Huge security flaw leaks vpn users’ real ip-addresses

[MadScientist]

Just when you thought you were safe.

https://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/

From PIA:
https://www.privateinternetaccess.com/forum/discussion/8204/how-to-stop-webrtc-local-ip-address-leaks-on-google-chrome-and-mozilla-firefox-while-using-private-i#latest

I use PIA's VPN and have added the WebRTC Block extension to Chrome.



Moved from Software for Windows.

Anandtech Administrator
KeithTalent

 

[bbhaag]

It's kinda cool that you bought this up. A few weeks ago I started using a vpn for the first time. They have a tutorial for n00bs and at the top of the list they mention webrtc's and how they work.
Here's a link they recommend to see if your browser is leaking your IP address. https://www.browserleaks.com/webrtc

If you use Chrome they also recommend using the extension called webrtc block. It can be found in the store using this link. https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm

 

[John Connor]

WEBrtc doesn't seem to even exist in Pale Moon my main browser, but it was on in Firefox.

I set this page to my home page to make sure there are no DNS leaks. https://www.dnsleaktest.com/

+1 for NoScript. Been using that since NoScript came out.

Just wonder about Tor.

 

[Chiefcrowe]

Thanks for posting, this is good to know!!

 

[Chiefcrowe]

Another article on how to check if your vpn is vulnerable and what to do about it

http://lifehacker.com/how-to-see-if-your-vpn-is-leaking-your-ip-address-and-1685180082

 

[TheRyuu]

You can block this in Chrome for most (very nearly all) cases if you use uMatrix[1] with WebRTC Block[2]. The WebRTC Block plugin by itself is not enough and only blocks certain (naive cases). Luckily by combining the two the naive blocking should be enough.

By setting iframes to block by default (uMatrix whitelists 1st-party iframes so you have to disable those as well in the global scope to break the WebRTC Block workaround). This should allow you to keep javascript enabled and still block webrtc for the vast majority of (possible) cases except on sites where you've whitelisted iframes (and even then it would be restricted to the hostname that the iframes are whitelisted for).

[1] https://chrome.google.com/webstore/detail/µmatrix/ogfcmafjalglgifnmanfmnieipoejdcf?hl=en
[2] https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm?hl=en

 

[Suspicious-Teach8788]

Can someone explain what WebRTC does and what adverse effects there may be by disabling it? Sorry I'm so noob.

 

[lxskllr]

Can someone explain what WebRTC does and what adverse effects there may be by disabling it? Sorry I'm so noob.

Wikipedia's page looks as good as anything...

https://en.wikipedia.org/wiki/WebRTC

If you use a browser in the traditional way, disabling webrtc won't cause any issues. If you depend on a fairly new style of in-browser communication, you'll have to see how it works, cause it might depend on webrtc.

 

[TheRyuu]

By the way, this was fixed in Chrome although I'm not sure if it's made its way to the stable channel (it may be in the beta channel) yet so an extension (which didn't really work that great anyway) isn't needed anymore. You can't disable WebRTC completely but you can make it only give your public IP. So if you're connected through OpenVPN it'll only show the VPN server's IP.