Warp – Mobile VPN (cloudflare.com)
1211 points by jgrahamc on Apr 1, 2019 | 486 comments

There goes my and my co-founder's plan of disrupting the Mobile VPN market. Or maybe we still have a chance?

Anywho, congratulations Cloudflare! I long held an opinion that the VPN market was ripe for disruption when I looked at the privacy policy of some of the top players. Having analysed the market, I find that it's defragmented with no clear runaway winner. I hope you're able to make headway with all the interesting innovations that you plan to offer on top of it.

Here are some ideas that I had in mind for a Mobile VPN:

1. Ability to run a dns-blacklist, tag-based blacklist, and an ip-firewall at Cloudflare's end (not on the end devices). Maybe you could add that as an option to your Warp+ product?

2. Auto change exit IPs underneath the covers.

3. Take over the dialer and route calls over IP whenever possible.

4. Provide ability to analyze traffic on a PC.

5. Track and warn mode per app, where the traffic is analysed for a particular app to generate a report on what it's doing and how much.

Basically, bring enterprise-grade security to the end consumer.

Email me: matthewatcloudflaredotcom. Perhaps you and your cofounder can help build your vision within Cloudflare? I'd love to chat.

Seeing this raises my already high opinion of Cloudflare!

> I'd love to chat.

Wow. Sure, thanks.

First, thank you for the first implementation when the app was just I've been using it for a while.

Not sure if you can answer this question, but are the performance benefits still there in conjunction with utilizing the VPN Google uses to encrypt traffic with Google Fi? This announcement mentions they have 2x the latency in comparison to WARP, but did not mention specifically which Google VPN technology (not sure if they have multiple), but I assume something mobile-related since this is a mobile application.

If I use the WARP app in conjunction with Google Fi, am I layering this VPN on top of the 2x latency of Google Fi, thus slowing down WARP VPN to gain the other performance benefits of optimized network switching of Google Fi?

Neither project is open source (that I know of) so it is hard to understand how the implementations overlap or not with one another. I also am not an expert in VPNs so maybe this is not a good question, but I find myself reading Cloudflare's blogs a lot and couldn't help but ask.

I’m not sure, and I think you’re kind of off-topic for this particular sub-thread, but we’ll have a ton of performance data across a matrix of device, software, and network operators. And, when we do, we’ll definitely publish it.

Very cool response!

My biggest concern with any VPN is: do I trust you? I’ve been reluctant to sign up with any of these VPN services that seem to be advertising everywhere nowadays because I don’t know what they’ll do with my internet traffic.

The CloudFlare VPN is interesting to me because they’re a large, established company with a good reputation, so I trust them more than TunnelBear or ExpressVPN or PIA or whoever’s sponsoring YouTube this week.

If there was a way you could offer a product or service that provided a compelling case for why you won’t (or better yet can’t) snoop on my internet traffic, I’m all ears. Everything else is just gravy on top.

One positive for PIA at least is that their "no logs"-policy actually has been proven multiple times by subpoenas. https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

I'm not aware of any subpoenas directed at Cloudflare that were equally useless.

So far that only applied to the DNS, I don't think many would subpoena a DNS provider.

We thought about the trust aspect of it (we have gone through numerous VPN related threads here on news.yc and r/privacy and this has been one of the top concerns). Here's how we plan to convince folks (in our own naive way) we mean business (do several or all of the following):

1. Open-source VPN server and client, with ability to Cloud-SSH to the server and view what's running.

2. Hands-off, one-click, spin up VPN servers on a VPS of your choice under your control, Streisand/Algo style [0][1], but find a way to provide support (think AWS marketplace).

3. Make privacy-centric commitment legally binding as part of EULA/ToS (is this sufficient?).

4. Run client-side only VPN (like intra, blockada, netguard). The idea is you're still able to analyse traffic and add blacklists client-side, without having to pay for or run a VPN server.


[0] https://github.com/StreisandEffect/streisand

[1] https://github.com/trailofbits/algo

Sounds a bit like what Google / Alphabet / Jigsaw are already doing with Outline, but I still think there’s major opportunity there for a transparent and decentralized one-click service. Especially when you add in #4.

For some reason, Outline is still mega-targeted at journalists and activists when it could be so much more — it’s been an absolute joy to use so far, and being powered by Shadowsocks certainly doesn’t hurt.


Thanks. Yes, you're right. Not just Jigsaw (who are excellent, and I've been recommending their DNS app, intra, on news.yc for as long as I can remember), there are multiple other companies in this space (SecureMix, TheGuardianApp, KeepSafe, CopperheadOS, Proton mail/VPN, AdGuard), but not everyone is quite doing what I have in mind related to fighting trackers and censorship with a focus on 'one click and you're done' kind of simplicity (?)

I hope to get something ready to show you guys here on news.yc in maybe 3 to 6 months from now.

Sounds like something HN readers will like, but which also would be completely commercially unviable.

True. That's the part where we might need to think hard: A business plan. We haven't thought that far yet, tbh.

Our intention is to: Put the control of the mobile device back in the hands of the consumer and empower them with simple but powerful tools. Think keybase, Stripe, or pre-2014 WhatsApp in terms of UX.

Mobile VPN is key part of that vision, including building other apps around it.

A lot of things triggered this:

1. The PRISM/Carrier IQ snafu from 7 years back.

2. The uptick in government censorship prevalent in multiple nations (India, Turkey, Pakistan, Russia, etc).

3. Rise of app-economy and the relentless tracking behaviour that entails, esp from Facebook.

4. pi-hole and its elegant solution to shut out trackers. Though I first saw this solution implemented by Sam Hocevar (one of the VLC devs) in 2002 (?): http://sam.zoy.org/writings/internet/doubleclick.html

5. Not very many firms developing products like DuoSecurity did but for the end-consumer. There's a few I could find, like SecureMix (glasswire developer), Objective-See (LuLu Firewall), Jigsaw (primarily for journalists?), Purism, and KeepSafe.

Filtering, Adblocking, VPNs are commercially viable. More of a B2B play than B2C though

Another way would be using some trusted computing technology [1] to do that. This would be a good use case for some kind of remote attestation. (Shameless plug: I did my Ph.D. thesis on this, so if you want to discuss this point, cloudflareatvernizzisdotit ;-) )

[1] https://en.wikipedia.org/wiki/Trusted_Computing

IPv6, IPsec and PKI together may be interesting to authenticate and encrypt traffic without any entity managing the traffic.

It could eliminate the client/server by activating the authentication and encryption with exchange of certificates by using a PKI.

It may provide full p2p encryption in the network layer without logging your traffic somewhere or with third parties. Open-sourced would be awesome.

> established company with a good reputation

are you insane?

CF's reputation is terrible[1]. They are trying to MiTM the entire internet, and frustrate attempts to access some of the most important information online (including but not limited to evidence of the holocaust, sexual health information and climate change). They are practically a threat to humanity itself at this point - you shouldn't trust them worth anything.

[1] https://notabug.org/themusicgod1/cloudflare-tor/

The cynicism is fair and I can see where it comes from, but Cloudflare CTO, jgrahamc, has replied elsewhere in this thread [0] why Tor is a difficult scenario for Cloudflare to handle. They did promise to make life easier for Tor users but the abuse over Tor is apparently relentless, according to them.

[0] https://news.ycombinator.com/item?id=19543188

> Having analysed the market, I find that its defragmented with no clear run-away winner.


That's how all of this should be.

But it shows that it's either so easy that there's no barrier to entry (I doubt it) or that no one can deliver a really convincing product.

Yep, agree. Though, I thought it was an important factor for us when we are bootstrapping to consider if we are heading straight into a monopoly that we can't defeat.

I'd look at dominating the standards used in the market rather than the market itself.

Have you already started on this concept? Myself and our team are working on some of the ideas you listed for an upcoming app (https://itunes.apple.com/us/app/guardian-firewall/id13637963...). It would be great to chat further, if you have interest in working on this concept (e-mail is will.strafach@guardianapp.com).

Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right. If you look at existing mobile VPNs through a tool such as Charles Proxy or Burp, you will see that none of them really appear to be designed very well. There are many unsolved technical problems with managing and scaling such services, likely avoided by existing providers due to how easy the issues are to mask. That said, Cloudflare's cautious approach with Warp gives me some confidence that they really are trying to do this right.

Nice. GuardianApp is very close to what I had in mind. Great landing page, btw!

> Have you already started on this concept?

Initial stages where we have looked at OSS projects to fork for a quick prototype, with our focus being exclusively on Android, and not just limited to VPN.

> Designing a reasonably secure and reliable mobile VPN has been a very difficult challenge to get right.

Thanks for the heads-up. From a usability point of view, I've seen my share of VPNs mess up and sinkhole all traffic. On one occasion, an app simply refused to get past its loading screen unless I turned off the VPN.

> It would be great to chat further, if you have interest in working on this concept.

Sure, thanks. I'll be sure to email you, Will.

I don't think what we're offering instantly takes over the entire VPN market. VPNs mean different things to different people and I'd imagine you can find a valuable market that provides things that we don't.

I find it amusing that 'defragmented with no clear winner' is what I want in most cases as a customer and what most startups see as an 'opportunity for disruption' (read "opportunity to dominate the market").

Please still build this product!

Indeed. A little healthy competition leads to better products all around.

> 4. Provide ability to analyze traffic on a PC.

This would be such a great feature. I hope someone makes such a VPN.

> We built Warp around WireGuard

So basically Cloudflare created an app with Cloudflare branding and set up a WireGuard server for everyone. Not bad, but just check out the original:


While I am not a big fan of VPNs in general, I have to admit that WireGuard performs exceptionally well. I tested it a week ago and the added latency is pretty much just the network latency and the bandwidth loss is minimal (so small I couldn't even measure it reliably). What I found most interesting was that there were some use-cases where the network with WireGuard performed even better than without it (probably related to congestion control).

> So basically Cloudflare created an app with Cloudflare branding and set up a Wireguard server for everyone.

Not just one -- servers in 175 (and growing) locations spread around the world, and the app will always use the closest one to you. That's arguably a lot more important than what protocol it uses, and is not something you could easily DIY.

I mean, for DIY you only need one because you're only one user. Pick a VPS host with a data center near you... done.

For me, VPS hosts with data centers near me aren't a thing, but CloudFlare has edge locations near me.

Color me curious. Where is that? And by what definition of near? There isn't even an AWS AZ near you? A t2.micro is literally free and is bigger than the one I'm running mine on (which I'm paying for, so maybe I should swap... though, I don't think AWS has AZs closer than my current $1/mo host).

The t2.micro is only free for a year, no? After that it's expensive vs normal providers, like aws stuff generally.

DIY has the benefit of trust, but the disadvantage of an IP address unique to you. With a 3rd party VPN you share the IP with many, much like hiding in a crowd.

I was lucky to find a small paid VPN provider that doesn't do marketing, pay for referrals and such, and I'm sticking to it.

It's only near you when you're at home though. This works around the world.

Maybe works better. But I used mine hosted in the US while I was traveling abroad in the UAE. Worked fine. I often saw better service with it turned on.

Probably all depends. I tried to use my west coast US VPN in Australia and it was atrocious. I had to deploy to AWS Sydney instead.

Wouldn't be that difficult to write a script that checks geoip and launches a VPS in the region closest to your current device's public address. You could even create an iOS shortcut to allow you to do it from your iPhone.
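The decision step of the "check geoip, launch a VPS in the closest region" idea above, as an added example that is not code from this thread or from any provider. It assumes the device's approximate coordinates have already been obtained from some geoip source and leaves the actual VPS launch out; the region coordinates are constructed approximations for illustration, not provider data. It also adds a hysteresis check so that a short trip does not churn servers every time the public address changes.

```python
"""Choose the cloud region nearest to the device, with hysteresis so the VPN
server is only relaunched when the current region is clearly worse.
Added example, not from the thread; region coordinates are approximate,
constructed values (assumptions), and geoip lookup and VPS launch are out of scope."""
import math

EARTH_RADIUS_KM = 6371.0

# Approximate (latitude, longitude) per region. Constructed for illustration;
# a real script would load these from the provider's region list.
REGIONS = {
    "us-east-1": (38.9, -77.0),       # N. Virginia
    "us-west-2": (45.5, -122.7),      # Oregon
    "eu-west-1": (53.3, -6.3),        # Ireland
    "ap-south-1": (19.1, 72.9),       # Mumbai
    "ap-southeast-2": (-33.9, 151.2), # Sydney
    "sa-east-1": (-23.5, -46.6),      # Sao Paulo
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def nearest_region(lat, lon, regions=REGIONS):
    """Return (region_name, distance_km) for the region closest to the device."""
    best = min(regions, key=lambda r: haversine_km((lat, lon), regions[r]))
    return best, round(haversine_km((lat, lon), regions[best]))


def should_relaunch(current_region, lat, lon, regions=REGIONS, slack_km=500.0):
    """Decide whether to tear down the VPS in `current_region` and launch one in the
    nearest region. Returns (relaunch, target_region). A region that is within
    `slack_km` of the best candidate is kept, so moving across town changes nothing."""
    best, best_km = nearest_region(lat, lon, regions)
    if current_region is None or current_region not in regions:
        return True, best
    current_km = haversine_km((lat, lon), regions[current_region])
    return (current_km - best_km) > slack_km, best


if __name__ == "__main__":
    # Constructed device locations: Melbourne, then Seattle.
    print(should_relaunch("us-west-2", -37.8, 145.0))   # far from Oregon: relaunch in Sydney
    print(should_relaunch("us-west-2", 47.6, -122.3))   # Seattle: Oregon is fine, keep it
```

The part the comment glosses over is the "launch" half: every region you auto-provision into is a new jurisdiction and a new host that sees your traffic, so a practitioner would pin the allowed region list rather than let a geoip answer pick anywhere.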

Classic HN comment. I predict that Warp will fail just as hard as Dropbox.

Several billion-dollar businesses have been built doing things that "wouldn't be that difficult".

In this case, I agree that a single VPS is usually enough for most but never underestimate the market power of making things simpler and faster.

What's the chance that there are a lot of unknown unknowns that you are not counting on?

I'd say that even the known unknown that ips and networks change routinely should make it a headache to maintain.

Not sure how hard it would be to install WireGuard fully unattended, I tried it with OpenVPN months ago and still haven’t completed it.

Once you get your script to work, you’d have to wait minutes for the VPN to spin up in a new region.

WireGuard is much easier to get configured than OpenVPN.

Check out algo: https://github.com/trailofbits/algo

I think you could bake your configuration into a custom image, so it would be fast to get a VM started (about 30 secs on GCE, not sure about EC2).

If you use stopped instances, it's even faster.

(I work at GCP so know more about GCE than EC2)


(Not implying anything, just providing a discussion point.)

If you’re traveling a lot, which is often the use case for a VPN, this immediately becomes annoying.

or a feature

sometimes people move around

I mean, I guess. But not often. If you are flying around the world, then sure, this is probably better. But if you're like the vast majority of people, then you will be in the same city most of the year.

Even if you change residences, you'll typically be in the same state. Even if you change states, you can just set it up again in, what, super conservatively, under an hour (you've already done it once so fewer missteps).

> That's arguably a lot more important than what protocol it uses

I'd disagree. Many VPN protocols suck even if the gateway is in-house. I guess there's a reason they introduced that with Wireguard specifically.

I consider myself fairly competent, and I couldn't understand the WireGuard documentation enough to set up my own install without resorting to algo [0]. There's real value in wrapping a system like WireGuard into a product, because it democratizes technology rather than making it available only to those knowledgeable enough to understand how to set it up. I think Warp is great in that regard.

[0]: https://github.com/trailofbits/algo

I was in the same boat, hopefully this will help:


It's actually very easy to set up, I don't know why the official docs make it seem super hard.

What's the reasoning behind embedding the private keys directly in the config?

Mostly convenience, since it's a "getting started" guide. I'd prefer a better way than the config file to specify devices, but unfortunately there isn't one right now. Maybe I should write a WireGuard config manager tool.

You have to store them somewhere with appropriate access rights anyway. Since the config is mainly a private key and an IP address, it makes sense to not complicate the setup with another file to manage.

When did Algo get WireGuard support? Used to use Streisand as it has more protocols, but WireGuard is all I would want now.

Might have to set this up again!

> I couldn’t understand the wireguard documentation enough to setup my own install without resorting to algo

Not sure what you mean. Algo has no relationship to WireGuard; it's basically a customized StrongSwan setup under the hood, which utilizes IKEv2 (not WireGuard) as the transport.

Algo does not have a relationship to Wireguard, but Trail of Bits does. We made a substantial donation to them prior to including Wireguard support in Algo. You can find us on their donation page here: https://www.wireguard.com/donations/

Algo added WireGuard support at least several months ago.

I am still trying to figure out how to set up a WireGuard server on Kubernetes/GKE for personal use. Outline and OpenVPN clients have some problems, that's why I want to try WireGuard.

You could put it in a micro VM in the same VPC as the GKE cluster, and then have a 2019-grade bastion host.

Is that even possible? I thought WireGuard was essentially a kernel module... which is basically the only thing you can't dockerize, as the kernel is shared between all containers?

Could be mistaken though .. not sure

Cloudflare has their own implementation that runs in userspace. [1]

1 - https://github.com/cloudflare/boringtun

There is also an official user space implementation. The performance is not bad at all.

[1] https://github.com/WireGuard/wireguard-go

> What I found most interesting, was that there were some use-cases when the network with Wireguard performed even better than without it (probably related to congestion control).

It could be the different routing.

Your ISP's routing might be sub-optimal to certain destinations. After all, it chooses routes based (at least in part) on cost, not performance.

There are commercial products that do this sort of tunneling (among other things) to lower routing latencies.

Possible but I am not exactly sure what caused the difference. I used fast.com for testing and when I increased the number of parallel connections the performance degradation was lower when using Wireguard. I assumed that it is related to congestion control as Wireguard uses UDP AFAIK and otherwise I would use TCP on the bottleneck part of the connection.

Wireguard might be using UDP, but you're still tunneling TCP on top of it. So the congestion control is still there and kicking.

The congestion control is less likely on the server side, whereas congestion control on an ISPs network is much more so.

The ISP might be doing it knowing you're connecting to Netflix. But if you do a VPN, they don't know those specific packets are going to Netflix, so they can't shape the packets.

They certainly can shape any traffic you cause to transit their network. What you mean is they can't selectively shape that traffic. But then why would they want to do that?

If they can degrade your traffic from 1080p to 720p without a customer complaining, then they don't need to expand their network to support more users which increases their profit margins.

In short, because they can and they're assholes.

"Why" doesn't matter when it has already been proven that they do.

Just search through HN for any discussion of net neutrality.

Wouldn't it appear more performant to queue latency-insensitive packets separately from others?

Could also be packet-shaping/QoS on the ISP side

Sure. Especially in countries that don't have network neutrality...

I wonder what first world country would do that!

They've also written their own client in Rust: https://github.com/cloudflare/boringtun

From personal experience:

When coupled with a DNS-based ad blocker, WireGuard can actually make your internet faster than when not using it.

More so on Android than iOS and more so on mobile than fixed, but still feels so much smoother.

You can even forward only the DNS requests and not the rest of the data, so your home upload speed won't become your bottleneck.

This is precisely my setup, and I couldn't be happier. I have a lot of internal infrastructure including pi-hole, Confluence and a number of self-hosted services. WireGuard lets me go anywhere on my laptop and it's like I never left home, and I just keep two configurations for when I want to forward only internal IP addresses, or all my traffic.

> I have a lot of internal infrastructure including pi-hole, confluence

Confluence as in the Atlassian software? What do you use it for at home?

Torturing people

Yep. A 3€ Hetzner server with Wireguard and pi-hole. Running several private services on my server that are just available in my private network. Like an extension to my phone that's always on and working perfectly.

The only thing I was never able to get working was the IPv6 support. Oh well...

Any pointers on setup instructions for WireGuard split tunneling on iOS?

You have issues with WireGuard split tunneling in general or only on iOS ?

To make split tunneling work in WireGuard I changed AllowedIPs = in the config file into: AllowedIPs =

where is the subnet of my tunnel, and is the ip address of my home computer

This works on iOS and macOS for me.

Instructions for wireguard in general:


Then you'd just need to use the iOS app, I hope?

not for wireguard. but for openvpn here's a howto https://ba.net/adblock/vpn/doc/howto.html

For a business solution for this try https://ba.net/adblockvpn

Disclosure: it is my day job.

Well right now this only tunnels DNS traffic so it’s not quite the same.

You can go on the wait-list for WARP+ which sounds like it’ll route everything over the VPN.

VPN does not usually add appreciable latency from the processing, unless either peer is overloaded.

It seems to me that in practice, Cloudflare's mission is not actually to build a better Internet, but to offer an alternative, proprietary network (one could call it the CloudflareNet), and convince content providers and consumers to use that network. Because I don't want any single company to have too much power, I'll stick with the standard Internet, which is not owned by any single company.

However, I realize that the problems with mobile Internet performance and reliability are real. So when HTTP/3 is stable, I'll do what I can to help it spread.

I disagree with this statement. We haven't pushed incompatible standards or any other nonsense. We've literally pushed out the latest standards and enabled more encryption (see Universal SSL making SSL free years before Let's Encrypt; see enabling IPv6; enabling HTTP/2; etc. etc.).

As for HTTP/3... so will we. See: https://blog.cloudflare.com/http-3-from-root-to-tip/, https://blog.cloudflare.com/the-road-to-quic/ and https://blog.cloudflare.com/head-start-with-quic/.

You've built a product (warp) based on Wireguard and refused to work with the upstream project - so saying that you're pushing standards is far more nuanced than you make it seem - at best.


Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.

> Forking an upstream project to implement decisions without upstream’s consent is a tried and true open source software process, implemented by thousands of projects over the years. Claiming that they don’t support standards, solely because they don’t support another implementation of those standards, is incorrect and inflammatory.

If upstream is doing something you don't like and refusing to work with you, sure.

When upstream actively petitions you to not fork, asks you politely to work together, and you refuse to work with them, that is far, far from a "tried and true open source software process". That creates a fissure in the community and it generally ends up poorly for everyone involved.

My comment is far from inflammatory, it's a statement of fact, and something cloudflare has refused to acknowledge or respond to. Which just further drives the point home that they aren't acting in good faith.

While the fissure you describe as a guaranteed outcome is certainly likely in many such scenarios, you're missing the point:

Implementing a standard without regard for the beliefs of other implementors is an action that supports a standard. Refusing to work with others does not implicitly harm a standard.

You assert that refusing to cooperate with another implementor is guaranteed to harm a standard. It is not guaranteed at all.

DJB has not destroyed DNS. BoringSSL has not destroyed TLS. A thousand reimplementations of standards in Rust have not destroyed a thousand standards.

You clearly believe that Cloudflare is acting in bad faith, and are constructing a worldview out of assumptions that you declare instead are facts. While I respect your right to hold those views, I do not respect your declaration of future outcomes as fact.

>DJB has not destroyed DNS.

DJB didn't fork Bind and then refuse to work with them.

>BoringSSL has not destroyed TLS

BoringSSL didn't fork OpenSSL and then refuse to work with them.

About the closest modern comparison would be OpenOffice vs. LibreOffice - which created a complete mess like I mentioned before.

Except even THAT is a bad comparison because LibreOffice only forked when they were FORCED to fork.

I was unable to parse this reply in the context of "do forks harm standards?" as we're discussing in this thread. What standard came to harm as a result of LibreOffice forking from OpenOffice?

Can/has anyone from CloudFlare commented? This refusal to work with WireGuard has left a bitter taste in my mouth from a company that I otherwise like.

Here's what I posted to our blog when this question came up:


We communicated with Jason throughout the process and have a ton of respect for him and the entire WireGuard community. In the short term, we need the flexibility to quickly update BoringTun's code base to support the project we built it for. That's harder when you need to coordinate with people outside Cloudflare and when we need to move as fast as we plan to. However, we really believe in Open Source and want the WireGuard community to thrive. We licensed the code very openly (3-paragraph BSD) and WireGuard may choose to fork it. If they do, we'll support it and plan to contribute any improvements in our own fork back. Over the long term, I think we're very open to merging this back into the upstream project.

I guess that doesn't make sense to me. If Jason offered you your own sub-project to run with, why can't you "move fast"?

>I thought the invitation to put their engineers as the head of a WireGuard subproject was a cool invitation, but alas.


I mean no offense, but the response comes off as corporate approved PR. "We need to move fast" when you haven't actually even tried engaging with the parent project and have no idea whether or not it would prohibit "moving fast" is disingenuous IMO.

Presumably there’s still overhead involved in being part of the WireGuard organization, no? If there wasn’t, then the only difference between being in it and not is branding.

More importantly, without having already tried it, it’s hard to predict how much overhead there will be.

Since CloudFlare had a (self-imposed) deadline, working fast had to take priority over optics. After all, the project can always be folded into the WireGuard organization later.

Oh, I missed that comment, thank you. That makes sense.

Hmm, I have seen that post, do you mean a specific comment? The only relevant one I can see is the license one, which has a reply from Jason.

EDIT: eastdakota filled me in, thanks John.

No worries; thanks for letting me know.

From what I can see (correct me if I’m wrong) this is an implementation of the WireGuard protocol in Rust.

WireGuard is written as Kernel Module in C, with a GPL licence; BoringTun is a user space program written in Rust with an MIT licence.

So it’s not really even a fork.

Fair point. I especially appreciate that even Workers is based on a W3C standard, when it could have been a proprietary API.

However, Cloudflare has also adopted and promoted at least one standard that adds complexity for dubious benefit, specifically DNSSEC, which tptacek has repeatedly criticized (e.g. [1]).

Moreover, Cloudflare is encouraging both providers and consumers to bypass the public Internet as much as possible in favor of Cloudflare's network and proprietary protocol(s). For providers, this is done through Argo and especially Argo Tunnel. And now for consumers, Warp is replacing the standard TCP with a proprietary protocol built on UDP.

Now that Cloudflare has proprietary replacements for the standard Internet on both sides, it can start taking advantage of network effects to make its proprietary network attractive to still more providers and consumers. As Cloudflare's power grows, it becomes harder to escape any future abuses of that power, as well as honest mistakes on Cloudflare's part.

I realize the standard Internet sucks in some ways, and Cloudflare is doing something about that. But I think the right answer is to improve the standards-based Internet, not offer a proprietary replacement. I suppose that's not compatible with running a VC-backed business, though.

[1]: https://news.ycombinator.com/item?id=10553371

DNSSEC is a standard. We literally adopted and promoted a standard. That is not about your original comment about us trying to take over the Internet or something. And we work hard on the standards-based Internet pushing HTTP/2, IPv6, QUIC, TLS 1.3, ...

Exactly what is this supposed to mean? It's a "standard"? So what? Lots of bad things have been standardized. You have to justify the work on the merits; you can't simply appeal to IETF standardization as intrinsically good. TLS Heartbeat was a standard, and it was not intrinsically good.

This thread was about Cloudflare becoming some proprietary network with its own protocols and doing evil stuff. I was pointing out that when OP said we'd implemented and promoted DNSSEC (and named you) that we were not implementing something we'd invented but a standard.

I don't think Cloud Flare is implementing a lot of scary proprietary stuff outside the IETF process, but the influence that it has on the IETF process is a legitimate question to ask.

Touché on DNSSEC. That only confused things. But the rest of my comment still stands.

I get where you are coming from but I think there's a significant headwind to us doing something weirdly proprietary. If we were to create some two-tier Internet then our clients (who have web/API servers) would start having part of their audience/consumers get poorer performance or security or something. So we'd be sticking a finger in the eye of the people who pay us.

Hmm, I didn't consider that angle. Maybe I'm just a cynic, a byproduct of the 90s Microsoft monopoly and Linux backlash.

Nothing wrong with some cynicism. And I totally understand the concern, but one thing people always miss with Cloudflare is... follow the money. We get paid by people with web servers and API servers. We have to do things that keep them happy.

> one thing people always miss with Cloudflare is... follow the money

I think that applies almost anywhere. One could say "don't trust Google or Facebook with personal data" merely based on the fact that almost all of their money comes from advertising.

And thanks for the interesting exchange!

I wish all internet disagreements were this wholesome and respectful <3

> DNSSEC, which tptacek has repeatedly criticized

FWIW, tptacek's argument in that thread seems to be premised on certificate pinning being widely deployed[1], which it's not, and it seems at this point like it never will be[2].

[1]: https://news.ycombinator.com/item?id=10553608

[2]: https://groups.google.com/a/chromium.org/forum/#!msg/blink-d...

No. I like pinning (which is widespread outside of browser applications) and certainly it's better than DNSSEC, but my argument holds together just fine without it.

It hardly matters at this point, though. DNSSEC is a dead letter. It's over. Stick a fork in it. It'll be around indefinitely for performative nerds to performatively noodle with --- lots of dead IETF protocols are! --- but Cloud Flare is likely to be the largest company ever to use it (and they're the exception that proves the rule, since they sell DNSSEC services).

FWIW, you guys have also pushed this nonsense: https://www.amp.cloudflare.com/

So one could argue you are both pushing the latest standards and the latest nonsense. ;)

I too dislike amp, but I don't see this as cloudflare's fault. If anything they're offering a competitor to google who we typically criticize for creating and abusing amp.

I agree. And considering many of Google's competitors, like Microsoft, have had to support AMP as well, I recognize that AMP support is an unfortunate necessity in dealing in a world where it exists.

Hence the ;) face, it's meant as a friendly jab, not a critical accusation. jgrahamc is awesome.

Sure. What makes anyone use cloudflarenet if you're using different standards? You start by owning the market (which you're moving towards, and in a very good position to do), and then start making changes. All speculation, of course, but I agree with the gp that this is a very real possibility.

The problem is, this can still totally remind people of EEE (Embrace, extend, extinguish [1]). And appears to be not incompatible with it. And even if EEE is not your current strategy [2], the trouble is, it may become so in future, even against your best wishes today. COOs/CEOs change, as well as kings do. Today's Benevolent Dictator may get ousted by some sneaky hostile takeover in future, or even just take an unplanned sabbatical in Tibet for reinvigorating their mojo. And may get replaced with a less enlightened one. That's kinda why e.g. people from countries with a history of communist or other authoritarian/totalitarian rule are sometimes wary of creeping surveillance tech even when their country is fully democratic now. A switch to a new authoritarian regime can sometimes happen surprisingly easily even in an apparent democracy. Many countries in the world seem to have given policy mandate to populist-ish chiefs recently, who knows how this will work out further down the line. That's why people fear centralisation of control and of power over infrastructure.

[1]: https://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish

[2]: But then, sorry how this sounds, but pessimists tend to think, EEE perpetrators wouldn't publicly admit to it either...

Okay. How does a user who is using Cloudflare's Warp accept incoming connections to a port?

If they cannot then it is not the internet. It's more akin to a 'web' only service.

> If they cannot then it is not the internet. It's more akin to a 'web' only service.

CGNAT means that the same is true of "mobile" connections in general, so it's not like Warp is changing anything for the worse here. Though the Tor network does allow you to host a .onion-linked service over such a connection, but that - while quite handy - seems more like a special case to me.

Yes. Most mobile connections are not real internet connections. I agree.

What about web sites hosted on or proxied by CF with nag screens and captchas blocking my IP?

I like and use though.

We don't host web sites. What nag screens are you talking about?

Those "cloudflare loading" screens that come up when visiting some low-traffic sites. It's probably more common for people using privacy blockers and browser containers to block tracking. I see it at least a few times per day and I get captchas on almost any site that uses them (regardless of being behind cloudflare).

That's "I'm Under Attack Mode" which is used by sites (mostly smaller ones) to protect against small DDoS attacks or scrapers.

... or individual browsers taking small steps to preserve their privacy.

I obviously don't know how many Cloudflared sites I visit that don't pop up the nag. And Cloudflare's nag is certainly nicer than Google's more pervasive help-us-build-a-T-800 or Akamai's "just get lost". But that mode seemingly activates on light browsing just because it's coming from a slightly-less-trackable VPS address (non-shared), and that is a problem.

I'd just like to mention that this service saved me once. I have a small low-end box and one of the sites I hosted (that belonged to a YouTube personality) was DDOS'ed for a while, it kept taking the server down. A combination of crafty server configuration and enabling the "Under Attack" mode helped me deal with it.

Great. Glad to hear it!

Captchas. Cloudflare made Tor unusable.

This might have changed but in the past it made using Tor for anything beyond onion sites extremely annoying.

Though admittedly, if you get a lot of requests from one ip and you can't really know if they are legit or not, what would you do?

I don't have the numbers, but from what I've heard the amount of legitimate traffic from Tor is rather small compared to the heaps of bots and abuse.

Yes there's the argument that Tor provides protection for those in oppressive states, but given the pros/cons of blocking Tor altogether I can at least understand the reasoning.

I'd be interested to see your evidence for such a statement and better understand what exactly makes you think Cloudflare's mission is to build a proprietary network?

Pretty much most if not all of Cloudflare's services and work suggest the complete opposite to me.

Like other commenters, Cloudflare for me is probably one of the only companies I truly trust. I'm not saying that because I'm a big user of their services; in fact is the only service I actively use.

To any Cloudflare leadership or staff who are still watching this subthread, I'm sorry I publicly questioned your motives and integrity the way I did. I should have been skeptical without saying that I think your mission is something other than what you say it is. I wouldn't want some random person on the Internet to publicly say, or at least imply, that I'm a liar. So I shouldn't have done that to you. If I could give up the upvotes I got for that comment (and keep the downvotes), I would.

Mind you, I'm still skeptical. I probably won't use Warp on my phone, or Cloudflare on my personal site. But I should have been more careful about how I expressed that skepticism in public. None of us want a world where we all assume the worst in each other without strong evidence. So again, I'm sorry.

You definitely should not apologize for being skeptical while at the same time being reasonable.

The standard internet is Google's playground.

Having worked in an ISP, only one thing mattered to customers, and only one thing: YouTube.

> Because I don't want any single company to have too much power,

Yes. Agreed. But if not Cloudflare as a pushback alternative to those trying to own the internet, then who?

It seems to me the "standard internet" is getting smaller and smaller. What other options do we have?

This pearl clutching is getting out of control. The existence of cloudflare is totally orthogonal to your ability to self-host content on the internet. They don't have any power, except over their customers and those customers' customers. If you don't want to use them, then don't. No one is stopping you.

I would almost argue the contrary: Cloudflare makes self-hosting more possible, when you're going up against the large cloud hosting empires like Amazon and Google and Microsoft. You may not be hosting on one of those, but you can slap a little Cloudflare in front of yours to give your own server similar levels of robustness... and you can always turn it back off if they ever become a problem, since you aren't using proprietary APIs and services to power your server.

If anything, I've kinda been hoping Cloudflare would realize self-hosting and decentralization is what they should be supporting and pushing, as it's when using their CDN makes the most sense. And obviously, Amazon and Google and Microsoft all have their own CDN capabilities, so the less people using their cloud services, the better for Cloudflare.

Fyi - I don't have a problem with them.

VPNs are "trust me" security, and Cloudflare certainly has a better reputation than many VPN services, so, in that regard, Cloudflare's entry is welcome, but...

I've been using Tor as a privacy-friendly VPN, so Cloudflare getting into this business will make it feel a bit different, every time I see an error Web page that says Cloudflare is blocking a Tor exit node from viewing a page that Cloudflare hosts.

Perhaps Cloudflare could figure out how to block competitor Tor less (even if there's abuse coming in through Tor)? That might be difficult, but an excellent show of good faith.

An interesting trick - if Cloudflare allows it - would be Device -> Tor -> This -> Internet. Tor provides anonymity, this provides protection against exit nodes maliciously modifying traffic (you can find a number of examples of this just by searching).


Routing VPNs through Tor is a great way to avoid site discrimination against Tor users. But there are two key problems. One is that you degrade Tor anonymity, because Tor can't switch circuits (normally at ~10 minute interval). And also because you typically must pay for VPN services.

The other problem is that Tor only routes TCP traffic. So when you use TCP-based VPNs routed through Tor, and are using HTTPS or some other TCP flavor, you get the TCP-in-TCP horrors. There's too much error correction.

So yes, Cloudflare would need to allow Warp via Tor. Or maybe even better, Warp via Tor via Warp. And also it would need to protect Tor anonymity.

Cool idea, though :)

> Warp via Tor via Warp

Warp would see all your incoming packets and all your outgoing packets, so why bother with Tor?

Good point. I was getting carried away, there.

But still, if it were done right, that's not necessarily true. I mean, I can have two accounts with some VPN service. I connect to server1.vpn.com using one account. Then I connect to the Tor network via that VPN tunnel. And then I connect to server2.vpn.com via Tor, using the other account. Even better, I connect to server2.onion, using the other account.

Even then, Cloudflare could easily do traffic correlation. But as it is now, the NSA can easily do traffic correlation. So hey.

> Perhaps Cloudflare could figure out how to block competitor Tor less (even if there's abuse coming in through Tor)? That might be difficult, but an excellent show of good faith.

they are: https://blog.cloudflare.com/cloudflare-onion-service/

Indeed, we've gone to great lengths already to make the experience over Tor less painful -- for example supporting Privacy Pass: https://blog.cloudflare.com/cloudflare-supports-privacy-pass... in addition to the onion service that rrix20 mentioned.

Basically run Tails as the host OS

then set up a computer at various data centers/locations around the world that you can route your traffic through (it's a VPN now)

and then either

1) run a Virtual Machine in that which connects through VPN

2) run a remote machine which connects to the outside through VPN

>TCP, the foundational protocol of the Internet, was never designed for a mobile environment.

Amusingly, this is actually not true. TCP was originally developed to run on an inter-network over two networks: the ARPANET which has the reliability characteristics of a "traditional" network, and an extremely mobile network with lots of packet loss: ship-to-ship packet radio.

TCP today seems very poorly suited for the mobile environment, but it was in fact originally designed for mobile.

In fact, I'd argue that it is a good fit even today. What wasn't designed for mobile is the HTTP protocol. HTTP/2 solves most of the problems with mobile without changing out TCP. QUIC provides a few benefits, but by and large not many.

BTW, HTTP/3 is actually mostly QUIC (or rather "HTTP-over-QUIC").


My interpretation of “not designed for mobile” is mobile devices, not mobile network. In particular, TCP is not designed for a scenario where the device keeps leaving old networks and joining new ones, or where a device routinely has 2 network interfaces where one has better performance than the other but which one is better changes frequently.

Ships, as mobile devices, frequently entered and left packet radio range with each other, or might have multiple other ships in range and have to select which ship to send their packets to.

That would be equivalent to the server going offline and back online, as opposed to the route constantly changing.

We're talking about a packet-switched network. The other ships aren't your destination - some server on land is your destination.

Multipath-TCP is designed for precisely that.

I may be wrong but isn't Multipath TCP pretty darn new and rarely used? At least on iOS you have to explicitly opt into it, either using the new Network framework for raw networking or a special configuration for URLSession, and also requires an entitlement to even do (no idea why). AFAIK the only Multipath TCP that my iPhone regularly actually uses is Siri.

Which is to say, it still feels largely experimental.

You're absolutely correct, it's new, not in mainline Linux kernel yet etc.

I just mentioned it as it's a cool project and in time will help address some of the limitations you mention.
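The subthread above turns on one detail: a TCP flow is identified by its 4-tuple, so when a phone moves from Wi-Fi to LTE and its source address changes, the server has no way to recognise the new packets as the same connection. QUIC instead identifies a connection by a connection ID, and because blindly accepting a new address would let an off-path attacker redirect someone else's connection, the new path has to be validated first (PATH_CHALLENGE / PATH_RESPONSE). The toy model below, added here as an illustration and not taken from WARP, QUIC, MPTCP or any Cloudflare code, simulates both designs; the class names, message shapes and addresses are invented for the example.

```python
"""Toy model of a 4-tuple-bound flow (TCP) versus a connection-ID-bound
connection with path validation (QUIC-style) when a phone moves from Wi-Fi
to LTE. Added illustration for this thread; not WARP, QUIC or MPTCP code.
All names, addresses and message shapes are invented."""
import os
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    src: tuple                  # (ip, port) the packet arrived from
    conn_id: bytes              # connection identifier; ignored by the TCP model
    payload: bytes
    path_response: bytes = b""  # echo of a PATH_CHALLENGE token, if any


class TcpLikeServer:
    """A flow is identified only by its 4-tuple, as in classic TCP."""

    def __init__(self, local=("203.0.113.10", 443)):
        self.local = local
        self.flows = {}   # (src, local) -> delivered payloads

    def accept(self, src):
        self.flows[(src, self.local)] = []

    def receive(self, pkt):
        key = (pkt.src, self.local)
        if key not in self.flows:
            return "RST"      # unknown 4-tuple: the connection has to be rebuilt
        self.flows[key].append(pkt.payload)
        return "ACK"


class QuicLikeServer:
    """A connection is identified by connection ID. A packet from a new
    address is trusted only once the peer proves it can receive on that
    address; that is what stops an off-path attacker from 'migrating'
    someone else's connection to an address of its choosing."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.conns = {}   # conn_id -> {"path": (ip, port), "data": [...]}

    def accept(self, src):
        cid = os.urandom(8)
        self.conns[cid] = {"path": src, "data": []}
        return cid

    def _challenge(self, cid, path):
        # Unguessable to anyone who cannot see the challenge on the new path.
        msg = cid + repr(path).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def receive(self, pkt):
        conn = self.conns.get(pkt.conn_id)
        if conn is None:
            return "DROP", None
        if pkt.src == conn["path"]:
            conn["data"].append(pkt.payload)
            return "ACK", None
        token = self._challenge(pkt.conn_id, pkt.src)
        if pkt.path_response and hmac.compare_digest(pkt.path_response, token):
            conn["path"] = pkt.src        # path validated: migrate the connection
            conn["data"].append(pkt.payload)
            return "ACK", None
        # Simplification: real QUIC processes the data but rate-limits what it
        # sends to the unvalidated path; here we simply ask for proof first.
        return "PATH_CHALLENGE", token


def demo():
    wifi = ("192.0.2.5", 50000)
    lte = ("198.51.100.7", 50001)
    attacker = ("198.51.100.99", 4444)

    tcp = TcpLikeServer()
    tcp.accept(wifi)
    tcp_wifi = tcp.receive(Packet(wifi, b"", b"hello"))
    tcp_lte = tcp.receive(Packet(lte, b"", b"still me"))   # same device, new address

    quic = QuicLikeServer()
    cid = quic.accept(wifi)
    q_wifi, _ = quic.receive(Packet(wifi, cid, b"hello"))
    q_lte_first, token = quic.receive(Packet(lte, cid, b"still me"))
    # The real client sees the challenge on LTE and echoes it.
    q_lte_second, _ = quic.receive(Packet(lte, cid, b"still me", path_response=token))
    # An off-path attacker spoofing a new address never sees its challenge.
    q_attacker, _ = quic.receive(Packet(attacker, cid, b"evil", path_response=b"guess!!!"))

    return {
        "tcp_after_move": (tcp_wifi, tcp_lte),
        "quic_after_move": (q_wifi, q_lte_first, q_lte_second),
        "quic_spoofed_move": q_attacker,
        "quic_path": quic.conns[cid]["path"],
        "quic_data": quic.conns[cid]["data"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the TCP-style server answering the post-move packet with RST while the connection-ID server challenges the new address, accepts it once the genuine client echoes the token, and keeps refusing the spoofed address. MPTCP addresses the same problem at the TCP layer by binding subflows to one connection with its own address-verification handshake, which is why it is mentioned above.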

I'd wager that the Super Secret Plan is geared towards further centralizing the Internet. Preferably on Cloud Flare's infrastructure.

This is one part of a tug-of-war that's going on in recent years between Internet network operators and cloud providers, with the cloud providers slowly but surely winning.

For better or worse, we are moving away from a distributed Internet composed of many autonomous networks into a future in which the only job of the ISPs is to connect homes and offices to the local POPs (Points Of Presence) of the large cloud providers.

Why do you need connectivity to other networks when you can get Google (w/ Youtube & GCE) and Facebook from a local POP? Add to that all the sites and services that reside on Amazon, Azure, Cloud Flare, Akamai, and maybe a few more large clouds/CDNs, and you don't need a public Internet anymore. Imagine the security and performance benefits of that!

I don’t think this would fly for a number of reasons, but CloudFlare isn’t exactly a world leader or even a household name. They’re a newcomer in this space and for once they’re actually open with their community (us). If CloudFlare is the villain, then are CenturyLink & Comcast the heroes? By my estimation, we’re more likely to see any kind of doomsday scenario like that executed by cable companies and telcos — which already have a natural monopoly in most localities. I don’t see CloudFlare as having anywhere close to that reach.

No one is the villain here, it's not that simple.

These are companies that respond to market pressures. Routing around the network operators (both figuratively and literally) makes a lot of sense for large cloud providers. Especially so if there are no network neutrality rules in place to enforce free access to consumers (as opposed to consumer ISPs demanding payment for pushing content to their subscribers).

Also, the content from Google, Facebook and a couple other cloud providers is what consumers actually want. I've seen internal numbers from a European mobile provider that show that >80% of consumer traffic is to/from either Facebook or Youtube. So are the consumers villains?

> Also, the content from Google, Facebook and a couple other cloud providers is what consumers actually want.

What content from Google and Facebook? If you are referring to YouTube and Instagram - that's one part of the total internet content consumed. Hard to totally ignore the news sites, blogs and streaming services.

The vast majority of which are hosted in the public cloud (AWS, GCP, Azure) or behind content delivery networks like Cloudflare or Akamai.

The centralization of the internet and death of the “end to end” ethos is very real unfortunately.

Is it still 80% if you filter out passive (streaming) and non-human (heartbeats, tracking, analytics) traffic?

If you measured that by doing a count() and group by on the domains of a traffic log, it would be easy to draw a conclusion that doesn't meaningfully reflect real user activity.

There is a big difference between traffic numbers of youtube and surfing the net. I may have a documentary open in the background while I read dozens of other websites.
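The point made in the last few comments, that ">80% of traffic is Facebook or YouTube" means very different things depending on whether you count bytes, requests, or interactive requests after dropping streams and beacons, is easy to see on a small log. The script below is an added illustration, not taken from the thread or from any provider's data; the log format, hostnames, paths and byte counts are all constructed, and the classification rules (which paths count as streaming or as automated beacons) are invented heuristics you would replace with whatever your own logs support.

```python
"""How the 'X% of traffic is YouTube' figure depends on what you count.
Added illustration for this thread; the log format, hosts, paths, byte
counts and the classification heuristics are all constructed."""
import re
from collections import Counter

# Constructed log, one request per line: <client> <host> <bytes> <path>
SAMPLE_LOG = """\
10.0.0.1 youtube.com 80000000 /videoplayback?id=1
10.0.0.1 news.example 120000 /article/1
10.0.0.1 blog.example 90000 /post/2
10.0.0.2 youtube.com 60000000 /videoplayback?id=2
10.0.0.2 tracker.example 400 /collect?e=view
10.0.0.2 tracker.example 400 /collect?e=scroll
10.0.0.2 news.example 150000 /article/7
10.0.0.3 shop.example 300000 /cart
10.0.0.3 app.example 200 /heartbeat
10.0.0.3 app.example 200 /heartbeat
10.0.0.3 youtube.com 5000 /watch?v=3
10.0.0.1 youtube.com 70000000 /videoplayback?id=1
"""

# Invented heuristics: media segments are "streaming", telemetry endpoints
# and known tracker hosts are "automated"; everything else is a human action.
STREAMING_PATHS = re.compile(r"/videoplayback|/segment/|\.m3u8$|\.ts$")
AUTOMATED_PATHS = re.compile(r"/(collect|beacon|heartbeat|ping|pixel)\b")
TRACKER_HOSTS = {"tracker.example"}


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, size, path = line.split(maxsplit=3)
        records.append({"client": client, "host": host,
                        "bytes": int(size), "path": path})
    return records


def classify(rec):
    if rec["host"] in TRACKER_HOSTS or AUTOMATED_PATHS.search(rec["path"]):
        return "automated"
    if STREAMING_PATHS.search(rec["path"]):
        return "streaming"
    return "interactive"


def share(records, weight):
    """Fraction of the total (under the given weight function) per host."""
    totals = Counter()
    for rec in records:
        totals[rec["host"]] += weight(rec)
    grand = sum(totals.values())
    return {host: value / grand for host, value in totals.items()}


def report(text=SAMPLE_LOG):
    records = parse_log(text)
    interactive = [r for r in records if classify(r) == "interactive"]
    return {
        "by_bytes": share(records, lambda r: r["bytes"]),
        "by_requests": share(records, lambda r: 1),
        "interactive_by_requests": share(interactive, lambda r: 1),
        "interactive_by_bytes": share(interactive, lambda r: r["bytes"]),
    }


if __name__ == "__main__":
    for metric, shares in report().items():
        print(metric, {h: round(v, 3) for h, v in shares.items()})
```

On the constructed log, YouTube is over 99% of bytes, a third of requests, and a fifth of interactive requests once the video segments and the heartbeat/collect beacons are excluded. The same `count() ... group by host` on a real proxy log silently picks one of these definitions, and with per-request rather than per-flow logging, keepalives and beacons can dominate the count just as video dominates the bytes.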

CloudFlare is definitely large enough to raise concerns about centralization of the Internet. You don't have to be a household name for that (e.g. Akamai isn't either). Their site says that their infrastructure "powers nearly 10% of all Internet requests".

They aren't a villain, they're an illustration of market forces currently favoring centralization. Like CenturyLink and Comcast, for that matter.

I don't think CloudFlare is a newcomer. They're big in the CDN market.

"big in the CDN market" is very different to "has enough pull to significantly centralize the internet like Google or Amazon".

CDNs are literally the other thing (aside from Public Cloud providers) that are centralizing the internet.

Your statement is the exact opposite of reality.

That’s a very harsh dismissal and I don’t think it holds up well because it ignores the difficulty of switching. You can switch CDNs quickly, without needing any user actions, whereas it’s considerably more work to switch cloud providers and even harder to get users to switch their usage.

Here's the issue that everything fights when talking about Centralization vs Decentralization.

Centralization is far easier to manage. A single entity has the ability to control all routes and all the pieces of the network. The structure can become faster, mesh networks are notoriously slow. By using a VPN + Argo cloudflare has control over how your data is routed, and can make sure it skips slow network segments, is peered well, etc.

Decentralization doesn't require trust if implemented correctly. This is its biggest selling point IMO. If implemented correctly (which is hard to do) it can have better uptime, as we aren't relying on any single entity. But, with mesh networks as an example, a specific route could be slower than the others, and there's often not much you can do about it. Decentralization if not implemented correctly is a nightmare on so many levels. There's nobody to appeal to if an issue occurs. If trust isn't implemented correctly (current state of ISPs) then we have multiple parties who can spy/modify your communications.

Of course centralization is easier. The problem is that it's centralized.

Or put another way - decentralization may be able to offer greater resilience and reachability - but it will never result in better performance or stability.

Contemplating this makes me happy that HN (among other sites I frequent) doesn't use one of these big providers (though it used to use Cloudflare). May it always stay that way.

I might have triggered the divorce :) https://news.ycombinator.com/item?id=17399783

This is still better than only having competition at the ISP level since it's easy to switch VPN's. Building a network like Cloudflare is no easy task, but neither is building a mobile network or installing fiber.

While not in itself neutral, it seems like it should help to preserve the competition that network neutrality is supposed to enable, since it's easy for small organizations to hook up with Cloudflare and they do encryption where they can.

I'm reminded of Galbraith's theory of countervailing power, which seems like a more realistic approach than always thinking in terms of centralization versus decentralization:


Also, consider how companies try to commoditize their complements, which having competition at different layers tends to do:


I just signed up. cloudflare is on the short list of Internet companies that I trust (with the usual small bit of doubt and skepticism!). With just a few reservations, I also trust G Suite, Firefox, and a few hosting companies I do business with.

I have been supporting FSF, ACLU, etc. for years, but the practical considerations that prompted me to be a bit more trusting are Cloud Search in GSuite, Cloudflare offering HTTPS to help get the web more secure, and a deep appreciation for having Firefox available (containers are so easy to use and make me feel more secure in my use of the web).

I have to mostly agree... Cloudflare has actively participated with a lot of communities to bring better CDN options to open-source projects who otherwise would be overloaded. I'm not sure how much I actually trust GSuite, ironically preferring Office365 to it as there are huge, gaping holes in its usefulness, specifically group email tethered to a horribly broken secondary interface (groups) and the fact that the product as a whole has languished a lot.

I'm in a position where I do appreciate Google's software, Chrome/V8 and resulting node and electron as downstream projects. However, my trust of Google is waning in light of their incredibly divisive culture all around and a lot of their practices, cover ups and just poor form in the sun-setting of "don't be evil."

I don’t disagree about Google. I really just use their paid services (GSuite, Music/no ad YouTube, purchase books and movies). I mostly switched to DuckDuckGo years ago, and I run all Google properties through a single Firefox container.

maybe you've forgotten Cloudbleed https://en.wikipedia.org/wiki/Cloudbleed Thanks for downvoting.

I trust Cloudflare to do their best, generally respect privacy, and not act maliciously.

I don't trust cloudflare to not make mistakes (like Cloudbleed). I don't trust myself to not make mistakes. I don't think there is anyone I trust not to make mistakes. It's just not a reasonable criterion.

Companies are made of people and people inevitably screw up. Cloudbleed made Cloudflare more trustworthy in my eyes simply because of how they handled their (very large, very unfortunate) mistake.

Please don't complain about voting on comments. This is in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

I am sorry you were downvoted - shouldn’t happen when people express their opinions. just gave you a +1

There's a lot of dissing of competition (they drain your battery, "all suck", slow down your internet) without a single datapoint.

Personally I find the performance of PIA fine. I just ran a test through fast.com and got 42 Mbps on 4G through PIA mobile VPN in NYC. (Weirdly, when I turn off the VPN and test I'm only getting around 2 Mbps.) Latency is a bit higher than direct, but not enough for me to agree with their blanket statement that all VPNs suck.

Fast.com is through Netflix, so your carrier is probably throttling. Try a different speed test with no VPN to confirm.

Using the speed test app I get 65 direct and 58 using the NYC setting in PIA. Ping is 31 ms for PIA vs 28 direct.

I look forward to testing with Warp once it's released, but I don't see how it could be much better than the status quo. PIA has lots of servers all over the place, cloudflare might have a bigger network but the delta should be negligible.

I am a bit surprised that fast would get throttled though.

> I am a bit surprised that fast would get throttled though.

Fast.com runs its tests against the actual servers that stream Netflix to you. It uses the same selection algorithms as actual Netflix. The whole point of it was so that you use Fast.com and then call your ISP and say you did a speed test and aren't getting anything close to the speed that they advertised.

On the back end they can't tell the difference between a Fast.com speed test and actually playing Netflix, and that was the point. So if they are going to throttle one they have to throttle both.

It's been pretty common and a big part of why Netflix created the service iirc. ISPs have been throttling Netflix as a negotiating tactic when creating peering agreements for upstream traffic or deploying more content servers. The whole process has been really horrible imho. Some mobile providers do it to force lower quality streams, that in fairness are probably more appropriate for small/mobile devices. 1080p-4K are probably overkill on a 5-6" device.

Flagships from Apple, Samsung and Google are 1080p resolution or better. 4k is overkill but 1080p absolutely is not.

The question is, on a 5" screen will you really notice the difference between a 1080p stream and a 720p stream for video? Especially considering the 720p may be higher bits per pixel than the 1080p stream. I'd rather have a 720p stream at 3/4 the bitrate of a 1080p stream, which is often the case as there are multiple levels for a given resolution.

Then again, I don't always notice even on a larger screen from a better 720p stream and a poorer (relatively) 1080p stream. I often notice the difference from 1080p to 4K though, which is a slightly bigger bump on a much larger screen.

Netflix will never even try to show you 4K on a mobile device. The ISPs know this. They just want to throttle Netflix so that you'll prefer the ISPs streaming service to Netflix.

I think it's more about double dipping and getting extra money for network agreements and near-side content servers from Netflix.

That too. They want to get paid on both sides of the network drop, even though their customers are already paying for both sides.

Anything that uses the Android built-in IPsec VPN is going to be fine unless the app really goes out of its way to be crappy. This uses WireGuard in userspace so is likely actually a battery drain. Less than OpenVPN at least.

While it might use more power I've been using WireGuard on my phone for 6 months or so now and the performance is way better than IPsec, especially on spotty connections such as mobile!

This sounds curious, both protocols just encapsulate your ip packets without affecting retransmissions, no?

I wonder how the increase in performance might offset the difference in battery drain between both protocols. If WireGuard uses a bit more battery to achieve a task quicker the extra idle time achieved might offset any increase in power usage.

CPU on your phone is probably gonna be the main reason VPN is slower than not using one.

But this only sends DNS over the VPN so it won’t use much power at all. 99% of your traffic does not route via the VPN with this app.

Where do you get the idea this is DNS over VPN only?

> Any unencrypted connections are encrypted automatically and by default.

> Unfortunately, a lot of the Internet is still unencrypted. For that, Warp automatically adds encryption from your device to the edge of Cloudflare’s network

It reads to me like all your traffic goes through your service, not just DNS.

Yep... my apologies..

The blog led me to their " app", which I installed and found created a VPN on my iOS device that only tunneled DNS traffic.

This "warp" thing, which is not released you can only go on a waiting list for, will apparently tunnel all traffic.

My apologies for the error.

Just as an aside, I thought that was an exceptionally well-written product announcement, or press release, or whatever you'd call it. It was long, but I didn't mind reading the whole thing. It answered all the basic questions about why I should use it, how they plan to make money, and with enough technical detail that I understood essentially how it works. It was very much the opposite of the marketing material you get from most big corporations. I'm saving the page as a PDF as a good example if and when I need to write a product announcement.

I had the same reaction. As I was reading the article, I started asking myself "Hold on, what's in it for you? You're still a private company. How are you going to make money?". I then reached the "Ok, Sure, But You’re Still a Profit-Seeking Company" section. It's as if the article was reading my mind.

Every free product comes with a catch. When this catch is not clearly explained by the company, I always feel it's because the reason is too "shady" to acknowledge publicly (like Gmail and Facebook gathering data for advertisers). I'm probably naive to believe the reason here is vastly different, but the tone and style of this article puts Cloudflare closer to Apple than to Google privacy-wise in my eyes.

The choice to omit any sort of sign-in or account feature for the app is also a very stark difference. Even most apps with the stated goal of improving your privacy require some sort of account.

While it's true that if Cloudflare was evil, they could fairly likely identify you from metadata, that's a lot more complex and a lot more error-prone than having you sign in.

I am curious though if this will extend to their premium Warp+ offering though, as presumably they need to identify a paying customer. Perhaps if they're entirely built off of IAP on whatever platforms their clients are on, they can avoid this problem entirely?

We'll have to take payment for the paid feature, obviously, but plan to use the Apple and Google payment systems for that. I'm not an expert on the nitty gritty of that, but I don't think that gives us access to any of your personal details. We've always thought of personally identifiable information as a toxic asset and something we try to minimize collecting whenever we can.

One of the first (and most important) lessons I learned from @eastdakota when starting at Cloudflare ~4 years ago was how to write a product announcement.

Nobody does it quite like him, though @jgrahamc is great too, and I try to encourage my team to follow the lead here as much as possible.

Thank you. That's very nice of you to say. It was a team effort because we were working until the last minute to figure out exactly what we were going to be able to announce today. Glad it came across as clear.

Overall I'd agree, though they nearly lost me at the start:

> on “April Fools” a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.

Bah Humbug much?

I think a lot of the backlash the tech industry is facing is due to its unwillingness to grow up. So, yes, perhaps I'm a humbug in tech circles, but it's only because I've been outside of the Silicon Valley bubble and listened to how the tech industry is perceived. It's not good. And the April Fools foolishness is a very stark illustration of that.

> I think a lot of the backlash the tech industry is facing is due to its unwillingness to grow up.

I'd say the backlash is due to unaccountability, privacy erosion, and income inequality.

April Fools gimmicks are barely a blip on the radar compared to the above. At best they provide a target to focus the above ire on, but that's confusing the issue.

> exceptionally well-written product announcement

Yup... a rare beast these days. My niece is a gifted writer - one of less than a half dozen that I personally know.

She graduated recently and had her pick of several positions due to her portfolio of work.

I've been fortunate enough to earn degrees in English (BA), Computer Science (minor), Law (JD), and Business (MBA). The one that serves me the most regularly in my role as CEO of Cloudflare is my English degree. Learning to communicate is so critical to success in your field, regardless of the field.

"Every business is a writing business." - Ray Edwards

Just curious, do you hire copywriters?

Yes, we do. We have roles open in Austin and SF right now: https://www.cloudflare.com/careers/departments/marketing/

> had her pick of several positions due to her portfolio of work

Aside from previous job experience, what sort of things are in a portfolio like this?

She did freelance work while getting her degree (mostly friends/family small business promos, articles, press releases) and received a ton of positive feedback that she was able to use.

An aside from the comment, but I don't appreciate the derisive tone of their first paragraph:

> a handful of elite tech companies decide to waste the time of literally billions of people with juvenile jokes that only they find funny.

I sort of agree, but it's not nice, and not necessary. It also isn't particularly classy to then go on to say "and we're so much better, because we do useful things".

(I do happen to find Cloudflare, as a company, so much better, and awesome things like and warp make me really want to push my employer to use Cloudflare for all the things).

Absolutely, that part left a bitter taste in my mouth reading the rest of the article. Feels like they released this on April 1st just so they could make this claim, strange move.

Or because (in American calendars), today is 4/1, and the IP address for their DNS server is, or four ones.

I actually loved that intro. Check out Stack Overflow for a horrendous example of an April Fools "joke" today.

Screenshot for people reading this outside of 4/1/2019:


I think they were just trying to be extremely clear right away that this announcement is not an April Fool's joke.

While this might improve user experience for some, I don't see the greater value in a VPN solution like this.

It's the fast path to replacing the decentralized internet with a few proprietary CDNs. I'm much more excited about those projects that actually try to fix the raised issues:

Unencrypted connections -> TLS / Letsencrypt

TCP sucks on mobile/roaming devices -> QUIC & HTTP/3

Cloudflare pushed out free TLS years before Let's Encrypt and we are actively working on and supporting QUIC and HTTP/3. But QUIC/HTTP/3 aren't here today, not everyone is using HTTPS and there are other worries in coffee shops etc. hence a VPN service makes sense.

There is a bit of a difference between LetsEncrypt and Cloudflare TLS termination though... one is TLS for everyone, the other is TLS for Cloudflare customers (paying or not). For instance, can an Iranian website use Cloudflare TLS? I would wager not. (Ironic, as they probably need secure transport the most.)

I'm not saying Cloudflare isn't doing good things for the Internet but it's a bit disingenuous to equate the 2 efforts. Cloudflare could have done LetsEncrypt, but as a CDN that would make no business sense - which is why we need LetsEncrypt, so they can continue to do the things that don't make good business sense for Cloudflare.

CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long as the customer is not a Gov't entity. The only issue is that these CAs are just playing it safe by not issuing any .ir domains, making CF also unable to issue .ir.

I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].

0: https://community.letsencrypt.org/t/issuance-criteria-for-ir...

1: https://support.cloudflare.com/hc/en-us/articles/11500031083...
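As an added illustration of the CAA mechanism the comment above leans on (example code written for this page, not Cloudflare's, Let's Encrypt's or any CA's implementation): the authorization check a CA performs per RFC 8659 before issuing, run over constructed zone data. The CA issuer domains in the data are real; the zone names, the records themselves and the function names are assumptions made for the example.

```python
# Added example: evaluate CAA authorization the way RFC 8659 tells a CA to.
# The zone data is constructed for illustration; only the issuer domains are real.
CRITICAL = 128  # CAA flags bit: the property MUST be understood or issuance fails

# Constructed CAA data: name -> list of (flags, tag, value). An empty list
# models a name that exists but has no CAA records of its own.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),  # empty issuer: nobody may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "other.example": [(CRITICAL, "issue", "comodoca.com")],
    "sub.other.example": [],
    "odd.example": [(CRITICAL, "newtag", "whatever")],
}


def relevant_rrset(fqdn, zone):
    """Climb from the FQDN toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(fqdn, ca_domain, zone, wildcard=False):
    """Return (allowed, reason) for ca_domain issuing a certificate for fqdn."""
    origin, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records in scope for %s" % fqdn
    # A critical property the CA does not understand forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in ("issue", "issuewild", "iodef"):
            return False, "unrecognized critical property %r at %s" % (tag, origin)
    # Wildcard requests consult issuewild first and fall back to issue;
    # non-wildcard requests ignore issuewild entirely.
    props = [v for _, t, v in rrset if t == "issuewild"] if wildcard else []
    if not props:
        props = [v for _, t, v in rrset if t == "issue"]
    if not props:
        return True, "no applicable issue/issuewild property at %s" % origin
    if any(issuer_of(v) == ca_domain.lower() for v in props):
        return True, "%s authorized by CAA at %s" % (ca_domain, origin)
    return False, "%s not authorized by CAA at %s" % (ca_domain, origin)
```

The climb toward the root is what makes a single `issue letsencrypt.org` record at the zone apex cover every hostname beneath it, and an `issuewild ";"` record is how you allow ordinary certificates while refusing wildcards. The example omits the CNAME/DNAME following that RFC 8659 also requires; a real CA does that before the climb.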

Having Cloudflare's weight behind Wireguard seems like a great thing for an open decentralized Internet.

If only they were willing to work with Wireguard: https://lists.zx2c4.com/pipermail/wireguard/2019-March/00404...

Should Cloudflare go evil in some way then I would guess other services would pick up the ball and would keep delivering the same level of service as this one.

My ISP is rate-limiting specific services -> VPN

Which, incidentally, allows you freer access to the open Internet.

Cloudflare, are there plans for ad blocking? Currently using AdGuard DNS and it works well. Router-level ad-blocking would be an attractive premium option.

You should really want those to be separate services. The incentives get weirdly snarled if you expect your VPN to also block ads.

Making it a plugin that you could plug another app into might be cool, though?

I think he's asking because you can't easily combine DNS services. If you're using a service to block ads via dns then you aren't using If you want to use then you need to either host your own forwarding dns server or forego ad blocking.
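The "host your own forwarding DNS server" option from the comment above, and the DNS-level blocker a later comment calls a nice to have for non-browser apps, as an added example (not Cloudflare's code and not from any ad-blocking project): a minimal filtering forwarder that sinkholes blocklisted names and relays everything else to 1.1.1.1, either over plain UDP or over DNS-over-TLS on port 853, which is the same transport Android's Private DNS setting uses. The blocklist entries, the listen address and port 5353, and the TLS server name `one.one.one.one` are assumptions for the example; the wire-format handling is the standard DNS message layout.

```python
import socket
import ssl
import struct

# Added example: a filtering DNS forwarder. Blocklisted names (and their
# subdomains) get a sinkhole answer; everything else is relayed upstream.
UPSTREAM_IP = "1.1.1.1"      # Cloudflare's resolver, as discussed in the thread
DOT_SNI = "one.one.one.one"  # assumed TLS server name for DNS-over-TLS to 1.1.1.1
BLOCKLIST = {"ads.example.com", "tracker.example.net"}  # constructed blocklist

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits
RCODE_NXDOMAIN = 3
TYPE_A = 1


def parse_question(pkt):
    """Return (qname, qtype, offset just past the question) for a standard query."""
    off, labels = 12, []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed label in question section")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype, = struct.unpack("!H", pkt[off:off + 2])
    return ".".join(labels).lower(), qtype, off + 4


def is_blocked(name):
    """True if the name or any parent of it is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Encode a recursive query; used to construct test traffic offline."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def sinkhole_response(query):
    """Answer A queries with 0.0.0.0 and any other type with NXDOMAIN."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, qtype, qend = parse_question(query)
    question, rd = query[12:qend], flags & RD
    if qtype == TYPE_A:
        header = struct.pack("!HHHHHH", txid, QR | rd | RA, 1, 1, 0, 0)
        # 0xC00C is a compression pointer back to the name in the question
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes(4)
        return header + question + answer
    header = struct.pack("!HHHHHH", txid, QR | rd | RA | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + question


def handle(query, forward):
    """Per-query decision; `forward` is injectable so the logic can run offline."""
    name, _, _ = parse_question(query)
    if is_blocked(name):
        return sinkhole_response(query), "blocked"
    return forward(query), "forwarded"


def forward_udp(query):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, (UPSTREAM_IP, 53))
        return s.recv(4096)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf


def forward_dot(query):
    """Same relay over DNS-over-TLS (RFC 7858): TLS on 853, 2-byte length prefix."""
    ctx = ssl.create_default_context()
    with socket.create_connection((UPSTREAM_IP, 853), timeout=3) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_SNI) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length, = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)


def serve(listen=("127.0.0.1", 5353), forward=forward_udp):
    """Listen on UDP and answer forever; port 5353 avoids needing root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(512)
            try:
                response, _ = handle(query, forward)
            except (ValueError, IndexError, struct.error, OSError):
                continue  # malformed query or upstream failure: drop, keep serving
            srv.sendto(response, client)
```

Run `serve(forward=forward_dot)` on a host you control and point clients at it; the decision logic in `handle` is separated from the sockets so it can be exercised with a fake upstream. Two caveats a practitioner will hit: a forwarder that answers 0.0.0.0 is forging records, so a client that validates DNSSEC will reject those answers for signed zones, and the plain-UDP path leaks every query to the coffee-shop network, which is the reason to prefer the DoT upstream.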

If Cloudflare provides CDN services for advertisers, you likely won't see adblocking products from them.

That is not something which has factored into the conversation on our (Cloudflare's) end. The bigger issue is even as we make technical improvements, we very much don't want to create a separate Internet. The minute we begin adding, removing, or changing content when it comes through Warp those questions begin to be asked.

You also don't want to be in the business of determining which ads are "good" and which are "bad" and being tastemakers in any way, so probably a smart choice to stay out of the ad game.

A good add on though might be a way for people to run their own service on a Cloudflare worker that gets hit with each request to 1^4, which would allow them to run their own ad blocker.

Same concern here. I use the open source dns66 app with cloudflare dns so I get the best of ad blocking/content filtering and fast connections. I love the idea of improving my privacy and theoretically performance for the connections I want to make, but not at the expense of that functionality.

I currently use DNS66 for ad blocking on android without root. Is there a way to do something similar while using this app?

Alternatively, I have a Xperia XA1 running a June 5, 2017 security patch. It's been my intent for a long time now to figure out how to get root without unlocking the boot loader the Sony-approved way (which makes the camera less functional). Anyone have any pointers on easy to exploit privilege escalations that should exist on my phone?

Are you Android 9 or later? If so, set up private DNS to dns.adguard.com [0]

Otherwise, you are out of luck. You cannot run the app and run another VPN app like blockada, netguard, no-root-firewall side by side on Android (at least not supported till the latest release, Android 10).

[0] https://news.ycombinator.com/item?id=18788410

You are worried about unlocking the bootloader (which you should be) for rooting or a systemless mod, but okay with an exploit operating from user space?

Yes, basically.

Could also approach from usb/wifi/bluetooth/etc instead of local userspace.

The problem specifically is that unlocking the bootloader the official way deletes drm keys stored in a "TA" partition, and that makes the camera less functional. It would be sufficient to find a vulnerability that let me back up the DRM keys - but that seems unlikely without gaining root access and I'd have more confidence that I backed up the right thing with root access.

Okay that makes more sense.

Unfortunately, AFAIK all community-run mods for Android require the bootloader to be unlocked.

Despite criticisms, I've been using the Brave browser on Android, which is pretty much Chrome with integrated AdBlock plus. Though there is some level of irksome override with some advertisers, it's been about the best overall experience for me. May actually switch my desktop browser at home when I build my new computer.

For browser I already use firefox, so I could easily add ublock origin (or, I suppose, adblock plus). Having a DNS level adblocker is just a nice to have for anything not browser based that decides ads are a good idea.

In all honesty it's pretty rare that I use anything not browser based that might have ads, but on principle I'd like to keep it around.

I understand... I tried Firefox (mainline and beta) on Android with ublock, and it was just unstably slow for me, let alone the alien UX.

Set up your own WireGuard instance on a throwaway VPS, then use the Android app with the DNS setting turned on:


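To make the suggestion above concrete, here is an added example (not WireGuard's or Cloudflare's code) that does what `wg genkey` and `wg pubkey` do, using a pure-Python X25519 from RFC 7748, and then writes a matching server and client config for a tunnel terminated on a VPS. The 10.0.0.0/24 addressing, the endpoint 203.0.113.10, the interface name eth0 and the default `DNS = 10.0.0.1` (a resolver of your own listening on the VPS's tunnel address) are assumptions; substitute `DNS = 1.1.1.1` if you only want the tunnel plus Cloudflare's resolver.

```python
import base64
import os

# Added example, not WireGuard's or Cloudflare's code: generate a WireGuard
# keypair with a pure-Python X25519 (RFC 7748) and emit matching server/client
# configs. Addresses, interface name and endpoint are placeholders.
P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar):
    """Curve25519 scalar clamping, as applied to every private key before use."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u):
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte result."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + 121665 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key():
    """What `wg genkey` does: 32 random bytes, clamped."""
    return _clamp(os.urandom(32)).to_bytes(32, "little")


def public_key(private_key):
    """What `wg pubkey` does: X25519 of the private scalar against the base point."""
    return x25519(private_key, BASEPOINT)


def wg_b64(key):
    """WireGuard configs carry keys as standard base64."""
    return base64.b64encode(key).decode("ascii")


def wg_configs(server_priv, client_priv, endpoint, dns="10.0.0.1", wan_if="eth0"):
    """Return (server_conf, client_conf) text for wg-quick / the Android app."""
    server_pub, client_pub = public_key(server_priv), public_key(client_priv)
    server = (
        "[Interface]\n"
        "Address = 10.0.0.1/24\n"
        "ListenPort = 51820\n"
        f"PrivateKey = {wg_b64(server_priv)}\n"
        # NAT the tunnel out of the VPS; wan_if is an assumed interface name
        f"PostUp = iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE\n"
        f"PostDown = iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE\n"
        "\n[Peer]\n"
        f"PublicKey = {wg_b64(client_pub)}\n"
        "AllowedIPs = 10.0.0.2/32\n"
    )
    client = (
        "[Interface]\n"
        "Address = 10.0.0.2/32\n"
        f"PrivateKey = {wg_b64(client_priv)}\n"
        f"DNS = {dns}\n"  # pushed into the phone's resolver while the tunnel is up
        "\n[Peer]\n"
        f"PublicKey = {wg_b64(server_pub)}\n"
        f"Endpoint = {endpoint}:51820\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\n"  # full tunnel: all traffic via the VPS
        "PersistentKeepalive = 25\n"
    )
    return server, client
```

The client config is what you import into the Android WireGuard app; with `AllowedIPs = 0.0.0.0/0, ::/0` every packet, DNS included, leaves through the VPS, so the `DNS =` line alone decides whether a filtering resolver or 1.1.1.1 answers the phone. In practice generate keys with `wg genkey` and keep `PrivateKey` lines out of anything shared; the Python X25519 here is for understanding the key format and is not constant-time.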