Free Republic

WebRTC Leak Vulnerability SOLVED (For all Browsers)
Restore Privacy ^ | September 17, 2018 | Sven Taylor

Posted on 04/01/2019 4:31:27 AM PDT by Texas Fossil

When discussing online privacy and VPNs, the topic of WebRTC leaks and vulnerabilities often comes up.

While the WebRTC issue is often discussed with VPN services, this is in fact a vulnerability with web browsers – Firefox, Opera, Chrome, and Brave.

So what is WebRTC?

WebRTC stands for “Web Real-Time Communication”. This basically allows for voice, video chat, and P2P sharing within the browser (real-time communication) without adding extra browser extensions – further described on Wikipedia here.

While this feature may be useful for some users, it poses a threat to anyone using a VPN and seeking to maintain online anonymity.

WebRTC Vulnerability

The fundamental vulnerability with WebRTC is that your true IP address can be exposed via STUN requests with Firefox, Chrome, Opera and Brave browsers, even when you are using a VPN.

Daniel Roesler exposed this vulnerability in 2015 on his GitHub page, where he stated:

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

Essentially, this means that any site could simply execute a few Javascript commands to obtain your real IP address via your web browser.

Will a VPN protect me against WebRTC leaks?

Answer: maybe.

Just like with browser fingerprinting, the WebRTC issue is a vulnerability with web browsers...

(Excerpt) Read more at restoreprivacy.com ...


TOPICS: Computers/Internet
KEYWORDS: browser; leak; security; vulnerability; webrtc
Recently I upgraded my Debian Linux OS on this 32 bit machine. I hate reinstalls because of the house cleaning involved in saving the data, so I put it off as long as possible.

Simply upgrading from Debian 8 to Debian 9 is not a simple process, so I did the next best thing and upgraded all of what was available for Debian 8.

But when I upgraded the Firefox browser I found a lot of instability that I did not have before. I had no active plugins (I thought).

In my search for a solution to that I stumbled onto a security issue related to WebRTC. What is that? Looks like a programmer's nightmare to me now. It is said to be an improvement allowing java script from one computer to another. But it appears it makes even VPN connections vulnerable to being viewed by a simple java attack.

So I followed the instructions on this page and it seems to have fixed my recent crash issue. I edited the about:config in Firefox and disabled WebRTC. It is a little early to be sure, but I've been planning to add VPN to my connection when I get moved to the farm in the near future. If VPN is not secure because of WebRTC, we should at least know about it.

Any opinions of the merit of this type of software?

1 posted on 04/01/2019 4:31:27 AM PDT by Texas Fossil
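
An added example, not part of the article or of any poster's comment: a self-check for the leak the excerpt describes. It audits ICE candidate lines taken from your own browser's WebRTC diagnostics while the VPN is up and flags any address that is not the VPN exit. The function names, the sample lines and the VPN exit address are constructed for illustration.

```javascript
// Added example (not from the article). Candidate line layout per RFC 8839:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const raddr = /\braddr (\S+)/.exec(m[3]);
  return { address: m[1], type: m[2], relatedAddress: raddr ? raddr[1] : null };
}

// RFC 1918, loopback and link-local IPv4; unique-local and link-local IPv6.
function isPrivate(addr) {
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(addr) ||
    /^(f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i.test(addr) || addr === "::1";
}

function classify(addr, vpnExitIp) {
  if (addr.endsWith(".local")) return "masked-mdns";          // browser hid the host address
  if (addr === "0.0.0.0" || addr === "::") return "masked";   // placeholder related address
  if (isPrivate(addr)) return "local-address-exposed";        // LAN address visible to scripts
  return addr === vpnExitIp ? "vpn-exit" : "public-address-leak";
}

// Returns one finding per distinct address seen in the candidate lines.
function auditCandidates(lines, vpnExitIp) {
  const findings = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    for (const addr of [c.address, c.relatedAddress]) {
      if (addr && !findings.has(addr)) {
        findings.set(addr, { address: addr, type: c.type, verdict: classify(addr, vpnExitIp) });
      }
    }
  }
  return [...findings.values()];
}

// Constructed sample (documentation address ranges), not captured traffic.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 6c1e4b0a-0d3c-4f5e-9a77-2b1c8e9f0a11.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1685987071 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0",
];
const report = auditCandidates(SAMPLE, "198.51.100.7"); // assumed VPN exit address
console.log(report);
```

A `public-address-leak` verdict on a `srflx` candidate is the case the article warns about: the STUN server saw an address other than the VPN exit. With WebRTC disabled in the browser, no candidate lines are produced at all.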

To: Texas Fossil

Thanks. For later.


2 posted on 04/01/2019 4:43:09 AM PDT by lysie

To: lysie

Thank you.


3 posted on 04/01/2019 4:54:03 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Lazamataz

Do you have an opinion about WebRTC security issues?


4 posted on 04/01/2019 4:58:19 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Texas Fossil
This has wider implications. Teleconferencing software like Cisco Webex (which companies like mine use all the time) uses WebRTC internally.
5 posted on 04/01/2019 5:03:15 AM PDT by PapaBear3625 ("Those who can make you believe absurdities, can make you commit atrocities." -- Voltaire)

To: PapaBear3625

How do you handle the STUN queries?


6 posted on 04/01/2019 5:04:27 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Texas Fossil
Google Duo (video chat for Android) also uses WebRTC.
7 posted on 04/01/2019 5:23:44 AM PDT by PapaBear3625 ("Those who can make you believe absurdities, can make you commit atrocities." -- Voltaire)

To: Texas Fossil

Use the M.O.O.S.E interface


8 posted on 04/01/2019 5:24:51 AM PDT by PapaBear3625 ("Those who can make you believe absurdities, can make you commit atrocities." -- Voltaire)

To: Texas Fossil

https://www.palemoon.org/technical.shtml

(...)

“WebRTC. Apart from opening up a whole can of worms security/privacy-wise, “Web Real Time Chat” (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.”

(...)


9 posted on 04/01/2019 5:40:58 AM PDT by Moltke (Reasoning with a liberal is like watering a rock in the hope to grow a building.)

To: Texas Fossil

Sending data on the internet is STILL like shouting it from the street corner... so be careful.


10 posted on 04/01/2019 5:55:57 AM PDT by Mr. K (No consequence of repealing Obamacare is worse than Obamacare itself.)

To: Texas Fossil; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ...
Web Browser Security/Privacy Issue ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

11 posted on 04/01/2019 6:06:07 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: ShadowAce; Swordmaker; ThunderSleeps

*PING* to your respective lists.


12 posted on 04/01/2019 6:06:57 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: dayglored

I stopped using Windows long ago.

Still have 2 Windows machines in my house.

I keep one of them for referencing things my wife checked on it.

Security in general is better using Linux, but some changes are going on with Firefox and security in general that affect both Windows and Linux systems. Get error message of “wrong user name or password”. When I go to Internet Explorer under the Windows machine it logs in fine.

I have found my old email provider will no longer work under Firefox under Windows or Linux.

The login handshake has changed. Have not fixed that yet.


13 posted on 04/01/2019 6:13:17 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: PapaBear3625

Thank you.


14 posted on 04/01/2019 6:13:46 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; Ernest_at_the_Beach; martin_fierro; ...

15 posted on 04/01/2019 6:15:33 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: Moltke

I will have to make some changes on my Debian 8 machine to install Palemoon. I looked at it. It suggested an actual upgrade to Debian 9, which has some issues that will have to be manually worked around. Right now don’t have the time for a long project.

Thanks, I will not forget “Palemoon”. I’m taking my security more seriously lately and plan to add VPN soon.


16 posted on 04/01/2019 6:16:23 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: Mr. K

Yes, sir. I’m aware and totally sure you are correct.


17 posted on 04/01/2019 6:17:20 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: 109ACS; AbolishCSEU; aimhigh; bajabaja; Bikkuri; Bobalu; Bookwoman; Bullish; Carpe Cerevisi; ...
Keep those browsers up to date! - ANDROID PING!

Android Ping!
If you want on or off the Android Ping List, Freepmail me.

18 posted on 04/01/2019 6:20:40 AM PDT by ThunderSleeps ( Be ready!)

To: Texas Fossil
Windows security has improved a lot over the last decade, but it started so far behind, and had so many bad guys attacking it, it took time to catch up to Linux and MacOS. These days, IMO, they're all roughly equal, and as a result security is mainly about your browsing and email-reading habits, whether you're on Windows, Linux, or MacOS. Mistakes like clicking on bad links, or entering credentials into spoofed websites, can happen on any platform.

The vulnerability you posted in this thread is a good example of how platform-independent applications carry potential problems everywhere.

With regard to Windows, I have multiple Win7 instances, of which all but one are VMs; the exception is a dual-boot (BootCamp) on my Mac. They're for running Windows-only applications -- I don't use them for internet access other than updates. My internet work is done primarily on MacOS and Linux (CentOS and Ubuntu), but that's mostly because a lot of my real work is done at an SSH xterm, which are properly integrated into those platforms; none of the third-party bolt-on xterm/SSH solutions for Windows are nearly as handy for my work.

19 posted on 04/01/2019 7:05:16 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: Texas Fossil; ShadowAce
Thanks, I will not forget “Palemoon”. I’m taking my security more seriously lately and plan to add VPN soon.

I've been using Palemoon for a few years now. Never looked back when Mozilla went to the dark side. But while we're on the subject of VPN, can anyone suggest a good one because with the heightened sense of security going around now I'll be looking for now one.

20 posted on 04/01/2019 7:05:29 AM PDT by ducttape45 ("Righteousness exalteth a nation; but sin is a reproach to any people." Proverbs 14:34)