I was openly critical of Cloudflare when they announced Warp the first time. My accusations were over-reaching, and I ultimately retracted them. But I'm still skeptical, and I still won't use Warp.
Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.
My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.
Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.
Early on in Cloudflare’s history when we were asked who our competition was we said Facebook. The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages. We saw our role as providing the security and performance needed to compete without making you give in to use an all-consuming platform.
We haven’t said that in a long time, but I was reminded of it while we were on our IPO Road Show. One investor we met with said:
“Here’s how I think of you: Cloudflare is to Facebook as Shopify is to Amazon.”
That resonated to me and reminded me of our earliest days and why we started the company.
So I appreciate the concern but hope there will always be more independent web because we exist than there would be if we didn’t.
Thank you for taking time to share your perspective. However, I remain skeptical.
It's true that a website using Cloudflare is more independent than a Facebook page, in that in the former case, the company can take their domain to another provider. But my idea of an independent Web is a large number of websites depending on a large number of high-quality hosting providers. The latter number will inevitably be smaller, but shouldn't be single-digit. That would lead to too much potential for abuse of power.
Also, the more sites are using a single provider with its black-box algorithms and heuristics, the more potential there is for bad consequences for innocent users when those things misfire. That's what worries me about the bot-fighting feature you launched on Monday.
To respond specifically to part of what you said:
> The concern was that the challenges of being online would get so hard that individual websites would give up and just move to run Facebook pages.
I don't think I understand how Cloudflare actually helps here. I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem? If so, I haven't run into them in the 16 years that I was the programmer and sysadmin for a small company (admittedly, online services are that company's business). Maybe we just didn't make the right enemies? Now, maybe small web hosting providers could make it even easier to set up a new website, but Cloudflare doesn't do anything about that problem anyway. If the concern is performance, maybe we need better alternatives to WordPress and Drupal, and more local hosting providers, so the website for small businesses can be closer to their mostly-local customers without using a CDN.
> The latter number will inevitably be smaller, but shouldn't be single-digit.
The space Cloudflare is in could afford plenty of players, I think—more than a single-digit amount. There’s nothing about Cloudflare’s business strategy that implies/necessitates that they’d become a monopoly in a market equilibrium state. The only reason you don’t see a pack of Cloudflare clone-companies, AFAIK, is that the talent required to clone Cloudflare is rare.
(Interestingly, an ISP—especially a cellular ISP familiar with routing roaming circuits—could totally pivot into Cloudflare’s business to expand globally. I wonder why we haven’t seen that?)
> I think the average bar, karaoke DJ (I love karaoke), spa, or other small business that might just use a Facebook page would be served just as well by the kind of hosting provider that gives your website a single IP address pointing to a single machine. Are DDoS attacks and bots really that big of a problem?
I feel like the perspective you’re coming at the problem from here is already heavily influenced by the contraction and centralization that the web went through in the early 2000s. Yes, right now, businesses just want essentially an online business card, and Facebook handles that just fine. But their desires are more of an acknowledgement of the practicalities of what’s economical for them to have built and hosted in the current (or recent-historical, since it takes a while for people’s thoughts on this to shift) web landscape.
Look around the internet of the 90s. Companies didn’t used to build business-card websites. The dreams of even the most run-of-the-mill SME used to be far more grandiose. At the very least, every company who knew what the options were, wanted to host a forum for the community composed of their customers. Many of the web’s most prominent standalone forums were started back then. Why so few today? Because ambitious, dynamic, user-generated-content-filled sites like these do get hurt by spamming and DDoSing. They’re hard to run—and not just in a community-management sense, but in an ops sense.
Cloudflare’s tech (which, again, anyone could offer, not just Cloudflare) can and does provide the protection required to allow SME websites to be a little bit more ambitious again, to the point that they’re not just doing something commoditizable by Facebook.
Talent is everywhere, but a lot of people who have it don't want to move to a big city. So IMO, the next Cloudflare's developers should be as widely dispersed as its POPs.
Edit: The more recently added part of your comment is very insightful, and I hadn't thought about it that way. Still, I think we could go a lot further with old-school hosting providers if we traded PHP and Ruby for Rust, Nim, and the like. Note that I didn't mention garbage-collected languages, because lots of applications running efficiently on a shared host is incompatible with a garbage collector that really wants the whole heap to itself.
