WebRTC killing Tor, VPN, IP Masking, Privacy
6:33:00 PM
Update (July-30-2015): The Google Chrome team is trying to fix this issue. Not really! With the release of the WebRTC Network Limiter extension, the Google dev team is now having a jab at the issue itself, trying, just like Rentamob's Chrome extension, to fix the IP leaking problem without disabling WebRTC completely. According to Google devs, "once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic," which are "typically the same addresses that are already provided to sites in browser HTTP requests." Rentamob's extension was likewise developed to fix the issue without disabling WebRTC completely, but according to TorrentFreak it caused some WebRTC functions, like VoIP, not to work correctly. Unfortunately, just like the Rentamob add-on, the WebRTC Network Limiter has its own downsides: by limiting "potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality." Google does not reveal publicly, nor accept, that they are the people who have 100s of STUN servers globally to keep track of the real IP addresses of connections that come through VPN or Tor networks.
Update (Feb-26-2015): A few readers on Reddit asked what Tor has to do with this bug, since the Tor bundled browser is a highly stripped-down browser built with privacy and security in mind and could not be affected by it. In fact, many Tor users are unaware that the Tor browser is NOT the Firefox browser, and they end up treating it like Firefox, using all sorts of add-ons on it. What's more important is that the real discussion is NOT just about the Tor browser: Tor as a service used through another browser like Chrome [Video] still doesn't give you the privacy you expect Tor to offer. So all I say is, guys, let's look at this problem and find a way to fix it rather than get into discussions that don't lead us anywhere.
A recently discovered security flaw explained by TorrentFreak allows remote sites to take advantage of WebRTC (Web Real Time Communication, a feature built into most browsers) to reveal a user's true IP address, even if they're connected to a VPN. Most sites aren't taking advantage of the flaw yet, but considering services like Hulu, Spotify, Netflix, and others are taking steps to identify and lock out VPN users, it's not a stretch to assume they'll start.
[Image: WebRTC STUN vs Tor, VPN, Proxy | UnhappyGhost - Ethical Hacker - Security Expert - India]
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
How to see if your VPN is affected:
- Log in to your VPN, choose an exit server in another country (or use whichever exit server you prefer) and verify you're connected.
- Go back to What Is My IP Address and check your IP address again. You should see a new address, one that corresponds with your VPN and the country you selected.
- Visit Roseler's WebRTC test page and note the IP address displayed on the page.
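The comparison behind this check, as an added example that is not part of the original post: it parses the ICE candidate lines a browser's WebRTC stack produces and lists every address in them that differs from the VPN exit IP a site already sees over HTTP. The function names, the sample candidate lines and all addresses are constructed for illustration.

```javascript
// Added example. All addresses are constructed (RFC 5737 / RFC 1918 ranges).
// ICE candidate grammar (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port>
//           typ <type> [raddr <address> rport <port>]
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport \d+)?/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4].toLowerCase(), relatedAddress: m[5] || null };
}

// RFC 1918, link-local and loopback IPv4, plus IPv6 ULA / link-local / loopback.
function isPrivate(ip) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|127\.)/.test(ip) ||
         /^(f[cd][0-9a-f]{2}:|fe80:|::1$)/i.test(ip);
}

// Every address the candidates expose that is not the VPN exit IP the site
// already sees over HTTP. vpnExitIp is supplied by the person running the test.
function findLeaks(candidateLines, vpnExitIp) {
  const findings = new Map();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;                                  // not a candidate line
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === vpnExitIp || /^(0\.0\.0\.0|::)$/.test(addr)) continue;
      if (addr.toLowerCase().endsWith('.local')) continue; // mDNS-masked host
      if (findings.has(addr)) continue;                // report each address once
      findings.set(addr, { address: addr, via: c.type,
                           kind: isPrivate(addr) ? 'local' : 'public' });
    }
  }
  return [...findings.values()];
}

const SAMPLE = [ // constructed candidate lines
  'candidate:1 1 udp 2122260223 192.168.1.23 51472 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.24 51472 typ srflx raddr 192.168.1.23 rport 51472',
  'candidate:3 1 udp 1686052351 203.0.113.50 40110 typ srflx raddr 10.8.0.2 rport 40110',
  'candidate:4 1 udp 2122194687 3f2a9c1e-7b4d-4e5f-9a10-2c6d8e0f1b23.local 51473 typ host',
];
console.log(findLeaks(SAMPLE, '203.0.113.50'));
```

A `public` finding reached via a `srflx` candidate is the address a STUN server saw outside the tunnel; an empty result means the candidates expose nothing beyond the VPN exit IP.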
What is the Solution?
The Easy Way: Disable WebRTC In Your Browser
The Better Way: Configure Your VPN on Your Router