Many comments on this thread are about the pros and cons of leaking the local IP in an ICE candidate entry. You can certainly discuss this, but in my understanding, that's not what this post is about at all.
The issue is about leaking the local IP in the foundation which is supposed to be some sort of opaque UUID - the local IP isn't supported to be in there at all, whether you want LAN connections or not.
In Chrome/Chromium there is a WebRTC Network Limiter [1] extension that let you set "Use only my default public IP address" policy and render the method I presented ineffective.
> This can be disabled in Brave by turning "WebRTC IP handling policy" to "Disable non-Proxied UDP"
Not advised if you want to use WebTorrent, since it relies on WebRTC.
Setting it to "Default public interface only" still allows WebTorrent & WebRTC-reliant tools to be used, whilst still only broadcasting your public IP (which is already known anyway).
What’s the issue there? How is knowing the local IP a security issue?
And FWIW, the local IP does not get leaked when using a VPN. (edit: Or rather, the VPN local IP gets leaked. Same question, no idea if that’s security relevant in some way?)
edit: Thanks everyone, I completely forgot about fingerprinting.
It's a privacy issue. You can use it to fingerprint a user, local IP will give you quite many bits of entropy. <https://coveryourtracks.eff.org/>
Honestly I'm not even sure if I'm surprised, but it's 2022 and we've been having this problem basically since the day WebRTC was introduced. At this point, if you care about privacy, you should probably put it in the same bag as third-party cookies and just block it entirely.
It's because if you don't leak the local IP, then webRTC calls will typically fail between people on the same LAN. And, if they don't fail, then they will usually have to go via a TURN server on the internet adding a lot of latency.
It's a privacy/functionality tradeoff. But most people consider not being able to videocall or do online gaming with someone in the same building to not be acceptable.
I don't think that there are many people using WebRTC especially within the same LAN, but fingerprinting is used by almost every commercial site. So I can assume that this "feature" was used in 99.99% cases for fingerprinting.
This shows how browser developers race to push new features without proper estimation of privacy concerns.
Luckily this was somewhat fixed by using randomized Apple mDNS names instead of IPs. But as a result the browser has to support Apple DNS protocol which can potentially increase attack surface.
I would prefer to disable this feature completely by default and let the minority who needs it enable it via settings.
> Almost all of the “sales/demo/cross company” video calls I’ve been on have been in this bucket
My understanding is Zoom only supports P2P for two person calls.
I can't quite tell from this answer if it is the default or not, but it sounds like it has to be manually enabled:
> Account owners and admins can enable one-on-one meetings to have data routed between two participants (peer-to-peer), rather than going through the cloud or server. Enabling this may improve the quality and connection of one-on-one meetings (depending on how your network prioritizes traffic) by directly sending video and audio between both parties.
I think an opt-in permission seems like the way to go, like the one we already have for microphone/camera permissions, and possibly just merged with these (i.e. grant WebRTC permissions together with A/V permissions).
There are quite a few interesting non-A/V WebRTC applications around – these could be handled via an explicit prompt, similarly to how newer iOS versions handle local network permissions.
> It's a privacy issue. You can use it to fingerprint a user, local IP will give you quite many bits of entropy. <https://coveryourtracks.eff.org/>
I don't buy it: You have to block IPv6 as well, and that's becoming harder to do.
If the user is trying to protect their "privacy" from their ISP by using a VPN (for example), and are attempting to prevent the application-level leak of providing a list of all the local interfaces, they really need to configure their system to restrict e.g. their web browsers and other sensitive tools to those specific interfaces, e.g.
If you use Chrome-exclusive links, please at least also link to the closest standard section [0] and preferably, mention the Chrome-linked text directly.
That said, they don't say anything about security, I obviously forgot about fingerprinting, but still don’t see security issues?
A bit? The site claims it found a host on literally every single private IP that exists ;) And closing it nearly killed my FF (full freeze for ~10 seconds).