GC'd langs like golang, crystal, nim, etc. would probably be just as effective in practice, while remaining more accessible to business app developers.
.NET Core benchmarks since Span<T> have been very interesting, especially relevant to this particular discussion because ASP.NET (web stack) was a primary consumer/driver for Span<T> APIs.
I ran a small web service in the video game industry for several years, and CloudFlare was essential to our survival, as the DDoS attacks would repeat every few weeks, and at times last 6 to 12 hours at a time. CloudFlare simply ate that up, and our customers were not impacted. Today, at a different company, different industry, we use CloudFlare for similar needs, but within physical area security networks. It's essential.
They do, and CloudFlare has historically been part of the reason why they have such high DDoS risks. There's a bunch of "booter" sites out there which effectively sell botnet-as-a-service DDoS attacks to gamers, and those sites have relied on CloudFlare to stay online. Without that protection their competitors would DDoS their websites offline most of the time. Also, most reputable hosting and CDN services don't allow booters because they're both highly illegal and disruptive to the entire internet. CloudFlare, on the other hand, openly permits them.
We were hit hard by Chinese IP addresses. After a while we just blocked the entire Chinese IP range. Expecting script kiddies to try to hack our system, we started out with a Federal Reserve quality hardware firewall, and I suspect the presence of that security attracted attention.
Hetzner is 20 years old company with ~300 employees and ~230,000 servers. Of course on scale of AWS, Google and others it's fairly small, but CloudFlare is not all that much larger.
As a guess, people who are invested in games are more likely to consider themselves techy people, the competition makes everything a bit tenser and elicits more excitement, and games are explicitly online only.
How do you protect yourselves from becoming part of the USA's internet surveillance network? You're exposed to National Security Letters and you lost the case with the Ninth.
Ironically, the U.S. is the safest place from the USA's surveillance network, when no warrant whatsoever is required to collect information by hacking into a foreign entity.
The NSA was tapping glass of inter-DC links of all the major online players without their permission on US soil.
Not only that, the NSA was undermining NIST-approved algorithms by giving dishonest advice, thereby compromising the security of US institutions that used those algorithms:
> Ironically, the U.S. is the safest place from the USA's surveillance network
Only in the sense that one has the strongest theoretical argument for a legal remedy against surveillance after it happens, not in the sense that one is actually safe from being subjected to it in the first place, and only even then if one excluded “i’ll scratch your back if you scratch mine” from the other five eyes members when you say “U.S. surveillance network”.
The "I'll scratch your back if you scratch mine" theory has been written about ad nauseam, but isn't substantiated. The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.
> The U.S. government can get the information faster by using the warrant power enumerated in the Constitution.
Not without presenting probable cause that the surveillance would produce evidence of a crime to a judge it can't.
Of course it can (and is well documented to have, on many occasions) just ignore the statutory and Constitutional restrictions on domestic surveillance. And that will probably, in most cases, be easier than going to a third party. Information sharing is most likely to be efficient when the other agency had a targeted surveillance operation already in place covering a target of interest, rather than in the naive “on demand” form.
> but hope there will always be more independent web because we exist than there would be if we didn’t.
I'm wary about joining in on Cloudflare bashing. I like Cloudflare. But...
The mark of a responsible company is that it has plans to mitigate potential harm once it stops being responsible. At one point growing up, I would have made the same arguments you make here about Google. They're not perfect, but they're better than the alternative.
The problem is that this promise essentially boils down to, "we'll try very hard not to be bad." You can't make that promise, even if you're a good person. At some point you're going to either retire or die, and your company will be handed off to other people. Your comment doesn't make me feel any better, because it reads to me like your plan is, "things won't go wrong", and you don't know that.
I'm glad Cloudflare exists, and I do think you're doing a heck of a lot more good than harm. Cloudflare is about as close as anyone can get to an ethical company. But if this is the attitude, then Cloudflare is not a responsible company, because it's not making plans for what will happen after its owners turn evil. Cloudflare is an ally for the Open Web right now. It doesn't have a backup strategy I can see for when that changes.
The Shopify analogy is actually really fitting to me. Shopify is better than Amazon, but Shopify is definitely not where I want the future of commerce to be. Many of the problems and risks inherent in Amazon's design are also inherent in Shopify -- Shopify just happens to be a more ethical company that tries harder not to exploit those flaws.
