Cloudflare Announces Warp VPN

Back when Cloudflare released its 1.1.1.1 secure DNS application for mobile devices, I wondered what the point was, since (at least on Android) users needed to disable any VPNs they were using in order to use the 1.1.1.1 application. Who is the audience for secure DNS minus a VPN?

This week, Cloudflare closed that gap by announcing Warp, a free VPN (with premium options to follow) that will eventually be rolled into the 1.1.1.1 mobile app.

From Cloudflare’s press release,

Technically, Warp is a VPN. However, we think the market for VPNs as it’s been imagined to date is severely limited. Imagine trying to convince a non-technical friend that they should install an app that will slow down their Internet and drain their battery so they can be a bit more secure. Good luck.

. . .

We built Warp because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, Warp acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable Warp, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, Warp is the VPN for people who don’t know what V.P.N. stands for.

. . .

Security is table stakes. What really distinguishes Warp is performance and reliability. While other VPNs slow down the Internet, Warp incorporates all the work that the team from Neumob has done to improve mobile Internet performance. We’ve built Warp around a UDP-based protocol that is optimized for the mobile Internet. We also leveraged Cloudflare’s massive global network, allowing Warp to connect with servers within milliseconds of most the world’s Internet users. With our network’s direct peering connections and uncongested paths we can deliver a great experience around the world. Our tests have shown that Warp will often significantly increase Internet performance. Generally, the worse your network connection the better Warp should make your performance.

. . .

Finally, we knew that if we really wanted Warp to be something that all our less-technical friends would use, then price couldn’t be a barrier to adoption. The basic version of Warp is included as an option with the 1.1.1.1 App for free.

We’re also working on a premium version of Warp — which we call Warp+ — that will be even faster by utilizing Cloudflare’s virtual private backbone and Argo technology. We will charge a low monthly fee for those people, like many of you reading this blog, who want even more speed. The cost of Warp+ will likely vary by region, priced in a way that ensures the fastest possible mobile experience is affordable to as many people as possible.

Users can sign up from the 1.1.1.1 app to be on a waitlist that they’ll move up as the VPN rolls out. I’m currently at #340921, so it may be awhile before I get to use it.

This is certainly an exciting development, but I assume that just as Cloudflare highlights some of the problems with traditional VPNs in its press release, there are some things that traditional VPNs are probably better for than Warp. For example, my suspicions are that Cloudflare isn’t going to be a big fan of people using their VPN for torrenting.

CloudFlare’s Encrypted DNS App for Android and iOS

CloudFlare recently released an app for Android and iOS that makes it easy for users to encrypt their DNS queries using CloudFlare’s 1.1.1.1 DNS resolver.

For once, I’m really not sure what the point is of a security tool like this. One of the criteria for using the 1.1.1.1 app is you need to turn off any VPN you have activated. But I’m not really certain what the use case would be for wanting encrypted DNS but not a VPN.

Personally, I use ProtonMail’s VPN on my phone when I want privacy from the local network operator. There are issues with Proton, but it’s security is more than good enough for anyone not concerned about state actors in their threat model.

TorrentFreak’s 2018 Roundup Of VPNs

TorrentFreak recently published the latest version of its annual roundup of which VPNs really protect their user’s privacy. The last thing you want to do is pay extra money to a VPN for the “benefit” of having them log your Internet activity anyways.

As with past such roundups, TorrentFreak is here relying on responses from the VPNs themselves, so this should be the start, not the end, of research you’d want to do on any VPN you’re thinking about using.

I still use AirVPN as my VPN, and am very happy with it. AirVPN allows BitTorrent connections, and has relatively high speeds for the price. However, my primary use case is to keep my activity private from ISPs and copyright authorities. If I were worried about 3-letter agencies or other state actors, I might take a closer look at other alternatives.

Anyway, here is how AirVPN answered TorrentFreak’s 12 questions.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

No, we don’t.

2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?

The name of the company is Air and it is located in Italy.

3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?

We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

Absolutely not.

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

They are ignored.

