However, it's also true that Warp / Zero Trust doesn't use the entire Cloudflare network for their termination points, only a subset of datacenters are used. So you may be getting unlucky through saturation or even just routing to the closest CF point that terminates traffic near you. You can check your "Colocation center" that's being used. In my case, despite living near Detroit and CF's datacenter there, I'm routed through Chicago, adding 40ms to any roundtrip time.
This shouldn’t be the case: want to email me (silverlock at cloudflare) the output of https://www.cloudflare.com/cdn-cgi/trace and your company’s accountId?
This is stuff we want to address — whether directly in our control and/or where we need to ensure others are peering with us locally to help their users.
On a whim I installed and turned on Warp and suddenly my internet speed was both palpably faster and more consistent in its speed. I think it possible that one of the side effects of encrypting your traffic may be that it evades ISP traffic shaping.
Additionally I did the bog standard TTL modification, installed warp and probably one or two other things I can't recall. For whatever reason those changes allowed me to tether unlimited 4G speed data rather than being throttled down to 3G after a few gigs. This was true for T-Mobile, US Mobile's "verizon" tower mvno service as well as US Mobile's "t-mobile" tower mvno service. Can't say I was upset about it.
I don't know if Vodafone shapes their traffic but the effect is the same when their network is having trouble for various reasons.
Even though there's no visible abuse right now, you know, Google's motto also used to be "don't be evil".
I understand that you have to comply with law enforcement, but actively attacking the users of one of your customer's websites is super rude.
It seems therefore entirely plausible that the admin handed the keys to the castle to the FBI anyway, or at least gave Cloudflare the okay to go ahead.
I can't find a shred of evidence that Cloudflare were involved directly in making the phishing page or even complying with the FBI.
We used it at a job I had and it made sense for business continuity reasons. But it is centralizing the internet and they are the gatekeepers. Not a good thing.
I also don't really get their argument here?
Cloudflare can collect your traffic history, but can only connect that history to your originating IP + timestamp. Their official client may be able to collect more info though. But, warp is just wireguard, so you do not need to run their official client; there are shell/python scripts floating around to get the keys / endpoint IPs set up for Warp to use with std. in-kernel wireguard.
Further, all the telcos in the US are known to have colluded in illegal NSA spying on Americans. Cloudflare has not been caught at this yet. So, you can look at it as a choice of exposing your browsing history to an entity that may not be lying and actually is not snooping vs. telcos that are known to have lied and definitely have and are likely still snooping.
> Enter our own WireGuard implementation called BoringTun. The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing. If the site you are visiting is already a Cloudflare customer, the content is immediately sent down to your device. With WARP+ we use Argo Smart Routing to devise the shortest path through our global network of data centers to reach whomever you are talking to.
> We believe privacy is a right. We won't sell your data, ever.
"We, the people who make up this company now, but not in the future, PROMISE."
I notice they didn't say "we don't keep the data."
According to the comments, this is just wireguard. I deployed my own on a webhost and I use that, probably to the same effect. I guess I have to trust the webhost not to go snooping in my private logs, but that's a whole lot more targeted and requires a lot more effort.
Cloudflare is what Google was 20 years ago.
The cycle can only break by decentralized protocols.
I disagree. The cycle can break by breaking up the monopolies so that one company doesn't control everything, and allow free market to expand.
Competition keeps people from being evil. Evil only happens when there's no reason for them to NOT do evil things.
Google was fine until they became the top dog and nobody could even compete.
Cloudflare is already much worse. It's relentlessly centralizing the whole Internet.
When using standard SNI (SNI is used so you can have multiple domains on the same IP address) your connection to the server is not encrypted until after the hostname of the server you are requesting is sent, at which point the server knows which cert to use to encrypt the rest of the traffic. So you can pull the host header out of the pre-encrypted traffic and look at which site the user is connecting to.
1) When the webserver you are accessing uses services that terminate TLS before the origin server (Cloudflare and CloudFront to name two) then the operators of those TLS terminators might be able to see which pages on that site you visit.
2) You might be able to determine which page someone is accessing via side channels, for example if example.com/naughtypage.html always returns a page of a certain size which is determinable you can presume they connected to example.com/naughtypage.html if the returning data matches that size.
Well, actually it doesn't, since ping time is not particularly important to me, but in theory.
My webhost would be a terrible replacement for Cloudflare's main product, which maybe you're talking about, as it needs a worldwide presence. This product is a VPN for your phone.
Pointing out that the company will revolve is not a criticism.
I do think it's kinda funny they are trying to oust your ISP and insert themselves, as the keeper of traffic logs. Either way, I guess we're going to choose a big corporation to trust.
Lastly, I don't think your point stands, when the quote says "we won't sell your data, EVER" (my emphasis)
It's a weak promise and a valid criticism.
My online privacy is important to me. I use ad blockers too in addition to cloudflare.
A couple of things I’ve noticed along the way…
1. Switching off my wi-fi network and then rejoining later used to be an issue but seems to have resolved some time ago (mobile)
2. It seems on macOS that almost every time I log in I need to update the client.
3. Usually sites can’t resolve my IP and place me hundreds of miles away which is fine by me. However occasionally I run across a site that has a pretty close to home read on my location. It seems sites that leverage cloudflare cdn might see a more accurate location because they are on the same network - I’m not sure how this works technically though.