At some point in the future, once we've all centralized everything onto Shopify, that will change and Shopify will become the new Amazon. And at some point in the future, maybe even decades from now, Cloudflare will become evil. All powerful companies eventually become evil, it's inevitable.
Concretely, what are you suggesting Cloudflare is doing wrong here? What responsible things should they be doing that they aren't?
The "we try very hard not to be bad" form of mitigation is scary when the company is doing dangerous things without adequate safeguards, but I don't see how you figure Cloudflare is doing that here. Ultimately, when you've done everything you can not to put people at risk and the only remaining risk is that you'll stop being trustworthy, "We try very hard not to be bad" is all you can offer. So what more do you think they should be doing that would meaningfully reduce this risk?
If they really want to mitigate risk, then they should open up their tech, and promote competition. Not in their interests, but decentralising is the only way to safeguard against potential later abuses of power.
What I'm complaining about is a lot more broad than just the specific dangers with this service -- it has to do with how Cloudflare prioritizes what it spends it time on, and what the effects are of consolidation even with good actors. I disagree that conversation can be boiled down to, "what specifically is wrong with this particular project."
But, asking for specifics is reasonable, so very briefly, I'll describe two concrete problems I have.
----
First (and biggest), IP addresses should be hidden for everyone or no one. Cloudflare is revealing IP addresses because it doesn't want its VPN to be used as a privacy tool, just as a security tool. By positioning itself as a way to keep your data encrypted, and not as a way to bypass geo-locks, it's also less likely to be blocked by other companies. Ignoring whether or not it's a good use of resources for Cloudflare to make VPNs less private, this is on its face not unreasonable.
However, when you dig into the details, IP addresses are only exposed to websites that are using Cloudflare[0]. This creates a perverse economic incentive for sites to sign up for Cloudflare, because effectively Cloudflare is holding user data captive. If you're the NYT, and you thrive on data collection, and suddenly a huge portion of your visitors have their IP addresses hidden, and you can get those IP addresses by paying Cloudflare... that's problematic. That's Cloudflare creating a problem and then letting you pay them to solve it.
Cloudflare is looking into ways to expose IP addresses everywhere. Until they figure that out, they should either avoid launching the service, or they should hide IP addresses from Cloudflare customers.
----
Secondly, while there are people here disputing Warps performance increases, let's assume that (particularly Warp+) works as advertised and really does help make slow collections faster. It's worth noting that the majority of the underlying technology beneath Warp and Argo only works for companies of Cloudflare's scale. Cloudflare itself acknowledges this:
> There are few companies that have the breadth, reach, scale, and flexibility of Cloudflare's network. We don’t believe there are any such companies that aren't primarily motivated by selling user data or advertising. We realized a few years back that providing a VPN service wouldn’t meaningfully change the costs of the network we're already running successfully. That meant if we could pull off the technology then we could afford to offer this service.[1]
This makes it much harder for users to move away from Cloudflare or switch to an alternative VPN if Cloudflare turns evil, because unless the VPN market stays diverse, it won't get the opportunity to become diverse again in the future.
Google helped wall in its AI dominance by investing heavily into AI research that relied on massive data collection for good performance. This restricted small competitors from ever being able to compete with them, because they didn't have massive databases. That dominance became self-reinforcing, because Google's AI programs are all designed to increase the size of its database. At the same time, Google garnered good will by Open Sourcing its underlying technology, despite the fact that the technology was useless to potential competitors without large data sets.
In the same way, Cloudflare is able to wall in its dominance by primarily researching technologies that require a network of Cloudflare's scale in order to work. In effect, Cloudflare is investing a lot of effort into technologies that only work for big companies. Google can claim, "it's not our fault that we have the most data, what do you want us to do?" Cloudflare can claim, "it's not our fault that we have the biggest network. There's no switch we can flip to make the network size not matter, it's just the logistics of cost." But if a technology or service results in a natural monopoly, that's still a monopoly.
As a concrete step, to be responsible, Cloudflare should be looking for ways to allow competing 3rd-party VPNs to utilize Argo in the same way that Warp+ does. It should be possible to build a competing VPN service that gets the same speed benefits of Warp+.
There is a fundamental difference between Google and Cloudflare. Cloudflare has a real business that is based on paying customers. Google never had that. It was founded in 1998 and AdWords was introduced in 2000. Cloudflare is already 10 years old and not showing any sign that it will change its business model. As far as I am concerned, they are a trusted vendor and I will trust them with my business unless they change up.
The fact that this names four companies and remains an effective analogy is deeply troubling. There should be so many actors in all of these spaces that listing them would be a challenge.
Could you add Privacy restrictions? I'd like to see a maximum 18 month data retention, and some restriction on changing the terms: promise to never change them, or only change with 6 month public notice... idk
We’ve promised logs deleted after no more than 24 hours. We don’t want personally identifiable information; we think of it as a toxic asset. Here are the privacy guarantees we’ve made for 1.1.1.1 and WARP: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...
For such cases, we should have the necessary legal tools to deal with them if the material is truly dangerous enough to be consequential. It is not the job of a corporation to decide, though I suppose they are not under any obligation to provide service, either.
I am generally against censorship, because for every case that is "obvious", there are many more that merely seem so on the surface. This is especially important in cases where you might simply disagree with how someone else thinks, since thoughts can never be allowed to become illegal or immoral; it is only actions where such judgements are applicable.
The proper approach to combating misinformation and dangerous ideas is education. By understanding why an idea is dangerous, you will also understand why it cannot inform your actions.
You and I have completely inverted ideas of what censorship is and why it is bad.
Using legal tools would be horrific. Government censors deciding what material is too dangerous for the public is exactly one of the elements of fascism.
Private entities on the open market exercising their right to not help promote ideas they object to is a good thing. It means that the more objectionable an idea is, the harder it is to publish and the smaller its reach; and the more in the gray area an idea it is, the easier it is disseminate and the wider its reach. If one of those private entities makes a mistake in judgment, that's an opportunity for a competitor.
Governments have a monopoly on violence. Its power is not kept in check by competitors, but by systems like a bill of rights. Weakening those rights to allow legal tools to control ideas would be disastrous.
Corporations have no responsibility or ability to educate everyone about misinformation. They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
the point is that in every jurisdiction in the world there are already laws to stop "encouraging mass murder to post their killing spree". Governments should not interfere in censoring lawful speech. Moreover an actual court of law ruling that 8chan was an illegal site would set a precedent for such thing happening.
> They do have a responsibility not to enable bad people to do bad things, including not promoting ideas they know are dangerous.
This is literally corporate fascism if done in an extralegal way. And no, the free market is not going to care about the 1-5% of people discarded.
To quote a very nice blog[1]:
Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
> Governments should not interfere in censoring lawful speech.
What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.
I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else. If no one wants to take up that opportunity, then the public has spoken. It's not ideal, but it's way better than a government making that choice through threats of force.
> What's "lawful speech" today may not be lawful tomorrow if we go down this path. I don't want governments deciding (except in very narrow circumstances) what people are and are not allowed to say.
Entirely agree and current laws already prohibit encouraging murder
> I really like the parent's idea that a company deciding to not provide service to someone they find objectionable is just a business opportunity for someone else.
Like it was in in the 20th century before civil right laws?
It is like saying that a monopoly is impossible because competitors can always emerge. It just does not work in practice.
Especially when the "competitor" become themselves target of a new witch hunt.
So what's your solution, then? If you agree that governments should not be broadly deciding what speech is ok and what is not, then how do you prevent monopolization pushing out legitimate but unpopular speech, while also allowing companies the freedom to disallow certain kinds of speech on their platforms?
Things like civil rights laws are the flip side of the same coin. I'm comfortable with laws that prohibit threats of violence. I'm comfortable with laws that ensure you can't refuse service to someone just because they're of a race you don't like. I think that's a reasonable compromise of "free speech".
But I'm not comfortable with a government requiring that a company allow their users to build something like 8chan inside their service. If Reddit didn't want to allow users to have a sub dedicated to fat shaming, I'm not comfortable with the government being able to tell Reddit that they're required to allow that sub to operate, unfettered. If Facebook wants to shut down a page or group that promotes hatred of a particular race, I'm not comfortable with the government saying they have to let it run.
So how do we solve this problem? The article you reference even suggests, at the very end, that (despite the examples of past bad behavior) all this worrying might be for nothing:
> My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone. It’s entirely possible that we’ll escape with only a few things banned that probably deserve it. I certainly hope this is the case.
