8

Introduction to Cloudflare WARP

I’ve been looking at Cloudflare's WARP app for mobile. It claims to be a VPN but without some of the IP hiding anonymity features normal VPNs have: “Under the covers, WARP acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable WARP, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized”.

It also claims that it will encrypt all internet connected apps on your phone: “This doesn't just apply to your web browser but to all apps running on your phone. Any unencrypted connections are encrypted automatically and by default. WARP respects end-to-end encryption and doesn’t require you to install a root certificate or give Cloudflare any way to see any encrypted Internet traffic we wouldn’t have otherwise.”

Aside from the privacy implications it also claims to be faster in some areas, however I’m only really interested from a privacy / security perspective.

Question

My question is, what does using Cloudflare WARP offer over using a standard HTTPS enabled site (with HTTPS everywhere) alongside DNS over HTTPS or TLS (DoH or DoT) to say, access content on a public coffee shop WiFi where people could spy on your browsing activity. Or even your ISP on your own private network.

Is there much point using WARP if an HTTPS enabled site with DNS over HTTPS or TLS encrypts both your DNS lookups and website content already?

I use DNS over TLS via Cloudflare for my Android phone via Android 9’s built-in private DNS setting and for Firefox using DNS over HTTPS, again via Cloudflare.

From a security / privacy perspective, the only benefit I can see to using WARP over normal HTTPS + DNS over HTTPS / TLS, is if you don’t browse content on a web browser and use mobile apps where an HTTPS connection might not be present. According to this, it’s not easy to verify. As mentioned earlier WARP supposedly encrypts everything on your phone, which would be beneficial in this situation.

But as for DNS over HTTPS / TLS I can’t see any benefit to using WARP.

Maybe someone could provide insight into this. Am I any more secure and private using Cloudflare WARP from public WiFi snoopers or even my ISP, than just ensuring my apps and websites use HTTPS and ensuring my phone or browser's built-in DNS over HTTPS / TLS is active?

I'm well aware that using WARP is not a substitute for a VPN.

Thanks.

SneakyShrike

1 Answer

18

It looks like Cloudflare WARP uses the WireGuard VPN as the underlying technology to tunnel the traffic between the client and Cloudflare's own servers. This means that everything on this way will be encrypted.

This includes not only DNS and HTTPS content which would also be protected by DNS over HTTPS and by HTTPS. But this also includes HTTPS-level metadata like the target server name (SNI) and IP-level metadata like target IP address. And of course everything not using HTTPS will be encrypted too, but that wasn't your point.

The encryption of this HTTPS-level and IP-level metadata means less visibility into what you are doing for the owner of the Hotspot and your ISP. All they can see is that you connect to Cloudflare and that you are using their VPN. Without the VPN they could still see which sites you were connecting to by analyzing the SNI information in the TLS handshake and/or the target IP address of the connection.

> I'm well aware that using WARP is not a substitute for a VPN.

If your goal is primarily to protect yourself from sniffing by your ISP or the owner of a WiFi Hotspot then Cloudflare WARP is a substitute for other VPNs. In fact it is a VPN in the classical use case, i.e. to provide protection from sniffing and manipulation when using potentially insecure communication lines. It does not address the additional use cases other VPNs offer, like bypassing geo-restrictions of services or providing more privacy by hiding your source IP address.

Steffen Ullrich
  • 1
    Thanks for your answer, I didn't realise there was other data that could be exposed and not encrypted by HTTPS or DNS over HTTPS / TLS. I suppose the other question would be, can we trust Cloudflare? But that's a different conversation altogether. – SneakyShrike Sep 21 '20 at 20:47