I’ve never encountered a censorship situation or any website that was inaccessible. I have run into issues where streaming sites want you to turn off VPN but this isn’t consistent. I also run into issues occasionally when jumping on a hotel wi-fi or like a Lowes or Home Depot where they want you to agree to terms and likely want to snoop your traffic.
"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot."
And, then I am encouraged to enable js so google can provide me a series of captchas to solve.
It used to work better than a VPN terminating at my own VPS, but now Warp netblocks appear to have a worse reputation than even a colocrossing/low-end box vps.
Per Cloudflare's FAQ, sites behind cloudflare see your original IP, other sites do not yet:
https://developers.cloudflare.com/warp-client/known-issues-a...
https://blog.cloudflare.com/geoexit-improving-warp-user-expe...
This has a surely intentional side effect of incentivizing sites that want to see the real client IP to be behind CloudFlare as well.
Source: https://developers.cloudflare.com/warp-client/known-issues-a...
How would you candidly compare guarantees/expectations of Mullvad VPN vs your Cloudflare Warp VPN with respect to:
- privacy, but also
- performance.
As a side note, what I really value about using a certain popular torrent box VM service for $10/mo is that they provide SSH and OpenVPN. I’ve used that VPN a lot when I worked in GCC countries (Saudi Arabia, UAE, Bahrain) to help me get around national HTTP blocklists. Most every other VPN I tried was blocked, or would get blocked after a certain # of GB sent in a certain timespan. I think the torrent box servers were located in minor data centers which weren’t on their list of “high potential risk” so they bypassed the otherwise pretty thorough blocks.
The server I used was also located in the United States which helped a ton with proper localization and accessing my bank accounts/etc which were otherwise sometimes more difficult to use from other countries.
The interface for configuring the content policies is really easy to use too.
I also really like the browser isolation feature too - I use it to access links from emails I feel suspicious about.
I am all for even more big companies having even bigger networks. As long as they cannot stop new players from emerging and getting bigger, these centralization vs distributed trade offs are largely academic.
Tl;dr: You have negotiating power based on the number of end clients you connect to the network.
And connectivity is an extremely high capital, low margin, and predatory industry.
Consequently, "build useful services, that cause more people to connect through you, that then allows you to favorably peer and lower your costs" is Cloudflare's strategic business model.
So yes, they would very much like the entire Internet to run through them. Or more accurately, terminate to their customers.
Related question: given this obviously generates logs, what are CloudFlare doing to protect log data in transit within its own network from similar attacks to the Google-NSA episode? ( https://www.washingtonpost.com/world/national-security/nsa-i... )
The client software implementations are poor and unreliable. Any possible performance gain will be wiped out by constantly needing to debug issues.
The saying is overused and mostly misleading, unfortunately.
"APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the addresses were valid, so many people had entered them into various random systems that they were continuously overwhelmed by a flood of garbage traffic. APNIC wanted to study this garbage traffic but any time they'd tried to announce the IPs, the flood would overwhelm any conventional network."
https://labs.apnic.net/?p=1127
Interestingly, we are now 4 years into this 5 year experiment.
Looks like Cloudflare are about to make a sizable "donation" to APNIC.
Edit: Out of curiosity I searched in some Chinese tech forums. Apparently it works, but it is so slow, not really useful for any serious use.
Now maybe CF have a more efficient route here or there but really I can’t believe that for most people it’ll be faster.
As for security or privacy I can’t imagine they’re much safer than browsing most HTTPS sites directly. There’s nothing to say they’ll be able to resist a secret US government subpoena for records either.
WARP was built on the philosophy that even people who don’t know what “VPN” stands for should be able to still easily get the protection a VPN offers. For those of us unfortunately very familiar with traditional corporate VPNs, something better was needed. Enter our own WireGuard implementation called BoringTun.
The WARP application uses BoringTun to encrypt all the traffic from your device and send it directly to Cloudflare’s edge, ensuring that no one in between is snooping on what you're doing.
> In a number of cases, if the origin site you are communicating with cannot determine who you are and where you are from, it cannot serve locale-relevant content to you (that is, anything related to a customized user experience, such as language or regional configurations). Sites inside Cloudflare’s network are able to see this information. If a site is showing you your IP address, chances are they are in our network. Most sites outside our network, however, are unable to see this information and instead see the nearest egress server to their server. We are working to see if in the future we can find a way to more easily share this information with a limited number of sites outside Cloudflare’s network, where it is relevant to both parties.
Given that Cloudflare has recently announced that a site’s operators promoting doxxing is an acceptable use of that same Cloudflare network (their backtracking on grounds of imminent threats to human life in one situation does not make this any less their policy), I cannot in good conscience promote Warp to anyone.
I'm sure that the traffic analysis it unlocks for them is incredibly valuable. But I'll never use this.
I'm not sure if it's related, but I had some DNS resolution when I switched on WARP. I know that 1.1.1.1 is DNS over SSL, some ISPs don't like that? I don't remember which applications had issues (guessing it might be steam client, I could be wrong).
Also, never noticed a significant gain in network speed or reliability either. I don't use it anymore, but will give it a try again.
ughghg scroll jank nausea
forget ad blockers I need a css blocker
There’s no reason to believe this. This is the same company that publicly stated their principled position relating to the culture of free speech and then flip-flopped not even 3 days later.
It’s not about that issue but rather that this company has lost credibility and should not be trusted with any promises. Keep at arm's length.
You can't change the exit node (the server that web sites see), and it is free, unlike most commercial VPN providers.