He also acknowledges that it's not great to be in a position where we have to depend on hope in order to reach a good outcome, which I agree with, but maybe that's just all we have. Legislating behavior only works up to a point. Legislating attitudes doesn't work at all.
I'm happy to see the Daily Stormer gone. I'm happy to see 8chan gone. I'm happy to see Reddit banning some subs (and honestly wish they'd ban more). I don't see the value in tolerating speech that promotes intolerance. But I'm not comfortable with the government stepping in here, and while their handling is far from perfect, the private companies aren't doing too terrible a job at it.
That is a great blogpost! It also explicitly undermines your point:
"My primary hope is that it’s just not a real problem. Certainly there has been very little in the way of speech restriction so far, and what little there has been has been against things which, on the object level, I’m happy to see gone."
> This is literally corporate fascism if done in an extralegal way.
I resolutely and absolutely oppose corporations acting extralegally. But Cloudflare and Voxility have an absolute legal right to not do business with 8chan and Epik if they so choose.
Why are they required to have committed a crime? Cloudflare isn't the government, why do you believe they're obligated to serve 8chan?
Cloudflare took down one website that was directly related to a major tragedy that cost people their lives. If you want to complain about that go ahead, but I don't care. I don't allow people to use my websites to spread that kind of hate, and I have no problem with Cloudflare doing the same in extreme circumstances.
The original comment had to do with whether we should trust Cloudflare more than Facebook. If they as a company want to make editorial decisions, that's fine, but the reality is that also means they are not content agnostic. Interestingly enough, they provide services for known spammers and other shady internet operations.
As to whether 8chan 'caused' those abhorrent crimes, I couldn't say, any more than 'violent video games' caused them. I view such crimes as having a root cause of some form of mental illness, which does not (imo) relieve the doers of culpability.
The point is that they are demonstrably not exactly what they claim to be, and thus some level of distrust is warranted.
Here's one of their statements about free speech from six years ago. It's essentially what I've always thought of as their brand.
It's sad to see them compromise their principles, but sometimes it only takes one little Twitter mob to make people back down. That's why it's reasonable to question their character.
My personal impression was that they did not surrender to a mob, but that the mob made them look closer to what they were hosting. I am not saying it is better, this is just my personal impression.
> Where does Cloudflare claim to be content agnostic?
They may want to claim it, one way or the other, as part of their IPO filing so that potential investors have some idea of liability risks with the company.
I have no reason to doubt that the CEO believes in free speech. Many people share this belief.
He did buckle, but we're only human. But did the pressure come from an angry mob on twitter, as most people assume, or from some guys wearing shades and an earpiece?
It is not about CF being forced to serve them, it is about balance, honestly I am fine with this take-down, but this cannot be dismissed as just being private individuals with private choices. This was obviously in their freedom to do, and it is not for me to say whether it was wrong or not (I actually quite like CF), but if stuff like this become a pattern then things become problematic.
It would either mean that the laws are insufficient or that the market is overreaching.
8chan's primary crime is not being sufficiently popular.
The Christchurch killer livestreamed the event on Facebook, and the enormous well-funded content moderation apparatus within failed to shut it down until well after the innocents were dead.
But Grandma uses Facebook, so we can't go after them.
The Wal-Mart shooter had a Twitter account, and posted plenty of content questionable enough even for the FBI to take notice.
But cousin Jake uses Twitter, so we can't go after them.
It doesn't matter what 8chan was used for, because far more popular platforms were used for far worse content. The only thing that mattered here was popularity.
quote:
There’s an unfortunate corollary to this, which is that if you try to create a libertarian paradise, you will attract three deeply virtuous people with a strong commitment to the principle of universal freedom, plus millions of scoundrels. Declare that you’re going to stop holding witch hunts, and your coalition is certain to include more than its share of witches.
No snark, but if you sincerely believe that, then there can't be a Libertarian Utopia because the libertarians are outnumbered by scoundrels 1mil to 3. Why would you take a path destined for failure?
You're right that Facebook was successfully abused by the Christchurch killer, but 8chan was being used by his community as intended, not abused.
To most people, that's why 8chan needed to be shut down, but Facebook only needs to be fixed. Why do you think that's irrelevant, and being small is the only crime?
I have searched and been unable to find anything suggesting this is true. Do you have a citation?