If so, I'd love to hear it. As far as I know all iOS browsers are forced to use the same rendering engine, and I suspect there's no way to modify that.
I've yet to see a normally configured browser _not_ be uniquely identifiable many times over through fingerprinting.
At some point it feels like trying to drain the ocean with a cup. Maybe we just need to accept that anyone who really wants to fingerprint you _can_ fingerprint you unless you use a specialist browser.
At that point the solution is fairly obvious, make it legally difficult to use unique fingerprinting and move on (ie stuff like gdpr). People will still do it, but they'll have to balance it with not falling foul of the law and wont be able to abuse it too much.
We wont stop real world facial recognition by all trying to make our faces more similar either, we have to accept it's generally possible to do, but discourage the actual doing of it rather than trying to make it impossible.
(note in both cases, actually preventing it when you have a reason to is totally possible and valid, via specialist browser modes and physical masks respectively)
I just tried a clean FF profile with resistFingerprinting enabled. No dice. Everything adds only very few bits of identifying information (unlike my main profile which is already almost unique thanks to the accept header (English, then German)) yet it still results in 17.75 bits which according to EFF is unique.
I’m agreeing with you, though I wonder, is there any way to not be unique? What would you have to do? Use Windows with no extra fonts, Chrome in English, on a FullHD monitor with webgl/canvas/audio fingerprinting protection extensions?
Actually, resistFingerprinting + switching to the user-agent string tor uses gets me 99% of the way there. All that’s missing is the weird window size (vertical taskbar), if I could get that to report a default size, I’d actually be better than Tor (they have a bunch of responses slightly more unique than FF with resistFingerprinting).
But it’s academic for me anyway, I have
Accept-Language en-US,en;q=0.7,de-DE;q=0.3
which is close enough to unique that nothing else really matters.
> All that’s missing is the weird window size (vertical taskbar)
TBB actually adds a border at the bottom of the browser so the reported size isn't the actual size. If you change the size of your browser window to the tor-reported size then it should work.
Unless I'm misunderstanding and you mean something to do with the scrollbar?
Like siblings are saying, they use all available information to fingerprint you.
You can cover your identity only to the extent that you can display the same characteristics to the web server as the largest group of users that have all the same characteristics. This includes whether you have JS disabled as well as your IP address, User-Agent, display resolution, etc.
Yeah. All that's needed is to leak link-local IPv6 address from a single interface. There's your unique commputer identifier, unless someone's using mac randomization.
WebRTC was already known to leak local IP. Which can be dangerous if you're behind a VPN.
I use two browsers. One with WebRTC disabled (Firefox) and one with WebRTC enabled (Safari/Chromium). The former also runs a myriad of other addons which increase privacy. The latter I use to connect to PiKVM.
I also use similar browser isolation strategy. I use one browser for real-ID activity such as banks, domain registrars.. and avoid entering real creds in the private browser to keep an anonymous fingerprint. This is one of those gray areas though where I don't always want to share my IP over Jitsi.
The concern was dialog fatigue. If a web site prompts permission to ‘gather local candidates’ most users are just going to hit OK. So this wouldn’t stop abusive uses of WebRTC as hoped.
I am using Microsoft Edge and the test on the linked page times out without detecting anything. Perhaps it is because I've enabled the "Anonymize local IPs exposed by WebRTC" flag.
The root technical issue here seems to be that the IPv4 space is fundamentally pretty small and easy to search, the browser just uses a crc32 to obscure the local IP address, and you can write code to brute force it with a little sophistication.
The security impact, as others are pointing out, is pretty minimal. Knowing a local IP address behind a NAT isn't "not" a privacy issue (e.g. I can see things like gaming anti-abuse using tricks like this to discriminate users who need to be blocked vs. normal players), but it's not much of one.
Thank you, I will try that. Although I hope that for critical security
updates they will be faster... Right now it is lagging behind (105.1.0
vs. current 106.1.0)
Yes, but as far as I understand, the fight against fingerprinting is
lost anyway.
