The short story
In particular, this exposes users trying to anonymize their browsing through VPNs, Tor or I2P.
This has been known since 2015 and there are no serious plans for fixing it in the near future.
- In Firefox, we can disable WebRTC through a configuration preference. Type about:config in the navigation bar, and set media.peerconnection.enabled to false.
- Alternatively, we can use the Disable WebRTC extension, which provides an easy way to enable WebRTC in trusted sites when we are going to actually video-call.
- Another option is to use the Tor browser. Without a doubt this saves you from many surprises; the problem is that it still does not support Firefox Quantum.
- In Chrome, WebRTC has to be disabled through an extension, but if you really care about privacy you are probably not reading this from Chrome.
You can test the fix on websites such as DoILeak.
What is WebRTC?
WebRTC is what we (rarely ever) use to be able to video-call from our browser. From Wikipedia:
WebRTC (Web Real Time Communication) allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. Supported by Google, Microsoft, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).
This is quite a sad story. In 2015 Torrent Freak reported the issue.
With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.
This is the wrong place to have this discussion. Please take it to the IETF.
In summary, the situation is the following:
- WebRTC creates peer to peer connections, and in order to do that it must convey the IP address.
- There is no warning or permission prompt before this information is shared with the website, and they don't want to implement one.
In other words, they prefer to sell the feature rather than protect their users. The result is that we are all leaking details not only of our public IP but also of our internal network.
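To see exactly what a page learns through WebRTC, here is an added example in JavaScript (not code from the original post, from Mozilla or from the WebRTC project) that parses the ICE candidate lines a browser generates and classifies the addresses they expose; run in a browser console it reports the same information a site like DoILeak does. The STUN URL and the sample candidate lines are constructed placeholders, and the `selfCheck` function returns null when `RTCPeerConnection` is not exposed, which is what setting media.peerconnection.enabled to false does in Firefox.

```javascript
// Added example (not from the original post or from Mozilla): classify the
// addresses a browser exposes through WebRTC ICE candidates. Line format per
// RFC 5245: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^127\./, /^169\.254\./];

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns'; // mDNS-obfuscated host candidate, no raw IP exposed
  if (a.includes(':')) { // IPv6 loopback, link-local and unique-local are internal
    return a === '::1' || a.startsWith('fe80:') || /^f[cd]/.test(a) ? 'private' : 'public';
  }
  return PRIVATE_V4.some((re) => re.test(a)) ? 'private' : 'public';
}

function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
  return m ? { address: m[1], port: Number(m[2]), type: m[3], scope: classifyAddress(m[1]) } : null;
}

// What a page learns from a list of candidate lines: unique addresses per scope.
function leakReport(lines) {
  const seen = { private: new Set(), public: new Set(), mdns: new Set() };
  for (const c of lines.map(parseCandidate)) if (c) seen[c.scope].add(c.address);
  return {
    privateAddresses: [...seen.private], publicAddresses: [...seen.public],
    mdnsNames: [...seen.mdns], leaks: seen.private.size > 0 || seen.public.size > 0,
  };
}

// Browser self-check: gather candidates via a STUN server (placeholder URL). Returns null
// when RTCPeerConnection is not exposed (media.peerconnection.enabled=false in Firefox).
async function selfCheck(stunUrl = 'stun:stun.example.org:3478') {
  if (typeof RTCPeerConnection === 'undefined') return null;
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = await new Promise((resolve) => {
    const out = [];
    pc.onicecandidate = (e) => (e.candidate ? out.push(e.candidate.candidate) : resolve(out));
    pc.createDataChannel('probe'); // gives the offer a media section so ICE gathering starts
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
  pc.close();
  return leakReport(lines);
}

// Constructed sample candidates (documentation address ranges) for an offline run.
const SAMPLE = [
  'candidate:1 1 UDP 2122252543 192.168.1.23 51234 typ host',
  'candidate:2 1 UDP 1686052863 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'candidate:3 1 UDP 2122252543 6b1a2c3d-0000-4000-8000-000000000001.local 51235 typ host',
];
```

With the fix applied, `selfCheck()` resolves to null; without it, the report lists the internal and VPN/public addresses a site can log, while a `.local` name in modern browsers means the host address was already hidden behind mDNS.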
Whenever we share our location or we are going to use the microphone, we have to accept it explicitly. That is the way things should be. I don't want those features if I don't have control or knowledge over them. It is not that hard: you just have to ask the user, and that is exactly what Mozilla is refusing to do.
Of course, the WebRTC standard needs to be urgently updated to be able to operate in the modern era of an insecure internet, but there is no excuse for Mozilla to implement the leak literally and not warn the user or make WebRTC opt-in. We are not talking about adhering to standards to correctly render a website; we are talking about an unbelievably huge privacy hole, especially for those more concerned about it, people trying to anonymize their traffic.
This has been the situation for three years now.
My two cents
Given the situation, I think it is important to make people aware of the issue, and advise them to block WebRTC. At the same time I would like to help make the vulnerability more visible and in this way pressure Mozilla to do something about it.
In a follow-up post we will review some other options to harden Firefox and control our privacy during browsing.