An awful lot of our lives seems to be occurring online these days; whether or not that’s a good thing is up to you. But, protecting the part of our lives that’s online seems like the obvious thing to do; we expect a certain level of privacy when sending a letter in the mail, so why should we accept anything less of the internet?
How The Internet Works
The best analogy I can think of to the internet is sending a letter:
- You put the data you want to send in an envelope
- You put the address you want the letter to go to on the envelope
- You send the letter on its way
- The letter is routed to its destination, where it’s then opened and read
The internet doesn’t work too much differently on a basic level:
- The data you want to send is put into a format that can be sent over the internet
- Your computer figures out where you want to send the data
- Your computer sends the data to the right place
- The information is then routed to its destination, where it’s then opened and read
Figuring Out Where To Send The Data
In order to visit a website, you open your favorite web browser, type in a URL, and hit enter. This seems pretty straightforward, until you realize that your computer doesn’t actually know how to reach “google.com”. Instead, your computer needs an IP address before it can make its request. To solve this issue, your computer sends the domain to a DNS (Domain Name System) server which then returns the IP address of the web server. From there, your computer can then send a request to the IP address, and the website you visited loads.
But, there’s a pretty big design flaw: requests and responses to/from a DNS server aren’t encrypted. This means that your ISP, or anyone with access to your network, can at the very least see the websites you’re visiting, and at worst modify the responses (and direct your browser to visit a different website than the one you intended without you or your browser knowing). Not that there’s any reason for your ISP to do this, as your default DNS server(s) are probably theirs in the first place.
Sending The Data
Luckily, this isn’t as much of a problem as figuring out where to send the data in terms of security and privacy. Most websites you’ll be visiting use something called HTTPS, which is probably most commonly recognized via the green (or gray in some cases) padlock icon that appears next to the address bar of your browser. This ensures not only that your session is encrypted, but also that you’re communicating with the correct web server. In the event that you’re not communicating with the correct server, and you’re using HTTPS rather than plain HTTP, your browser will let you know that something is wrong with a big, scary red warning. Of course, this isn’t a guarantee, as there is a small chance someone can steal the HTTPS certificate of the website they’re impersonating. Additionally, HTTPS only verifies that the certificate matches the domain name you visited, not the one you intended; this means that if you’re redirected to a site with the domain “www.apple.com.example.net,” that site can still have a valid HTTPS certificate despite impersonating Apple. However, for the most part, if you typed in the correct URL, you can be sure you’re browsing the website you intended.
DNS over HTTPS
Luckily, a solution to the DNS problem now exists in the form of DNS over HTTPS, also known as DoH. This protocol sends your DNS queries through an HTTPS connection instead of in plaintext over the open internet. This ensures that your DNS queries are not being monitored by a third party and that the DNS response has not been tampered with.
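To make the "design flaw" and the DoH fix concrete, here is an added Python example (not code from the original post) that builds a DNS query in the standard wire format, reads the queried name back out of the raw bytes the way a passive observer of plaintext DNS would, and then wraps that same message in the RFC 8484 DoH GET form. The resolver hostname and the `/dns-query` path are taken from the RFC's examples and are assumptions about where a given resolver serves DoH.

```python
import base64
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (qtype 1 = A).

    RFC 8484 DoH sends exactly this byte string as application/dns-message
    (and recommends transaction ID 0), so DoH changes the transport around
    the message, not the message itself.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        question += bytes([len(encoded)]) + encoded
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def read_qname(message: bytes) -> str:
    """Read the question name back out of a DNS message.

    Over plain UDP/53 these labels travel in cleartext, which is all a passive
    observer (ISP, anyone on the local network) needs to see the site name.
    """
    labels, offset = [], 12  # the question section starts after the 12-byte header
    while message[offset] != 0:
        length = message[offset]
        labels.append(message[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def doh_get_url(resolver: str, query: bytes) -> str:
    """Build the RFC 8484 GET form of a DoH request: the wire message,
    base64url-encoded with padding stripped, in the 'dns' query parameter.
    The '/dns-query' path is the one used in the RFC's examples (assumption:
    the resolver serves DoH there). Inside HTTPS, only the resolver reads it."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(q.hex())                       # the label bytes are readable on the wire
    print(read_qname(q))                 # www.example.com
    print(doh_get_url("cloudflare-dns.com", q))
```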
However, there are still some problems with this approach. For one, you still need to have faith in your DNS provider because they can still see the websites you’re requesting along with information such as your IP address, which can then technically be sold to others. Additionally, your ISP and others on your network can still know which websites you’re visiting by inspecting your web traffic*. Even without knowing the domain you’re actually visiting, anyone on your network can still see the IP address of the website you’re visiting, which may be combined with reverse DNS to figure out which website you’re visiting.
* The ClientHello packet sent when initiating an HTTPS connection includes, in its Server Name Indication (SNI) field, the domain name of the site you want to connect to. This allows multiple HTTPS-enabled websites to be hosted on the same IP address. Without it, the web server would have no way of knowing which certificate to send to establish the HTTPS connection, as the certificate is tied to the site's domain. The process can be better understood in the image below.
It is worth noting that it is now possible to encrypt this data in TLS 1.3 via encrypted SNI, but it does not appear to be enabled by default in the latest version of Google Chrome (as of December 4, 2019). You can check if your browser supports encrypted SNI here.
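The footnote above is easiest to see on actual bytes. The following added Python example (not from the original post) constructs a minimal TLS 1.2 ClientHello record with a server_name extension and then reads the host name back out of it the way a passive observer on your network would; the random field, session ID and cipher suite are constructed placeholders, and the layout follows RFC 5246 and RFC 6066. When the extension is absent, as it appears to such an observer under encrypted SNI, the parser returns None.

```python
import struct
from typing import Optional

SNI_EXTENSION = 0x0000  # extension type "server_name" (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample: zero
    random, one cipher suite) with an optional server_name extension."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_body = struct.pack("!H", len(entry)) + entry         # ServerNameList
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                    # client_version TLS 1.2
        + bytes(32)                                    # random (constructed zeros)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
        + b"\x01\x00"                                  # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name a passive observer reads from a plaintext
    ClientHello, or None when no server_name extension is present (which is
    what an ESNI-protected hello looks like to that same observer)."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None                                    # not a ClientHello record
    pos = 5 + 4 + 2 + 32                               # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                             # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:                          # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == SNI_EXTENSION:
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]  # skip list_len, type
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```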
1.1.1.1 is simply a DNS service by Cloudflare that supports DNS over HTTPS, with the added benefit of being free and promising not to sell your data. Oh, and it’s also faster than most other DNS services.
What About WARP?
I think Cloudflare said it best on their blog post:
From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.
Basically, while WARP will encrypt your web traffic and prevent your ISP from seeing which websites you’re visiting, it won’t do many of the other things people have come to expect from VPNs. Most notably, WARP won’t hide your IP address. This is contrary to most VPN providers, which market their product precisely as a way to mask your IP and get access to geo-restricted content (like Netflix).
That being said, WARP is one of the very few free VPN services out there that you can trust with your data. It will encrypt your traffic, and it will prevent your ISP from monitoring every website you visit.