What is WebRTC and How to Protect Yourself from WebRTC Leak?

This post briefly explains what WebRTC is and why you should be aware of the WebRTC leak. It also shows how to fix the problem.

What is WebRTC?

WebRTC (Web Real-Time Communication) provides RTC (Real-Time Communications) capabilities to browsers and mobile applications. Basically, WebRTC uses JavaScript to enable peer-to-peer audio, video, and data sharing in web applications that run in the browser without any external plugins.

At this time, WebRTC is supported by the following browsers:

  • Desktop PC – Google Chrome 23+, Mozilla Firefox 22+, Opera 18+, Microsoft Edge 12+.
  • Android – Google Chrome 28+, Mozilla Firefox 24+, Opera Mobile 12+.
  • Chrome OS.
  • Firefox OS.

What is WebRTC leak?

In January 2015, TorrentFreak reported that users were facing a massive security flaw as websites can easily see their real and local IP-addresses through WebRTC.

More than that, WebRTC can be tricked into revealing your actual IP address, even if you are connected to a VPN! This is called a WebRTC leak.

If you are interested in more technical details, here is how WebRTC may reveal your IP address. WebRTC relies on JavaScript, and a website can insert some JavaScript code to send a UDP packet to a STUN (Session Traversal Utilities for NAT) server. That server simply sends back a packet containing the IP address from which the request originated. This is simple to implement as Firefox provides a default STUN server that can also be used with Google Chrome.

How to check if you are exposed

Don’t panic! It is simple to detect if your browser may leak your IP address through WebRTC and it is also simple to fix the problem.

Go to a site that performs a WebRTC leak test like IPLeak.net.

  • If you are not connected to a VPN and you see your local IP and the visible IP, then WebRTC is enabled and you may be exposed to the WebRTC leak.
  • If you are connected to a VPN and you see your regular IP (provided by the ISP), it means that your VPN does not properly handle the leak. If you see the IP of the VPN server, then you are safe.
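
The same check can be done by hand on the ICE candidate lines your own browser gathered (for instance as listed in Firefox's about:webrtc or Chrome's chrome://webrtc-internals). The script below is an added example, not part of the original post: it classifies each candidate address and flags any public address that is not your VPN exit IP. The function names, the sample lines, and the documentation-range addresses are constructed for illustration.

```javascript
// Added example: classify WebRTC ICE candidate lines to spot an address leak.
// Candidate layout (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4], port: Number(f[5]), type: f[7] };
}

function classify(addr) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated host name, not an IP
  if (/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)/.test(addr)) return "private";
  if (/^(f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i.test(addr)) return "private"; // ULA, link-local
  return "public";
}

// vpnExitIp (assumption): the address a leak-test site shows while the VPN is up.
function assessLeak(lines, vpnExitIp) {
  const report = { local: [], leakedPublic: [], viaVpn: false, ignored: 0 };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.ignored += 1; continue; } // not a candidate line
    const kind = classify(c.address);
    if (kind === "private") report.local.push(c.address);
    else if (kind === "public" && c.address === vpnExitIp) report.viaVpn = true;
    else if (kind === "public") report.leakedPublic.push(c.address);
  }
  report.leak = report.leakedPublic.length > 0; // a public IP other than the VPN exit
  return report;
}

// Constructed sample lines (documentation address ranges, not real hosts).
const LEAKY = [
  "candidate:1 1 udp 2122260223 192.168.1.10 51000 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-0b7d-4c55-9a41-6d2e8f1b7c90.local 51001 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 51000 typ srflx raddr 192.168.1.10 rport 51000",
];
const SAFE = [
  "a=candidate:1 1 udp 2122260223 10.8.0.2 40000 typ host",
  "a=candidate:2 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
];

console.log(assessLeak(LEAKY, "198.51.100.20"));
console.log(assessLeak(SAFE, "198.51.100.20"));
```

A non-empty `local` list corresponds to the first bullet (WebRTC is enabled and shows your local IP); `leak: true` corresponds to the second (your ISP address is visible despite the VPN).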


How to fix it

The simplest way to fix the WebRTC leak is to disable WebRTC in Firefox and Chrome. That way, you do not rely on your VPN to handle the WebRTC leak.

Disable WebRTC in Mozilla Firefox:

In the browser address bar enter: about:config. Next, find media.peerconnection.enabled. Set the value to false and check again!

Further, according to this Reddit thread there are additional settings you may set:

  • media.peerconnection.enabled;false // VPN cannot be bypassed anymore
  • media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled
  • media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled
  • media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled
  • media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled

Disable WebRTC in Google Chrome:

To block WebRTC in Google Chrome, you need to install the WebRTC Network Limiter plugin.

Disable WebRTC on Android for Chrome users:

In the Chrome browser address bar, enter: chrome://flags/#disable-webrtc. Set the value to enable.

After you disable WebRTC and reload IPLeak.net you should see the “No leak” message.


Are there VPN services that offer protection against WebRTC leaks?

Yes, there are. Such VPN providers route the WebRTC STUN requests through their servers. Thus, even though WebRTC is enabled in the browser, the security flaw is handled by the VPN server. Here are several VPN services that I have tested and seem to properly handle the leak:

Conclusion

To sum up, WebRTC is a great tool that enriches web applications but it encapsulates a security flaw that may expose your real IP address even when connected to a VPN. The fix for the WebRTC leak is simple and you should use it if you are concerned about your online privacy and security. Also, check the list of VPNs that properly handle the leak.

What do you think about WebRTC leak? Do you disable WebRTC while connected to VPN? Feel free to share your thoughts in the comments below.
