How to check if sites use WebRTC
WebRTC is one of these new technologies that is on the one hand pretty useful and on the other a privacy nightmare as it can be abused.
WebRTC, the RTC stands for Real-Time Communications, is a set of APIs that all major web browsers support. Its primary use is to integrate better communications capabilities in the browser that websites and services may utilize for voice and video chat, and other communication forms.
WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction.
One of the issues with WebRTC from a privacy point of view is that browsers may leak the "real" IP address of the device to websites. Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.
Users who connect to a VPN, Socks proxy or Tor, may have the IP of their device leaked automatically because of this which is a huge privacy issue that is ignored for the most part by browser makers.
Only a few browsers include options to block WebRTC IP leaks. Vivaldi has an option under Settings > Privacy to disable the broadcasting of the device's IP address, and Firefox users may disable WebRTC entirely even by setting media.peerconnection.enabled to false on about:config.
Add-ons like uBlock Origin, WebRTC Leak PRevent for Chrome, or Opera.
Privacy conscious Internet users know that WebRTC may leak the IP address of the device, but the bulk of users don't.
Check if sites use WebRTC
If you use Google Chrome, or most Chromium-based browsers such as Opera or Vivaldi: load chrome://webrtc-internals/ in the browser's address bar to list all WebRTC connections.
The site that tried to establish the WebRTC connection is listed at the top (in this case https://ip.voidsec.com/.
Mozilla Firefox users need to load about:webrtc in the browser's address bar to display WebRTC connections.
Firefox lists the site address under Session Statistics.
The fact that a WebRTC connection is listed by the browser does not necessarily mean that the IP address of the device was leaked.
If you have configured the browser to block WebRTC leaks, or if the software that your VPN provider uses blocks WebRTC IP leaks automatically, then it won't have been leaked.
You may use the internal pages to find out if sites use or abuse WebRTC. While you'd expect WebRTC use on sites that offer communication services and apps, you may be hard pressed finding a reason why a news site might want to do the same.
Closing words
If you ask me, I'd argue that browsers should never implement features that may leak data such as the IP address without asking users for permission first.
I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).
Now You: Have you disabled WebRTC or blocked it from accessing local IP addresses?
Functionality as this should always come in the form of an extension and never built into the browser code.
web standards should be a browser extension? oO
Given the problems with the HTML5 standard, that’s not actually an entirely unreasonable position, in my opinion, but I understand why it’s not going to happen.
Dear Soren… we’re sorry to inform you that goofy-looking dots displayed atop the letter “o” are non-standard here. Therefore, you must change your given name else the typesetter will not be able to print your bank cheques.
You mean I have to install an extension to see the ö ? Fuck!
> WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction
> Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.
> I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).
There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC. You should make this clear. Your article gives a completely different impression because you says that there are never permission prompts and at the same time you talk about voice and video chat. Both is not possible at all with WebRTC and without asking the user for permission…
@Sören Hentzschel,
“There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC.”
The point is a website may collect a user’s IP by establishing a WebRTC connection without the aim of using a webcam or microphone : they can trigger the tool without using it for anything else than IP collection.
I agree with Martin’s article, when privacy is concerned, be it related to a “Web standard” (itself arguable in the pros and cons and not to be considered a fantastic deployment of progress simply because it’s been adopted as a standard) then the user should be informed. I also often feel sorry that those are skilled often behave as if standards are progress and that side effects are negligible given the advantages and given the fact they know how to limit those cons’ disadvantages. There is undoubtedly an ego problem nowadays, on the Web as elsewhere, combining show-off and a certain haughtiness for the ignorant.
Completely agree with your assessment Martin.
I have webrtc disabled in my FF based browsers and in Vivaldi. And I’m thankful that uBlock Origin has the option to disable it as well.
imgur.com/sd36uzA
Disabled. On both FireFox and Chromium. Unfortunately, if my understanding is correct, soon Chromium won’t be able to compile without WebRTC. I’ll have to resort to uBlockOrigin blocking it – I like that features I don’t like to not exist, rather than blocking them.
I noticed comments vanishig lately. Is it a bug? Initially I thought it’s spam, but now mine’s gone too :(
As soon as I posted this, all comments show up o.O This has to be a bug.
YES!!! (BIG SORRY IN ADVANCE TO CAPITALIZE, BUT I WANT TO DRAW ATTENTION TO THIS)
MARTIN — YOUR COMMENTING SYSTEM IS DOING STRANGE THINGS!!!
