Faster Mobile Internet for FREE - No… Seriously

[RILEYISMYNAME]

Cloudflare has boosted their 1.1.1.1 app with something they call WARP. It's a "VPN" that makes your internet faster, but... maybe not in the way you'd expect.

 

 

Install Cloudflare 1.1.1.1 app:
https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone&hl=en_CA

[NinJake]

Hey, what's your name?

 

DOES ANYONE KNOW OP'S NAME?!

 

(Might have to watch this one...)

[RILEYISMYNAME]

@NinJake IT'S RILEY, HAHA

[Lurick]

13 minutes ago, NinJake said:

Hey, what's your name?

 

DOES ANYONE KNOW OP'S NAME?!

 

(Might have to watch this one...)

I think it's Fred

[NinJake]

5 minutes ago, RILEYISMYNAME said:

@NinJake IT'S RILEY, HAHA

WOW WHO WOULD HAVE THOUGHT!

 

Everyone, OP's name is Riley!! He also looks like that one guy from LMG!

[ImAyaanKhan]

5 hours ago, Lurick said:

I think it's Fred

Nah, it's joe

[kakik09]

The video didn't prove anything on speed/responsiveness and has delivered more explanations rather than proof. I'm not gonna argue against the security benefits, but you should've just replaced "FASTER" with "MORE SECURE" in the title. 

[kblocks]

So I googled this after watching the video, and unfortunately I’m still a little confused. 
 

There’s WARP, and WARP+. Put simply, I guess what I want to know is: What’s the difference? Is WARP plus exactly the same, just faster? No other benefit?

 

Is WARP (not WARP+), totally free (looks like it) and encrypts traffic from my device, like a regular VPN? Cause that’s what I really want from it. Not having IPs masked actually serves me very well so not an issue for me, just want to at least encrypt data on public, guest, or hotel WiFis.

[SkilledRebuilds]

39 minutes ago, kblocks said:

So I googled this after watching the video, and unfortunately I’m still a little confused. 
 

There’s WARP, and WARP+. Put simply, I guess what I want to know is: What’s the difference? Is WARP plus exactly the same, just faster? No other benefit?

 

Is WARP (not WARP+), totally free (looks like it) and encrypts traffic from my device, like a regular VPN? Cause that’s what I really want from it. Not having IPs masked actually serves me very well so not an issue for me, just want to at least encrypt data on public, guest, or hotel WiFis.

Warp ONLY changes DNS to 1.1.1.1

Warp+ does (whatever was stated)

[hui]

Another thing that wasn't mentioned in the video: pricing is not the same all over the world. For example, it is Rs.140/month here in Pakistan, which is under 1 USD. I'm glad that is a thing, since the feature is geared more towards people in developing countries anyway.

[mynameisjuan]

3 hours ago, kakik09 said:

The video didn't prove anything on speed/responsiveness and has delivered more explanations rather than proof. I'm not gonna argue against the security benefits, but you should've just replaced "FASTER" with "MORE SECURE" in the title. 

The way WARP works is by encapsulating TCP inside of UDP which eliminates TCPs biggest weakness, ACK delay. This means packets will sends data without having to wait for an ACK making the response times much less while still providing resiliency. This means something when you have 20-30+ request made on a site. This difference in delay varies based on distance to where you are accessing content and can sway greatly even from site to site.

 

 So yes it isnt "faster" but instead more responsive and was shown vaguely in the video with his Pixel 3s. Responsiveness has more to do with the experience of a fast connection than does raw throughput. 

 

Technically though this extra encapsulation means that in a raw throughput the added overhead would make it slower. 

 

Cloudflares whitepaper on WARP

https://blog.cloudflare.com/warp-technical-challenges/

[BeneCollyridam]

I usually love LTT videos but while watching this I had a few concerns:

• If this is an ad I think it should be stated clearly in the video, which I don't think it was?
• Your connection is already encrypted! (as long as you use HTTPS, which most websites do after let's encrypt). As someone said in a YouTube comment the only thing your ISP can see is the first part of the URL (e.g. "www.lttstore.com")
• UDP does not automatically mean that the connection will be faster as what TDP does is nessecary for a stable connection. You simply have to move the error correcting code to another "layer"
• Wireguard: you should always be sceptic about new programs that have to encrypt your data. It has been shown time and time again that obscurity is not a security measure and therefore you need to rely on tested methods e.g. OpenVPN. I'm not saying that wireguard can't do what it does, but simply that it is a new protocol and therefore more likely to have flaws. See these links for some opinions that aren't mine: https://restoreprivacy.com/wireguard/ or  https://news.ycombinator.com/item?id=16326438
• Cloudflare does not support EDNS - if this is good or bad I don't know. What I know is that some websites are not resolvable with 1.1.1.1 like archive.is
• Finally some concerns have been raised as to how much control we give Cloudflare. If you decide to use this now Cloudflare has this information instead of your ISP. If you trust them more, great. If not... well.

