WebRTC killing Tor, VPN, IP Masking, Privacy

6:33:00 PM

Update (July-30-2015): Google Chrome team tries to fix this issue. Not really! With the release of the WebRTC Network Limiter extension, the Google dev team itself is now having a jab at the issue, trying, just like Rentamob's chrome extension , to fix the IP leaking problem without disabling WebRTC completely. According to Google devs, "once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic," which are "typically the same addresses that are already provided to sites in browser HTTP requests." With the extension developed by Rentamob to fix the issue without disabling WebRTC completely, but according to TorrentFreak, this caused some WebRTC functions like VoIP not to work correctly. Unfortunately, just like the Rentamob add-on, the WebRTC Network Limiter also has its own downsides, more accurately, by limiting "potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality." Google, doesn't reveal it public nor accept that they are the people who have 100s of STUN servers globally to keep track of real IP address for the connections that come through VPN or TOR networks.

Update (Feb-26-2015): Few readers on Reddit raised questions about, what does TOR have to do with this bug as, the Tor bundled browser, is a very highly stripped down browser keeping privacy and security in mind and could not be affected by this bug, but in fact many TOR users are unaware that the Tor browser is NOT Firefox browser and they end up treating it like Firefox using all sorts of add-ons on it. But whats more important is that the real discussion is NOT just about the Tor browser, but Tor as a service being used through another browser like Chrome [Video] still doesn't give you the expected privacy what TOR has to offer. So, all I say is guys, lets look at this problem and find a way to fix it than get into discussions which doesn't lead us anywhere. 

A recently discovered security flaw explained by TorrentFreak allows remote sites to take advantage of WebRTC (Web Real Time Communication, a feature built in to most browsers) to reveal a user's true IP address, even if they're connected to a VPN. Most sites aren't taking advantage of the flaw yet, but considering services like Hulu, Spotify, Netflix, and others are taking steps to identify and lock out VPN users, it's not a stretch to assume they'll start.

A few lines of code is all it takes to remove the location protection you get from using a VPN, and figure out where you're actually located and who your internet service provider really is (who can then tie your address back to who you are specifically.) While the vulnerability is primarily browser-based right now, any application that can render web pages (and uses WebRTC) is affected, meaning anyone who wants to can see past your VPN to where you really are and who you really are. Advertisers, data brokers, and governments can use it to peek through your VPN to find out where your connection is really coming from. If you use services like BitTorrent, have a set-top box like a Roku, or just stream music or movies on your computer through a site that's not available in your country (or you're an expat and live abroad), the apps and services you use could suddenly stop working

WebRTC-STUN-VS-TOR-VPN-Proxy | | UnhappyGhost - Ethical Hacker - Security Expert - India

The flaw was documented by developer Daniel Roesler over at GitHub. Roesler explains how the process works:

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript.  
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain. 

How to see if your VPN is affected:

- Visit a site like What Is My IP Address and jot down your actual ISP-provided IP address.
- Log in to your VPN, choose an exit server in another country (or use whichever exit server you prefer) and verify you're connected.
- Go back to What Is My IP Address and check your IP address again. You should see a new address, one that corresponds with your VPN and the country you selected.
- Visit Roseler's WebRTC test page and note the IP address displayed on the page.

If both tools show your VPN's IP address, then you're in the clear. However, if What Is My IP Address shows your VPN and the WebRTC test shows your normal IP address, then your browser is leaking your ISP-provided address to the world.   

What is the Solution?

Luckily, you don't have to wait for VPN providers to address the issue on their ends to protect yourself. There are a number of things you can do right now, and most of them are as easy as installing a plug-in, or disabling WebRTC in your browser

The Easy Way: Disable WebRTC In Your Browser

Chrome, Firefox, and Opera (and browsers based on them) generally have WebRTC enabled by default. Safari and Internet Explorer don't, and thus aren't affected (unless you've specifically enabled WebRTC.) Either way, if the test above worked in your browser, you're affected. You can always switch to a browser that doesn't have WebRTC enabled, but since most of us like the browsers we use, here's what to do

Chrome and Opera: Install the ScriptSafe extension from the Chrome Web Store. It's overkill, but it'll disable WebRTC in your browser. Opera users can use this add on as well, see here how to install chrome extensions in Opera

Firefox: You have two options. You can install the Disable WebRTC addon from Mozilla Add-ons, or disable WebRTC directly by opening a tab and going to “about:config” in the address bar. Find and set the “media.peerconnection.enabled” setting to false. (You could also install NoScript, which is much like ScriptSafe, but like we mentioned, it's probably overkill.)

The Better Way: Configure Your VPN on Your Router

While talking to a number of people in the security community about this issue, and after those conversations, it is difficult to be confident that configuring your VPN at the router level is any more effective (or rather, terribly effective at all) than blocking WebRTC at the browser. While it is still recommend setting up your VPN at the router level for a number of reasons (outlined below), as far as this issue is concerned, right now, it is suggested that you use one of the browser add-ons mentioned above while more research is conduct into the root cause—and surefire remediation for it.