WOULD BE MOST GRATEFUL IF YOU COULD BRING IT UP TO 2018.
……..but………….: thanks for the amazing articles, and all that you give to this community.
Sophie, apologies for that. I try to figure out why it is not doing what it should be doing ;)
@Sophie! I’ve never seen you (read you!) like this before! Wow!
Zen, bees and birds, the whisper of the wind in the spring leaves … :=)
haha!! @Tom – Zen man……Zen, and peace to all the world!!
No, I really hate capitals. A gentle soul you could say. But Yuliya is right…there does seem to be an odd thing with comments quite often.
But I did try and balance with a nice note at the end?
Nice to read you Tom. Spring is indeed coming, but a little late here in the UK. Bit of a worry for the butterflies, but all will be well, I’m sure.
@Sophie,
> “But I did try and balance with a nice note at the end?”
You did! I was only taking my revenge on the day it was me who was irritated and you who balanced my nervous system to a better level! As always problems arise when two (or all) are angry/irritated (how do we get out of that!) but otherwise the calmer calm the less calm :=)
There’s an add-on for Firefox:
https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc
Once installed, you can click the toolbar icon to toggle enable/disable WebRTC.
You can use Mullvad’s site to check if it’s working:
https://am.i.mullvad.net
WebRC disabled, of course.
As always I salute Martin’s commitment to take into consideration all users and not only the savviest.
Well everyone is disabling a “web standard”,Not a standard everyone needs or wants then.No democracy as far as standards are concerned and from what i gather what google says goes so to speak.
“Have you disabled WebRTC or blocked it from accessing local IP addresses?”
I keep it disabled — it is of no use to me and weakens security. I don’t block such traffic on my LAN, though.
The Privacy Badger extension in Firefox also has an option to block WebRTC. However, I’m using an older version of Firefox so I don’t know if that extension survived the upgrades.
Latest Privacy Badger running under latest Chrome x64 beta says “WebRTC can leak your local IP address. Privacy Badger’s default setting helps protect you, but for added protection you may enable this option. Note that doing so may degrade performance on some tools like Google Hangouts.” I do have enabled in Privacy Badger and in uBlock with no known problems for me.
Hmm,
usually uBlock Origin has a feature to disable WebRTC leak local IP inbuild.
Greets,InGSoC.
Maybe is it pertinent to remind that if Firefox’s about:config ‘media.peerconnection.enabled’ set to false disables WebRTC, on the other hand uBlockOrigin’s WebRTC option doesn’t disable WebRTC but only “prevents it from leaking” [https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address]
Aye, but isn’t that enough to protect?
I mean, take a look at Googles Encrypted Searchpage,…. every Time i search for something, there is to see at thee Bottom: Your IP is, Blah,blah,blah, so i decided to change Local IP in my Router for random change, even that does NOT protect me to be seen in the WWW.
I NO use Proxys, cos of slowing down Webexperience, but i have an Adddon on Chromium
based Browsers to hide Location:Policy Control, which isn’t available for FF, yes there are 2
Addons, named the same way.
Hmm, u know the Idea of: Never wakeup sleeping Dogs?
I guess, thee WWW is nothing u can really hide from, u leave spots everywhere u go, so?
Okay, have a nice Easter, Greets, InGSoC. :)
Thanks for this. I had no idea.
Hi Martin,
Thanks for this. can you advise if there are any privacy/tracking problems associated with bookmarks?
For instance when i export bookmarks they have a date added and a long line referring to an icon that looks pretty individual? The line for your site from an expoted bookmarks file is below.
Thanks
Kevin
gHacks Technology News
Speaking generally about computer security principles, it’s never a good idea to keep all your eggs in one basket. If you are very concerned about security, you should not manage your bookmarks (or passwords, or any data that isn’t strictly necessary) in your browser. When you pile a bunch of data in one place — such as a browser — then all that is necessary for an attacker to get that data is subvert that one thing.
“long line referring to an icon”
it’s not “referring to”, that long line actually contains the pixel data used to recreate the favicon associated with the bookmark. The intent is to avoid the browser re-downloading icondata each time the bookmarks panel is opened for display.
setting
browser.chrome.site_icons=false
may avoid storing the raw pixel data along with each bookmark item.
Well thank Gawd then that uBlock exists. As long it hides the IP in any browser for WebRTC, it’s safe. Right, Martin?