Another reason I don't think this is true is that I also can't find anything suggesting that the content the Christchurch killer posted is illegal (indeed, it has significant newsworthiness and academic value), and 8chan's policy was to allow anything not "illegal in the United States of America" [1] . If it didn't violate 8chan's policies, why did they take down the stream?
I don't have a horse in this race, but observing this back and forth is reminding me of Nietzsche:
He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.
I agree using Cloudflare proxy (or really any VPN) gives the company a lot of power.
But the idea of Cloudflare intercepting all of my traffic doesn't bother me since the alternative is simply another company (Spectrum, or my random friend's wifi, or Starbucks) intercepting all of my traffic by virtue of being my ISP. It's up to you which is the lesser of two evils.
I suppose Cloudflare may have more insight into the data being proxied if they're also managing the SSL certificates at the other end, however.
I can believe that Cloudflare's current leadership are currently more conscientious than, say, Comcast's. But, especially post-IPO, what is that actually worth? I think that, worldwide, it's likely that Cloudflare is already bigger than Comcast. So, unless I'm given evidence to the contrary, I think Comcast is the lesser evil.
I'm consistently amazed at how many people [on HN...] over-estimate the size/scale of Cloudflare.
Comcast is a huge, multi-billion $ operation with global contracts and broadcasting capabilities, and > 184,000 employees globally (that's more than Google, and even MSFT).
That's not to say that we shouldn't be wary of Cloudflare for many other reasons; but that they have more influence over the Internet than one of the world's largest consumer & corporate ISPs is definitely "a take".
According to [0] between 5 and 10% of all websites use Cloudflare. Even using the lower number, I'm pretty sure that neither 5% of websites are hosted by Comcast nor that they serve 5% of internet users. This gives Cloudflare already a much larger potential to monitor/censor than Comcast has. I am not saying that they actively do so, just pointing out that they do have the scale and market share to do so.
What is more, in contrast to said Comcast, they also have the ability to access unencrypted traffic for those 5-10% percent.
How many websites have you visited that are hosted or proxied by Comcast? The fact that Cloudflare is now mediating the connection on both ends is what makes it frightening.
After some googling, it's very unclear how popular their CDN service is. Based on some of their marketing, seems like it might be focussed more on the video delivery side, which would also make sense given that it's Comcast. (If it indeed is an enterprise video delivery service, they may only have a handful of very large customers)
If this is accurate, it seems like Comcast also controls the data end-to-end (being both an ISP and CDN).
If size is your only criteria then you might be right, but look at the company policies on privacy. Cloudflare has some pretty specific customer-oriented privacy policies. Comcast's policies are specifically set up to sell you and your information. That's a meaningful distinction and one with some (not much, but some) legal weight in the US.
Is your legal relationship with Cloudfare the same as with your ISP? Is Cloudfare liable for the same things as the ISP? Genuinely asking, I have no clue, just a vague sense that it's not apples to apples.
Very good point... Cloudflare is probably considered a third party according to the law... so no warrant is needed to get all of your data that is 6 months or older... a bit like your email hosted in the cloud: https://newspunch.com/government-can-read-any-email-over-six...
How would your “better Internet” work when it reaches an ocean? Maybe this doesn’t matter to you, as someone who lives in the US and mostly access websites hosted in the US; but for the majority of the world, getting access to “the Internet” is more about tapping into the millisecond-latency backbone of submarine cables, than it is about last-mile residential ISPs. Those submarine cables form a natural monopoly, there’s no escaping that. They’re utility infrastructure, like country-spanning bridges.
And the usual (optimal?) outcome for ownership of utility infrastructure, is that it gets held as a “public resource” by the government of the country or countries that built it; and then companies are contracted to manage it. From there, you end up with multilateral organizations weaving those pieces of infrastructure together in a top-down way (like shipping routes, or the postal system, or, hopefully one day, low-earth orbit.)
Which is far from an anarchosyndicalist mesh of interested companies, organizations, and individuals (ala the early Internet, or the HAM radio network), but we’ve never seen an ararchosyndicalist mesh successfully serving as a reliable/fault-tolerant backbone for any commercial endeavour so far, and I don’t know if it could.
Submarine cables absolutely are not a monopoly, natural or otherwise. It’s the ocean, it’s pretty fucking big, and lots of companies and countries pay more cable every day.
I'm not sure how being headquartered in 2, 20 or 200 countries is going to make a difference, can you please explain? At most, those would be satellite or region offices, which in the end will report to a central HQ.