6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?

The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.

We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellmnn keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channels ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AED cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.

Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally of public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, momentarily we would suggest to drop ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.

10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.

11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)

The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).

12. What countries are your servers physically located? Do you offer virtual locations?

We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.

Turkey Seizes ExpressVPN Server In Assassination Investigation–Finds Nothing, By Design

It seems inevitable that anytime there’s a discussion of VPNs, someone chimes in that a) of course all VPNs are really logging users, and b) it would be impossible for them not to log users. Unfortunately, there have been a number of cases where VPNs that strongly implied they were not logging or tracking users actually went out of their way to help law enforcement or intellectual property owners.

Turkey’s seizure of an ExpressVPN server–as part of its investigation into the assassination of Russian Ambassador Andrey Karlov–went the opposite direction. According to a statement by ExpressVPN released after Turkish media recently began reporting about the server’s seizure,

According to recent Turkish media reports, investigators in Turkey allege that a still-unknown individual used ExpressVPN in an attempt to delete evidence related to last year’s assassination of Russian Ambassador Andrey Karlov. This individual, according to the reports, logged into the Gmail and Facebook accounts of the assassin (off-duty police officer Mevlüt Mert Altintas) and deleted conversations that would have been relevant to the investigation.

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.

. . .

VPNs are first and foremost security tools that help to protect users from being hacked, tracked, monitored or otherwise compromised. As such, the ExpressVPN service is built from the ground up to provide the best protection possible, including ensuring that our servers do not contain personal data about anyone’s online activity.

While it’s unfortunate that security tools like VPNs can be abused for illicit purposes, they are critical for our safety and the preservation of our right to privacy online. ExpressVPN is fundamentally opposed to any efforts to install “backdoors” or attempts by governments to otherwise undermine such technologies.

Several things come to mind after reading ExpressVPN’s statement:

  1. I’m surprised an individual somehow connected with the assassination of a Russian ambassador would use a commercial VPN to try to cover his or her tracks. Yes, ExpressVPN publicly claimed to not do any logging of any sort, but that’s a pretty high stakes bet that that person made.
  2. Contrary to the naysayers, some VPNs do, in fact, run their services in such a way that they have extremely limited to zero knowledge about their users’ activities after the fact.
  3. The inability of ExpressVPN to offer the sort of information that Turkey is looking for in this high profile case is likely to lead to calls for more regulation around VPNs. ExpressVPN notes that it is based in the British Virgin Islands which has “strong privacy legislation and no data retention requirements.” I imagine they’ll be under a lot of pressure to “update” their data retention requirements.

AirVPN 6th Anniversary

AirVPN recently celebrated its sixth birthday,

From a two servers service located in one tiny country providing a handful of Mbit/s in 2010, the baby has grown up to a wide infrastructure in 16 countries in three continents with 165 VPN dedicated servers and several secondary servers aimed to additional services, providing now up to 156900 Mbit/s to tens of thousands persons around the world. The number of available VPN servers since the last birthday has almost doubled. An outstanding growth that makes us very proud!

I have been using AirVPN since 2011 and route all of the Internet traffic on my two personal laptops through their service (other than times when I’m playing online games where the lowest possible latency is a must).

Based on what I’ve read, AirVPN is the best VPN for when you don’t want your ISP or other network provider monitoring what you’re doing over the Internet. I appreciate things like their client’s “Network Lock” feature, which prevents any Internet traffic that doesn’t traverse the AirVPN network so as to prevent any leakage which might allow my ISP or others to monitor what I’m connecting to.

As I’ve written on my blog before, if I were engaged in activities where I was worried about a state actor and where connection speed isn’t important, I would use something like Tor. But for keeping the MPAA and my ISP’s monitors at bay, AirVPN does the trick.

Finally, the price for AirVPN has stayed fairly stable–a one year subscription costs roughly $59 (the company bills in Euros)–while the company has expanded the number of concurrent connections it allows to three, so that I can have both of my laptops and occasionally my phone connected simultaneously.