0

The new 1.1.1.1 Cloudflare iOS app installs as a VPN profile, and when connected the device shows the active VPN icon in the top bar.

My question is, can one tell whether this is actually a VPN (is traffic being encrypted and routed to a Cloudflare server), or is the VPN element just a mechanism to install some settings on the device to change the default DNS resolvers to 1.1.1.1?

I think iOS settings currently only allow you to specify DNS resolvers on individual Wi-Fi networks, not on cellular or for all current and new future networks, so perhaps this VPN profile is a way around that. But does it lead to a false sense of security for some users (seeing the VPN icon, for example)?

Comparing the settings that are visible from iOS Settings -> VPN, for a "real" VPN app I see "Type: IKEv2" along with server and account. On this new Cloudflare one I see type: 1.1.1.1, server but no account - that's the only visible difference in the VPN UI.

My suspicion is that all traffic is still probably unencrypted and open to the ISP to see (if HTTP, for example).

Can anyone confirm my suspicion?

David

1 Answer

2

Cloudflare's 1.1.1.1 is not a VPN provider, it's a DNS resolver service. It doesn't encrypt your traffic. However, it can encrypt your DNS queries.

By using DNS over HTTPS (DoH) you can transparently offer enhanced security to your customers while improving the speed of your devices.

The automatic configuration tool probably configures the DNS servers and adds either DNS over HTTPS or DNS over TLS, both supported by 1.1.1.1. Therefore, it increases security (prevents MitM attacks) and privacy even though it's not a VPN. You can & should use additional methods to force your applications to use encrypted connections.

Esa Jokinen
  • Thanks, I think it's probably an implementation detail that it works via a VPN setting in iOS. But I do wonder how much this could cause people to think they're connected to a VPN, leading to a false sense of security. I certainly like it and will use it, but I already have an actual VPN too. For some users I think they'll assume due to the fact that they install a VPN profile and when connected the "VPN" icon appears that they are more safe than they really are. Granted the ISP isn't seeing their DNS query, but they'll still see any plain text traffic and can MITM those. – David Nov 13 '18 at 17:52
  • I am aware that this issue doesn't magically go away when using a VPN, the VPN provider can MITM and so could the ISP of the VPN provider. But assuming you've done your due diligence on the VPN provider you might be more happy with that than with your ISP or a random Wi-Fi network at the airport or coffee shop. – David Nov 13 '18 at 17:53
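
To make concrete what DNS over HTTPS protects, here is an added example (not part of the original question or answer) that builds a DNS query in wire format and wraps it as an RFC 8484 GET request. Only this small message travels inside HTTPS to the resolver; connections the device later makes to the resolved address are not covered. The endpoint URL and all function names are assumptions for illustration.

```python
import base64
import struct

# Assumption: Cloudflare's public DoH endpoint; it is not mentioned on the page.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query in wire format (RFC 1035); qtype 1 is an A record."""
    # ID 0 (RFC 8484 recommends it for HTTP caching), RD flag set, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes) -> str:
    """Wrap the query as an RFC 8484 GET: base64url with padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={b64}"


def decode_doh_url(url: str) -> bytes:
    """Recover the wire-format query from a DoH GET URL (restores padding)."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def parse_question(query: bytes):
    """Return (name, qtype) from the question section of a query."""
    pos, labels = 12, []  # the fixed DNS header is 12 bytes
    while query[pos]:
        n = query[pos]
        labels.append(query[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", query[pos + 1:pos + 5])
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url(build_query("www.example.com"))  # constructed sample name
    print(url)
    print(parse_question(decode_doh_url(url)))
```

The hostname being looked up is hidden from the local network only while it is inside this request; a later plain HTTP request to that host is still readable on the path.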