Sophos Cloud Optix
As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.
That sounds confusing so let’s start by describing the service itself, which can be accessed via a free Android and iOS app called Warp, and a $4.99 per month subscription app called Warp+.
The first, Warp, is a development of the 1.1.1.1 service and mobile apps launched in 2018 as an alternative DNS resolver that headlined on the theme of privacy – i.e. we don’t log the sites you visit.
More recently, the 1.1.1.1 app added support for the emerging encrypted DNS standards, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), which hide the domains people visit from ISPs and anyone else listening in (Mozilla recently integrated this service into Firefox).
Now 1.1.1.1 has become ‘1.1.1.1 with Warp’ by adding the ability to encrypt all traffic from the mobile device and not just DNS queries, hence the similarity to a full VPN.
What does the Warp+ subscription add to this? Despite being limited to one device, the user gets unlimited bandwidth and 30% better performance thanks, Cloudflare says, to Warp+ traffic being routed over its global network in an optimised way.
Note that if you signed up for the Warp waiting list via the 1.1.1.1 app, you also get the chance to try Warp+ free of charge with an initial 10GB of data.
If Warp isn’t a VPN, what is it?
Traditional VPNs route a user’s network traffic to a trusted, internet-connected server, via an encrypted ‘tunnel’. The security benefit of a VPN is that it lets a user send traffic via a provider they trust (the VPN company) while hiding it from others they don’t trust (ISPs, Wi-Fi snoopers and bad actors, which can’t).
The privacy benefit of a VPN is that a user’s traffic appears to originate from the trusted server rather than their own device. The server may be in a different country to the user and some commercial VPNs allow users to choose which country they appear to be browsing from.
This is why VPNs have become a popular way to dodge geographic restrictions placed on streaming content such as Netflix or the BBC.
Warp is different
Warp creates a VPN-like encrypted tunnel between the user and Cloudflare using an open-source protocol called WireGuard, which encapsulates TCP inside UDP.
Once connected, Warp behaves more like an optimised global routing network based on what Cloudflare calls ‘Argo Smart Routing’.
To make this fast, the traffic always enters Cloudflare at the nearest server to the user and exits from the network at a point closest to where the website is hosted.
However, the site is careful not to claim it can spoof or hide IP addresses as a VPN would. Websites visited see the real IP address of the user, which they wouldn’t with a true VPN.
In addition, Warp also excludes traffic to certain “over-the-top content provider websites, as determined by Cloudflare in its sole discretion,” from its network, which presumably refers to services such as Netflix, Hulu or Amazon.
In summary: if you don’t want your ISP to monitor which websites you visit, or want an extra layer of security when using public Wi-Fi, Warp is a simple way to ensure that for most sites – even if HTTPS and browsers such as Firefox and Opera already do much the same job.
What you don’t get is complete anonymity. Some apps can still see what you’re doing, as can websites and Cloudflare itself.
Anything else?
Warp might stop some apps from working (Google’s Play store and mobile data connections to name two), but it does allow apps to be excluded on an individual basis.
Similarly, Cloudflare is still working to get captive portals working when Warp is turned on. Some will work, some won’t.
In these cases, you can temporarily turn the app off.
As for using Warp with a laptop or PC, because Warp uses WireGuard, in principle there should be a way to make it work with these platforms with some fiddling.
Who can you trust?
1.1.1.1 with Warp follows hot on the heels of Firefox’s collaboration with Cloudflare on its experimental Firefox Private Network – a similar sort of VPN-that-isn’t-a-VPN for your desktop web browser.
In at least one important respect, both of these things don’t do something you might expect a VPN to do: 1.1.1.1 with Warp doesn’t hide your IP address and Firefox Private Network doesn’t encrypt all of your network traffic. That’s got some people worried that naive consumers who use them end up with less privacy or security than they’re expecting.
On the other hand, both are aimed at incrementally improving the security of people who aren’t already using a VPN and both position themselves as being like a VPN, rather than a VPN proper.
The common factor in both is CloudFlare. Through these and other projects, the company is now shepherd to a vast amount of our internet traffic, which requires that we place a great deal of trust in it.
Of course choosing not to trust your traffic to CloudFlare just means trusting it to somebody else: another VPN provider, your ISP or your mobile provider, for example.
Interestingly, because Warp+ is purchased through the Google Play store, the user doesn’t hand any personal data to Cloudflare itself.
While I haven’t tried Warp yet, it seems a lot of the comments for the app so that it significantly drains your battery (#1 battery usage for most). And several posters are not happy with basic apps (Google Play for one) not being accessible. I’ll sit this out for awhile.
Google Play is among a small number of apps that have never worked with the 1.1.1.1. app. The solution is either to turn Warp off temporarily using the slider or configure the app to exclude traffic from Play from being routed by Cloudflare (Settings > More Settings > Connection Options > Disable for selected apps > scroll down and tick option beside Google Play Store).
Clarification: the specific problem with Google Play and 1.1.1.1. mentioned above was an inability to install or update apps. It has always been possible to access the Play store itself.
“Similarly, Cloudflare is still working to get captive portals working when Warp is turned on. Some will work, some won’t.”
What do you mean by “captive portals”?
That’s the name for those temporary divert systems that many Wi-Fi services use to redirect your network traffic to an interstitial server (often, they redirect everything at the IP level, so that you’re trapped whether you use an IP number directly or a DNS server name), so that until you agree to some specifific T&Cs you end up stuck on their ‘read this first and agree’ page – what’s known as a ‘captive portal’.
Thanks!
With Warp+ enabled on iOS, I connected via SSH to a Linux box on the Internet. According to WHOIS, the peer IP address was in Cloudflare’s IP space, not my ISP’s (on WiFi) nor my mobile carrier’s. Geographically it seems to be associated with the POP that my client connected to, rather than where connections exit, same as with a classic VPN provider.
This makes sense, since Warp/Warp+ was supposed to be optimized for mobile devices, which can go back and forth between WiFi and cellular pretty frequently. (Example, in parts of NYC where LinkNYC has public access points, walking along an avenue can take you in and out of WiFi every couple of blocks.)
How is this not a VPN?
There is some uncertainty about this issue. As far as I can tell, Warp will only hide your IP address if the site being connected to is OUTSIDE (i.e. not being served by) Cloudflare’s own content delivery/hosting network.
Of course, many other sites ARE Cloudflare customers, in which case the IP address won’t be hidden.
True VPNs, of course, always hide your IP address, serving one from the VPN provider or laundered through an intermediary ISP (that’s how VPNs beat geo-restrictions).
Great in depth article! I wanted to understand Warp+ more and this post was just what I was looking for.
While being connected, I am in fact able to access and download apps from Google Play Store, but then again my device is rooted so not sure if that makes a difference.
Haven’t come across any apps I’m not able to access yet. If you can list some more I’ll try and test.
I have been using Warp on an iPhone 5 for about six months and have seen no drop in battery performance (other than that which Apple have induced) and on only one occasion had any difficulty connecting, but I think that was more a 4G problem than warp. As I don’t actually use a lot of mobile data, subsequently the free version has been good enough for me. Just saying.