This post briefly explains what WebRTC is and why you should be aware of the WebRTC leak. It also shows how to fix the problem.
What is WebRTC?
At this time, WebRTC is supported by the following browsers, and it is enabled by default:
- Desktop PC – Google Chrome 23+, Mozilla Firefox 22+, Opera 18+, Microsoft Edge 12+.
- Android – Google Chrome 28+, Mozilla Firefox 24+, Opera Mobile 12+.
- Chrome OS.
- Firefox OS.
What is WebRTC leak?
In January 2015, TorrentFreak reported that users were facing a massive security flaw because websites could easily see their real and local IP addresses through WebRTC.
More than that, WebRTC can be tricked into revealing your real IP address even if you are connected to a VPN! This is called the WebRTC leak (a.k.a. WebRTC IP leak or WebRTC flaw), and it is seen as a critical security hole.
How to check if you are exposed: WebRTC leak test
Don’t panic! It is simple to detect if your browser may leak your IP address through WebRTC and it is also simple to fix the problem.
Go to a site that performs a WebRTC leak test like IPLeak.net or XMyIP WebRTC test.
- If you are not connected to a VPN and you see both your local IP and your visible IP, then WebRTC is enabled and you may be exposed to the WebRTC leak.
- Are you connected to a VPN? If you see your public IP (provided by the ISP), it means that your VPN does not correctly handle the leak. If you see the IP of the VPN server, then you are safe.
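The two rules above can also be applied programmatically. The following is an added example, not part of the original post: it parses ICE candidate lines (the address entries WebRTC gathers for a connection) and reports whether any public address other than the VPN exit is visible. The sample lines, the VPN exit address 198.51.100.7 and all function names are constructed for illustration.

```javascript
// Constructed sample: candidate lines as seen while connected to a VPN whose
// exit address is 198.51.100.7 (all addresses are from documentation ranges).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
];

// Private, loopback and link-local ranges: local addresses, not routable.
const PRIVATE_V4 = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
const PRIVATE_V6 = /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/i;

// Candidate line layout:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f[6] !== "typ" || f.length < 8) return null;
  return { address: f[4], type: f[7] };
}

function classifyAddress(address) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(address)) return PRIVATE_V4.test(address) ? "local" : "public";
  if (address.includes(":")) return PRIVATE_V6.test(address) ? "local" : "public";
  return "hostname"; // e.g. an mDNS name ending in .local instead of a literal IP
}

// Leak rule from the article: a public address that is not the VPN server's
// address means the real IP is exposed.
function assessLeak(lines, vpnExitIp) {
  const local = new Set(), exposed = new Set();
  let seen = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    seen++;
    if (c.type === "relay") continue; // relay address belongs to the TURN server
    const kind = classifyAddress(c.address);
    if (kind === "local") local.add(c.address);
    if (kind === "public" && c.address !== vpnExitIp) exposed.add(c.address);
  }
  const verdict = seen === 0 ? "webrtc-blocked" : exposed.size ? "leak" : "no-leak";
  return { verdict, local: [...local], exposed: [...exposed] };
}

console.log(assessLeak(SAMPLE_CANDIDATES, "198.51.100.7"));
```

A verdict of "webrtc-blocked" corresponds to a browser where WebRTC has been disabled, so no candidates are produced at all.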
How to fix the WebRTC leak
The simplest way to fix the WebRTC leak is to disable WebRTC in Firefox and Chrome. That way, you do not rely on your VPN to handle the WebRTC leak.
Disable WebRTC in Mozilla Firefox:
In Firefox you may stop WebRTC by changing the browser settings. In the address bar enter about:config. Next, find media.peerconnection.enabled. Set the value to false and check again!
Further, according to this Reddit thread, there are additional settings you may set:
- media.peerconnection.enabled;false // VPN cannot be bypassed anymore
- media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled
- media.peerconnection.use_document_iceservers;false // makes sure WebRTC is disabled
- media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled
- media.peerconnection.identity.timeout;1 // makes sure WebRTC is disabled
Disable WebRTC in Google Chrome:
In Google Chrome, for blocking WebRTC you need to install the WebRTC Network Limiter Chrome extension and select the Disable non-proxied UDP (force proxy) option.
Disable WebRTC in Opera:
In Opera, to implement the WebRTC block you need to install the WebRTC Network Limiter Opera extension and select the Disable non-proxied UDP (force proxy) option. It will prevent the WebRTC IP leaking problem.
Disable WebRTC on Android for Chrome users:
In the Chrome browser's address bar, enter chrome://flags/#disable-webrtc and set the value to enable.
After you disable WebRTC and reload IPLeak.net, you should see the “No leak” message.
Are there VPN services that offer protection against WebRTC leaks?
Yes, there are. Such VPN providers route the WebRTC STUN requests through their servers. Thus, even though the WebRTC is enabled in the browsers, the security flaw is handled by the VPN server. Here are several VPN services that I have tested and seemed to handle the leak properly (including other possible leaks like DNS leak or IPv6 leak):
- ibVPN – According to the latest ibVPN news, it prevents WebRTC leaks for all apps (Windows, Mac OS, Android, iOS) and web browser extensions.
To sum up, WebRTC is a great tool that enriches web applications, but it encapsulates a security flaw that may expose your real IP address even when connected to a VPN. The fix for the WebRTC leak is simple, and you should use it if you are concerned about your online privacy and security. Also, check the list of VPNs that correctly handle the leak.