Cloudflare announced their new VPN product called Warp, which is based on their own implementation of WireGuard. This product seems to fit into their general strategy of wanting to man-in-the-middle (MITM) themselves into most of the traffic on the Internet, like I discussed in a previous post. As I explained there, they did the same thing with IPFS as well.
Knowing their willingness to deplatform people and block content, it would be stupid to trust them with your Internet traffic. The fact that they also refused to work with Jason Donenfeld (at least so far), the creator of WireGuard, seems highly suspicious in light of their history. Here’s what Donenfeld wrote on the WireGuard mailing list:
Each time it came up, I asked them [Cloudflare] if they’d consider working with the WireGuard project itself, and they’ve repeatedly refused. They have insisted on remaining separate and expressed that they don’t want to work as part upstream. I expressed various concerns about unity of community and compatibility of implementations, as well as vision for simplicity and security, but they were pretty adamant about remaining separate. I thought the invitation to put their engineers as the head of a WireGuard subproject was a cool invitation, but alas. That’s a bummer, but that’s how it goes; folks are entitled to do what they wish with software they make. I guess they’ll make products or something and control is important to them; I just hope they don’t fragment or otherwise yank WireGuard in unfortunate directions with their access to vast engineering resources. It remains to be seen how they’ll use it or what their objectives are.
Although Cloudflare mention using WireGuard in their blog post, they didn’t even have the decency to link to the official WireGuard website. You probably shouldn’t go looking for it, you see, they want you to use Cloudflare’s implementation instead. In their blog post about Warp, Cloudflare promises that:
The 184.108.40.206 App with Warp will continue to have all the privacy protections that 220.127.116.11 launched with, including:
1. We don’t write user-identifiable log data to disk;
2. We will never sell your browsing data or use it in any way to target you with advertising data;
3. Don’t need to provide any personal information — not your name, phone number, or email address — in order to use the 18.104.22.168 App with Warp; and
4. We will regularly hire outside auditors to ensure we’re living up to these promises.
The question is, can you trust them? Do you want to take the risk of trusting them? Keep in mind that if you use their Warp VPN product, they will be able to see and inspect all your Internet communications, and will be able to block you from visiting certain websites if they want to. Or perhaps even serve you a completely different version of a website without you realizing it. And yes, this is a possibility for every VPN out there, not just Cloudflare’s Warp. But again, the thing about Cloudflare is that they have already demonstrated to act contrary to their promise to “protect” their users from attacks. They have demonstrated to break promises, just like other corporations such as Facebook.
So instead of being stupid enough to trust Cloudflare, I strongly advise using an official implementation of WireGuard.