Having WebRTC enabled can be dangerous for other reasons. You could be
seeding a torrent unknowingly just by visiting a website. This can turn
into a freaking disaster if you live in country like Germany.
It's a shame that browsers don't ask you for WebRTC like they do with
webcams.
Well for one a website can make you secretly upload copyrighted content with plain old javascript. And it's going to be hard to hold you liable for data uploads that someone else initiated and you didn't know about.
> Well for one a website can make you secretly upload copyrighted content with plain old javascript
Only to a webserver and thanks to CORS not to any webserver. There is
no benefit for a website doing that - unlike with sharing a torrent to
other internet users.
The problem with torrents is that they are actively watched by
"Abmahnanwälte" (lawyers who make a living by suing copyright offenders).
> And it's going to be hard to hold you liable for data uploads that someone else initiated and you didn't know about
yeah good luck with that. All they see is your IP and then you can try
to explain how this happened and how you are totally innocent.
about:config is only available in Beta or Nightly on Android now, though forks like Fennec also have it enabled by default.
They took it away in Stable because changing some settings may disconnect GeckoView from the application containing it and they can't have that.
I run Beta for this reason. Nightly is too unstable for me so I had to give up custom addon lists to bypass Mozilla's outdated whitelist (they were only available in nightly for a while, I believe that's in Beta now).
Mozilla doesn't trust you to use their precious software right and they'll take away your toys if it considers you to be playing with them wrong. I still like Mozilla over Google, Microsoft, and Apple, but it's really hard to be a fan of Firefox when they pull shit like this.
Yeah. It's only available in nightly. Which is fine so long as you're ok with things occasionally breaking or sudden vulnerabilities (I've dogfooded nightly on desktop and mobile for years and it definitely happens. Happened to me just last week) and you also have to be fine with downloading a huge package and writing it to your internal card basically every day which may be an issue with your plan, and after a few years, is also an extra thousand writes that you might have wanted to avoid (my last 3 phones have had replaceable batteries but not internal storage).
Is user IP leaked to another peer if there is a media server (like Kurento) between peers? I’ve worked in 2 WebRTC-based projects and in both cases the connection was not actually P2P, but had some kind of media server in between, either to mux multi-user conferences or to re-encode the media to a format supported by the other peer.
I'm not getting a leak with Chromium, but that is probably because I have my policy set to `default_public_interface_only`. I believe this is by design as WebRTC notoriously leaks local IPs.
You appear to be correct. I just tried the test on Falkon and it failed. But since not many poeple use Falkon regularly... maybe that's a fingerprint all by itself.
From what I can tell it is taking the local IP it finds and then looking it up in a database. If it doesn't find any IPs then it reports used 0 keys for lookup.
Yeah we don't need privacy, especially to third party extensions loaded by sites, we should just set our user agent to our full name, address and phone number.
I know you said this as a joke, but I think you underestimate the convenience draw of that. Already if I have to sign up for something on not-my-primary-computer I'm annoyed because I can't use the Chrome autofill to take care of entering my address/phone/credit card details. For a large number of people the privacy concerns take a definite backseat to seamless and quick experiences and there isn't anything wrong with making that value judgement.
Your full name is not the same as your local IP. Since your NAT subnet is almost always /24, there really are only 256 local IP addresses. Which one you happen to be using at the time is not really important. There are 10,000 other things about your browser that could be used to uniquely identify you. This is a feature of WebRTC that allows it to do what it does, not a bug. If you are worried about 3rd party web apps sniffing your local IP and somehow using that info against your interests, don't go on the internet.
If it leaks local ipv6 there may not even be NAT involved. This would unmask the user on the other end of a VPN or Proxy, for example.
While this generation is done only for IPv4 space someone with sufficient time, resources, and inclination (say a large Ad conglomerate) could similarly start generating these for IPv6 address spaces.
The issue is about leaking the local IP in the foundation which is supposed to be some sort of opaque UUID - the local IP isn't supported to be in there at all, whether you want LAN connections or not.
Is this correct?