The short story

There is an unbelievable security flaw in all major browsers that exposes your public and local IP to websites if you have WebRTC and Javascript enabled, which is the default.

In particular, this exposes users trying to anonymize their browsing through VPNs, Tor or I2P.

This has been known since 2015 and there are no serious plans for fixing it in the near future.

The fix

In Firefox, we can disable WebRTC through a configuration preference. Type about:config in the navigation bar, and set media.peerconnection.enabled to false.

Alternatively, we can use the Disable WebRTC extension, which provides an easy way to enable WebRTC on trusted sites when we actually need to video-call.
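To confirm that the media.peerconnection.enabled change was actually persisted, the profile's preference files can be checked offline. The following is an added example, not code from the original post or from Mozilla: it assumes the standard user_pref("name", value); line format of prefs.js and user.js, and the sample contents are constructed for illustration.

```javascript
'use strict';

const PREF = 'media.peerconnection.enabled';
// Matches lines such as: user_pref("some.name", false);
// Lines commented out with // do not match because of the ^\s* anchor.
const LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Parse the text of prefs.js or user.js into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = LINE.exec(line);
    if (!m) continue;                    // comments, blank lines, anything else
    let value;
    try { value = JSON.parse(m[2]); } catch { value = m[2]; }
    prefs.set(m[1], value);              // a later line wins over an earlier one
  }
  return prefs;
}

// user.js is applied on top of prefs.js at startup, so it takes precedence.
// When the preference is absent from both files, the browser default
// (WebRTC enabled) applies.
function webrtcStatus(prefsJs, userJs = '') {
  const fromUser = parsePrefs(userJs);
  const merged = new Map([...parsePrefs(prefsJs), ...fromUser]);
  if (!merged.has(PREF)) return { enabled: true, source: 'default' };
  const source = fromUser.has(PREF) ? 'user.js' : 'prefs.js';
  return { enabled: merged.get(PREF) !== false, source };
}

// Constructed sample file contents (not taken from a real profile).
const SAMPLE_PREFS_JS = [
  '// Mozilla User Preferences',
  'user_pref("browser.startup.page", 3);',
  'user_pref("media.peerconnection.enabled", false);',
].join('\n');
// A stale user.js that silently re-enables WebRTC at every startup.
const SAMPLE_USER_JS = 'user_pref("media.peerconnection.enabled", true);\n';

console.log(webrtcStatus(SAMPLE_PREFS_JS));                  // fix in place
console.log(webrtcStatus(SAMPLE_PREFS_JS, SAMPLE_USER_JS));  // fix overridden
```

Feed it the contents of prefs.js and, if present, user.js from the profile directory listed under about:profiles.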

Another option is to use the Tor browser. Without a doubt this saves you from many surprises; the problem is that it still does not support Firefox Quantum.

In Chrome, WebRTC has to be disabled through an extension, but if you really care about privacy you are probably not reading this from Chrome.

You can test the fix on websites such as DoILeak.

[Screenshots: test results before and after the fix]

If we have been careful to disable Javascript by default like we explained in this post, we haven’t been leaking our IPs, or at least only in our whitelisted sites. I would like to take the opportunity to recommend that we all do this.

What is WebRTC?

WebRTC is what we (rarely ever) use to be able to video-call from our browser. From Wikipedia:

WebRTC (Web Real Time Communication) allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. Supported by Google, Microsoft, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).

The story

This is quite a sad story. In 2015 TorrentFreak reported the issue.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

Stemming from this, a conversation ensued in Bugzilla where many worried users pointed at the problem, while Mozilla basically refused to do anything about it and blamed it on the WebRTC standard.

This is the wrong place to have this discussion. Please take it to the IETF

The issue is not getting much love in the IETF either.

In summary, the situation is the following:

WebRTC is enabled by default in all major browsers, and it works through a Javascript API.

Javascript is enabled by default in all major browsers.

WebRTC creates peer to peer connections, and in order to do that it must convey the IP address.

There is no warning shown and no permission to accept before this information is shared with the website, and they don’t want to implement one.

Therefore the website has access to this information through Javascript.

In other words, they prefer to sell the feature rather than protect their users. The result is that we are all leaking details not only of our public IP but also of our internal network.

Whenever we share our location or are about to use the microphone, we have to accept it explicitly. That is the way things should be. I don’t want those features if I don’t have control or knowledge over them. It is not that hard: they just have to ask the user, and that is exactly what Mozilla is refusing to do.

Of course, the WebRTC standard urgently needs to be updated to operate in the modern era of an insecure internet, but there is no excuse for Mozilla to implement the leak literally and not warn the user or make WebRTC opt-in. We are not talking about adhering to standards to correctly render a website; we are talking about an unbelievably huge privacy hole, especially for those most concerned about it: people trying to anonymize their traffic.

This has been the situation for three years now.

My two cents

Given the situation, I think it is important to make people aware of the issue, and advise them to block WebRTC. At the same time I would like to help make the vulnerability more visible and in this way pressure Mozilla to do something about it.

In a following post we will review some other options to harden Firefox and control our privacy during browsing.