The main two issues are that a data connection doesn't require user consent (unlike video/audio) and the browser checks all network interfaces as connection candidates (so VPN users on Windows and Mac expose their real IPs). As I proposed in the bug, if we fix those two things, we would be a lot better off.
These requests do not show up in developer consoles and
cannot be blocked by browser plugins
I'm using FF with a WebRTC-blocking plugin, and it does successfully block the proof-of-concept exploit (it's called "Happy Bonobo Disable WebRTC", an admittedly shady name, but there are surely others).
Yes, most of those plugins were made after this test was created. This one just sets "media.peerconnection.enabled" to false in Firefox's settings. However, it means you have to disable WebRTC entirely, not just the STUN requests.
Unfortunately, Chrome doesn't let you disable WebRTC at all unless you recompile with "-Denable_webrtc=0", and Chrome blocking plugins are easily bypassed (see some pull requests in my repo).
All true; but a perfect solution would not involve more prompts to the user. Crying wolf and all that; too many and nobody reads the prompts any more.
The exposure of your IP address(es) is a very mild risk; not in a class with security risks, more like cookies. It just helps de-anonymize you, if you care about that.
Vulnerability doesn't seem like the correct word to describe this issue. It's more of an exposure of potentially sensitive information (your local IP address if you're using a VPN) as a result of WebRTC's protocol design.
I haven't thought about it enough, but I suspect it's more of a problem on the VPN side; IP addresses were never intended to be private or sensitive. My suspicion is that this is another case of NAT being the reason we can't have nice things.
I agree. For the vast majority of use cases, this doesn't seem to be an exceptionally big issue. Almost all major websites collect IP addresses and don't explicitly prompt the user that this is happening. It seems the OP is really highlighting the edge case for users who want quasi-absolute security.
Knowing the LAN IP behind any NAT is useful for silently launching behind-the-firewall cross-site attacks against the router web admin interface (or any other local services) via a browser, without having to blindly guess addresses. Someone posted a POC LAN scanner elsewhere in a thread here, too.
It seems like the problem that WebRTC wants to solve could be solved another way, by putting more of the discovery logic into the browser rather than the application. WebRTC wants to find peers on the local LAN, and communicate with them directly. Why not let the browser find peers, and then hand the WebRTC application a connection without exposing where that connection leads?
That said, long-term, I think networks need to stop treating non-routability alone as a firewall mechanism. Any information that this WebRTC mechanism reveals could also be exploited by any random client application, or in the case of http-based protocols, by anyone who can embed an iframe or submit a form. Consider how you'd design a network in which every device had a routable IP address, and go ahead and design it that way anyway as a defense-in-depth measure. Use encrypted and authenticated protocols even on your "private" network.
This forces all WebRTC connections to only use server-reflexive and relay ICE candidates, and only on the default IP route. While this may cause a QoS hit (two users behind NAT can no longer keep their traffic internal to the NAT), it does allow the issue mentioned here to be fully addressed without disabling WebRTC altogether.
Thanks very much for your reply. I've been trying to enable the preference in Google Chrome Canary on Mac OSX. However, I haven't been able to successfully block the IP leak - I suspect because I haven't configured it correctly. I had to manually create the file "/Library/Google/Google Chrome Master Preferences" and add the setting you suggested. I then reinstalled Chrome Canary and tested but no effect. I also tried editing the user preferences file in ~/Library/Application\ Support/Google/Chrome\ Canary/Default/Preference but that seems to be overwritten by the browser. How should I be configuring this preference? Thanks again.
That doesn't necessarily mean they need to be sent to the server. The two browsers on the same LAN could coordinate via local discovery, establish a socket between themselves, hand that socket to WebRTC, and never tell the two applications running in the browser sandbox what local LAN IPs they use.
There is a permission request to access the camera but this is triggered by a call to getUserMedia(). This would be done if setting up a peer connection to transmit voice and/or video. However, if you want to set up a WebRTC data channel no such prompt occurs.
Doesn't look like it. The LAN scanner in another comment didn't put up any prompts for me. It might look like it does because WebRTC is normally used with audio or video, which does require a prompt, but you don't have to use it that way.
The "setPeerInfo" command is sent by the client to the server over the NetConnection control flow to inform the server of candidate socket addresses through which the client might be reachable. This list SHOULD include all directly connected interface addresses and proxy addresses except as provided below. The list MAY be empty. The list need not include the address of the server, even if the server is to act as an introducer for the client. The list SHOULD NOT include link-local or loopback addresses.
Flash can be blocked, or not installed. If you are running a modern Chrome or Firefox, there is no way to stop this from running. (edit: apparently you can now block WebRTC entirely in Firefox, but Chrome has to be recompiled)
I wish chrome had an advanced configuration interface similar to firefox's for this kind of thing... I'm actually surprised WebRTC doesn't at least prompt for access, similar to location, camera and similar requests.
This is interesting and seems to indicate that there is a small edge case for people who want as much privacy as possible.
The larger topic for me is that webRTC has to make tradeoff for developers. And, I for one, love what it does. If you look at legacy comms development in the peer to peer space (e.g. Skype) the process was orders of magnitude more difficult than using a webRTC implementation. So, as a developer, sacrificing a prompt that grants an IP detection notice seems like a worthwhile tradeoff.
Also, I think webRTC is still in draft form and is still being modified in working sessions (although I'm not 100% sure of this). It would be great if Apple would get on board with webRTC for ios.
I agree that WebRTC is very powerful and makes peer-to-peer communication from browsers easily accessible for developers. And I also love what it does. However, the issue raised in the post is seen from the point of view of the user. Convenience for the developer probably won't be a concern to a user who is concerned about IP leakage. Yes, the WebRTC API is still being standardised so perhaps this issue will be addressed in future
WebRTC can also be used for fingerprinting (apparently Chrome only) in a similar way as cookies. [1] has an explanation and test of it, as well some other fingerprinting methods.
My test: https://diafygi.github.io/webrtc-ips/
The main two issues are that a data connection doesn't require user consent (unlike video/audio) and the browser checks all network interfaces as connection candidates (so VPN users on Windows and Mac expose their real IPs). As I proposed in the bug, if we fix those two things, we would be a lot better off.