I think it's extremely clear that mwcampbell is pointing to being 'headquartered in a single country' as one of the aspects they don't like about a single company having too much power. It's clear they're not advocating more headquarters for companies with too much power, they're advocating more companies each with less power.
Trust with what? Warp is specifically designed to reveal your IP address. This is as anti-privacy VPN as a VPN can be. Which is absolutely not surprising coming from a US corporation.
It's not designed to be anonymous, but it does fully encrypt all traffic coming from your device to the internet, meaning, it's great when you don't want to trust the ISP, public Wifi or even the cell provider with your traffic.
> WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit.
When I look at friends and family, they use their phones for everything because Computer UX failed. And they will switch to whatever public WiFi is available because their expensive yet small mobile data plan.
I can see how some people would benefit from this kind of VPN.
Another commenter on this thread said that there are already VPN services with Wireguard support and easy-to-use apps. Why not recommend those to friends and family?
The history of most of these is terrible. Many actively log / aggregate and in some cases sell your data - are based in non-US jurisdictions so no recourse. There is going to be a reason cloudflare does better - they are more trusted.
Remember, if you're not the customer, you're the product. These days, even if you're the customer, you may still be part of the product for another kind of customer.
sure... but I'd trust Cloudflare over Comcast anyday.
Plus, (1) you can turn on/off WARP at your leisure and (2) they've explicitly committed to limited logging and not selling data which is pretty huge.
I use a small local provider where possible... but the reality is that they have to lease their lines from AT&T anyway. In general, there are very few providers out there that have capability to offer competitive services.
the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols
I don't remember the internet ever being like that.
I remember when you couldn't e-mail someone in another city without going through gateways. When you couldn't visit the majority of major web sites without downloading plug-ins. When you knew the information you wanted was out there, but couldn't get to it because it was behind obtuse, non-searchable infrastructure.
To me, the internet today isn't perfect. But it's a heck of a lot better than its romanticized distant past.
As for WARP, I'll give it a try. I don't fully trust Cloudflare, but I trust it a heck of a lot more than I trust my ISP or my cell phone provider. Long ago, both of those entities burned privacy bridges. Cloudflare hasn't done so. Yet, anyway.
I was on the web since AOL added it to their client
I was online before there was AOL, or a web, and before there was an internet, back when it was dozens of networks, with varying degrees of interconnectivity.
it was never as bad as you're hinting it is.
It was bad. You had to be there. (Think an e-mail from the east coast of the United States taking 10 days to reach Norway. For many destinations, snail mail was faster.)
I'd like to be in a world where if Cloudflare or AWS is down my websites and the sites I enjoy are still up.
But to do that I'd need to have replication not just across data centers but across providers. And it's hard enough getting your team to understand how one provider works. We'd have to go an awful long way toward standardizing and dare I say comodifying these companies to get there.
But as Fortune 500 companies have known for longer than Fortune has existed, if you have two vendors you can play off of each other your life tends to go a lot better. Right now almost none of us have that, and I suspect we are all a little poorer for it.
This is exactly my scepticism. Also, they always happen to be rooted in the US where my data has no rights and come with a general cultural lack of understanding of consumer protections.
This isn't power that good intentions are going to keep straight.
Here's what still bothers me: Cloudflare is a single company with points of presence all over the world, handling traffic for websites all over the world (including some big ones), and now trying to attract consumers worldwide to proxy their traffic through its network. That's a lot of power, and we all know the saying about power and corruption. It doesn't matter how conscientious the leadership are. I'd prefer that the temptation to abuse that power was just not there at all.
My idea of a better Internet is a return to the way the Internet was -- a large number of small providers, communicating with each other over open standard protocols. So, yes, I should switch to something other than Comcast here in my apartment. So far, I've been afraid that doing that would leave me with a truly abysmal quality of service. (I'm in Bellevue, Washington.) But at least I can avoid adding Cloudflare, with its terrifying power, to the mix.
Granted, I mostly use the Internet on a stationary computer with a cable connection at home. About the only thing I do on my phone away from a WiFi connection is request an Uber ride. And I do need that to work reliably. But it is working just fine without Warp. So, maybe Warp is just not for me. Still, for the people that would benefit, I'm afraid of how much more power they're going to be giving Cloudflare when they tap that "on" button.