 

 

[AngryBeaver]

A VPN protects against other items though. Like MITM attacks, dns attacks, etc. So the source or your connection isn't a concern. If you are able to establish your VPN connection you can be sure the data between you and that VPN is most likely secure. Now once it comes out the other end that is a different story.  Now you also have DoH (DNS over Https) and DoT (DNS over TLS) as well as a few other similar techniques for encrypting dns information.

 

Personally I have a fast enough connection at home with various items I like access to that I VPN to my home connection and then have it routed out with encrypted DNS or depending on the machine and it's use I might route it through another VPN. I mean VPN's are a perfect solution, but they are another layer of security.

 

I won't even get into cookies and the like which people seem to forget about that allow them to be tracked over their vpn.

[LogicalDrm]

@BeneCollyridam, merged to official video thread. Usually the best place to post video related criticism/questions.

[tech.guru]

There is already free technology inside opera that does something similar. 

No way id be paying for a service when there is may feee alternatives 

[Kroon]

8 hours ago, BeneCollyridam said:

• Your connection is already encrypted! (as long as you use HTTPS, which most websites do after let's encrypt). As someone said in a YouTube comment the only thing your ISP can see is the first part of the URL (e.g. "www.lttstore.com")

 

 

 

HTTPS do not protect you against MITM attacks.  Questiuon is how good Cloudflares protection against MITM are.

[Murasaki]

Who did the thumbnail on this video, the tracing on linus' hand is yikes yo.

[BeneCollyridam]

1 hour ago, Kroon said:

 

HTTPS do not protect you against MITM attacks.  Questiuon is how good Cloudflares protection against MITM are.

If I remember correctly HTTPS does protect against MITM.

It would require:

• Either a CA Authority to be compromised for a MITM to be possible.
• Or the administrator (or someone who has compromised your computer) to leak your keys

Edit: I think this explains it better - https://security.stackexchange.com/a/8309

[Kroon]

9 minutes ago, BeneCollyridam said:

If I remember correctly HTTPS does protect against MITM.

It would require:

• Either a CA Authority to be compromised for a MITM to be possible.
• Or the administrator (or someone who has compromised your computer) to leak your keys

Edit: I think this explains it better - https://security.stackexchange.com/a/8309

 

HTTPS do NOT protect against MITM, it's actually quite easy to go around.  Have been doing practical jokes with coworkers by spoofing sites.

 

All you have to do is register a site that have a similar name using Unicode character that looks the same.  like lttstoгe.com in the browser address field that will look like lttstore.com.  Then you get a legitimate SSL/TLS certification for lttstoгe.com.  Now all you have to do is to redirect lttstore.com to your computer and simply redirect there.  The connection between your computer and target will report as save by the browser and even if you are connected to the wrong host what you see in the adress field is "correct", however if the target click in the padlock and check the certification it will be obvious that something is wrong. 

[BeneCollyridam]

17 minutes ago, Kroon said:

 

HTTPS do NOT protect against MITM, it's actually quite easy to go around.  Have been doing practical jokes with coworkers by spoofing sites.

 

All you have to do is register a site that have a similar name using Unicode character that looks the same.  like lttstoгe.com in the browser address field that will look like lttstore.com.  Then you get a legitimate SSL/TLS certification for lttstoгe.com.  Now all you have to do is to redirect lttstore.com to your computer and simply redirect there.  The connection between your computer and target will report as save by the browser and even if you are connected to the wrong host what you see in the adress field is "correct", however if the target click in the padlock and check the certification it will be obvious that something is wrong. 

Well, that is true.

 

But to say that it does not protect against MITM at all is false. You cannot do simple MITM attacks anymore like you used to with HTTP.

[Kroon]

1 minute ago, BeneCollyridam said:

Well, that is true.

 

But to say that it does not protect against MITM at all is false. You cannot do simple MITM attacks anymore like you used to with HTTP.

 

Problem is that as long DNS are insecure you can always redirect the traffic and make an MITM attack no matter what crypto you are using.  Also worth knowing that law enforcement and even your employer can legally edit the DNS and thereby catch your traffic unencrypted.