I’ve been working on a contract recently that requires end-to-end communication between two PCs. Each PC could be behind a firewall or NAT router and the client does not want to require users to have to install software on their PCs.
While looking at solutions I came across the WebRTC API. WebRTC (the RTC is for “Real Time Communication”) API provides browser-to-browser communication and does not need plugins. It sounded a lot like what I needed. It allows sharing video and audio for video calls and provides for data sharing. The latter is what I needed.
It seems that users who use VPNs (Virtual Private Networks) to hide their location may have that location information exposed via WebRTC. Common privacy tools used to help obscure that information don’t block the WebRTC exposure of it. If you are using your VPN for encryption (privacy) and not to hide your location, the WebRTC issue shouldn’t impact you. (Users sometimes hide their locations to access servers or services in other areas from which they’d otherwise be blocked. They can create a VPN tunnel to, say, Germany and access German television that may not be accessible from the country in which they reside.)
I read in Lifehacker how to perform the IP address leak test and how to turn off WebRTC in my Firefox browser if I want to. The test basically involves four steps (you can get the details from the article):
I found that my IP was leaked out. I don’t mind since I don’t use a VPN to hide my location, but it is interesting to know.
The Lifehacker article tells how to disable WebRTC in your browser. That shouldn’t have a huge impact as few services are using WebRTC right now. However, as it becomes standardized we’ll likely see useful applications using it, so disabling it might be an issue. In that case you may want to use two browsers: one for real-time communication, another for VPN tunnels – at least until there is some kind of fix.
We talk about VPNs in Learning Tree’s System and Network Security Introduction. I have no idea how many people use VPNs for hiding their location (that’s kind of the point, isn’t it), but they are a valuable security tool especially for providing network confidentiality.
If you think this bug might impact you, let us know in the comments below.
To your safe computing,