Are you using a VPN to hide your IP address? WebRTC may be giving it out anyway.
This issue has been known since at least January 2015, but I thought it worth mentioning given the growing popularity of anonymous VPN services like Private Internet Access, due in no small part to recent government surveillance efforts like Australia's new mandatory data retention law (http://www.bbc.com/news/world-australia-34513124) as well as a desire to access services like Netflix from places where they're otherwise unavailable.
VPNs are one of the best tools we have to protect our privacy online, bypass geographic restrictions on websites and services, and limit government and corporate surveillance efforts. But there's no magic bullet when it comes to security and privacy, especially when the fundamental protocols that the apps we use to communicate rely on are flawed.
WebRTC (Real-Time Communications) allows Web browsers to communicate in a lot of interesting ways, including browser-to-browser video chat (using Firefox Hello, for example: https://www.mozilla.org/en-US/firefox/hello/). But a vulnerability in this protocol can allow websites to see your actual IP address without your knowledge even if you're using a VPN.
If you use a VPN and want to see if this affects you, follow these steps:
1) With your VPN disconnected, go to https://www.privateinternetaccess.com/pages/whats-my-ip/ and take note of your public IP address.
2) Connect to your VPN, and reload the previous page. You should now see a different IP address, provided by your VPN service.
3) Go to https://diafygi.github.io/webrtc-ips/ and see what IP addresses are listed. If you see no addresses at all, you're safe. If you only see your VPN's IP address, you're probably safe, but it's possible that a different exploit of this vulnerability could still find out your actual IP address. If you see the IP address you found in step 1, any website can see your real IP address even when you're using your VPN.
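The decision in step 3 can also be written down as a small self-check. This is an added example, not code from the test page or from any VPN provider: it reads ICE candidate lines (the strings WebRTC produces to describe reachable addresses) and applies the step 3 rules. The function names, the "review" verdict for cases the steps don't cover, and all sample addresses are assumptions made for illustration.

```javascript
// Added example: apply the step-3 decision to ICE candidate lines.
// Every address below is constructed (documentation and private ranges).

// Candidate layout:
// candidate:<foundation> <component> <transport> <priority> <address> <port>
//   typ <type> [raddr <related-address> rport <related-port>]
function addressesIn(candidateLine) {
  const fields = candidateLine.trim().replace(/^a=/, "").split(/\s+/);
  if (fields.length < 8 || !fields[0].startsWith("candidate:") || fields[6] !== "typ") {
    return []; // not a candidate line, ignore it
  }
  const found = [fields[4]];
  const r = fields.indexOf("raddr");
  if (r !== -1 && fields[r + 1]) found.push(fields[r + 1]);
  // 0.0.0.0 and :: are unspecified addresses, not real ones
  return found.filter((a) => a !== "0.0.0.0" && a !== "::");
}

function checkLeak(candidateLines, realIp, vpnIp) {
  const seen = [...new Set(candidateLines.flatMap(addressesIn))];
  let verdict;
  if (seen.includes(realIp)) verdict = "leaking";        // step-1 address is visible
  else if (seen.length === 0) verdict = "safe";           // nothing listed at all
  else if (seen.every((a) => a === vpnIp)) verdict = "probably safe";
  else verdict = "review"; // assumption: e.g. only LAN addresses, not covered by the steps
  return { verdict, seen };
}

// Constructed sample data
const REAL_IP = "203.0.113.7";   // address noted in step 1
const VPN_IP = "198.51.100.20";  // address noted in step 2
const leakingSample = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 51000 typ srflx raddr 192.168.1.23 rport 51000",
  "candidate:3 1 udp 1686052607 198.51.100.20 51001 typ srflx raddr 10.8.0.2 rport 51001",
];
const vpnOnlySample = [
  "a=candidate:3 1 udp 1686052607 198.51.100.20 51001 typ srflx raddr 0.0.0.0 rport 0",
];

console.log(checkLeak(leakingSample, REAL_IP, VPN_IP));
console.log(checkLeak(vpnOnlySample, REAL_IP, VPN_IP));
```
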
Unfortunately, there's not much that VPN services can do to fix this, since the problem lies with how applications implement WebRTC. So to keep our IP address from being leaked, we need to fix the specific applications that are leaking it.
If you're using Firefox, you have a couple of options to keep WebRTC from revealing your IP address. The first is to install the Disable WebRTC extension, which allows you to easily toggle WebRTC support in case you use any websites or services that use it. The second is to open a new tab, type "about:config" in the address bar, and set media.peerconnection.enabled to "false". This second method works for Firefox for Android as well as the desktop version.
For Chrome, you can use one of several extensions, including WebRTC Network Limiter or WebRTC Block, neither of which disables WebRTC completely, but both seem to limit the amount of information Chrome leaks to websites. A few websites recommend a rather hackish solution involving editing your Chrome userdata file, but these extensions do the exact same thing. So far I haven't found a fix for Chrome Mobile.
Unfortunately, any application that renders Web pages and supports WebRTC could leak your IP address, so these fixes don't absolutely guarantee that your IP address won't be leaked. But until the vulnerability in the WebRTC protocol is fixed, we can at least keep our browsers from ratting us out.