Cloudflare Launches Its Security-Focused Mobile VPN, Again

Credit to Author: Lily Hay Newman| Date: Wed, 25 Sep 2019 13:00:00 +0000

When the company first launched the Warp VPN, “all hell broke loose,” its CEO says. After a few months of tinkering, Cloudflare wants a do-over.

In April, Cloudflare, the internet infrastructure giant, launched a security- and speed-focused mobile VPN called Warp. The idea was to offer a sleek, streamlined alternative to the buggy, laggy, generally frustrating options that make up most of the mobile VPN market. But things with Warp didn't go as planned. In fact, the original release had almost all the problems that Cloudflare was trying to solve. And a waitlist of about 2 million people who wanted to try a half-baked product.

On Wednesday, the company is finally relaunching Warp, which Cloudflare says is better for its rocky debut—even if it was embarrassing. The VPN builds on Cloudflare's existing mobile app 1.1.1.1, which encrypts "domain name system" connections, so your internet service provider or other lurkers can't see which websites you access. But Warp goes beyond this protection to encrypt the whole journey from your device to a web server and back—even if the website itself still isn't offering HTTPS web encryption. And all of this happens quickly, without draining your battery, and without complicated setup. Seriously. Like, for real this time.

"Yeah, what we thought was going to be easy back in April turned out to be a lot harder than we expected," says Cloudflare's CEO Matthew Prince. "We had been testing this primarily in San Francisco and Austin and London, which is where the teams that were working on this are based. But as soon as users started to get anywhere that didn't have a fairly reliable internet connection, just all hell broke loose."

In describing the hurdles Cloudflare faced getting Warp off the ground, John Graham-Cumming, the company's chief technology officer, and Dane Knecht, its head of product strategy, note that many of the challenges came from dealing with interoperability issues between mobile device models, operating system versions, and different mobile network and Wi-Fi configurations around the world. For example, Warp is built on a newer secure communication protocol for VPNs known as WireGuard, which isn't ubiquitous yet and therefore isn't always natively supported by devices. The team also faced challenges dealing with web protocols and standards that are implemented inconsistently across different wireless carriers and internet service providers around the world. Cloudflare's 1.1.1.1 focuses on encrypting DNS connections specifically, but Warp aims to encompass everything in one protected tunnel. Keeping everything together as data traverses the labyrinth of servers that make up the internet, including Cloudflare's own massive network, was tough.

"What’s really hard about mobile is you can switch between Wi-Fi and LTE and within Wi-Fi and your IP address changes," Knecht says, referring to the string of numbers that gets assigned to devices on the internet as a sort of mailing address. "Normally your connection is tied to your IP, so if you change IPs or change networks you have to start all over again with what your device has been doing. Instead we abstracted away that reliance on a connection ID, so no matter if the device is traveling over LTE or Wi-Fi it all gets to the same place and the underlying connection can still continue."

Virtual Private Networks are controversial, because they are not the privacy and security panacea marketers often promise. VPNs connect you to the larger internet using a smaller, controlled network as an intermediary. By routing all your traffic through this encrypted tunnel, you can make it harder for bad actors, or your internet service provider, to spy on what you're doing. The outside world just sees you connecting to your VPN. What's contentious is that this setup requires you to really trust your VPN provider, because your traffic isn't magically hidden from everyone—it's being shielded by a new third-party that could potentially take a peek itself.

On mobile in particular, though, users have to weigh this risk against the constant land grab of ad trackers, targeted services, and internet service providers all vying for information about user browsing. In recent months, a wider array of privacy- and security-focused tools specifically built for mobile has finally started cropping up.

Warp isn't meant for people who already have, say, an enterprise VPN set up on their phones by their employer with specific customizations and tailored protections. But for individuals who want a quick and easy way to encrypt more of their web traffic without having to configure anything, Warp is certainly an accessible option. The basic service is free, and an upgraded version called Warp+ offers additional speed and security by more strategically routing your traffic across Cloudflare's networks. Prince says the cost of Warp+ in different markets around the world will roughly mirror the cost of a Big Mac in each region. In the United States, Warp+ costs $4.99 per month. Both tiers of service are launching in all markets Wednesday.

I found that Warp largely has the set-it-and-forget-it appeal that Cloudflare is going for. I only tested it around New York City, where Wi-Fi and mobile data connections are generally quite strong, but it mostly transitioned between the two easily—something Cloudflare prioritized during development. I also didn't notice much impact on battery life or page load speeds. The only area where Warp really struggled, which I've noticed with every mobile VPN I've tested, was the frequent data interruptions that come from riding the subway. Every time you get to a station your phone finds service anew and works to establish a connection, at which point you have about 30 seconds to a minute before going back into the tunnel and losing the connection again. VPNs tend to waste your 30 seconds of connectivity trying to sort themselves out, and Warp was no exception. Though this is a pretty specific use case, I did also notice Warp having similar difficulties when I walked through spots in my office that simultaneously have weak wifi connectivity and poor mobile data reception.

On the question of whether you should trust Cloudflare to be your VPN provider, independent privacy consultant Joseph Jerome, who has spent years researching VPNs, says that Cloudflare's policies for Warp are strong. "Many VPNs recognize the trust deficit, but they're all grasping at different ways they can demonstrate their good intentions publicly," Jerome says. "While I’m usually dismissive of privacy policies, Cloudflare goes to great lengths to describe what they aren't doing with data. You don’t see that in most privacy policies."

Jerome says he signed up for the Warp waitlist months ago. He's No. 330,088. (I was No. 1,971,455 until I jumped the line to test the service for this story.) But, as always with large companies like Cloudflare, the question of consolidation and market dominance is also important to consider. Cloudflare already provides foundational services as a content delivery network for 20 million internet properties around the world. So whether you realize it or not, a fair portion of your web browsing traffic likely flows over Cloudflare's servers every day anyway.

Perhaps that means that also using the company's VPN doesn't expose you to significantly more potential privacy risk if the company were to go rogue. But offering a consumer VPN may only further entrench Cloudflare's influence and power on the internet. Prince, the CEO, says he'll judge the project a success if the company has 100 million people using Warp within a year. And for the average user, it's hard to argue with the benefits and convenience of an accessible, functional, and reputable mobile VPN.

https://www.wired.com/category/security/feed/

Leave a Reply