Discussion in 'privacy problems' started by mvario, Jan 27, 2015.
dogbite is correct on this. The change blocks your local IP from showing, but not your public IP.
Right. Blocking public IP is what Tor, JonDonym and VPN services are for.
Is this a concern at all if you can do VPN via the router? Some of the comments suggest that it's not, but I wanted to be sure.
If you're connecting to a VPN server from your router (or from anywhere) sites will see only the VPN exit IP address, as long as you have routing and firewall rules to prevent leaks. You also want to use a good DNS server (the VPN's or third-party) with lookups only via the VPN tunnel.
But Zenmate is a VPN isn't it - here's a quote from their home page - "We route your traffic through our free vpn cloud-network of highly secure servers. This means your personal IP address will not be visible and replaced by a generic ZenMate IP address. You’ll be completely anonymous - untraceable, unidentifiable and secure."
In Chrome, Zenmate hides my public IP address in all fields here http://whoer.net/extended except WebRTC, and the changes to Chrome 42 hide the local IP with or without Zenmate turned on.
Zenmate is not a VPN. It is just an extension that routes your traffic through the Zenmate servers. I would never call an extension a full VPN service. And how they can keep it free all the time, with more and more users, is another reason to suspect this extension.
Thanks for the reply - so a service like Cyberghost would be considered a full VPN then and should work? I've noticed Zenmate is now stating in their "FAQs" that their paid desktop client is required to fix the WebRTC leak issue... I guess this is the case for Chrome - Zenmate is working fine with appropriate changes to Firefox.
Just tried Cyberghost VPN - works as it should - WebRTC IP now shows as 'simulated' IP - thanks for the help all.
This goes to show the commonly held belief that Mozilla is on our side regarding privacy is a fallacy. Firefox is just another corporate spyware.
Are you replying to my post?? Firefox provides a switch to turn WebRTC off - Chrome does not - sorry if I was not clear.
I know it does, but it is enabled by default with no warning to the user that their internal network address is available to all and sundry, and the switch lies amongst thousands of other switches. I refer you to inka's post about a similar issue.
I was thinking about this some more and I realized I was a little hasty in condemning Mozilla for this.
Windows is obviously ready to give up its internal and external network IP addresses to any application that asks for it.
I wonder how many other internet-connected applications have been quietly doing this without our knowledge, and for how long, while we thought VPNs were anonymizing our connections.
Mozilla's use of WebRTC with switches to turn it off has let the cat out of the bag.
Edit: Someone said Linux is immune to this; I don't think so. I didn't test it VPN'd, but with default Firefox settings both my internal network IP address and my internet IP address were revealed by the test under both Windows and Linux.
@RockLobster - I think it's more the nature of some kinds of application (principally VoIP) that need to use things like STUN to work through NAT. Applies to Windows, Mac, Linux, whatever.
HOWEVER - this is not what I want a browser to be doing at all, with or without my permission. If you want to offer a voice-enabled application that is also able to render web pages, call it a voice application not a browser.
And the obscurity and lack of consent in enabling the feature is simply disastrous. The promise of browsers was that they were fully sandboxed. This is now a lie.
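The local IP versus public IP distinction discussed in this thread corresponds to the `host` and `srflx` (STUN-derived) candidate types that WebRTC generates. As an added example that is not part of any post here, this Node.js code parses constructed candidate lines and reports which addresses they disclose; the sample addresses, the VPN exit value and all function names are assumptions.

```javascript
// Constructed sample candidate lines (RFC 1918 and RFC 5737 documentation
// addresses, not real hosts), in the format WebRTC places in SDP.
const SAMPLE_CANDIDATES = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "a=candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "a=candidate:3 1 udp 2122194687 10.8.0.6 51235 typ host generation 0",
  "a=candidate:4 1 udp 1686052607 198.51.100.9 51235 typ srflx raddr 10.8.0.6 rport 51235",
];

// True for RFC 1918 private and 169.254/16 link-local IPv4 addresses.
function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Fields: foundation component transport priority address port "typ" type [raddr A rport P]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // not a candidate line
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r !== -1 ? f[r + 1] || null : null };
}

// Collect every address the candidates disclose, split into local and public.
function classifyExposure(lines) {
  const seen = { local: new Set(), public: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    // A srflx candidate carries the STUN-observed address AND, in raddr, the
    // local address it was mapped from, so both fields are checked.
    for (const addr of [c.address, c.related]) {
      if (addr) seen[isPrivateIPv4(addr) ? "local" : "public"].add(addr);
    }
  }
  return { local: [...seen.local], public: [...seen.public] };
}

// Public addresses other than the expected VPN exit are a leak of the real IP.
function publicLeaks(lines, vpnExitIp) {
  return classifyExposure(lines).public.filter((addr) => addr !== vpnExitIp);
}
```

With the constructed sample, treating 198.51.100.9 as the VPN exit, `publicLeaks` returns the one public address that did not go through the tunnel.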
Yes, I agree with you entirely. Sneaking streaming media communications through firewalls by masquerading as HTML traffic should not be condoned or implemented by mainstream web browser developers. It sets a bad precedent and should be labeled malware.
They seem to be playing the old, "let's put a cute smiley face on it and give it a cute friendly-sounding name (hello) and no one will notice the insidious nature of it". That game is getting old.
It seems WebRTC is taking advantage of HTML5 technology, as is WebSockets. I had not realized until now that YouTube no longer requires Flash and is using an HTML5 player which works without any browser plugins. Does this mean we cannot disable web video that is using the HTML5 player? Maybe there is some configuration option in about:config. So far it seems the Flash ads are still disabled by disabling the Flash plugin, but I wonder how long before they catch up and we are swamped with HTML5 player ads.
Apparently HTML5 allows websites to store up to 10 MB of persistent data on your hard drive too, like some kind of mega cookie.
Post #2 of Large scale attack hijacks routers through users' browsers shows how this facilitates real-world attacks that change the DNS server in routers to a malicious DNS server.
Which other browsers notify the user that such a thing is enabled...?
Just a note:
Last time I tried to disable this function in Chrome it could not be turned off at all, as shown in the settings page.
I use the Slimjet browser from www.slimjet.com; they also have a portable version. It's based off Chromium. Just simply go in settings -> security: uncheck enable WebRTC, and problem solved. I dropped Opera for this browser because it has a lot of customisation that I wanted Opera to have.
You cannot disable WebRTC in Chrome. It's a shame, because Chrome with uBlock & uMatrix is the best browser security-wise on any platform.
Really? Read and proceed according to post #37 in this thread to prevent your Chrome leaking the local IP address. I pass any tests I've run with it in Chrome.
Also, uBlock Origin has an option to Prevent WebRTC from leaking local IP address. Though I have not tested if it really works.
Chrome does not block this as effectively as Firefox.
The WebRTC Block extension has just been updated to work with current versions of Chrome/Chromium without the need to modify the Preferences file manually. It worked fine for me with Chromium 45.0 at both the browserleaks and privacytool.io sites.
Thanks for the heads up. I can also confirm that v2 of this extension is working great once again.
Does uBlock work with its setting "Prevent WebRTC from leaking local IP address"?