This post briefly explains what WebRTC is and why you should be aware of the WebRTC leak. It also shows how to fix the problem.
What is WebRTC?
At this time, WebRTC is supported by the following browsers:
- Desktop PC – Google Chrome 23+, Mozilla Firefox 22+, Opera 18+, Microsoft Edge 12+.
- Android – Google Chrome 28+, Mozilla Firefox 24+, Opera Mobile 12+.
- Chrome OS.
- Firefox OS.
What is WebRTC leak?
In January 2015, TorrentFreak reported that users were facing a massive security flaw, as websites can easily see their real and local IP addresses through WebRTC.
More than that, WebRTC can be tricked into revealing your actual IP address, even if you are connected to a VPN! This is called a WebRTC leak.
How to check if you are exposed: WebRTC leak test
Don’t panic! It is simple to detect whether your browser may leak your IP address through WebRTC, and it is also simple to fix the problem.
Go to a site that performs a WebRTC leak test, like IPLeak.net.
- If you are not connected to a VPN and you see your local IP and the visible IP, then WebRTC is enabled and you may be exposed to the WebRTC leak.
- If you are connected to a VPN and you see your regular IP (provided by the ISP), it means that your VPN does not properly handle the leak. If you see the IP of the VPN server, then you are safe.
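The comparison behind the two cases above, as an added example (not code from the original post or from IPLeak.net): it takes ICE candidate lines your own browser produced, sorts the addresses into local and public, and flags any public address that is not your VPN exit. The candidate lines, the `vpnIp` value and all function names are constructed for illustration; browsers that hide host addresses behind mDNS `.local` names are counted separately.

```javascript
// Constructed sample candidates (private and documentation address ranges only).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 3f2a9c1e-0000-4000-8000-aabbccddeeff.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 10.8.0.2 rport 40000',
];

// Parse one ICE candidate line: foundation, component, transport, priority,
// address, port, "typ", type. Returns null for anything else.
function parseCandidate(line) {
  const f = String(line).replace(/^a=/, '').trim().split(/\s+/);
  if (!f[0].startsWith('candidate:') || f.length < 8 || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// True for RFC 1918, loopback and link-local IPv4, and IPv6 ULA / link-local.
function isPrivate(addr) {
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(addr) ||
         /^(f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i.test(addr);
}

// vpnIp (assumption): the exit address your VPN is expected to present.
function leakReport(lines, vpnIp) {
  const local = new Set(), pub = new Set();
  let mdnsHidden = 0;
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    if (c.address.endsWith('.local')) mdnsHidden++;   // host address hidden behind an mDNS name
    else if (isPrivate(c.address)) local.add(c.address);
    else pub.add(c.address);
  }
  const publicIps = [...pub];
  return {
    localIps: [...local],
    publicIps,
    mdnsHidden,
    // A public address other than the VPN exit is the "regular IP" case.
    leak: publicIps.some(ip => ip !== vpnIp),
  };
}

console.log(leakReport(SAMPLE, '198.51.100.20'));
```

With the sample input, the `srflx` candidate carrying 203.0.113.7 is what marks the result as a leak; remove it and only the VPN exit address remains public.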
How to fix it
The simplest way to fix the WebRTC leak is to disable WebRTC in Firefox and Chrome. That way, you do not rely on your VPN to handle the WebRTC leak.
Disable WebRTC in Mozilla Firefox:
In the browser address bar, enter about:config. Next, find media.peerconnection.enabled. Set the value to false and check again!
Further, according to this Reddit thread, there are additional settings you may set:
- media.peerconnection.enabled;false // VPN cannot be bypassed anymore
- media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled
- media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled
- media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled
- media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled
Disable WebRTC in Google Chrome:
To block WebRTC in Google Chrome, you need to install the WebRTC Network Limiter extension.
Disable WebRTC on Android for Chrome users:
In the address bar of the Chrome browser, enter chrome://flags/#disable-webrtc. Set the value to enable.
After you disable WebRTC and reload IPLeak.net, you should see the “No leak” message.
Are there VPN services that offer protection against WebRTC leaks?
Yes, there are. Such VPN providers route the WebRTC STUN requests through their servers. Thus, even though WebRTC is enabled in the browser, the security flaw is handled by the VPN server. Here are several VPN services that I have tested and seem to properly handle the leak:
To sum up, WebRTC is a great tool that enriches web applications, but it carries a security flaw that may expose your real IP address even when you are connected to a VPN. The fix for the WebRTC leak is simple, and you should use it if you are concerned about your online privacy and security. Also, check the list of VPNs that properly handle the leak.
What do you think about the WebRTC leak? Do you disable WebRTC while connected to a VPN? Feel free to share your thoughts in the comments below.