02 January 2016

Why WebRTC allows tracking of your local IP online with Chrome and Firefox

The internal IP information is perceived as necessary information for allowing optimal real time trafic to flow. The primary use case being to route the trafic more optimaly for users of VPN connections or proxies. I have been monitoring the issue since june, and there are no global fixes in the horizon.

You can prevent the leak by using the extension https://goo.gl/74pT1m, but most people wont even know about this issue nor install the extension, so it seems that you can now see the internal IP information as common available information for anyone to use (from Chrome and firefox)... =(

Note that the official extension does help, but in private mode all extensions are disabled, unless you allow it in incognito from the extension settings...

Background on the leak of internal IP address information

A year ago an implementation issue was found in Chrome and Firefox. It allows a website you visit to get your local IP information (even proxy and vpn ip's) without you being able to block it...Documentation can be found at https://github.com/diafygi/webrtc-ips

Try it for yourself at https://diafygi.github.io/webrtc-ips/

There is an officiel issue at google Chrome

Going to chrome://flags/ shows some mentions of WebRTC but none allows disabling that the internal IP getting revealed.

Visiting the official issue you will notice that Google has marked the issue as fixed on june 28. but not with a global fix, instead an extension published by https://webrtc.org/ is required for protecting your internal ip.

#49 juberti@chromium.org
We have now released an official Chrome extension to control this behavior. We believe this is better than a checkbox in preferences, since it can be directly linked to, and we can provide a more detailed explanation of what it does.

Extension: https://goo.gl/74pT1m
Details: https://groups.google.com/forum/#!topic/discuss-webrtc/bMOsMFx7PFc

There are certain apps that don't work properly with this extension right now (e.g. https://webrtc.github.io/samples) We are working on addressing these issues.

Fingerprinting your specific devices has always been possible by combining the public IP with e.g. your listed plugins or available fonts. But private browser mode has been created to help a bit with this fingerprinting. Since revealing the internal ip's, affects browsing in private mode and connecting through VPN's, this basically means that you have no where to hide when using chrome or firefox. Your distinct device can be fully monitored from any online service that wishes to.

What is WebRTC ?

https://webrtc.org/ a protocol for real time communication directly from the browser. Basically giving a browser with javascript the same access to real-time communication that normally has been the difference between "the web" and local applications.

Chrome Extension: WebRTC Network Limiter 

Configures how WebRTC's network traffic is routed by changing Chrome's privacy settings.
★ What it does:
This configures WebRTC to not use certain IP addresses or protocols:
- IP addresses not visible to the public internet (e.g. addresses like
- any public IP addresses associated with network interfaces that are not used for web traffic (e.g. an ISP-provided address, when browsing through a VPN)
- Require WebRTC traffic to go through proxy servers as configured in Chrome. Since most of the proxy servers don't handle UDP, this effectively turns off UDP until UDP proxy support is available in Chrome and such proxies are widely deployed.
Once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic, typically the same addresses that are already provided to sites in browser HTTP requests.

The extension may also disable non-proxied UDP, but this is not on by default and must be configured using the extension's Options page.

★ Notes:
This extension may affect the performance of applications that use WebRTC for audio/video or real-time data communication. Because it limits the potential network paths and protocols, WebRTC may pick a path which results in significantly longer delay or lower quality (e.g. through a VPN) or use TCP only through proxy servers which is not ideal for real-time communication. We are attempting to determine how common this is.

No comments: