WARP is here (cloudflare.com)
657 points by BCM43 28 days ago | 365 comments

I was openly critical of Cloudflare when they announced Warp the first time. My accusations were over-reaching, and I ultimately retracted them. But I'm still skeptical, and I still won't use Warp.

Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.

My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.

Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.

Early on in Cloudflare’s history when we were asked who our competition was we said Facebook. The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages. We saw our role as providing the security and performance needed to compete without making you give in to use an all-consuming platform.

We haven’t said that in a long time, but I was reminded of it while we were on our IPO Road Show. One investor we met with said:

“Here’s how I think of you: Cloudflare is to Facebook as Shopify is to Amazon.”

That resonated with me and reminded me of our earliest days and why we started the company.

So I appreciate the concern but hope there will always be more independent web because we exist than there would be if we didn’t.

Thank you for taking time to share your perspective. However, I remain skeptical.

It's true that a website using Cloudflare is more independent than a Facebook page, in that in the former case, the company can take their domain to another provider. But my idea of an independent Web is a large number of websites depending on a large number of high-quality hosting providers. The latter number will inevitably be smaller, but shouldn't be single-digit. That would lead to too much potential for abuse of power.

Also, the more sites are using a single provider with its black-box algorithms and heuristics, the more potential there is for bad consequences for innocent users when those things misfire. That's what worries me about the bot-fighting feature you launched on Monday.

To respond specifically to part of what you said:

> The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages.

I don't think I understand how Cloudflare actually helps here. I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem? If so, I haven't run into them in the 16 years that I was the programmer and sysadmin for a small company (admittedly, online services are that company's business). Maybe we just didn't make the right enemies? Now, maybe small web hosting providers could make it even easier to set up a new website, but Cloudflare doesn't do anything about that problem anyway. If the concern is performance, maybe we need better alternatives to WordPress and Drupal, and more local hosting providers, so the website for small businesses can be closer to their mostly-local customers without using a CDN.

> The latter number will inevitably be smaller, but shouldn't be single-digit.

The space Cloudflare is in could afford plenty of players, I think—more than a single-digit amount. There’s nothing about Cloudflare’s business strategy that implies/necessitates that they’d become a monopoly in a market equilibrium state. The only reason you don’t see a pack of Cloudflare clone-companies, AFAIK, is that the talent required to clone Cloudflare is rare.

(Interestingly, an ISP—especially a cellular ISP familiar with routing roaming circuits—could totally pivot into Cloudflare’s business to expand globally. I wonder why we haven’t seen that?)

> I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem?

I feel like the perspective you’re coming at the problem from here is already heavily influenced by the contraction and centralization that the web went through in the early 2000s. Yes, right now, businesses just want essentially an online business card, and Facebook handles that just fine. But their desires are more of an acknowledgement of the practicalities of what’s economical for them to have built and hosted in the current (or recent-historical, since it takes a while for people’s thoughts on this to shift) web landscape.

Look around the internet of the 90s. Companies didn’t use to build business-card websites. The dreams of even the most run-of-the-mill SME used to be far more grandiose. At the very least, every company that knew what the options were wanted to host a forum for the community composed of their customers. Many of the web’s most prominent standalone forums were started back then. Why so few today? Because ambitious, dynamic, user-generated-content-filled sites like these do get hurt by spamming and DDoSing. They’re hard to run—and not just in a community-management sense, but in an ops sense.

Cloudflare’s tech (which, again, anyone could offer, not just Cloudflare) can and does provide the protection required to allow SME websites to be a little bit more ambitious again, to the point that they’re not just doing something commoditizable by Facebook.

> the talent required to clone Cloudflare is rare

Talent is everywhere, but a lot of people who have it don't want to move to a big city. So IMO, the next Cloudflare's developers should be as widely dispersed as its POPs.

Edit: The more recently added part of your comment is very insightful, and I hadn't thought about it that way. Still, I think we could go a lot further with old-school hosting providers if we traded PHP and Ruby for Rust, Nim, and the like. Note that I didn't mention garbage-collected languages, because lots of applications running efficiently on a shared host is incompatible with a garbage collector that really wants the whole heap to itself.

GC'd langs like golang, crystal, nim, etc. would probably be just as effective in practice, while remaining more accessible to business app developers.

.NET Core benchmarks since Span<T> have been very interesting, especially relevant to this particular discussion because ASP.NET (web stack) was a primary consumer/driver for Span<T> APIs.


Correcting people is good but please be polite when doing so.

I ran a small web service in the video game industry for several years, and CloudFlare was essential to our survival, as the DDoS attacks would repeat every few weeks, and at times last 6 to 12 hours at a time. CloudFlare simply ate that up, and our customers were not impacted. Today, at a different company, different industry, we use CloudFlare for similar needs, but within physical area security networks. It's essential.

I would not be surprised to find out that companies that have significant exposure to video game users have much higher DDOS risks.

They do, and CloudFlare has historically been part of the reason why they have such high DDoS risks. There's a bunch of "booter" sites out there which effectively sell botnet-as-a-service DDoS attacks to gamers, and those sites have relied on CloudFlare to stay online. Without that protection their competitors would DDoS their websites offline most of the time. Also, most reputable hosting and CDN services don't allow booters because they're both highly illegal and disruptive to the entire internet. CloudFlare, on the other hand, openly permits them.

We were hit hard by Chinese IP addresses. After a while we just blocked the entire Chinese IP range. Expecting script kiddies to try to hack our system, we started out with a Federal Reserve quality hardware firewall, and I suspect the presence of that security attracted attention.

Can confirm.

Don't lots of smaller hosting providers have DDoS protection? Did you try one of those and find it wasn't good enough?

No, but a few do, precisely because they partner with Cloudflare: https://www.bluehost.com/hosting/info/cloudflare

No, can you link me to some of these "smaller hosting providers [that] have DDoS protection"?

In fact, I can't find any matching that description.

Hetzner does. I guess it depends how much smaller is "smaller". DDoS protection I think is one of those things that demands a certain size.

Hetzner is a 20-year-old company with ~300 employees and ~230,000 servers. Of course on the scale of AWS, Google and others it's fairly small, but CloudFlare is not all that much larger.


Is this downvoted because it's an endorsement? It's not, just an answer. https://faq.nearlyfreespeech.net/full/attack

>> Don't lots of smaller hosting providers have DDoS protection?

It is pointless if you have a small pipe. Pipe jamming attacks are way too common and small vendors are almost always unable to cope with that.

Why are a disproportionate amount of DDoS attacks launched against video games? Serious question.

As a guess, people who are invested in games are more likely to consider themselves techy people, the competition makes everything a bit tenser and elicits more excitement, and games are explicitly online only.

> Are DDoS attacks and bots really that big of a problem?

They are to the kinds of websites that Cloudflare takes an active stance in deciding whether to serve/protect/censor or not.

How do you protect yourselves from becoming part of the USA's internet surveillance network? You're exposed to National Security Letters and you lost the case with the Ninth.


Ironically, the U.S. is the safest place from the USA's surveillance network, when no warrant whatsoever is required to collect information by hacking into a foreign entity.

> U.S. is the safest place from the USA's surveillance network


* https://blog.cryptographyengineering.com/2019/09/24/looking-...

* https://en.wikipedia.org/wiki/Room_641A

The NSA was tapping glass of inter-DC links of all the major online players without their permission on US soil.

Not only that, the NSA was undermining NIST-approved algorithms by giving dishonest advice, thereby compromising the security of US institutions that used those algorithms:

* https://en.wikipedia.org/wiki/Dual_EC_DRBG

> Ironically, the U.S. is the safest place from the USA's surveillance network

Only in the sense that one has the strongest theoretical argument for a legal remedy against surveillance after it happens, not in the sense that one is actually safe from being subjected to it in the first place, and only even then if one excluded “i’ll scratch your back if you scratch mine” from the other five eyes members when you say “U.S. surveillance network”.

The "I'll scratch your back if you scratch mine" theory has been written about ad nauseam, but isn't substantiated. The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.

> The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.

Not without presenting probable cause that the surveillance would produce evidence of a crime to a judge it can't.

Of course it can (and is well documented to have, on many occasions) just ignore the statutory and Constitutional restrictions on domestic surveillance. And that will probably, in most cases, be easier than going to a third party. Information sharing is most likely to be efficient when the other agency had a targeted surveillance operation already in place covering a target of interest, rather than in the naive “on demand” form.

If you think intelligence communities for other nations aren't doing the exact same thing in the USA, you're kidding yourself.

> but hope there will always be more independent web because we exist than there would be if we didn’t.

I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...

The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.

The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.

I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.

The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.

At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.

Concretely, what are you suggesting Cloudflare is doing wrong here? What responsible things should they be doing that they aren't?

The "we try very hard not to be bad" form of mitigation is scary when the company is doing dangerous things without adequate safeguards, but I don't see how you figure Cloudflare is doing that here. Ultimately, when you've done everything you can not to put people at risk and the only remaining risk is that you'll stop being trustworthy, "We try very hard not to be bad" is all you can offer. So what more do you think they should be doing that would meaningfully reduce this risk?

If they really want to mitigate risk, then they should open up their tech, and promote competition. Not in their interests, but decentralising is the only way to safeguard against potential later abuses of power.

What I'm complaining about is a lot more broad than just the specific dangers with this service -- it has to do with how Cloudflare prioritizes what it spends its time on, and what the effects are of consolidation even with good actors. I disagree that the conversation can be boiled down to, "what specifically is wrong with this particular project."

But, asking for specifics is reasonable, so very briefly, I'll describe two concrete problems I have.


First (and biggest), IP addresses should be hidden for everyone or no one. Cloudflare is revealing IP addresses because it doesn't want its VPN to be used as a privacy tool, just as a security tool. By positioning itself as a way to keep your data encrypted, and not as a way to bypass geo-locks, it's also less likely to be blocked by other companies. Ignoring whether or not it's a good use of resources for Cloudflare to make VPNs less private, this is on its face not unreasonable.

However, when you dig into the details, IP addresses are only exposed to websites that are using Cloudflare[0]. This creates a perverse economic incentive for sites to sign up for Cloudflare, because effectively Cloudflare is holding user data captive. If you're the NYT, and you thrive on data collection, and suddenly a huge portion of your visitors have their IP addresses hidden, and you can get those IP addresses by paying Cloudflare... that's problematic. That's Cloudflare creating a problem and then letting you pay them to solve it.

Cloudflare is looking into ways to expose IP addresses everywhere. Until they figure that out, they should either avoid launching the service, or they should hide IP addresses from Cloudflare customers.


Secondly, while there are people here disputing Warp's performance increases, let's assume that it (particularly Warp+) works as advertised and really does help make slow connections faster. It's worth noting that the majority of the underlying technology beneath Warp and Argo only works for companies of Cloudflare's scale. Cloudflare itself acknowledges this:

> There are few companies that have the breadth, reach, scale, and flexibility of Cloudflare's network. We don’t believe there are any such companies that aren't primarily motivated by selling user data or advertising. We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we're already running successfully. That meant if we could pull off the technology then we could afford to offer this service.[1]

This makes it much harder for users to move away from Cloudflare or switch to an alternative VPN if Cloudflare turns evil, because unless the VPN market stays diverse, it won't get the opportunity to become diverse again in the future.

Google helped wall in its AI dominance by investing heavily into AI research that relied on massive data collection for good performance. This restricted small competitors from ever being able to compete with them, because they didn't have massive databases. That dominance became self-reinforcing, because Google's AI programs are all designed to increase the size of its database. At the same time, Google garnered good will by Open Sourcing its underlying technology, despite the fact that the technology was useless to potential competitors without large data sets.

In the same way, Cloudflare is able to wall in its dominance by primarily researching technologies that require a network of Cloudflare's scale in order to work. In effect, Cloudflare is investing a lot of effort into technologies that only work for big companies. Google can claim, "it's not our fault that we have the most data, what do you want us to do?" Cloudflare can claim, "it's not our fault that we have the biggest network. There's no switch we can flip to make the network size not matter, it's just the logistics of cost." But if a technology or service results in a natural monopoly, that's still a monopoly.

As a concrete step, to be responsible, Cloudflare should be looking for ways to allow competing 3rd-party VPNs to utilize Argo in the same way that Warp+ does. It should be possible to build a competing VPN service that gets the same speed benefits of Warp+.

[0]: https://news.ycombinator.com/item?id=21070828

[1]: https://blog.cloudflare.com/1111-warp-better-vpn/

There is a fundamental difference between Google and Cloudflare. Cloudflare has a real business that is based on paying customers. Google never had that. It was founded in 1998 and AdWords was introduced in 2000. Cloudflare is already 10 years old and not showing any sign that it will change its business model. As far as I am concerned, they are a trusted vendor and I will trust them with my business unless they change up.

Totally agree with that analogy having worked @ Shopify. We shall see which is more durable long term.

The fact that this names four companies and remains an effective analogy is deeply troubling. There should be so many actors in all of these spaces that listing them would be a challenge.

Could you add Privacy restrictions? I'd like to see a maximum 18 month data retention, and some restriction on changing the terms: promise to never change them, or only change with 6 month public notice... idk

We’ve promised logs deleted after no more than 24 hours. We don’t want personally identifiable information; we think of it as a toxic asset. Here are the privacy guarantees we’ve made for and WARP: https://developers.cloudflare.com/

i'm on the wary side of this thread, but kudos for this

I have always thought it’d be super interesting if Cloudflare owned Twilio (or vice versa)

Would you now consider that AWS is Cloudflare’s greatest threat?

Basically we should trust you because you're not facebook. Haven't you personally shut down websites because you don't like their content?

There's quite a big difference in having a website "shut down" compared to deciding not to provide a given site/company/organization with services.

It's the digital equivalent to a No Shirt, No Shoes... No service sign.

I think sharing sources would help your point.


But it's ok, 8chan is a 'hate site,' right? We all know which ones those are.


For such cases, we should have the necessary legal tools to deal with them if the material is truly dangerous enough to be consequential. It is not the job of a corporation to decide, though I suppose they are not under any obligation to provide service, either.

I am generally against censorship, because for every case that is "obvious", there are many more that merely seem so on the surface. This is especially important in cases where you might simply disagree with how someone else thinks, since thoughts can never be allowed to become illegal or immoral; it is only actions where such judgements are applicable.

The proper approach to combating misinformation and dangerous ideas is education. By understanding why an idea is dangerous, you will also understand why it cannot inform your actions.

You and I have completely inverted ideas of what censorship is and why it is bad.

Using legal tools would be horrific. Government censors deciding what material is too dangerous for the public is exactly one of the elements of fascism.

Private entities on the open market exercising their right to not help promote ideas they object to is a good thing. It means that the more objectionable an idea is, the harder it is to publish and the smaller its reach; and the more in the gray area an idea is, the easier it is to disseminate and the wider its reach. If one of those private entities makes a mistake in judgment, that's an opportunity for a competitor.

Governments have a monopoly on violence. Its power is not kept in check by competitors, but by systems like a bill of rights. Weakening those rights to allow legal tools to control ideas would be disastrous.

Corporations have no responsibility or ability to educate everyone about misinformation. They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.

The point is that in every jurisdiction in the world there are already laws to stop "encouraging mass murder to post their killing spree". Governments should not interfere in censoring lawful speech. Moreover, an actual court of law ruling that 8chan was an illegal site would set a precedent for such a thing happening.

> They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.

This is literally corporate fascism if done in an extralegal way. And no, the free market is not going to care about the 1-5% of people discarded.

To quote a very nice blog[1]:

Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.

[1] https://slatestarcodex.com/2015/07/22/freedom-on-the-central...

> Governments should not interfere in censoring lawful speech.

What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.

I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else. If no one wants to take up that opportunity, then the public has spoken. It's not ideal, but it's way better than a government making that choice through threats of force.

> What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.

Entirely agree, and current laws already prohibit encouraging murder.

> I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else.

Like it was in the 20th century before civil rights laws?

It is like saying that a monopoly is impossible because competitors can always emerge. It just does not work in practice.

Especially when the "competitor" itself becomes the target of a new witch hunt.

So what's your solution, then? If you agree that governments should not be broadly deciding what speech is ok and what is not, then how do you prevent monopolization pushing out legitimate but unpopular speech, while also allowing companies the freedom to disallow certain kinds of speech on their platforms?

Things like civil rights laws are the flip side of the same coin. I'm comfortable with laws that prohibit threats of violence. I'm comfortable with laws that ensure you can't refuse service to someone just because they're of a race you don't like. I think that's a reasonable compromise of "free speech".

But I'm not comfortable with a government requiring that a company allow their users to build something like 8chan inside their service. If Reddit didn't want to allow users to have a sub dedicated to fat shaming, I'm not comfortable with the government being able to tell Reddit that they're required to allow that sub to operate, unfettered. If Facebook wants to shut down a page or group that promotes hatred of a particular race, I'm not comfortable with the government saying they have to let it run.

So how do we solve this problem? The article you reference even suggests, at the very end, that (despite the examples of past bad behavior) all this worrying might be for nothing:

> My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone. It’s entirely possible that we’ll escape with only a few things banned that probably deserve it. I certainly hope this is the case.

He also acknowledges that it's not great to be in a position where we have to depend on hope in order to reach a good outcome, which I agree with, but maybe that's just all we have. Legislating behavior only works up to a point. Legislating attitudes doesn't work at all.

I'm happy to see the Daily Stormer gone. I'm happy to see 8chan gone. I'm happy to see Reddit banning some subs (and honestly wish they'd ban more). I don't see the value in tolerating speech that promotes intolerance. But I'm not comfortable with the government stepping in here, and while their handling is far from perfect, the private companies aren't doing too terrible a job at it.

That is a great blogpost! It also explicitly undermines your point:

"My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone."

> This is literally corporate fascism if done in an extralegal way.

I resolutely and absolutely oppose corporations acting extralegally. But Cloudflare and Voxility have an absolute legal right to not do business with 8chan and Epik if they so choose.

What crime did 8chan commit? I don't mean what did they do that you don't like, I mean what actual crime?

Why are they required to have committed a crime? Cloudflare isn't the government, why do you believe they're obligated to serve 8chan?

Cloudflare took down one website that was directly related to a major tragedy that cost people their lives. If you want to complain about that go ahead, but I don't care. I don't allow people to use my websites to spread that kind of hate, and I have no problem with Cloudflare doing the same in extreme circumstances.

The original comment had to do with whether we should trust Cloudflare more than Facebook. If they as a company want to make editorial decisions, that's fine, but the reality is that also means they are not content agnostic. Interestingly enough, they provide services for known spammers and other shady internet operations.

As to whether 8chan 'caused' those abhorrent crimes, I couldn't say, any more than 'violent video games' caused them. I view such crimes as having a root cause of some form of mental illness, which does not (imo) relieve the doers of culpability.

The point is that they are demonstrably not exactly what they claim to be, and thus some level of distrust is warranted.

> The point is that they are demonstrably not exactly what they claim to be, and thus some level of distrust is warranted.

Where does Cloudflare claim to be content agnostic?

Here's one of their statements about free speech from six years ago. It's essentially what I've always thought of as their brand.

It's sad to see them compromise their principles, but sometimes it only takes one little Twitter mob to make people back down. That's why it's reasonable to question their character.


My personal impression was that they did not surrender to a mob, but that the mob made them look closer to what they were hosting. I am not saying it is better, this is just my personal impression.

> Where does Cloudflare claim to be content agnostic?

They may want to claim it, one way or the other, as part of their IPO filing so that potential investors have some idea of liability risks with the company.

Their CEO previously took a 'stand' before buckling.

I have no reason to doubt that the CEO believes in free speech. Many people share this belief.

He did buckle, but we're only human. But did the pressure come from an angry mob on twitter, as most people assume, or from some guys wearing shades and an earpiece?

I don't doubt his belief, only his conviction.

That was like their major claim until they dropped Stormfront and 8chan, but they didn't drop all the other sites.

It is not about CF being forced to serve them; it is about balance. Honestly, I am fine with this take-down, but this cannot be dismissed as just being private individuals with private choices. This was obviously within their freedom to do, and it is not for me to say whether it was wrong or not (I actually quite like CF), but if stuff like this becomes a pattern then things become problematic.

It would either mean that the laws are insufficient or that the market is overreaching.

8chan's primary crime is not being sufficiently popular.

The Christchurch killer livestreamed the event on Facebook, and the enormous well-funded content moderation apparatus within failed to shut it down until well after the innocents were dead.

But Grandma uses Facebook, so we can't go after them.

The Wal-Mart shooter had a Twitter account, and posted plenty of content questionable enough even for the FBI to take notice.

But cousin Jake uses Twitter, so we can't go after them.

It doesn't matter what 8chan was used for, because far more popular platforms were used for far worse content. The only thing that mattered here was popularity.

And 8chan didn't have it.

8chan attracting such people despite being so small is the entire point and I can't believe I have to point that out

they want those people there

this is where they radicalize each other

quote: There’s an unfortunate corollary to this, which is that if you try to create a libertarian paradise, you will attract three deeply virtuous people with a strong commitment to the principle of universal freedom, plus millions of scoundrels. Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.

As an addition, this is not meant to discourage you from taking this path.

No snark, but if you sincerely believe that, then there can't be a Libertarian Utopia because the libertarians are outnumbered by scoundrels 1mil to 3. Why would you take a path destined for failure?

You're right that Facebook was successfully abused by the Christchurch killer, but 8chan was being used by his community as intended, not abused.

To most people, that's why 8chan needed to be shut down, but Facebook only needs to be fixed. Why do you think that's irrelevant, and being small is the only crime?

As I understand it, 8chan took down the stream in reasonable time.

I have searched and been unable to find anything suggesting this is true. Do you have a citation?

Another reason I don't think this is true is that I also can't find anything suggesting that the content the Christchurch killer posted is illegal (indeed, it has significant newsworthiness and academic value), and 8chan's policy was to allow anything not "illegal in the United States of America" [1]. If it didn't violate 8chan's policies, why did they take down the stream?

[1]: http://web.archive.org/web/20190805065011/https://8ch.net/fa...

Could you please stop posting in the flamewar style to HN? You've done it more than once, and that's not what we're trying for here.

Sometimes people see things differently from you without being stupid.

welcome to the internet where people can post whatever they want

you know this doesn't actually stop the murders right? does it feel better to get outraged at the site instead of the murderer?

I don't have a horse in this race, but observing this back and forth is reminding me of Nietzsche:

He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.

I agree using Cloudflare proxy (or really any VPN) gives the company a lot of power.

But the idea of Cloudflare intercepting all of my traffic doesn't bother me since the alternative is simply another company (Spectrum, or my random friend's wifi, or Starbucks) intercepting all of my traffic by virtue of being my ISP. It's up to you which is the lesser of two evils.

I suppose Cloudflare may have more insight into the data being proxied if they're also managing the SSL certificates at the other end, however.

I can believe that Cloudflare's current leadership are currently more conscientious than, say, Comcast's. But, especially post-IPO, what is that actually worth? I think that, worldwide, it's likely that Cloudflare is already bigger than Comcast. So, unless I'm given evidence to the contrary, I think Comcast is the lesser evil.

I'm consistently amazed at how many people [on HN...] over-estimate the size/scale of Cloudflare.

Comcast is a huge, multi-billion $ operation with global contracts and broadcasting capabilities, and > 184,000 employees globally (that's more than Google, and even MSFT).

That's not to say that we shouldn't be wary of Cloudflare for many other reasons; but that they have more influence over the Internet than one of the world's largest consumer & corporate ISPs is definitely "a take".

According to [0] between 5 and 10% of all websites use Cloudflare. Even using the lower number, I'm pretty sure that neither 5% of websites are hosted by Comcast nor that they serve 5% of internet users. This gives Cloudflare already a much larger potential to monitor/censor than Comcast has. I am not saying that they actively do so, just pointing out that they do have the scale and market share to do so. What is more, in contrast to said Comcast, they also have the ability to access unencrypted traffic for those 5-10%.

[0] https://www.wired.com/story/cloudflare-spectrum-iot-protecti....

How many websites have you visited that are hosted or proxied by Comcast? The fact that Cloudflare is now mediating the connection on both ends is what makes it frightening.

Comcast operates a CDN, launched in 2014. [0] [1]

After some googling, it's very unclear how popular their CDN service is. Based on some of their marketing, seems like it might be focussed more on the video delivery side, which would also make sense given that it's Comcast. (If it indeed is an enterprise video delivery service, they may only have a handful of very large customers)

If this is accurate, it seems like Comcast also controls the data end-to-end (being both an ISP and CDN).

[0] https://www.comcasttechnologysolutions.com/

[1] https://www.comcasttechnologysolutions.com/sites/default/fil...

You realize people are worried about more power being concentrated among less people, right?

My sense was that Comcast is far bigger than cloudflare, and from my googling that appears to be the case.

Xfinity: $52 B revenue 2017

Comcast holdings (the parent of xfinity, couldn't find numbers for xfinity): 184,000 employees

Cloudflare: < $ 0.2 B revenue 2018, several thousand employees (looks like less than 2000)

If size is your only criteria then you might be right, but look at the company policies on privacy. Cloudflare has some pretty specific customer-oriented privacy policies. Comcast's policies are specifically set up to sell you and your information. That's a meaningful distinction and one with some (not much, but some) legal weight in the US.

> it's likely that Cloudflare is already bigger than Comcast.

Unless I'm given evidence to the contrary, I will adamantly say it is silly to say Comcast is the lesser evil.

Is your legal relationship with Cloudflare the same as with your ISP? Is Cloudflare liable for the same things as the ISP? Genuinely asking, I have no clue, just a vague sense that it's not apples to apples.

Very good point... Cloudflare is probably considered a third party according to the law... so no warrant is needed to get all of your data that is 6 months or older... a bit like your email hosted in the cloud: https://newspunch.com/government-can-read-any-email-over-six...

The law is wrong in this case, of course.

How would your “better Internet” work when it reaches an ocean? Maybe this doesn’t matter to you, as someone who lives in the US and mostly access websites hosted in the US; but for the majority of the world, getting access to “the Internet” is more about tapping into the millisecond-latency backbone of submarine cables, than it is about last-mile residential ISPs. Those submarine cables form a natural monopoly, there’s no escaping that. They’re utility infrastructure, like country-spanning bridges.

And the usual (optimal?) outcome for ownership of utility infrastructure, is that it gets held as a “public resource” by the government of the country or countries that built it; and then companies are contracted to manage it. From there, you end up with multilateral organizations weaving those pieces of infrastructure together in a top-down way (like shipping routes, or the postal system, or, hopefully one day, low-earth orbit.)

Which is far from an anarchosyndicalist mesh of interested companies, organizations, and individuals (ala the early Internet, or the HAM radio network), but we’ve never seen an anarchosyndicalist mesh successfully serving as a reliable/fault-tolerant backbone for any commercial endeavour so far, and I don’t know if it could.

Submarine cables absolutely are not a monopoly, natural or otherwise. It’s the ocean, it’s pretty fucking big, and lots of companies and countries lay more cable every day.

Fair enough. But let's not add into the mix a single company that spans the whole world yet is headquartered in a single country.

> yet is headquartered in a single country.

The vast majority of companies have their HQ in a single country. This is due to the base function that the HQ serves for a corporation. [0][1]

I'm not sure how being headquartered in 2, 20 or 200 countries is going to make a difference, can you please explain? At most, those would be satellite or region offices, which in the end will report to a central HQ.

I think it's extremely clear that mwcampbell is pointing to being 'headquartered in a single country' as one of the aspects they don't like about a single company having too much power. It's clear they're not advocating more headquarters for companies with too much power, they're advocating more companies each with less power.

Can't the same be said about any of the huge hosting companies such as OVH, Hetzner, 1&1, AWS, etc.?

And any VPN provider that hosts their servers and routes their traffic through unknown datacenters?

I'd rather trust Cloudflare that has a great track-record (+Public Canary and are on US Privacy Shield), than any random VPN provider.

Trust with what? Warp is specifically designed to reveal your IP address. This is as anti-privacy as a VPN can be. Which is absolutely not surprising coming from a US corporation.

It leaks IP and DNS resolvers.

It's not designed to be anonymous, but it does fully encrypt all traffic coming from your device to the internet, meaning, it's great when you don't want to trust the ISP, public Wifi or even the cell provider with your traffic.

and if you do want to trust CF with your traffic.

be careful what you wish for.

> Warp is specifically designed to reveal your IP address

Your entire IP address or a mask to an approximate location?

Your entire IP address.

> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.

Maybe I'll feel better if some other company releases a product that directly competes with Warp.

Aren't there a lot of them?

The bigger VPN providers also offer Wireguard and a simple UI (Basically click the map and you're connected).

According to Saurik, Warp IS Wireguard.

His provided script is cache.saurik.com/twitter/wgcf.sh

Yes, it is a modified version of it. That's why I wrote "also" :)

When I look at friends and family, they use their phones for everything because Computer UX failed. And they will switch to whatever public WiFi is available because of their expensive yet small mobile data plan.

I can see how some people would benefit from this kind of VPN.

Another commenter on this thread said that there are already VPN services with Wireguard support and easy-to-use apps. Why not recommend those to friends and family?

The history of most of these is terrible. Many actively log / aggregate and in some cases sell your data - are based in non-US jurisdictions so no recourse. There is going to be a reason cloudflare does better - they are more trusted.

Because I don't trust any random VPN service provider not to spy on my friends and family, the way I trust Cloudflare.

Those are paid and this one is free?

Remember, if you're not the customer, you're the product. These days, even if you're the customer, you may still be part of the product for another kind of customer.

Yes, sure, but it's harder to convince people to pay for something monthly when there's a good (and free) alternative available.

while that is true it can be meaningfully qualified.

On facebook you are the product in the sense that they sell access to your eyes.

On linkedin you are the product in the sense of aiming to the network effect (and also for ads I imagine)

If I am the product on warp in the sense that websites hosted on cloudflare are faster it is not that bad.

(it is your choice to trust them or not, but that truism just says that the profit needs to come somewhere and you should be aware of it)

sure... but I'd trust Cloudflare over Comcast any day.

Plus, (1) you can turn on/off WARP at your leisure and (2) they've explicitly committed to limited logging and not selling data which is pretty huge.

I use a small local provider where possible... but the reality is that they have to lease their lines from AT&T anyway. In general, there are very few providers out there that have capability to offer competitive services.

the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols

I don't remember the internet ever being like that.

I remember when you couldn't e-mail someone in another city without going through gateways. When you couldn't visit the majority of major web sites without downloading plug-ins. When you knew the information you wanted was out there, but couldn't get to it because it was behind obtuse, non-searchable infrastructure.

To me, the internet today isn't perfect. But it's a heck of a lot better than its romanticized distant past.

As for WARP, I'll give it a try. I don't fully trust Cloudflare, but I trust it a heck of a lot more than I trust my ISP or my cell phone provider. Long ago, both of those entities burned privacy bridges. Cloudflare hasn't done so. Yet, anyway.

> When you couldn't visit the majority of major web sites without downloading plug-ins.

I was on the web since AOL added it to their client in the mid-90s and it was never as bad as you're hinting it is.

I was on the web since AOL added it to their client

I was online before there was AOL, or a web, and before there was an internet, back when it was dozens of networks, with varying degrees of interconnectivity.

it was never as bad as you're hinting it is.

It was bad. You had to be there. (Think an e-mail from the east coast of the United States taking 10 days to reach Norway. For many destinations, snail mail was faster.)

I'd like to be in a world where if Cloudflare or AWS is down my websites and the sites I enjoy are still up.

But to do that I'd need to have replication not just across data centers but across providers. And it's hard enough getting your team to understand how one provider works. We'd have to go an awful long way toward standardizing and dare I say commodifying these companies to get there.

But as Fortune 500 companies have known for longer than Fortune has existed, if you have two vendors you can play off of each other your life tends to go a lot better. Right now almost none of us have that, and I suspect we are all a little poorer for it.

This is exactly my scepticism. Also, they always happen to be rooted in the US where my data has no rights and come with a general cultural lack of understanding of consumer protections.

This isn't power that good intentions are going to keep straight.

Exciting! We're a tiny company and have sponsored WireGuard two years in a row; you can see us on the WireGuard home page. Cloudflare is a gigantic company who just used the WireGuard design work to fork the project. Has Cloudflare given a cent to WireGuard? Why isn't their logo on the site?

If I’m not mistaken, they’ve open sourced their “fork” (actually more of a rewrite than a fork).

Which is more valuable to the community? I don’t really think you can quantify it.

And why should they? WireGuard is free† so it seems (to me) a bit futile trying to shame them on a niche site like HN and expect them to change their behavior and support the community that they draw from. Mind you, this problem is not limited to Wireguard/Cloudflare. The NTP servers, curl, libssl prior to Heartbleed, the list of important open source software in need of funding goes on. It's also fighting a basic refusal or desire to pay. When was the last time someone you know paid Redhat for CentOS or Canonical for Ubuntu on principle?

What/how can we do more to encourage corporate sponsorship (either time or money) of code that's critical to a company? There are various ways the community has tried to enable this, in different ways. Liberapay and platforms like it try to make it easier (Think Patreon but less commercial). The Linux Foundation‡ takes large corporate donations and distributes it out to a large number of projects they support. Stick a paypal email address or bitcoin address in the Readme.md as a "serverless" way to receive money.

However at the end of the day, that seems to not work. Curl is used in billions of devices but the majority of the work on it has been done by one person for 20 years.

Something is not working as we hoped.

†) specifically Open Source under the GPLv2 license

‡) https://www.linuxfoundation.org/projects/

> And why should they?

Because that's a sensible thing to do when someone's open source project is at the very core of your commercial product?

> When was the last time someone you know paid Redhat for CentOS or Canonical for Ubuntu on principal?

Netflix and Tarsnap have donated to FreeBSD Foundation multiple times[1], and Jan Koum has donated over $1 million after selling WhatsApp[2].

Also, look at how many companies are sponsoring LetsEncrypt[3] – including Akamai and Fastly – but not Cloudflare.

[1] https://www.freebsdfoundation.org/donors/

[2] https://www.freebsdnews.com/2016/12/02/jan-koum-founder-what...

[3] https://letsencrypt.org/sponsors/

Sensible isn’t really the right word here. It’s sensible to buy a support contract. It’s charitable and good PR to give them money.

> It’s sensible to buy a support contract. It’s charitable and good PR to give them money.

If the development of an open-source project significantly affects your commercial product, there is nothing charitable in supporting it: because you are the one who needs that project to survive.

Not really, it's open source. You could just start putting resources into it yourself. If you back up to a local copy, it's not like that source code is just going to disappear.

I don't know. That's certainly a way of looking at the world. To answer that question, I'd have to give you a deep reason why companies like ours and Trail of Bits and the VPN providers donated. I can't tell you any more than "it seemed like the right thing to do".

AFAIK they acted the same with nginx.

s/home page/donations page/

use wireguard instead if you want to be safer... not exciting at all unless you are invested in cloudflare

The article mentions that WARP is exposing the end user's IP to websites they visit. I'd be interested in how they do that, especially with HTTPS websites where they can't MITM and inject headers.

> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.

Great eye! We haven't figured out how to expose them yet for sites not using Cloudflare. We do have some experience solving this problem for Spectrum [1] we're hoping to lean on. The most important thing to us is users don't expect us to keep their IP private, as that is not the intent of WARP.

1- https://blog.cloudflare.com/mmproxy-creative-way-of-preservi...

Thank you for your reply. I see that it's rather easy to do that for websites running behind CF as you terminate the traffic and can just set the corresponding header.

But for websites outside your network I don't see any obvious way how to do that. Wouldn't this being possible imply that it's possible to spoof traffic? That would open a whole can of worms for the web and even the internet at large.

But I also get your point that you don't want people to see WARP as a regular VPN to protect a users IP address from being exposed to the other side. Since it's not easy for a user to see which sites run behind CF and which ones don't while browsing they must keep this in mind. Or they can just firewall all CF IPs minus the ones used by WARP (assuming none are shared with other CF products and a list can be obtained).
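The header approach discussed above (the proxy terminating the connection and setting a client-IP header for the origin) is only as safe as the origin's rule for deciding which connections may set that header; anyone who can reach the origin directly can send the same header with any value. The following is an added Python example, not code from Cloudflare or from anyone in this thread: it recovers the client address from an `X-Forwarded-For` chain only when the TCP peer is in a list of trusted proxy ranges (the ranges here are hypothetical documentation prefixes; a real deployment would load its CDN's published address list), and it shows how an IP allowlist, the use case raised later in the thread, must be evaluated against that derived address rather than the raw header.

```python
import ipaddress

# Hypothetical trusted proxy ranges (RFC 5737 / RFC 3849 documentation prefixes).
# A real deployment would load the CDN's published address list instead.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# The conventional de facto header; the exact header a given CDN sets may differ.
FORWARDED_HEADER = "X-Forwarded-For"


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr belongs to one of our proxy ranges."""
    return any(addr in net for net in trusted)


def client_ip(peer_addr: str, headers: dict, trusted=TRUSTED_PROXIES):
    """Return the address the application should treat as the client, or None.

    The forwarded chain is walked from the right: each trusted hop vouches only
    for the entry immediately to its left, and we stop at the first address that
    is not one of our proxies. If the TCP peer itself is not a trusted proxy the
    header is attacker-controllable, so it is ignored and the peer address wins.
    """
    chain = [p.strip() for p in headers.get(FORWARDED_HEADER, "").split(",") if p.strip()]
    candidate = ipaddress.ip_address(peer_addr)
    while is_trusted_proxy(candidate, trusted) and chain:
        try:
            candidate = ipaddress.ip_address(chain.pop())
        except ValueError:
            return None  # a proxy we trust sent garbage: fail closed rather than guess
    return str(candidate)


def allowed_by_ip(peer_addr: str, headers: dict, allowlist) -> bool:
    """IP allowlisting has to use the derived client IP, never the raw header."""
    ip = client_ip(peer_addr, headers)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowlist)


if __name__ == "__main__":
    # Constructed requests: one arriving via a trusted proxy, one direct with a forged header.
    via_proxy = ("203.0.113.5", {"X-Forwarded-For": "198.51.100.7"})
    direct_forged = ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"})
    for peer, hdrs in (via_proxy, direct_forged):
        print(peer, "->", client_ip(peer, hdrs), "allowed:", allowed_by_ip(peer, hdrs, ["198.51.100.0/24"]))
```

Note that the same logic is what makes the "firewall everything except the proxy ranges" idea above necessary: if the origin accepts direct connections from anywhere, the header check in `client_ip` falls back to the peer address, but any other code path that reads the header naively is spoofable.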

Are you going out of your way to forward the original IP to the end recipient? What's the point of that?

Is it to support IP authenticated logins or similar?

Not step on the toes of Netflix, Amazon Prime and other services that rely on geo location for enforcing licensing of content / geo-location based artificial scarcity of digital goods?

I'd like an answer to this also!

It sounds like cloudflare spent the time to do away with hiding ip addresses. Actively removing that feature of a VPN, which you should get for free in a wireguard implementation, seems fishy to say the least. Especially since no reasonable explanation for this was given.

Most likely so the receivers of abusive traffic can contact the original ISP rather than Cloudflare having to deal with abuse reports.

From the deafening silence I'm going to take the less charitable interpretation that it's meant to enable Cloudflare to essentially sell Warp users' IPs to Cloudflare customers as an added perk.

That is a bit worrying.

For instance, to play nicely with IP whitelisting in firewalls as an additional security measure.

Although Warp doesn't mask IP addresses, it should be useful for these two use cases:

1) Communicating with insecure websites (HTTP instead of HTTPS)

2) Using unsecured wireless networks (e.g. Wi-Fi at a coffee shop)

Beyond these two cases, is there any advantage to using Warp? Does Warp provide any benefits for email (secure IMAP/SMTP), file sharing (BitTorrent), or other protocols?

WARP+ apparently takes advantage of CloudFlare's Argo Smart Routing https://www.cloudflare.com/products/argo-smart-routing/

Statistics from one of my websites running Argo show a 16.73% improvement for 32.3% of web traffic routed through Argo.

For my Google Cloud Washington based server, I see 5-15% improvement for some traffic from the EU and US East Coast and 15-30% improvement for some traffic from Asia, Africa, and South America. (all according to CF statistics)

> Statistics from one of my websites running Argo show a 16.73% improvement for 32.3% of web traffic routed through Argo.

I don't understand the statistic. Is that the best 32.3%? Is the worst 32.3% 16.73% worse?

What's the actual vulnerability when simply using an unsecured wireless network? Sure, it's easy for them to MitM you if you're using http, but if you're only using https, what's the harm?

DNS queries and the unencrypted parts of the HTTPS protocol (like SNI without recent enhancements). So passive sniffers can at least see what sites you're visiting.

Huh, didn't know about SNI, thanks for the info. Seems like a relatively small risk though.

It looks decent for hiding your traffic from your ISP

Thanks, this should have been obvious in hindsight.

One more for people with cell phone plans that don't adhere to net neutrality: Warp can probably bypass quality caps on video streaming.

Traditional VPNs are strictly better than Warp+, as far as I can see, but the free version of Warp is a generous offering for users who would otherwise not be using a VPN.

Warp excludes many sites from traffic routing (like video)

Are you sure? Some comments like this one say that Warp affects YouTube speed:

Source? That seems like a huge caveat - WARP protects your privacy except for specific sites you visit that Cloudflare silently decides on?

Found it.

> Warp and Warp+ will not route traffic data from your device through the Cloudflare network for certain Internet properties, such as over-the-top content provider websites, as determined by Cloudflare in its sole discretion.

"Over-the-top content provider websites" most likely include Netflix, Hulu, Prime Video, etc.

If this is the case, then Warp would not be helpful for evading speed caps for video on mobile data plans.

> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.

I think that's because Warp doesn't let you select the location of the server you're connecting to. Almost all VPN services have servers in different areas, and you can choose which geographic area you want an IP address from. In contrast, Warp only lets you connect to a server that's close to you.

Based on speed tests, it doesn't look like Warp is bypassed for video content.

That’s not the same thing - they could provide your IP to the site you visit in an added header or something without compromising your privacy from your ISP. That doesn’t imply they aren’t routing traffic to some websites.

You forgot your ISP; some collect and resell your activity online

Some yes. In Australia, all are required by law to record "metadata" and retain for several years (5 I think)

Can you have an option to do that? I imagine in some cases it might be better for people (in certain regions or roles) where their IP being hidden is a core component of "Privacy First".

>The most important thing to us is users don't expect us to keep their IP private

I would dare to say you're wrong. It's one big reason I wouldn't/won't use Warp.

I think that you're in agreement; he seems to have meant that it was important that Cloudflare clarify to users that their IPs will not be masked.

On the app stores it's shown as a privacy tool. Nowhere do they make it clear, which is honestly a bit sad.

Warp doesn't provide anonymity, however, for some reason Netflix on my phone can stream US TV shows with Warp on while my non warped devices can not even list the show. Weird.

Because Netflix is not a Cloudflare client, so CF can't pass the source (client) IP. The same should happen with Google, Facebook (or anyone not behind CF infrastructure).

At least, that's the way I'm currently understanding it.

It seems to not be hiding IP, but it does inadvertently(?) do so for some sites' detection methods I think. When I did an IP lookup, some sites reported correct while others reported one I didn't recognize (assumed it's the one from WARP).

Ya it only forwards the IP for websites behind CF for now https://news.ycombinator.com/item?id=21070828

This split tunneling article may be useful. https://www.macobserver.com/news/tmo-scoop/cloudflare-warp-s...

The requests come from a CloudFlare address range -- my original IP isn't visible to the server. Not sure what they mean either.

It passes on your IP address if the website you're visiting is using CF. See for yourself:

https://icanhazip.com - on CF network

https://ifconfig.me - not on CF network

I can confirm.

Last night i was testing it and geo-location was visible...

Just going to throw this out there for anyone who is hesitant about using a VPN managed by another service. You can set up your own easily using the ansible scripts provided by trailofbits, which support both IPSEC and wireguard.

a small DO (Digital Ocean) instance is only $5 a month and comes with 1TB outbound bandwidth (last I checked), which ends up being cheaper than most commercial offerings.

On their patreon goal of $1600/month : "We can start working on an easy-to-use mobile app that let people deploy their own VPN server without touching a terminal window."

Damn, that would be so cool.

I hadn't heard about that yet. Will have to look into it.

Or host it for free in one of Oracle's cloud 'always free' tier VMs.

Disclaimer: I'm an employee

"Oracle" and "free" in the same sentence? Has hell finally frozen over?

Cool. Didn't know about free oracle vm. Thanks

Does it have public IP?

It does

Oracle? Yikes.

I fully understand why a company would like to launch this type of service. This is the free market after all, and it would make the company insanely valuable, should it succeed.

However I do have an issue with the marketing behind it. While not said outright, there is a clear message here that due to some unspecified magic your network performance will increase. That's clearly stretching the laws of physics, at the very least. There are also nebulous privacy statements which look conspicuously like services that shield your identity, which does not seem to be the case here.

If the real intent here is to help underprivileged Internet users escape their great firewall, onboarding some regular users might be necessary to make the service more legitimate. However even a generous reading of this announcement does not seem to support this use case. The consumer VPN business is a questionable business at best, and this does not look different.

> That's clearly stretching the laws of physics, at the very least

This is not clear to me. Few mobile users have pings to anywhere pushing up against the speed of light, and the bandwidth/loss/routing is not close to being limited by physics.

It was not meant in a literal sense, I hope that much was clear. The language was suggestive on purpose considering the article being commented on. A longer path takes longer time as speed of light varies comparably little, that much is physics.

And sending traffic by way of a third party is very likely to make for a longer path, for most people in most circumstances. Not by necessity but because few have such lousy routing agreements, unless we're talking about special circumstances such as 6to4 tunnels and the like.

No, he's correct here, it's an extra indirection and so overall it can only hurt performance, not improve it. For example, ISPs often have caching servers from Google installed and Google is the biggest traffic generator. If you route traffic through somewhere else you are going to reach different Google caching servers that are farther away and over more congested links.

> No, he's correct here, it's an extra indirection and so overall it can only hurt performance, not improve it.

Really? The cost of an extra hop is just one of tens (hundreds?) of factors that would determine if using WARP would be faster for a particular scenario.

That's not an extra hop, but essentially two different paths with many different hops instead of a more direct one. I'm sure there will be edge cases where this can be faster due to one of those factors, but for most destinations it will be slower.

In aggregate, is it necessarily an extra indirection? If, for example, your ISP bounces around a bunch getting to your destination and Cloudflare has a faster path, isn't it possible they have the faster path?

What basis are you making this on, have you worked on a multi-homed BGP environment before? There is a lot of latency hiding in the route maps and interconnections most providers use, and running your own lines can reduce a ton of jitter, route instability, congestion, and other common issues where most tech people oversimplify the constituents of the Internet.

"due to some unspecified magic your network performance will increase"

In this post, they say that routing over cloudflare's network can be up to 30% faster because they maintain more efficient routing information than the public network:


They could speed up your international traffic (they don't tho).

Cloudflare WARP is an easy-to-use free VPN which protects your IP address from businesses who haven't paid Cloudflare yet.

Companies like InfoUSA can convert 95% of US IP addresses to physical addresses and household resident names. By inserting themselves in the network between users and websites, Cloudflare will soon be able to get a chunk of InfoUSA's advertising profits.

Remember, if you aren't paying for it then you are the product.

Stay away from Cloudflare WARP and use a real VPN.


> What WARP Is Not

> From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.

Then what does it do?

> WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you.

Isn't that what ssl does already lol? What a load of sham.

SSL/TLS encrypts your traffic between you and a server but by itself doesn't prevent your ISP from snooping some information about your encrypted connection. If you aren't using Secure DNS & DNSSEC, they may be able to see and intercept your DNS queries. If you don't use TLS 1.3, they can see the SSL certificate of the website you are connecting to. If you don't encrypt your Server Name Indication (SNI), they can see the hostname of the server you are connecting to.

This all allows your ISP to figure out which websites you are connecting to and this can be used to prevent you from accessing certain websites, sell your browsing history to an advertising agency, etc.

You can read more about it here: https://www.cloudflare.com/ssl/encrypted-sni/

P.S. I don't work for Cloudflare.

All that to hide hostnames from your ISP? Again, what a load of sham.

> Then what does it do?

From my limited guess, you dial into Cloudflare's intranet, access CDN'd content inside a giant & very fast NAT.

“Use a real VPN” is actually pretty hard for a random user: there are constant ads for VPN services that turn out to not protect their users’ traffic, and/or harvest and sell their users’ traffic, and yet are harder to use and more expensive.

Just like how “but they can see your email” isn’t enough of a deterrent to convince the majority of people to switch from free gmail (hotmail, yahoo, etc.) to a paid service with actual privacy, “Cloudflare can see your traffic” is unlikely to convince people who are more worried about nebulous sniffers and scammers at their local coffee shops than giant internet infrastructure companies.

Great that it's finally launched. I've been on the waitlist for months.

That said, I'm very ambivalent about Cloudflare.

On the one hand, I love them because they're doing a lot of cool stuff (shoutout to kentonv whose sandstorm project I loved, who works there now), and even own a bit of their stock.

On the other hand, them being an infrastructure company but also wading into what travels over their pipes makes me uncomfortable. I get that 8chan was horrible (and Stormfront before that, IIRC), but it shows more discretion than I'd like at that level of the stack. They seemed to be more hands-off in the past, so I wonder if the IPO changed that at all.

A policy question: forbidding 8chan as a Cloudflare customer is one thing, but what if someone was using Warp and tried to load wherever it is they moved to? Would Warp block that?

They didn't block requests to 8chan, they simply won't provide services to the site. If you're using cloudflare for DNS lookups, 8chan resolves just like any other non-cloudflare customer.

…until someone gets the media going about it, at which point they block it. And that time, they will have a precedent.

So far it has been tried, but both registrars and DNS resolvers have resisted such censorship attempts unless it was law enforcement, and even then it has been local.

Yup just wait for the "Cloudflare allows access to domestic terrorist sites" headline next time the CEO pisses off the NYT

Thanks for the shoutout!

I wish we could have an actual conversation about the 8chan thing, but the public debate is far too emotionally charged for me to touch. :(

There's also a technical version of this post: https://blog.cloudflare.com/warp-technical-challenges/

I'm hyped to see Rust code running on so many phones.

Just remembered, you now work at cloudflare! I remember reading your blog post about joining cloudflare, so how's it going so far?

I've been enjoying it. My team is great, we're building cool stuff. Being a PM is different, but I like it a lot. Thanks for asking :)

I wonder if any popular applications for a mobile platform ship with Rust code already.

There have been some instances of this before; at least one game was implemented in Rust. But, given the length of the Warp waitlist, I'm pretty sure this is the most popular application so far. There could be things I don't know about though, at this point Rust is big enough that not everyone who uses it talks about it publicly.

Isn't Firefox using at least some Rust on the Android version?

I forget the status of that, you may be right! That'd be a large deploy too. The intention was to do that, for sure, I'm just not sure if it shipped or not.

Stylo (Rust rewrite of CSS engine) shipped for Android in Firefox 60, released in 2018. https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Rel...

Awesome! Thanks for letting me know.

I think that for Rust to really take off in that space, we'll need comprehensive, auto-generated bindings for the platform APIs. Are there any serious efforts in that area yet?

Just wanted to say Thank You. I could only wish this was released a little sooner, but better late than never. The Hong Kong people desperately need something like this to avoid ISP monitoring. I wonder if something similar is planned for Windows and Mac?

P.S. Regarding the 10 GB, have been on the waiting list since April 1st, nothing shown up yet.

We're working our way through the waitlist now, hoping to get to everyone today. If you have an up-to-date version of the app running you'll get a push notification when we are ready for you to opt-into WARP.

I was in the waitlist on my old phone but just got a new one, is there any way I can get the 10 GB too?

Thank you! I have been waiting since April and also on the TestFlight beta. Have been looking forward to recommending this to my friends and family that need a casual VPN for those use cases where they are visiting an unfamiliar hotspot.

Heads up that the 10GB is also not showing up.

Re HK, how could something like this even be used? I would have thought ISP traffic would ensure this is being blacklisted.

Blacklisting it would require them blacklisting all of cloudflare.

> Blacklisting it would require them blacklisting all of cloudflare.

China Government: "Here, hold my beer..."

I don't see it either, perhaps a slow rollout?

I’m still #700K on the Warp waitlist

Edit: And the wait is over!! WARP is now available!

Nope. They put me on the waitlist again at #2.008M

That doesn't seem right. Please submit an issue via the in-app feedback form and we'll get it fixed.

It’s like a progress bar for the internet. DNS and mobile app have improved my internet experience considerably outside the US (currently in Costa Rica). I'm very excited about WARP and totally buy the "everyday user" premise.

As soon as it feels stable I'm telling my activist brother-in-law in Venezuela to install it and enable WARP. Personally I trust Cloudflare above any ISP. I see myself installing it over holidays to the rest of the family there.

I understand and celebrate HN's high level discussion about concentration of power on the internet and its effects. But at the same time I want to celebrate a geeky company, releasing something cool, with a free tier – and an evident openness about its plans and how it works. Congrats on the launch!

I can't really see the value proposition here.

Most use a VPN to add a layer of anonymity (hidden IP) and to circumvent geo blocking.

All this does is hide unencrypted traffic from the local network and maybe give a moderate speedup, but one that will probably be restricted to non-Cloudflare properties. For other properties, especially high-traffic ones with their own fancy routing logic, this will probably be more detrimental than helpful.

Admittedly a lot of people also just use VPNs because of the countless ads telling them that the Web is terribly insecure without one. I don't see this being much of a success without big ad spending.

Might work out just fine for CF, but I will pass.

I'm in the (likely) target demographic for this (and just signed up for the paid version). I don't care about true anonymity or geo-blocking - what I care about is that Verizon/Comcast both do HEAVY traffic shaping to suit them, not me. I.e. I'm promised "720p" video quality on Netflix when streaming over LTE and yet, for some strange reason that golly gee I can't quite understand (/s) it's never very good and always slow, even with full signal.

I'd rather just encrypt all my traffic and let Cloudflare make the routing decisions - that alone is worth an extra $5/month.

I don't understand how "Warp" would help you in the long run - wouldn't we expect Verizon et al. to treat cloudflare endpoints as "suspect" or "throttle-worthy"?

Tor endpoints are discriminated against by many endpoints and providers - why not Warp endpoints?

Likely because Warp endpoints are the same as cloudflare endpoints, which also includes a large portion of the web.

It's borderline unusable for me.

It takes 20 seconds for every YouTube video to load while they load instantaneous without WARP:


YT is the only problem for me, likely something to do with YouTube trying to use gQUIC (but I'm not sure).

Same for me. Uninstalled because of this. I feel for those people that won’t understand that the app that says they will get faster speed is the one slowing them down.

Please file a bug report.

I'm having problems recording the screen and playing back the video when reporting a bug.

Also for me. Instagram, Facebook, WhatsApp and Google Photos just load forever. Android 8.1.

Someone’s already got it working on macOS: https://twitter.com/saurik/status/1176893448445558784

Fast work indeed, the meat of it:

(registering a `wg` generated public key with CF)

    # api, usr and pub are set earlier in the script: the API base URL, the
    # path where the registration (id and token) is saved, and the public key
    # from `wg pubkey`. Only the registration step is reproduced here.
    ins() { vrb=$1; shift; curl -s -H 'user-agent:' -H 'content-type: application/json' -X "${vrb}" "${api}/$@"; }
    sec() { ins "$@" -H 'authorization: Bearer '"${reg[1]}"''; }

    cfg=($(if [[ -e "${usr}" ]]; then
        # existing device: reuse the saved "<id> <token>" and fetch its config
        reg=($(cat "${usr}"))
        test "${#reg[@]}" -eq 2
        sec GET "reg/${reg[0]}"
    else
        # first run: register the public key as a device, keep id/token, turn WARP on
        reg=($(ins POST "reg" -d '{"install_id":"","tos":"'"$(date -u +%FT%T.000Z)"'","key":"'"${pub}"'","fcm_token":"","type":"ios","locale":"en_US"}' |
            jq -r '.result|.id+" "+.token'))
        test "${#reg[@]}" -eq 2
        echo "${reg[@]}" >"${usr}"
        sec PATCH "reg/${reg[0]}" -d '{"warp_enabled":true}'
    fi | jq -r '.result.config|(.peers[0]|.public_key+" "+.endpoint.v4)+" "+.interface.addresses.v4'))
    # cfg holds: peer public key, peer endpoint (v4), our tunnel IPv4 address
    test "${#cfg[@]}" -eq 3

Will this work on Linux?

I can't see why that bit wouldn't, the rest of the script has some macOS-specific network setup though.
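For the Linux question, the platform-independent part is the last step of the script above: taking the registration response and turning it into a WireGuard peer config. The following is an added example (not saurik's script and not Cloudflare's code) that does that in Python and validates the fields before writing a wg-quick config. The JSON is a constructed sample that only follows the shape the script's jq filter reads (`result.config.peers[0].public_key`, `.endpoint.v4`, `result.config.interface.addresses.v4`); the API base URL, real keys and endpoints are not on this page and are not assumed here.

```python
"""Added example: validate a registration response and render a wg-quick config.

The sample response and the placeholder keys are constructed for the example;
the field layout mirrors the jq filter in the shell script above.
"""
import base64
import ipaddress
import json
from typing import Dict

# Constructed sample response, shape only (all values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "id": "device-id-placeholder",
        "token": "bearer-token-placeholder",
        "config": {
            "interface": {"addresses": {"v4": "172.16.0.2", "v6": "fd01::2"}},
            "peers": [{
                # 32 zero bytes, base64: a syntactically valid WireGuard key
                "public_key": base64.b64encode(bytes(32)).decode(),
                "endpoint": {"v4": "192.0.2.1:2408", "v6": "[2001:db8::1]:2408"},
            }],
        },
    }
})


def check_wg_key(key: str) -> str:
    """WireGuard keys are 32 bytes of Curve25519 material, base64-encoded."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard key must decode to 32 bytes")
    return key


def parse_warp_config(response_text: str) -> Dict[str, str]:
    """Pull the same three fields the jq filter extracts, with validation."""
    cfg = json.loads(response_text)["result"]["config"]
    peer = cfg["peers"][0]
    endpoint = peer["endpoint"]["v4"]
    host, port = endpoint.rsplit(":", 1)
    ipaddress.ip_address(host)          # raises on a malformed host
    if not 0 < int(port) < 65536:
        raise ValueError("endpoint port out of range")
    address = ipaddress.ip_interface(cfg["interface"]["addresses"]["v4"] + "/32")
    return {
        "peer_public_key": check_wg_key(peer["public_key"]),
        "endpoint": endpoint,
        "address": str(address),
    }


def render_wg_quick(fields: Dict[str, str], private_key: str,
                    dns: str = "1.1.1.1") -> str:
    """Render a wg-quick style config for the validated fields."""
    check_wg_key(private_key)
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {fields['address']}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {fields['peer_public_key']}",
        f"Endpoint = {fields['endpoint']}",
        "AllowedIPs = 0.0.0.0/0",
        "",
    ])


if __name__ == "__main__":
    # Placeholder private key (32 bytes of 0x01); use `wg genkey` for a real one.
    placeholder_private = base64.b64encode(bytes([1]) * 32).decode()
    print(render_wg_quick(parse_warp_config(SAMPLE_RESPONSE), placeholder_private))
```

On Linux the rendered text goes to /etc/wireguard/<name>.conf and `wg-quick up <name>` replaces the macOS-specific interface and routing setup in the original script.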

I just bought a monthly + WARP subscription, and it's slow as hell. Maybe because I'm in Indonesia. But it works just fine with WARP disabled.

Another problem is suddenly disconnected when I'm not browsing the internet, like watching videos or reading something on my phone.

Hope you guys fix these problems soon.

I have a 300/300 symmetric connection in Barcelona and only get 80/0.07 Mbps with Warp. The 80 is fine, but what is up with 0.07 Mbps up, and why is it so jittery?

EDIT: Anyone in Barcelona want to go axe throwing in an hour?

Same in Paris: 500 down/60 up without Warp, 300 down/1.25 up with Warp

86.3/0.28 with Warp, 109.4/117.8 without. I am in LA, CA, US.

I have a different reason for being unable to use Warp: I don't want to access a "proper" DNS server, I want a DNS server that blocks ads for me in Mobile Chrome (I am aware that ad-blocking is fully integrated w/ Mobile Safari). I currently use AdGuard to get this feature, which sets the DNS server to one that blackholes ad servers.

Still, it's quite exciting that Cloudflare's finally released Warp, and that the waitlist for Warp was so long.

Rather than using the Adguard local VPN app, you can set your DNS to them.


Unfortunately this is only possible on wifi on iOS. On Android 9+ you can set custom DNS on both mobile and wifi.

It sounds like an interesting product, but I'm wary of anything put out by the arbiters of the internet.

Really? The arbiters of the internet? You don't think that's maybe a little melodramatic?

Cloudflare has, time and time again, demonstrated openness, transparency, and insight into their technical and ethical frameworks. I trust them a whole lot more than my ISP or any random VPN provider.

> The arbiters of the internet? You don't think that's maybe a little melodramatic?

As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.

They've also exercised power over websites based on moral outrage. Perhaps 99.999% of people agree with the morals behind this decision, and maybe it's even the right decision, but it's still an arbitrary decision made by Cloudflare.

They are also bound by US law, and other entities bound by US law have been forced to enable the exact same forms of record keeping that Cloudflare says they will keep turned off.

Cloudflare is not a neutral party. They don't even advertise themselves as a neutral party.

> As someone who has browsed sites "powered by cloudflare" over Tor and been tossed into an infinite "are you human" loop, it certainly doesn't feel melodramatic.


There are no neutral parties on the Internet.

Pick the evil you're most comfortable with.

Were you allowing them to set cookies on your browser? If not, I don't see how they could do anything but toss you into an infinite "are you human" loop...

Personally, I'd feel safer using this vs any other random VPN service. At least these guys have a reputation at stake, if people discovered they were selling your data.

If you're dealing with adversarial middle-men, it could be OK. I lived in a country where everything inside the country right up to the border could be considered adversarial.

If it brings competition to the shady VPN-peddlers, and is easy to download and get going, I'll consider it a net positive, all-in-all, regardless whether I'll use it personally or not.
