13

What is WebRTC and what is it intended to be used for?

According to this Browser Leaks Test for WebRTC and IP Leaks, I am currently leaking IP information for IP addresses that I do not believe anybody on the internet needs to know, ever.

I installed a plugin for Google Chrome (WebRTC Block) which apparently disables WebRTC - the Browser Leaks page reports that WebRTC is disabled but the IP Leaks link still lists IPv4 IP addresses in the 192.168.x range.

How can I protect myself against WebRTC leaking information that doesn't need to be shared? Is it possible to keep WebRTC enabled for the purposes it was designed for without revealing IP information?

kalina
  • 3,354
  • 5
  • 20
  • 36
  • Useful reading here: https://www.privateinternetaccess.com/forum/discussion/8204/how-to-stop-webrtc-local-ip-address-leaks-on-google-chrome-and-mozilla-firefox-while-using-private-i – AlexH Feb 20 '15 at 12:04
  • Knowing where internet request is coming and going can be a good way for you to reduce your risk. I use `netstat -tlpn` and a few bash scripts to make sure I am not attacked by MiTM. – pensebien Dec 03 '17 at 07:45

1 Answers1

7

WebRTC stands for Web Real Time Communication. It's used for most web related voice, video, or file sharing capabilities. Specifically instances of communication where you are directly connecting to your peer through your browser. Some examples could be web-games that let you play tic-tac-toe with a friend. Sharing files directly through a browser to another peer. Most browsers have native support for WebRTC except for Internet Explorer and Safari. It uses encryption for all its communications, but as you've found there's a huge vulnerability.

It seems that Windows and FreeBSD are the vulnerable operating systems. I'm currently running a Debian based distro, and it does not seem to be vulnerable based on the two links you've provided.

It does not appear that you can only block the leaked IP vulnerability and use WebRTC for its intended use.

Mitigations

I'm not sure which plugin you've installed to disable WebRTC. This article states that both WebRTC Block and ScriptSafe extensions for Chrome will stop the vulnerability. For Chrome make sure that all Chrome processes have been closed after you've installed the extension. Sometimes the Chrome sandboxes aren't properly closed when the browser window is. This will ensure the new extension has taken effect properly.

For FireFox the NoScript add-on should block the request. You can also disable some settings with the following steps:

  1. Type about:config in the address bar
  2. Find the setting media.peerconnection.enabled and set it to false
  3. Find the setting media.navigator.enabled and set it to false

I would not suggest using Internet Explorer as a mitigation... a leaked IP would probably be the least of your worries. Switching OSs is an option, but probably a tedious one.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
RoraΖ
  • 12,317
  • 4
  • 51
  • 83
  • 1
    "Switching OSs is an option, but probably a tedious one." - WebRTC works on all OS (with the right browser), so this won't help. – rugk Jul 21 '16 at 08:08
  • 1
    "It does not appear that you can only block the leaked IP vulnerability and use WebRTC for its intended use." Of course not, because WebRTC is based on using your local IP for example for a direct connection if possible. – rugk Jul 21 '16 at 08:08
  • 1
    "I'm currently running a Debian based distro, and it does not seem to be vulnerable based on the two links you've provided." As said above that's wrong. WebRTC is platform-independent (which is one advantage of it). It all depends on the browser (version) you use. – rugk Jul 21 '16 at 08:09
  • 1
    I edited this to include `media.navigator.enabled`, since you missed that. :P – Mark Buffalo Dec 02 '17 at 22:49