What you Need to Know About WebRTC and IP Address Leaks

I’ve been working on a contract recently that requires end-to-end communication between two PCs. Each PC could be behind a firewall or NAT router and the client does not want to require users to have to install software on their PCs.

While looking at solutions I came across the WebRTC API. WebRTC (the RTC is for “Real Time Communication”) API provides browser-to-browser communication and does not need plugins. It sounded a lot like what I needed. It allows sharing video and audio for video calls and provides for data sharing. The latter is what I needed.

Web RTC logo
Since the API is supported by Google Chrome, Mozilla Firefox, Android, IOS and more with plugins for browsers yet to support it, it sounded too good to be true for my solution. Indeed, it may be.

WebRTC Security Issues

It seems that users who use VPNs (Virtual Private Networks) to hide their location may have that location information exposed via WebRTC. Common privacy tools used to help obscure that information don’t block the WebRTC exposure of it. If you are using your VPN for encryption (privacy) and not to hide your location, the WebRTC issue shouldn’t impact you.  (Users sometimes hide their locations to access servers or services in other areas from which they’d otherwise be blocked. They can create a VPN tunnel to, say, Germany and access German television that may not be accessible from the country in which they reside.)

How To Do An IP Leak Test

I read in Lifehacker how to perform the IP address leak test and how to turn off WebRTC in my Firefox browser if I want to. The test basically involves four steps (you can get the details from the article):

  1.  Discover your external IP address
  2. Enable your VPN to an exit server (a server where you want people to think you are connected to the Internet
  3.  Check your IP again to ensure your VPN works
  4. Use the WebRTC test page to see if your real IP is leaked out

I found that my IP was leaked out. I don’t mind since I don’t use a VPN to hide my location, but it is interesting to know.

The Lifehacker article tells how to disable WebRTC in your browser. That shouldn’t have a huge impact as few services are using WebRTC right now. However, as it becomes standardized we’ll likely see useful applications using it, so disabling it might be an issue. In that case you may want to use two browsers: one for real-time communication, another for VPN tunnels – at least until there is some kind of fix.

We talk about VPNs in Learning Tree’s System and Network Security Introduction. I have no idea how many people use VPNs for hiding their location (that’s kind of the point, isn’t it), but they are a valuable security tool especially for providing network confidentiality.

If you think this bug might impact you, let us know in the comments below.
To your safe computing,
John McDermott

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.