Yes, uBlock can block WebRTC. You may want to run a test on a browser leak site to make sure that nothing is leaked, though.
WebRTC? Palemoon never had it.
That’s why it is dishonest to state that Pale Moon is totally bad. Just joking :=) Indeed Pale Moon does offer, in terms of privacy (and hardly in any other than those) perhaps the best privacy available on a browser nowadays.
Disable it with addon “Disable WebRTC” in Waterfox (+ Privacy Badger as mentioned by Jern)
More and more these ‘standards’ are just starting to be agreed upon methods for hiding user data being handed over to servers in the most hidden way possible. Especially as we are coming to see problems arise from people placing too much info on their computers, improperly securing it, and then using browsers that are working to export data everywhere possible.
seems like the only valid way to operate now is to keep everything disabled and enable things on a ‘need to know’ basis only. Im even segregating sensitive data to specially quarantined devices.
Yes, this is the source of most of the objections I have about HTML5 — so many of them are steps backwards in terms of privacy and security, and since they’re part of the standard, the effect is that HTML5 opens up holes in all standards-compliant browsers.
This is why I don’t consider “HTML5 compliant” to be a positive characteristic for any browser. HTML5 is, in my opinion, potentially disastrous.
I don’t really understand the webrtc leak.
In order to leak the real IP to a site, the browser must have access to it in the first place.
Shouldn’t a system wide VPN prevent this? Can any app/program access your IP address even if you are using a VPN?
Critical VPN Security Flaw Leaks Customer IP Addresses:
https://www.extremetech.com/internet/266671-critical-vpn-security-flaw-leaks-customer-ip-addresses?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ziffdavis%2Fextremetech+%28Extremetech%29
This is the site you can use to test if your VPN leaks your IP address:
https://ip.voidsec.com/
What is WebRTC and how to disable it:
https://thesafety.us/what-is-webrtc
Thanks, I didn’t even know about WebRTC.
Very informative site there: https://voidsec.com/vpn-leak/
You’ll even learn that Windscribe Addons ( =-O ) are leaking your IP…
That site’s a mess, Master of the Obvious stuff combined with Native Advertising. The so called leaks were submitted mostly by others. Why, I don’t know because it’s simple to check for IP leaks.
Windscribe doesn’t have add ons. They do have a free browser add on version of the VPN as do many other companies. It’s a really poor way to implement a VPN.
What’s so special about windscribe that it alone deserves mention?
Windscribe is “not” leaking here, but then webrtc is disabled in about:config. Another interesting site https://browserleaks.com/ has additional info at the bottom of most their tests.
Boom: Master of the Obvious, like in “Windscribe doesn’t have add ons. They do have a free browser add on…”
Boom’s opinion: “It’s a really poor way to implement a VPN.”
Definition of Boom by Merriam-Webster: to make a deep hollow sound;
I use the media.peerconnection option in about:config.
To test leaks: https://whoer.net/#extended (listed under Scripts)
Whoer is a good indicator indeed.
TelIV, when you write that you use the “media.peerconnection” I assume you mean that you’ve set media.peerconnection.enabled to true.
Also, what then woth Whoer, does it show WebRTC disabled? If so, are you running uBlock Origin with ‘Prevent WebRTC from leaking local IP addresses’ checked?
@ Tom Hawack,
Got the email, but can’t find your post.
Anyway, to your Q’s:
media.peerconnection.enabled is set to false.
whoer.net/#extended lists WebRTC under the heading “Scripts”.
@ TelV
Got the email, but can’t find your post as well :=)
I read you’ve set media.peerconnection.enabled to false and I acknowledge Whoer / WebRTC / Scripts which I know : I was wondering if Whoer stated WebRTC oas enabled or disabled on your system. Given you’ve set media.peerconnection.enabled to false, no doubt Whoer states your WebRTC as disabled. OK
whoer.net/#extended lists WebRTC under the heading “Scripts”.
Hi Martin,
I’m in Thailand at the moment and have just installed Waterfox on my ex-GF’s notebook which she alows me to use when I’m over here. I subsequently set media.peerconnection.enabled to false in prefs, but when I check on both whoer.net and browserleaks.com, both show WebRTC as enabled.
I’m using my smartphone as a Wifi hotspot (hotel Wifi is a bit suspect), but would that have anything to do with prefs setting failing to work?
Browserleaks.com suggests setting media.navigator.enabled to false as well, but it doesn’t make any difference.