Websites can use WebRTC to determine your local IP address

Discussion in 'privacy problems' started by mvario, Jan 27, 2015.

  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,948
    Really..?
    Could you please share those bugs, stability and vulnerabilities, please?
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Well, as to vulnerabilities, you can find them by simple googling, or even in this forum many vulns were reported in the last year. Also, I experienced some non-serious bugs on Ubuntu from 9.04 to 12.04.
    But as to stability, my experience was not bad. But this thread is about WebRTC.
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Stability and bug issues in distros are widely reported. I can break Linux Mint by accident in 3-4 minutes of doing what any normal computer user would do, and it then requires sudo CLI fixes to get it working properly again. I've installed various distros over the years, and inevitably have to spend as much, possibly more, time fixing them for relatives than I do with Windows 8x. Also, for 2014, Linux overall had more vulnerabilities than Windows. Linux fanboys can't keep their heads buried in the sand forever. But overall, the battle is over in terms of desktops - Windows is the winner, and 10 will solidify that lead by bridging the gap between Win7 and Win 8, while also providing a free upgrade path for everyone.

    Again, all of this data is out there - the 2014 vulnerability reports are widely available. Let's get back to WebRTC.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,080
    Yes they are, especially when you consider the only thing we really need a browser to do is send a GET request for the website data and then display that data in a presentable form so we can look at it. We have all been railroaded into believing it is necessary to also send data back "to improve our browsing experience". It has become ludicrous.
    They have had it all their own way, the tech corporates keep churning out more and more "improvements" and we keep accepting them, these improvements are not improvements for us, they are improvements for them so they can bombard us with advertising and collect data on us.
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,080
    You can, you can make a dual boot system and boot Windows for gaming and boot Linux for everything else, or you could do like me if you have a laptop that has a slide-out hard drive caddy: remove the screws that hold the hard drive caddy in permanently, get some more hard drives, then you can switch hard drives like changing hats. I have several operating systems, each on its own hard drive, in its own caddy ready to slide straight in.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    We've seen HD corruptions with dual boot systems, so we avoid them. I recommend VirtualBox/VM with Linux in it, then simply switch as needed. Containing all browsing in the VB/VM under Linux would add a nice security layer for you.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,863

    That's my strategy!!
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,373
    Location:
    UK
    Ditto - as well as the guest isolation, there are good uses for snapshots and reversion. You can update, take a snapshot, and only browse in VM sessions that revert.

    If you need to "dual boot" for any reason, these days it's normally better to use the BIOS boot option to select a USB stick boot. With a pendrive, this can also be used in an update-and-save, or browse and revert with care.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    As I've mentioned, one of my machines has an SSD toaster, so I can quickly switch among multiple projects, which remain entirely independent. The machine gets Internet via nested chains of VPNs and Tor, running on my main VM host.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,171
    Location:
    Southern Rocky Mountains USA
    From WebRTC to multibooting, the request to keep this thread on topic is going nowhere. Multibooting certainly deserves a thread or two of its own but I'll put a few words in here.

    Almost every computer I own dual or triple boots and I have no data corruption issues but I've been doing this for years and know what I'm doing. These days I keep a lot of isolation between systems. Going from one OS to another is like going through a space warp into another universe and there is shared data but the OSes know nothing about each other. There is no boot menu, each OS boots itself when set active and can't boot any other system on the disk.

    I haven't had Linux and Windows on the same machine for years. When I experimented with this, I learned quickly not to let Linux modify the MBR and that dealt quickly with most of the issues I was having.

    I also use VMs but a lot of the time I prefer the power of a full machine. I tend to have specific purposes for VMs like using a specific VPN or vetting software, and the snapshots are much more convenient than restoring an image. I agree that using VMs is preferable to multibooting for most purposes if you want different OSes on the same machine. Especially if they are vastly different like Windows and Linux.
     
  11. Clodo

    Clodo Registered Member

    Joined:
    Apr 14, 2015
    Posts:
    1
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    With the stable release of Chrome 42 today, WebRTC can block the IP leak from https://diafygi.github.io/webrtc-ips/ now.

    However, you have to manually make changes according to this post: https://www.wilderssecurity.com/thre...ck-no-longer-works.373191/page-3#post-2465806

    Particularly, adding the following code:

    Code:
       "webrtc": {
          "multiple_routes_enabled": false
       }
    to the following file:

    Code:
    C:\Users\{user-profile}\AppData\Local\Google\Chrome\User Data\Default\Preferences
    However, ensure that you follow this 100%: https://code.google.com/p/chromium/issues/detail?id=333752#c67

    Paying close attention to this part:

    A simple On/Off button would have been too easy.
    Cheers! :thumb:
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,194
    Location:
    EU
    Thanks. Just a kinda obvious reminder: if you have more than one profile, you need to do it for each one.
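
Added example (not part of any post in this thread, and not Chrome's own tooling): a Python script for the edit described in the two posts above, setting `webrtc.multiple_routes_enabled` to false in the `Preferences` file of every profile. The function names and the sample profile tree are constructed for illustration; it assumes the browser is closed while it runs.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path

def set_single_route(prefs) -> bool:
    """Set webrtc.multiple_routes_enabled to False; return True if prefs changed."""
    if not isinstance(prefs, dict) or not isinstance(prefs.setdefault("webrtc", {}), dict):
        raise ValueError("unexpected Preferences structure")
    if prefs["webrtc"].get("multiple_routes_enabled") is False:
        return False
    prefs["webrtc"]["multiple_routes_enabled"] = False  # other webrtc keys are kept
    return True

def harden_profile(pref_file: Path) -> str:
    """Patch one Preferences file; returns 'changed', 'ok' or 'skipped: <reason>'."""
    try:
        prefs = json.loads(pref_file.read_text(encoding="utf-8"))
        if not set_single_route(prefs):
            return "ok"
    except (OSError, ValueError) as exc:  # unreadable or corrupt file: leave untouched
        return f"skipped: {exc}"
    # Keep a backup, then replace atomically so a crash cannot leave half a file.
    shutil.copy2(pref_file, pref_file.with_name(pref_file.name + ".bak"))
    tmp = pref_file.with_name(pref_file.name + ".tmp")
    tmp.write_text(json.dumps(prefs), encoding="utf-8")
    os.replace(tmp, pref_file)
    return "changed"

def harden_all_profiles(user_data: Path) -> dict:
    """Apply the setting to every profile directory under the 'User Data' folder."""
    return {p.parent.name: harden_profile(p)
            for p in sorted(user_data.glob("*/Preferences"))}

def demo() -> dict:
    """Constructed sample tree: one unpatched, one already patched, one corrupt."""
    root = Path(tempfile.mkdtemp())
    samples = {"Default": '{"browser": {"x": 1}}',
               "Profile 1": '{"webrtc": {"multiple_routes_enabled": false}}',
               "Profile 2": '{"truncated": '}
    for name, text in samples.items():
        (root / name).mkdir()
        (root / name / "Preferences").write_text(text, encoding="utf-8")
    return harden_all_profiles(root)

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the `User Data` directory (the parent of `Default` in the path quoted above) to `harden_all_profiles`.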
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,871
    There's also no leak using pfSense VPN-gateway VMs ;)
     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,204
    Thank you!
    I agree that a browser interface should have been built for this. But it was not too hard to edit that file :)
     
  16. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    425
    Yes, we are being railroaded.
    Whatever prefs you find, I assure you that you CANNOT disable webRTC in the current version of firefox.
    Don't take my word for it. Lookup the bugzilla bug: "disabling webRTC breaks Mozilla Hello"

    Mozilla is up to, what, five separate prefs a user needs to know/find/disable in order to suppress experiments.
    ("experiments"? Yeah, check your about:config ...and go read about how, on a whim, mozilla devs can silently mess with your "experience")

    Leaking my local (LAN) IP address isn't high among my list of worries, but the incessant introduction of unwanted browser "features" is.
    Also, FWIW, TorBrowser (as of v4.02) is "off the rails" -- they're including an "automagic updater" and are shipping the browser with 130+ privacy-unfriendly (IMO) default preferences.
     
    Last edited: Apr 15, 2015
  17. NWOAbschaum

    NWOAbschaum Registered Member

    Joined:
    Feb 9, 2014
    Posts:
    222
    Location:
    Germany
    Glad I use a VPN with firewall rules that block WebRTC leaks.
     
  18. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Tested again and you are incorrect, setting media.peerconnection.enabled to false still is effective at disabling WebRTC.

    Of course it breaks Firefox Hello, Firefox Hello is a WebRTC communication service. If WebRTC is disabled then of course Firefox Hello isn't going to work since you have disabled its underlying protocol.
     
  19. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    425
    Thanks for the correction. I misspoke about which pref has recently been removed.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1091016
    "The preference network.websocket.enabled, true by default, has been removed; Websocket API cannot be deactivated anymore"

    Rationale for the removal of the pref was that users are "breaking Mozilla Hello" by electing network.websocket.disabled=false

    websockets <-- webRTC <-- Mozilla Hello

    We can no longer disable access to the firefox websockets API.
    Numerous services may utilize websockets (not just Mozilla Hello).
    We do still have feelgood prefs (in media.* prefs branch and peerconnection.* branch) to toggle off webRTC and/or Mozilla Hello.

    When user prefs were surreptitiously changed during the recent auto-upgrade, and Mozilla Hello got reactivated...
    https://www.mozilla.org/en-US/firefox/36.0.4/releasenotes/
    "Known Issues:
    For users who removed the Share & Hello buttons, this new version brings them back unexpectedly (1136300)"
    ...ah, that was just an accident. Yeah, riiiiiiiight.

    The presence/absence of those displayed buttons doesn't necessarily reflect the status of the underlying prefs, but my point stands.
    Incremental unexpected / unwanted "features" being shoved down our collective gullet.
    We're being sold down the pike.
     
  20. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    238
    That Chrome extension does not do anything; IP addresses still show on the demo site with it installed.
     
  21. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    I wonder if there's anything being done about this webRTC in chromium... I much prefer chromium to firefox, but I'm not going to use it without fixing this first.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,171
    Location:
    Southern Rocky Mountains USA
    Try Chromium browsers other than Chrome. The Chromium-based Opera passes a STUN server test even with JavaScript enabled. I haven't tested any others.
     
  23. tlu

    tlu Guest

    Are you using Tor or a VPN? If not, see posts #2 and #3 of this thread.
     
  24. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    345
    Location:
    Canada
  25. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,194
    Location:
    EU
    Zenmate will not hide your IP from webRTC, even if you have made your changes in Chrome 42.
    You need a VPN to hide it.
     