45

About two months ago I decided to use a VPN all the time (it's launched at startup) for various reasons, privacy being the first one. But recently I realized that if you agree to share your location when an HTML5 geolocation prompt pops up in Firefox, they can still get your location pretty accurately (about 3 km away), even though my VPN IP address locates me in another country.

Since I'm on a fixed computer without wifi, how can they know my location?

user
  • 152
  • 9
drov
  • 451
  • 4
  • 3
  • 7
    HTML5 geolocation uses a GPS chip, which doesn't need internet at all. – dandavis Jul 23 '16 at 14:06
  • 30
    @dandavis "A fixed computer without wifi" is probably a desktop PC. Since when do desktops come with GPS? – Damian Yerrick Jul 23 '16 at 15:07
  • 5
    IMO the only sane way to use a VPN is confining the programs you want to use the VPN to a VM and using a second VM as gateway that tunnels all traffic through the VPN. – CodesInChaos Jul 23 '16 at 16:51
  • If your location was based on your external IP, they would not need your permission for that. – njzk2 Jul 25 '16 at 03:04
  • 4
    A VPN only hides your IP address from sites you access, not from other programs on your computer. (Like your browser.) – Ajedi32 Jul 25 '16 at 13:18
  • You're likely leaking WebRTC, which can be used to discover your location even when behind a VPN. https://www.browserleaks.com/webrtc – SnakeDoc Jul 25 '16 at 16:08
  • This just proves that the security rule *if you do not understand it, you cannot protect yourself from it* is still valid. A VPN only hides your source IP and is not a magic silver bullet against any possible spying system... – Serge Ballesta May 02 '17 at 15:00

4 Answers

46

I just checked this with my VPN in http://html5demos.com/geo

Although I VPN through Germany, it still shows my nearby location in London.

If you read https://www.mozilla.org/en-US/firefox/geolocation/ , you will see:

> If you consent, Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location.

As @Aria noted, Google Location Services uses their collection of WiFi APs to try to pinpoint your location. I assume they have a global list of AP SSIDs through the Google Street View project as well as their Android devices.

edit:

FYI, here is the captured request that is being sent to Google. A full list of nearby APs. You might want to launch a proxy and check for yourself.


Also, the fact that you are on a computer without WiFi doesn't mean that nearby APs aren't stored somewhere within your computer (cache, registry, logged-in Google/Firefox profiles, etc.).

Iraklis
  • 651
  • 4
  • 7
  • What's the proxy you're using? I know of fiddler, and this one isn't it. – John Dvorak Jul 23 '16 at 14:24
  • 2
    Without WiFi card? How? – pri Jul 23 '16 at 16:00
  • 10
    @PriyankGupta: My WiFi router uses the same MAC address for both wired and wireless connections. Maybe Firefox/Google is using the MAC address of the local gateway to identify networks? This, of course, assumes the OP is connected via wire to a router that is also broadcasting a wireless network. – poke Jul 23 '16 at 16:58
  • @JanDvorak Burp. (https://portswigger.net/burp/proxy.html) – Iraklis Jul 23 '16 at 20:57
20

A VPN masks your IP address. But the HTML5 geolocation API isn't based on your IP address. It is a JavaScript API which can be used to ask the web browser directly where it thinks it is located according to whatever information is available to it (system locale settings, nearby wifi networks, GPS sensors, IP address of the network interfaces as you see them with ipconfig / ifconfig, etc.).

If you would like to protect your privacy, configure your web browser to either ask you for permission before giving websites your location or disable the geolocation API altogether. How to do that depends on your web browser.

Philipp
  • 48,867
  • 8
  • 127
  • 157
  • I'm pretty sure it's HTML5, not JavaScript. – Hashim Aziz Aug 29 '17 at 01:14
  • 2
    @Hashim The majority of new browser features which are commonly marketed as "HTML5" are actually new JavaScript APIs. [Geolocation](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation/Using_geolocation) is among them. It adds a new JavaScript object but no new HTML nodes, attributes or syntax enhancements. – Philipp Aug 29 '17 at 08:41
  • Ah, fair enough. – Hashim Aziz Aug 29 '17 at 09:15
12

Try disabling HTML5 geolocation if you don't use it. In Firefox, set geo.enabled to false in about:config.

There have been bugs, and there will be again, example 1 and example 2.

Jedi
  • 3,906
  • 2
  • 24
  • 42
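
A way to check the `geo.enabled` setting from the answer above on disk, added here as an example and not part of the original answer. It assumes the contents of the profile's `prefs.js` and `user.js` are passed in as text; the function names are hypothetical and the sample file contents are constructed.

```python
import re

# One preference line as Firefox writes it in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)          # lines starting with // never match
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def geolocation_status(prefs_js="", user_js=""):
    """Report whether the Geolocation API is exposed to pages in this profile."""
    sources = [("prefs.js", parse_prefs(prefs_js)),
               ("user.js", parse_prefs(user_js))]
    enabled, decided_by = True, "default"    # geo.enabled defaults to true
    for label, prefs in sources:             # user.js is read last and overrides prefs.js
        if "geo.enabled" in prefs:
            enabled = prefs["geo.enabled"] is not False
            decided_by = label
    return {"api_enabled": enabled, "decided_by": decided_by}

# Constructed sample contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("geo.enabled", true);
'''
SAMPLE_USER_JS = '''// user_pref("geo.enabled", true);   commented out, ignored
user_pref("geo.enabled", false);
'''

if __name__ == "__main__":
    print(geolocation_status(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

With `api_enabled` false, pages cannot call the Geolocation API at all, whichever network path the browser's traffic takes.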
-6

Your VPN does not route all traffic through the vpn interface - in particular, the encapsulated vpn traffic itself necessarily travels via your normal internet connection - otherwise it could not reach your other vpn endpoint. This may allow to determine your "official" IP (which would be the external IP of your access router in the typical case of a NATted LAN), for example by querying a service like http://whatsmyip.de/ (bypassing a proxy if applicable) or even directly some geolocation service.

Hagen von Eitzen
  • 1,098
  • 8
  • 19
  • 1
    A VPN connection in the OP's case is a point-to-point connection between your system and a VPN gateway. The only traffic anyone on the way will see (including the infrastructure of your ISP) is encrypted traffic between your host and that VPN entry point. If you are correctly routed, **all** operational traffic (including browsing) goes through this tunnel. "*this may allow to determine your official IP*" - who is "this"? – WoJ Jul 24 '16 at 11:32
  • "this" would maybe be Firefox, circumventing the proxy/VPN settings because the user asked it to share the user's true location. – Nobody Jul 24 '16 at 11:37
  • Your ISP obviously knows your IP address, and being your ISP most likely your billing address and so on. However, the only message that the ISP receives from my device is completely encrypted and addressed to the VPN server. The worst the ISP can do is not pass that message on, which breaks your internet access. If it passes the encrypted message to the VPN server, it cannot modify that message. So the ISP cannot possibly any information that would allow anyone to find out who I am. Obviously if your browser determines your machine location locally, then it can pass it on. – gnasher729 Jul 24 '16 at 22:58