I just need to get a bunch if people to submit similar complaints somehow to FTC? Sue them directly? Email the DoJ? It's an active hostility I can't avoid, what are my options?
Last time I experienced an issue with FireFox and WARP, it was due to a bug in FireFox, which I believe is currently unresolved. It's honestly hard to blame Cloudflare in this case.
62 comments
[ 24.8 ms ] story [ 1116 ms ] threadThere is already precedent for this happening in Russia; in that incident every VPN pulled out of the country. However if everyone enforces it, it's gonna be hard.
--
From a purely technical perspective this seems to equivalent to Apple Private Relay _iff_ the operator for the ingress and egress are two different endpoints, which it is not clear from the presentation.
In the case of APR Apple has their own servers (mask-h2.icloud.com) that accepts connections and obscures the IP <-> website mapping for their exit relay providers, who are Cloudflare, Akamai and Fastly at the moment.
If they are the same operator, because of the ClientHello permutation in Chromium based browsers[1] such as Edge, Cloudflare gets a high-entropy identifier + IP address, which, along with SNI header inspection, could be theoretically used to identify individual users.
[1] https://www.fastly.com/blog/a-first-look-at-chromes-tls-clie...
This doesn't necessarily require Cloudflare's cooperation. Remember when the NSA tapped Google's internal network without their knowledge? SSL added and removed here :-)
It did raise a fascinating question about where the physical tap was and how the take was routed back.
You do the tap at a hub, and you have the egress connectivity, but you're one unexpected employee away from discovery.
You do the tap in the middle of nowhere, and how do you get the data stream back?
I'd guess they went rural and just leased physically adjacent dark fiber to route out on.
> From a purely technical perspective this seems to be a slightly worse version of Apple Private Relay.
Private Relay is a well thought out design. Microsoft Edge Secure Network is merely a proxy because it is built for a different threat model: https://archive.is/pNnW5
> DPI at ISPs or Cloudflare isn't really what I'm concerned about
Well, ~50% content of the comment I replied to comprised of these "non-concerns".
As per your own source, a different permutation is used per connection, so it's unclear how it would help to "identify individual users".
Iff they're the same operator, I assume there'd be a TLS connection between Microsoft Edge Secure and the Edge browser, and that'd be a long-lived session because of the nature of proxying traffic, which means there's a static identifier. Even if it wasn't, IP addresses may themselves be considered as sensitive enough for such identification.
On the bright side, maybe they'll protect it with their "One more step...please wait while we verify your browser" system, which has such a high false positive rate (in my experience) that few people could actually access it.
Not only that, ISPs now close all connections which look like VPN traffic. I used to have my own OpenVPN server as a window to the free world and now it doesn't work... I wish there was some kind of open standard which doesn't leave a very obvious signature which is easy to detect by ISPs. I don't know if HTTP CONNECT can be hidden from ISPs? I guess I'm going to try Edge after all.
It's also been a while I've read about these topics, so I'm not sure if Russia also does entropy analysis and fingerprinting differences to block these protocols either.
You may like reading about the new TSPU system in Russia [1], and discussing your issues on [2].
[1] https://censoredplanet.org/tspu
[2] http://ntc.party
You can also co-exist OpenVPN on 443/tcp with a "real" web server. The usual use case for that is getting more value out of a single IP address. Put your pony fan club website up or an Ubuntu default webpage.
Another possibility is to use port knocking to open ports before the OVPN connects.
PPTP is generally believed to be broken so it might be "allowed" because it will be assumed that grabbing and storing the stream will be sufficient for later analysis. Then you put a OpenVPN inside the PPTP tunnel with proper, modern encryption.
... 53/tcp or udp might be worth trying too. 123/udp - ntp, 25/tcp - email! Basically try being weird - it may well work!
https://www.scientificamerican.com/article/russia-is-trying-...
https://www.cloudflare.com/application-services/products/chi...
Many CDNs set up a China specific network which customers can use it subject to presenting their recordal; that’s what Cloudflare China is.
Not blocking cloudflare China?
I'm not saying your concern isn't valid, it's a great point. Only that if anyone was going to run a company like Cloudflare, we're lucky it's Matthew, he's not a dumbass.
> In 2008, the Department of Homeland Security (DHS) contacted Unspam Technologies, asking, "Do you have any idea how valuable the data you have is?" The DHS' email served as the impetus for Cloudflare, a technology company Prince co-founded with Holloway and fellow Harvard Business School graduate Michelle Zatlyn the following year.
Which sounds like the opposite of what we would want. Cloudflare being started because a three letter agency told him that harvesting internet data is valuable. Unless his take away was “they do that too? Better try to stop it!”
Is there something else you’re referring to?
This may be totally true, but it's extremely important to understand that it does not matter.
As a US-based company Cloudflare is subject to NSLs (https://en.wikipedia.org/wiki/National_security_letter) which will force them to reveal all traffic and never talk about it. There's nothing they can do to resist that, regardless of founder personality.
Combine this with the fact that Cloudflare terminates TLS traffic, so it's all in the clear within their infrastructure. It would be difficult to think of a more juicy target for intelligence agencies waving NSLs.
It'll all be classified so we'll never know (unless some future Snowden tell us). But it is logical and wise to assume all traffic passing through Cloudflare is siphoned off in cleartext to the TLAs.
Neat. On the other hand… I have to hand it to Cloudflare, they’ve done a great job turning themselves into the internet’s second backbone. (AWS might as well be the third backbone.)
It seems that decentralized systems always centralize over time when it comes to mindshare, and really don’t like decentralizing. Like, once the network effects begin even slightly, it becomes irreversible quickly. Linux is still not beating Windows and Mac. Mastodon’s numbers are still tiny compared to Twitter. Bitcoin hasn’t really hurt banks. The internet started out fairly decentralized, look at it now.
I’ve come to the conclusion that people just do not like decentralized anything, period. Which is unfortunate.
Yeah, you're absolutely right. Companies grow, and people talk about them, and get other people to try them, and they grow more, and more, until it becomes the "default" option that everyone knows, and they become entrenched by sheer power of their mindshare.
Especially in a global world where these brands become larger than life. There are brands with more global recognition and soft power than most countries out there.
Most people go with the defaults. That goes for software as much as companies. It doesn't matter how many decentralised options you have, because mindshare is what matters. Being the default in people's minds is what matters.
You need hosting? AWS. CDN? CloudFlare. Git? GitHub. Video? YouTube. And so on. There -are- options. But people aren't going to bother, when they can just... go with the default.
It's not about people not liking decentralisation, it's just much more mental effort to research and explore options when you can just go with the default.
It's only 5GB for free. Microsoft doesn't have a paid option yet so we'll have to wait and see what that costs.
Egyptian ISPs used to hijack DNS for all reasons (and some are scary of course). They would ban port 443 to prevent people from using DoH if they could without technically cut Egypt out of internet.
So yes normally this is not something most of people here are not going to like. But as usual reminder, the world is much bigger than US and the western Europe.
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1734110
This seems strictly inferior to what Apple is doing with Private Relay where there are two separated hops, and given that I wonder what the Privacy Pass token is actually doing here.
I wish I had a lawyer friend that can advise in this. Do I just need to get a bunch if people to submit similar complaints somehow to FTC? Sue them directly? Email the DoJ? It's an active hostility I can't avoid, what are my options?
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1734110