WARP is not a VPN for privacy

Posted on Sep 25, 2019 by Caleb Chen

You may have heard earlier this year that Cloudflare was planning a mobile VPN called WARP. Today, 9/5/19, Cloudflare has officially opened the WARP “VPN” feature of its popular 1.1.1.1. DNS-encrypting app to the public – and it’s important to note that WARP is NOT private. What most people don’t notice is that the app passes along your IP address to the destination. Cloudflare first announced its WARP VPN on April 1st of 2019, when it also started a public waitlist. WARP is built on technology that Cloudflare first got its hands on when it acquired Neumob in 2017. More specifically, WARP is a WireGuard VPN. That doesn’t mean that WireGuard, which is powerful and promising, can’t still be intentionally misconfigured to pass along the user’s IP address – or another “random” user-specific identifier – to the destination.

1.1.1.1. WARP mobile VPN is not for privacy

While the original 1.1.1.1. mobile app, sans VPN technology, provides a crucial, free service by encrypting DNS queries for otherwise unprotected mobile internet users, who would leak those queries to public WiFi networks or private mobile data providers, the addition of this VPN considerably widens the amount of trust placed in Cloudflare. While Cloudflare does have an extensive privacy policy for WARP, that doesn’t change the unique potential for privacy disaster. As Lily Hay Newman surmises in her article on the Cloudflare WARP announcement for Wired:

[…] Cloudflare already provides foundational services as a content delivery network for 20 million internet properties around the world. So whether you realize it or not, a fair portion of your web browsing traffic likely flows over Cloudflare’s servers every day anyway.

Perhaps that means that also using the company’s VPN doesn’t expose you to significantly more potential privacy risk if the company were to go rogue. But offering a consumer VPN may only further entrench Cloudflare’s influence and power on the internet. […]

Privacy needs to be built into Virtual Private Networks

The most obvious effect of using a VPN (Virtual Private Network) is that your destination sees a different IP address. That IP address can be shared or it can be fixed – whatever it is, it should be different from the originating IP address if the connection is to be private. While there arguably are uses for a VPN that doesn’t provide this key feature, they aren’t anywhere near as numerous. One might also argue that this is a must-have feature, expected of any one-click mobile VPN that offers service with zero user configuration necessary.
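
One way to run the check described above, as an added example that is not part of the original post: given what a test server you control observed for one request (the TCP peer address and the request headers), it lists every place the client's originating address was visible. The header names are common forwarding headers chosen here as an assumption, since the post does not say how WARP conveys the address, and all sample values are constructed from documentation address ranges.

```python
import ipaddress
import re

# Assumption: common proxy/CDN client-address headers; the post names none.
FORWARDING_HEADERS = {"x-forwarded-for", "forwarded", "x-real-ip",
                      "cf-connecting-ip", "true-client-ip"}
_IP_TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")  # candidate IPv4/IPv6 literals


def addresses_in(value):
    """Yield each valid IP address embedded in a header value."""
    for token in _IP_TOKEN.findall(value):
        candidates = [token]
        if token.count(":") == 1:  # IPv4 with a port, e.g. 192.0.2.1:443
            candidates.append(token.split(":")[0])
        for cand in candidates:
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:
                continue
            yield addr
            break


def check_exposure(real_ip, peer_ip, headers):
    """List every place the destination could see the originating address."""
    real = ipaddress.ip_address(real_ip)
    findings = []
    if ipaddress.ip_address(peer_ip) == real:
        findings.append(("peer-address", peer_ip))
    for name, value in headers.items():
        if real in set(addresses_in(value)):
            known = name.lower() in FORWARDING_HEADERS
            kind = "forwarding-header" if known else "other-header"
            findings.append((f"{kind}:{name.lower()}", value))
    return findings


if __name__ == "__main__":
    # Constructed observations, as a test server would log them.
    real = "198.51.100.7"
    cases = {
        "no tunnel": (real, {"User-Agent": "curl/8.0"}),
        "tunnel, address hidden": ("203.0.113.9", {"User-Agent": "curl/8.0"}),
        "tunnel, address forwarded": (
            "203.0.113.9", {"X-Forwarded-For": "198.51.100.7, 203.0.113.9"}),
    }
    for label, (peer, hdrs) in cases.items():
        print(f"{label}: {check_exposure(real, peer, hdrs) or 'not exposed'}")
```

An empty result only covers the IP address itself; a per-user identifier of some other kind would not be caught by this comparison.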

5 Comments

  1. ahyu84

    Yeah, I checked: once connected to WARP+, my public IP is still visible, and the DNS leak test shows my ISP as well.

    In conclusion warp+ is not secure.

    5 years ago
  2. Karel Donk

    Anyone using Cloudflare has got to be an idiot. Their CEO has proven that the company can never be trusted. Supposedly they value user privacy and security but all that goes away when their CEO “wakes up in a bad mode” and decides to screw you over. Just DuckDuckGo it.

    But a more alarming quote from their CEO is the following:

    “In the two years since the Daily Stormer what we have done to try and solve the Internet’s deeper problem is engage with law enforcement and civil society organizations to try and find solutions. Among other things, that resulted in us cooperating around monitoring potential hate sites on our network and notifying law enforcement when there was content that contained an indication of potential violence. We will continue to work within the legal process to share information when we can to hopefully prevent horrific acts of violence.”

    That’s frankly surveillance. Spying. This is why Cloudflare wants to man-in-the-middle (MITM) all ((encrypted) (HTTP)) traffic on the Internet. Sooner or later the mask had to begin coming off. You can bet your ass they will be scanning all traffic on their “VPN”. Cloudflare is going down the same path of breaking all privacy and security on the Internet like Facebook.

    5 years ago
    1. Jay

      I found this in the denylist, but this isn’t explained up front. I have netflix installed and it’s not on the denylist checked on the UI. Would regular users care?
      "denylist": [
        {
          "name": "Netflix",
          "android-packages": [
            "com.netflix.mediaclient"
          ],
          "visible": true
        },
        {
          "name": "BBC iPlayer",
          "android-packages": [
            "com.bbc.globaliplayerradio.international",
            "bbc.iplayer.android"
          ],
          "visible": true
        },
        {
          "name": "YouTube",
          "android-packages": [
            "com.google.android.youtube",
            "com.google.android.apps.youtube.mango"
          ],
          "visible": true
        },
        {
          "name": "DisneyLife",
          "android-packages": [
            "com.disney.disneylife_goo"
          ],
          "visible": true
        },
        {
          "name": "Hulu",
          "android-packages": [
            "com.hulu.plus"
          ],
          "visible": true
        },
        {
          "name": "HBO",
          "android-packages": [
            "com.hbo.hbonow"
          ],
          "visible": true
        },

      5 years ago
    2. Charles Dunc

      Personally, I don’t see the issue this article is complaining about.

      You’ll always have people using the (perceived) anonymity of a VPN to do less than legal things on the internet. This only becomes a bigger problem when you have a VPN that’s free of charge and has no concept of accounts – thus not enabling the blacklisting of bad actors.

      At no point has Cloudflare claimed to provide anonymity, hide the user or unblock content. The only aim for Warp is to provide free transit security, which it does perfectly.

      5 years ago
    3. plaster

      It should be reiterated: monitoring sites HOSTED BY THEM. Cloudflare is not a government, or a country; and they ain’t doing anything with sites hosted on, for example, Linode.

      5 years ago