If you want a more surefire way to protect yourself beyond installing add-ons and making tweaks to your browser every time you install or update, there is a more permanent method. Run your VPN at your router instead of on your computer directly.

There are a number of benefits to this approach. For one, it protects all of the devices on your home network, even if they're not vulnerable to this specific flaw. It also gives all of your devices, like your smartphones, tablets, set-top boxes, and smart appliances the same protection and encryption that your VPN gives your desktop.

There are caveats, though. For one, if you're the type who likes to change exit servers often (e.g., one day you want to browse as though you're in Japan, another in Iceland, and another in the US), this means you'll have to tweak your router setup every time you want to switch locations. Similarly, if you only need to be connected sometimes but not others—like you use a VPN for work but not when you're streaming Netflix, you’ll need to enable or disable your VPN on your router every time you need to switch. That process can be easy or complicated, depending on your router, and your VPN.

Many VPN service providers suggest you set up your VPN at the router level anyway. Some even sell specific routers that come pre-configured to use their service, but odds are you can use your existing router (as long as it's not provided by your internet service provider). Log in to your router's admin page, and check your "security" or "connection" options. Depending on your model, you'll see a VPN section, where you can type in the name of the VPN provider you're connecting to, their server hostnames, and your username and password. Once it's enabled, all of your traffic will be encrypted.

If you don't see it, all isn't lost. Check with your VPN provider and let them know what type of router you have. They may have instructions to walk you through the process. If they don't, see if your router is supported by open-source router firmwares like DD-WRT ( search supported devices here), Open WRT (see supported devices here), or Tomato (see supported devices here). You can find how to install and set up DD-WRT here and configure Tomato here. All of those custom firmwares will allow you to set up your VPN at the router level.

The source of this article and more details can be found here

#unhappyghost #webrtc #tor #vpn #privacy #ipmasking #stun #javascript #scriptsafe #noscript #ddwrt #openwrt #tomatorouter #firefox #mozilla #chrome #google #networksecurity


You Might Also Like


  1. Good Catch! Although, I believe most WebRTC endpoints are deployed to mobile, with that in mind most will not be affected by this, right?

    1. Well, with the BYOD policies in most enterprise networks, the mobile and tablets will surely be affected. In the environment that I work, I find most of the employees connect through VPN for privacy issues through their mobile devices and its a known fact that mobile devices have out numbered the desktop/laptop computers in many scenarios and so the number of devices affected will also be high!

  2. Thanks for this Information
    But a Problem with this Site, i have share it to my turkish Friends but they can not see your Website correct.
    Can you do something for this People

    1. On the right panel, below the Popular posts, there is a translate page widget available. You can easily translate the website to the desired language, in this case to Turkish!

  3. Shouldn't the STUN communication be tunneled through your VPN as well giving the expected VPN endpoint IP?

    1. In this case, it is about the VPN services offered for Web Privacy and not the enterprise class like Site-to-Site VPN. So, most of the VPN services offer protection to the data transmitting through the browser but when the Javascript loads accessed on the page, it makes a connection behaving like an application and not sending data through http, and so the info isn't travelling through VPN as expected!

    2. Ah sorry, when I think of a VPN I think of PPTP, openvpn, L2TP etc which are protocol agnostic and forward any traffic not destined for your local subnet through the VPN. There are many consumer VPN privacy services which do offer true VPNs.

      For privacy services which use a SOCKS proxy server (I believe this is what Tor uses), I was surprised to find out that the STUN requests seem to be made directly. I filed a bug on Chrome for not respecting the system's proxy setting in this case: http://crbug.com/462056

  4. You don't see this really happening on Safari Browser or Internet Explorer yet as they do not support the WebRTC directly but they can be enabled on them as well. On the other hand, Chrome, Chromium, Firefox, Opera or any other browser built on these platform support webrtc out of the box! While you already filed a bug with Chrome team, did you know Google also hosts STUN servers to keep track of many thing. I assume that even while you logon to their services and while they create logs of authentication and IP address from where you accessed it, they must also be tracking down the real IP addresses in case the govt authorities demand for the real identity behind a network hack or security breach which seems to come from a VPN or proxy!!

    While its totally a privacy issue from the end user's perspective, for the investigators and forensic analysts its an amazing weapon to track down the people behind sophisticated cyber attacks. Please share your opinion on this

  5. This is easily remedied. You need a router that can connect to the vpn directly and share that tunneled connection with the local network. For example,I use a vpn on my phone. I share that connection with several computers. The hotspot routes traffic over the vpn. (had to change the routing tables to get it to work). I still have the bug,but any website that tries to find my "true" IP just ends up finding the private IP address assigned to me by the phones DHCP server. That IP is not valid on the real internet and its not even unique,there are millions of local networks using the same address range. A hardware router running something like openwrt or ddwrt can easily do the same thing.


Please choose to comment wisely, constructively, stay on the subject of the article, and respect the opinions of others. Commenting good or bad here may not impact the reputation of this blog but surely will show one of yours :)

If you have queries, issues, complaints, opinions or ideas especially if not related to this article, you are welcome to shoot them to us through Contact Page on this blog.

Contact Form


Email *

Message *