WebRTC Leaking

Discussion in 'privacy problems' started by TerryWood, Dec 19, 2018.

  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi All

    Need some clarification from our experts please.

    I am using Win 10 x64 Chrome Browser with WebRTC addon enabled. I also use SetUP free VPN.

    The addon blocks leaking of my IP when enabled and using the VPN. When the addon is disabled my IP is shown. So in essence the extension works.

    When I am NOT using a VPN, the addon, when ENABLED states you are protected, BUT when I run a leak test it shows my IP and a lot of other information.

    Does WebRTC blocking only occur with VPNs?

    Or should the extension block IP information when I am not using a VPN?

    Thanks for your help.

    Terry
     
  2. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I'm not an expert, but
    No
    This

    Do you use uBlock Origin? It has a WebRTC blocker built in. Try enabling it. It is disabled by default (it's on the first page in the settings, all the way down).
    If you are using ScriptBlock, it also has a WebRTC blocker built in. I don't know if this one is enabled or disabled by default.

    Just to clarify, which IP do you mean? Your private IP (like 192.168.178.*) or your public IP?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    In order to communicate with some remote device, it must know where to send stuff. That is, it needs an IP address through which your device can be reached. So when you're connecting directly through your ISP, that's the IP address that it's assigned to you.

    When you're connecting through a VPN or Tor, the remote device (ideally) just knows the exit IP address. And the VPN or Tor circuit knows how to get stuff back to you.

    OK, so what does WebRTC do? Well, its job is making sure that you're connected with some peer in the best possible way. And in order to do that, it needs to discover all of the network interfaces available on your device, and test their connectivity.

    Using VPNs or Tor, there's the possibility that WebRTC will find leaks, and discover your ISP-assigned IP address. But if you're already just using that ISP-assigned IP address, it doesn't need to discover it. Because, you know, you're actually using it. So blocking WebRTC won't do any good.

    Make sense?
     
    Last edited: Dec 19, 2018
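
Added example, not part of any post in this thread: a small parser for the ICE candidate lines that WebRTC gathers, comparing them with the address the site already sees on the connection, which is the distinction drawn in the post above and in the private-versus-public question before it. The sample lines, the `connectionIp` parameter and all function names are constructed for illustration.

```javascript
// Constructed sample ICE candidate lines (RFC 8839 syntax). Addresses come from
// private and documentation ranges; they are illustrative, not captured data.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.178.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.178.23 rport 54321",
  "candidate:3 1 udp 2122194687 10.8.0.2 54322 typ host",
  "candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321",
];

// Rough scope of an address, as a leak-test page would label it.
function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns";            // obfuscated host candidate
  if (a.includes(":")) {                              // IPv6
    if (a === "::1") return "loopback";
    if (/^f[cd]/.test(a)) return "private";           // fc00::/7 unique local
    if (/^fe[89ab]/.test(a)) return "link-local";     // fe80::/10
    return "public";
  }
  const o = a.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "invalid";
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
      (o[0] === 192 && o[1] === 168)) return "private"; // RFC 1918
  if (o[0] === 169 && o[1] === 254) return "link-local";
  if (o[0] === 127) return "loopback";
  return "public";
}

// One candidate line: foundation component transport priority address port "typ" type ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4], type: f[7], scope: addressScope(f[4]) };
}

// Compare what ICE gathered with the source address the site already sees on the
// connection (connectionIp). Relay candidates carry the TURN server's address,
// not the client's, so they are skipped.
function exposureReport(lines, connectionIp) {
  const own = lines.map(parseCandidate).filter((c) => c && c.type !== "relay");
  const uniq = (scope) => [...new Set(own.filter((c) => c.scope === scope).map((c) => c.address))];
  const extraPublic = uniq("public").filter((ip) => ip !== connectionIp);
  return { internal: uniq("private"), extraPublic, leak: extraPublic.length > 0 };
}

console.log(exposureReport(SAMPLE, "203.0.113.45"));  // direct ISP connection
console.log(exposureReport(SAMPLE, "198.51.100.20")); // site sees a VPN exit instead
```

With the direct connection the only public address gathered is the one the site already has, so nothing new is reported; with the VPN exit as the connection address, the same candidates count as a leak.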
  4. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Are you sure that SHOULD be done at the browser level and not before it at the TCP stack?
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    It's browser level stuff but it uses low level gimmicks (like STUN, TURN and ICE) to bypass NAT (which in turn can lead to problems like the real IP leaks etc.) and is controlled with JavaScript.

    Meant for browser-to-browser video conferencing and that kind of s*it...

    After WebRTC 1.0 the W3C folks want to extend the idea
    https://www.w3.org/community/ortc/
    http://draft.ortc.org/

    Object RTC (ORTC) API for WebRTC....
    That sounds almost like DCOM from Windows world .... hope not.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm sayin' nothin' 'bout "should". I always disable WebRTC, just on general principles.
     
  7. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Mirimir

    Thanks for answering my question without too much jargon, and yes it does make sense. A very clear explanation.

    Thank you

    Terry
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    What principle, exactly? That it can be used to reveal your internal IP address?

    I've got bad news for you 1) Disabling it makes you just as unique, since next to no one disables it. 2) Everyone will have a unique IP address with IPv6, just as the internet was intended.
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Yes, it is true that you can check if someone has WebRTC disabled and in that way do browser fingerprinting, but about the IPv6 ... well, not necessarily, because device owners could have several throwaway IPv6 addresses. For example, if you have a /64 block you will have tons of IPv6 addresses to choose from. Your ISP could give you less, but practically a /64 block is the recommended minimum because below that things start to break.

    So in IPv4 world we have many-to-one mapping (NAT) while in IPv6 world we have one-to-many mapping (no NAT) which could be equally good as long as you don't use the same address often.

    And many operators still (like mine...*sigh*) don't offer IPv6 addresses for their clients....


    EDIT:
    AFAIK, at least Windows should have support for temporary IPv6 addresses ... that is, source addresses that are used only once (or a few times) when, for example, surfing the net.

    However, temporary addresses do not exclude a static IPv6 address, though. You could have, for example, one static that is never (or rarely) used and several temporary ones.

    Discussion about various possible ways to add privacy for IPv6:
    https://tools.ietf.org/html/rfc7721#page-8

    EDIT2:

    Table of various addresses generation methods and what they protect against
    https://tools.ietf.org/html/rfc7721#page-9

    EDIT3:
    Confirmed, Windows has temporary IPv6 address generation but it only re-generates them at each reboot....
    http://computer-outlines.over-blog.com/article-windows-ipv6-privacy-addresses-118018020.html

    EDIT4:
    And for Linux
    https://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
    and here (little newer info)
    https://home.regit.org/2011/04/ipv6-privacy/comment-page-1/
     
    Last edited: Dec 20, 2018
  10. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    1: I don't think so. People start to use more and more privacy extensions and many browsers have it disabled. (Practically all Firefox and Chromium forks, I think) Also I think that suggesting to keep something activated or unblocked that makes you unique in order to prevent becoming unique as well, is not only tautological, it also results in creating a mindset in the people that they should just not care about it - yet if everyone would just block or deactivate all the things that make them unique, everyone would be mostly identical. Things like Canvas fingerprinting and all the useless hardware APIs like battery. They will be defeated if everyone blocks their things.

    2: You can still have IPv6 disabled without any issues. I don't think this will end in the near future decades. IPv4 will always be needed and you can put all the unimportant devices, like IoT, in IPv6, leaving enough space for enthusiasts to be stealthy. I mean we already have things like VPN servers that only have one IP but ten or a hundred computers behind. I don't see the issue of "addresses running out" in the real world. OK, I'm also not a network guy, but still.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Ditto

    At some point in the future it might become necessary to enable IPv6, but not now, for me at least. In Linux you can completely and surely remove IPv6 capabilities during boot of the machine, which is what I do. No mistakes can be made by mistake when it happens automatically during mount.

    This is exactly why many thousands of us use Tor Browser in default mode. We all look the same!
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Wilders doesn't represent the ~2 billion people on the internet, sorry.

    For now.

    You look the same as whom, exactly? The other few thousand people using the Tor browser? Not even a blip on the browser market. If you want to blend in, you mask as the most popular browser. Disabling a bunch of features is counter to that.

    1) Show me 1 consumer ISP that gives the user more than 1 address

    2) You've completely missed the point. The number of addresses has nothing to do with it. The point is that the majority of people will not be using any form of NAT for IPv6, making each of the devices on your internal network have a unique public IP. WebRTC does the same thing by exposing your internal IP.

    Your internal IP can change according to DHCP needs and is NOT a good metric to use for tracking, specifically because it can be given to a completely different person. Thus, worrying about WebRTC is pointless.
     
  13. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    How do you target an individual with 10,000 identities?
    Again you are recommending using a normal, even the most common, browser without tweaks to be the most stealthy option. I don't think you know much about the possibilities of fingerprinting, otherwise you wouldn't say that. Because you are perfectly unique, and tracked by the browser itself, when just using Chrome. (Chrome is the most popular. But that's true for Firefox too.)
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    With as much compartmentalization as I do, I don't care much about tracking for any given persona.

    For now, I just block IPv6 completely. If IPv6 becomes essential, I'll use VPN services that provide their own IPv6 addresses. It wouldn't be hard to push a new IPv6 address every 10 minutes or whatever.
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Same here, but I bet it will be quite a few years until I NEED to have IPv6 enabled.

    In addition to the questions/comments higher in this thread regarding TBB: I agree with the > 10,000.00 identities all being the same. But in addition I am also sitting in a VM which is chained to two or more VPNs before TBB. It would take a dedicated 3 letter agency to tackle that, but since I am not doing anything to draw that attention I am hoping to be left alone. Regular fingerprinting abuses from companies and others are never going to grab my stuff and make sense of anything. My belief anyway.
     