Knowledgebase: Securing VPN & DNS
Important: How to prevent a real IP exposure from "WebRTC" (Firefox & Chrome affected!)
Posted by Max Biggavelli on 01 February 2015 19:42

A method how how to expose your real IP has been roaming around within a feature called "WebRTC" which is used in Google Chrome and Firefox browser.


This is a major security flaw and must be taken seriously, follow the below link to understand what it is about and how to secure yourself!

https://github.com/diafygi/webrtc-ips 

"Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.

WebRTC was originally developed to aid certain types of connections between browsers without the need for an additional plugin. The ‘RTC’ in WebRTC stands for Real-Time-Communication, and the API directory is used for voice calls, video chats, and p2p file sharing. Suspicions that WebRTC could be used to discover a user’s local IP, even under the presence of a VPN, have been around since 2013. Since WebRTC uses javascript requests to get your IP address, users of NoScript or similar services will not leak their IP addresses.

Note: This doesn't affect OSX, Android and neither Linux users, seemingly its just Windows users."


How to fix:

Google Chrome:

1. If you plan to use a plugin, then only the "ScriptSafe" plugin is successfully blocking WebRTC for Chrome here   (Additional note: ScriptSafe is a very restrictive plugin, meaning any website would have to be adjusted too!)

and then restart the Chrome browser!

2. Update 02.07.2015: A much smarter and better way is to entirely disable the WebRTC functionality in Chrome's own "Preferences" file! To do this you need to have a Chrome browser version of atleast 42 or greater. 

Completely close the Chrome browser now and navigate to it's "Preferences" file. For windows it should be located at "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences" it will ask how to open it, simply choose a text editor of your choice (for example windows native editor, or notepad++).

The file is json format, scroll to the end/bottom of the file and place the cursor before the last closing "}" and copy and paste in:

,"webrtc": {"multiple_routes_enabled": false}

Save the file when completed. The end of your Preferences file must now look exactly like below (notice the double brackets, otherwise its wrong format and Chrome will crash):

,"webrtc": {"multiple_routes_enabled": false}}

 

Firefox:

Type "about:config" in your address bar and then find "media.peerconnection.enabled" and set it to "false".
From Firefox version => 34 on to be sure additionally disable "loop" as well, so set "loop.enabled" to "false".
Or alternatively for Firefox a plugin exists too -> here


How to test: http://check.nvpn.net

(53 vote(s))
Helpful
Not helpful