Websites can use WebRTC to determine your local IP address

Discussion in 'privacy problems' started by mvario, Jan 27, 2015.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    dogbite is correct on this. The change blocks your local IP from showing, but not your public IP.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Right. Blocking public IP is what Tor, JonDonym and VPN services are for.
     
  3. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    554
    Location:
    USA
    Is this a concern at all if you can do VPN via the router? Some of the comments suggest that it's not, but I wanted to be sure.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    If you're connecting to a VPN server from your router (or from anywhere) sites will see only the VPN exit IP address, as long as you have routing and firewall rules to prevent leaks. You also want to use a good DNS server (the VPN's or third-party) with lookups only via the VPN tunnel.
     
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    345
    Location:
    Canada
    But Zenmate is a VPN isn't it - here's a quote from their home page - "We route your traffic through our free vpn cloud-network of highly secure servers. This means your personal IP address will not be visible and replaced by a generic ZenMate IP address. You’ll be completely anonymous - untraceable, unidentifiable and secure."

    in chrome Zenmate hides my public IP address in all fields here http://whoer.net/extended except WebRTC and the changes to chrome 42 hides local IP with or without Zenmate turned on
     
  6. NWOAbschaum

    NWOAbschaum Registered Member

    Joined:
    Feb 9, 2014
    Posts:
    222
    Location:
    Germany
    Zenmate is not a VPN. It is just an extension that routes your traffic through the Zenmate servers. I would never call an extension a full VPN service. And how they can keep it free all the time with more and more users is another reason to suspect this extension.
     
  7. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    345
    Location:
    Canada
    thanks for the reply - so a service like cyberghost would be considered a full VPN then and should work? i've noticed Zenmate is now stating in their "Faqs" that their paid desktop client is required to fix the WebRTC leak issue... i guess this is the case for chrome - Zenmate is working fine with appropriate changes to firefox.
     
  8. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    345
    Location:
    Canada
    just tried Cyberghost VPN - works as it should - WebRTC IP now shows as 'simulated' IP - thanks for the help all
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    This goes to show the commonly held belief that mozilla is on our side regarding privacy is a fallacy. Firefox is just another corporate spyware.
     
  10. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    345
    Location:
    Canada
    are you replying to my post?? firefox provides a switch to turn webRTC off - chrome does not - sorry if i was not clear
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    I know it does but it is enabled by default with no warning to the user that their internal network address is available to all and sundry and the switch lies amongst thousands of other switches, I refer you to inka's post about a similar issue.
     
  12. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    I was thinking about this some more and I realized I was a little hasty in condemning Mozilla for this.
    Windows is obviously ready to give up its internal and external network ip addresses to any application that asks for it.
    I wonder how many other internet-connected applications have been quietly doing this without our knowledge, and for how long, while we thought VPNs were anonymizing our connections.
    Mozilla's use of webrtc with switches to turn it off has let the cat out of the bag.
    Edit: Someone said Linux is immune to this, I don't think so. I didn't test it vpn'd but with default Firefox settings both my internal network IP address and my internet IP address were revealed by the test under both Windows and Linux.
     
    Last edited: May 5, 2015
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,376
    Location:
    UK
    @RockLobster - I think it's more the nature of some kinds of application (principally voip), that need to use things like STUN to work through NAT. Applies to Windows, Mac, Linux, whatever.

    HOWEVER - this is not what I want a browser to be doing at all, with or without my permission. If you want to offer a voice-enabled application that is also able to render web pages, call it a voice application not a browser.

    And the obscurity and lack of consent in enabling the feature is simply disastrous. The promise of browsers was that they were fully sandboxed. This is now a lie.
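
Added example, not part of any post in this thread: the discussion separates the local address (hidden by the Chrome change and the blocking extensions) from the public address (which a VPN or Tor has to cover). The script below classifies ICE candidate lines, such as those a WebRTC test page displays, by which kind of address each one exposes; the candidate lines and function names are constructed for illustration.

```javascript
// Constructed sample ICE candidate lines (203.0.113.0/24 is a documentation range).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122260223 3f2a1c9e-6b7d-4e21-9a10-5c0d8e7f1a2b.local 54322 typ host",
  "candidate:4 1 udp 2122262783 fe80::1c2d:3eff:fe4f:5a6b 54323 typ host",
];

// Parse one candidate line: foundation, component, transport, priority, address, port, type.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const rel = /\braddr (\S+)/.exec(m[8]); // srflx/relay candidates may carry the base address
  return { address: m[5], port: Number(m[6]), type: m[7], relatedAddress: rel ? rel[1] : null };
}

// Decide what an address string reveals: an mDNS alias, a LAN-side address, or a public one.
function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // browser-generated alias, no IP disclosed
  if (a.includes(":")) {
    // IPv6 loopback, link-local fe80::/10 and unique-local fc00::/7 stay on the local side.
    if (a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a)) return "private";
    return "public";
  }
  const o = a.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 0) return "unknown"; // 0.0.0.0 placeholder used when the base address is withheld
  if (o[0] === 10 || o[0] === 127 || (o[0] === 169 && o[1] === 254)) return "private";
  if ((o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168)) return "private";
  return "public";
}

// Summarise a set of candidate lines: which local and public addresses they disclose.
function auditCandidates(lines) {
  const report = { localIps: [], publicIps: [], obfuscated: 0, unparsed: 0 };
  const add = (list, ip) => { if (!list.includes(ip)) list.push(ip); };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.unparsed++; continue; }
    for (const addr of [c.address, c.relatedAddress].filter(Boolean)) {
      const scope = addressScope(addr);
      if (scope === "mdns") report.obfuscated++;
      else if (scope === "private") add(report.localIps, addr);
      else if (scope === "public") add(report.publicIps, addr);
    }
  }
  return report;
}
console.log(auditCandidates(SAMPLE_CANDIDATES));
```

An empty `localIps` with a non-empty `publicIps` matches the behaviour described in the first post; with a working VPN, `publicIps` should list only the VPN exit address.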
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    Yes, I agree with you entirely. Sneaking streaming media communications through firewalls by masquerading as HTML traffic should not be condoned or implemented by mainstream web browser developers. It sets a bad precedent and should be labeled malware.
    They seem to be playing the old, "let's put a cute smiley face on it and give it a cute friendly-sounding name (hello) and no one will notice the insidious nature of it". That game is getting old.
     
    Last edited: May 6, 2015
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    It seems WebRTC is taking advantage of HTML5 technology, as is WebSockets. I had not realized until now that YouTube no longer requires Flash and is using an HTML5 player which works without any browser plugins. Does this mean we cannot disable web video that is using the HTML5 player? Maybe there is some configuration option in about:config. So far it seems the Flash ads are still disabled by disabling the Flash plugin, but I wonder how long before they catch up and we are swamped with HTML5 player ads.
    Apparently HTML5 allows websites to store up to 10mb of persistent data on your hard drive too, like some kind of mega cookie.
     
    Last edited: May 8, 2015
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,948
    Which other browsers notify the user that such a thing is enabled...?

    Just a note:
    Last time I tried to disable this function in Chrome it could not be turned off at all, as shown in the settings page.
     
  18. PRUHDG

    PRUHDG Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    77
    I use the Slimjet browser from www.slimjet.com. They also have a portable version. It's based off Chromium; just simply go in Settings -> Security, uncheck "enable WebRTC", and problem solved. I dropped Opera for this browser because it has a lot of customisation that I wanted Opera to have.
     
  19. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,448
    You cannot disable WebRTC in Chrome. It's a shame because Chrome with uBlock & uMatrix is the best browser security-wise on any platform.
     
  20. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,204
    Really? Read and proceed according to post #37 in this thread to prevent your Chrome leaking the local IP address. I pass any tests I've run with it in Chrome.

    Also, uBlock Origin has an option to "Prevent WebRTC from leaking local IP address". Though I have not tested if it really works.
     
  21. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,948
    chrome does not block this as effectively as firefox.
     
  22. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    289
    Location:
    USA
    The WebRTC Block extension has just been updated to work with current versions of Chrome/Chromium without the need to modify the Preferences file manually. It worked fine for me with Chromium 45.0 at both the browserleaks and privacytool.io sites.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Thanks for the heads up. I can also confirm that v2 of this extension is working great once again.
     
  24. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    764
    Does uBlock work with its setting "Prevent WebRTC from leaking local IP address"?
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,031
    Location:
    USA
    Yes
     