How to check if sites use WebRTC

Martin Brinkmann
Mar 29, 2018
Updated • Mar 29, 2018

WebRTC is one of those new technologies that is pretty useful on the one hand and a privacy nightmare on the other, as it can be abused.

WebRTC (the RTC stands for Real-Time Communications) is a set of APIs that all major web browsers support. Its primary use is to integrate better communication capabilities into the browser, which websites and services may use for voice and video chat and other forms of communication.

WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction.

One of the issues with WebRTC from a privacy point of view is that browsers may leak the "real" IP address of the device to websites. Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.

Users who connect to a VPN, SOCKS proxy or Tor may have the IP address of their device leaked automatically because of this, which is a huge privacy issue that is ignored for the most part by browser makers.

Only a few browsers include options to block WebRTC IP leaks. Vivaldi has an option under Settings > Privacy to disable the broadcasting of the device's IP address, and Firefox users may even disable WebRTC entirely by setting media.peerconnection.enabled to false on about:config.

Add-ons like uBlock Origin, WebRTC Leak Prevent for Chrome, or Opera.

Privacy conscious Internet users know that WebRTC may leak the IP address of the device, but the bulk of users don't.

Check if sites use WebRTC

If you use Google Chrome, or most Chromium-based browsers such as Opera or Vivaldi: load chrome://webrtc-internals/ in the browser's address bar to list all WebRTC connections.


The site that tried to establish the WebRTC connection is listed at the top (in this case https://ip.voidsec.com/).

Mozilla Firefox users need to load about:webrtc in the browser's address bar to display WebRTC connections.

 


Firefox lists the site address under Session Statistics.

The fact that a WebRTC connection is listed by the browser does not necessarily mean that the IP address of the device was leaked.

If you have configured the browser to block WebRTC leaks, or if the software that your VPN provider uses blocks WebRTC IP leaks automatically, then it won't have been leaked.

You may use the internal pages to find out if sites use or abuse WebRTC. While you'd expect WebRTC use on sites that offer communication services and apps, you may be hard pressed to find a reason why a news site might want to do the same.
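To tell a listed connection from an actual address exposure, the ICE candidate lines recorded for that connection can be classified by the kind of address they carry. The following is an added example, not part of the original article, and it goes slightly beyond the text by covering all candidate types: it assumes candidate lines copied from the browser's internal WebRTC page, and the sample lines, function names and the `expectedPublicIp` parameter are constructed for illustration.

```javascript
// Added example. Candidate lines are constructed (documentation/private ranges).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e0a-9c55-0d1e2f3a4b5c.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 198.51.100.7 54323 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:5 1 udp 41885439 192.0.2.10 3478 typ relay raddr 0.0.0.0 rport 0",
];

// Parse one ICE candidate attribute (RFC 8839 grammar); null if it does not match.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+))?/i
    .exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4].toLowerCase(), related: m[5] || null };
}

// Classify the address field of a candidate.
function addressKind(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns";                 // host address hidden behind an mDNS name
  if (a.includes(":")) {                                    // IPv6
    if (a === "::") return "unspecified";
    if (a === "::1") return "loopback";
    if (/^fe[89ab][0-9a-f]:/.test(a)) return "link-local"; // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return "private";    // fc00::/7
    return "public";
  }
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(a)) return "unknown";
  const o = a.split(".").map(Number);
  if (o.some((n) => n > 255)) return "unknown";
  if (o.every((n) => n === 0)) return "unspecified";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
      (o[0] === 192 && o[1] === 168)) return "private";
  return "public";
}

// Device addresses these candidates reveal, other than expectedPublicIp
// (the address the site should see anyway, e.g. the VPN exit address).
function exposedAddresses(lines, expectedPublicIp) {
  const found = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    // A relay candidate's own address belongs to the TURN server, not the device.
    const addrs = c.type === "relay" ? [c.related] : [c.address, c.related];
    for (const addr of addrs) {
      if (!addr || addr === expectedPublicIp || found.has(addr)) continue;
      const kind = addressKind(addr);
      if (["private", "public", "link-local"].includes(kind)) {
        found.set(addr, { address: addr, kind, via: c.type });
      }
    }
  }
  return [...found.values()];
}
```

An empty result from `exposedAddresses(lines, vpnExitIp)` means the candidates carried only mDNS names, relay addresses or the expected exit address; any other entry is an address the remote site could read.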

Closing words

If you ask me, I'd argue that browsers should never implement features that may leak data such as the IP address without asking users for permission first.

I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).

Now You: Have you disabled WebRTC or blocked it from accessing local IP addresses?

Publisher: Ghacks Technology News

Comments

  1. TelV said on June 10, 2018 at 3:11 pm

    Hi Martin,

    I’m in Thailand at the moment and have just installed Waterfox on my ex-GF’s notebook which she allows me to use when I’m over here. I subsequently set media.peerconnection.enabled to false in prefs, but when I check on both whoer.net and browserleaks.com, both show WebRTC as enabled.

    I’m using my smartphone as a Wifi hotspot (hotel Wifi is a bit suspect), but would that have anything to do with prefs setting failing to work?

    Browserleaks.com suggests setting media.navigator.enabled to false as well, but it doesn’t make any difference.

  2. Tom Hawack said on April 1, 2018 at 12:55 pm

    @ TelV
    Got the email, but can’t find your post as well :=)

    I read you’ve set media.peerconnection.enabled to false and I acknowledge Whoer / WebRTC / Scripts which I know : I was wondering if Whoer stated WebRTC as enabled or disabled on your system. Given you’ve set media.peerconnection.enabled to false, no doubt Whoer states your WebRTC as disabled. OK

    whoer.net/#extended lists WebRTC under the heading “Scripts”.

  3. TelV said on April 1, 2018 at 12:30 pm

    @ Tom Hawack,

    Got the email, but can’t find your post.

    Anyway, to your Q’s:

    media.peerconnection.enabled is set to false.

    whoer.net/#extended lists WebRTC under the heading “Scripts”.

  4. TelV said on April 1, 2018 at 12:12 pm

    I use the media.peerconnection option in about:config.

    To test leaks: https://whoer.net/#extended (listed under Scripts)

    1. Tom Hawack said on April 1, 2018 at 12:23 pm

      Whoer is a good indicator indeed.

      TelV, when you write that you use the “media.peerconnection” I assume you mean that you’ve set media.peerconnection.enabled to true.

      Also, what then with Whoer, does it show WebRTC disabled? If so, are you running uBlock Origin with ‘Prevent WebRTC from leaking local IP addresses’ checked?

  5. X said on March 31, 2018 at 7:05 pm

    Boom: Master of the Obvious, like in “Windscribe doesn’t have add ons. They do have a free browser add on…”

    Boom’s opinion: “It’s a really poor way to implement a VPN.”

    Definition of Boom by Merriam-Webster: to make a deep hollow sound;

  6. X said on March 30, 2018 at 6:52 pm

    Very informative site there: https://voidsec.com/vpn-leak/

    You’ll even learn that Windscribe Addons ( =-O ) are leaking your IP…

    1. leanon said on April 1, 2018 at 11:26 pm

      Windscribe is “not” leaking here, but then webrtc is disabled in about:config. Another interesting site https://browserleaks.com/ has additional info at the bottom of most of their tests.

    2. ULBoom said on March 31, 2018 at 4:08 am

      That site’s a mess, Master of the Obvious stuff combined with Native Advertising. The so called leaks were submitted mostly by others. Why, I don’t know because it’s simple to check for IP leaks.

      Windscribe doesn’t have add ons. They do have a free browser add on version of the VPN as do many other companies. It’s a really poor way to implement a VPN.

      What’s so special about windscribe that it alone deserves mention?

  7. Jozsef said on March 30, 2018 at 5:10 am

    Thanks, I didn’t even know about WebRTC.

  8. 1 said on March 29, 2018 at 11:40 pm

    I don’t really understand the webrtc leak.
    In order to leak the real IP to a site, the browser must have access to it in the first place.
    Shouldn’t a system wide VPN prevent this? Can any app/program access your IP address even if you are using a VPN?

    1. Torrent Duck said on March 30, 2018 at 1:11 pm
  9. daveb said on March 29, 2018 at 9:41 pm

    More and more these ‘standards’ are just starting to be agreed upon methods for hiding user data being handed over to servers in the most hidden way possible. Especially as we are coming to see problems arise from people placing too much info on their computers, improperly securing it, and then using browsers that are working to export data everywhere possible.

    Seems like the only valid way to operate now is to keep everything disabled and enable things on a ‘need to know’ basis only. I’m even segregating sensitive data to specially quarantined devices.

    1. John Fenderson said on March 30, 2018 at 12:34 am

      Yes, this is the source of most of the objections I have about HTML5 — so many of them are steps backwards in terms of privacy and security, and since they’re part of the standard, the effect is that HTML5 opens up holes in all standards-compliant browsers.

      This is why I don’t consider “HTML5 compliant” to be a positive characteristic for any browser. HTML5 is, in my opinion, potentially disastrous.

  10. Belga said on March 29, 2018 at 7:33 pm

    Disable it with addon “Disable WebRTC” in Waterfox (+ Privacy Badger as mentioned by Jern)

  11. P said on March 29, 2018 at 6:55 pm

    WebRTC? Palemoon never had it.

    1. Tom Hawack said on March 29, 2018 at 7:21 pm

      That’s why it is dishonest to state that Pale Moon is totally bad. Just joking :=) Indeed Pale Moon does offer, in terms of privacy (and hardly in any other than those) perhaps the best privacy available on a browser nowadays.

  12. Jeff said on March 29, 2018 at 5:33 pm

    Well thank Gawd then that uBlock exists. As long as it hides the IP in any browser for WebRTC, it’s safe. Right, Martin?

    1. Martin Brinkmann said on March 29, 2018 at 6:28 pm

      Yes, uBlock can block WebRTC. You may want to run a test on a browser leak site to make sure that nothing is leaked, though.

  13. Kevin Baker said on March 29, 2018 at 5:02 pm

    Hi Martin,
    Thanks for this. Can you advise if there are any privacy/tracking problems associated with bookmarks?
    For instance when I export bookmarks they have a date added and a long line referring to an icon that looks pretty individual? The line for your site from an exported bookmarks file is below.
    Thanks
    Kevin

    gHacks Technology News

    1. ams said on March 29, 2018 at 9:04 pm

      “long line referring to an icon”

      it’s not “referring to”, that long line actually contains the pixel data used to recreate the favicon associated with the bookmark. The intent is to avoid the browser re-downloading icondata each time the bookmarks panel is opened for display.

      setting
      browser.chrome.site_icons=false
      may avoid storing the raw pixel data along with each bookmark item.

    2. John Fenderson said on March 29, 2018 at 5:23 pm

      Speaking generally about computer security principles, it’s never a good idea to keep all your eggs in one basket. If you are very concerned about security, you should not manage your bookmarks (or passwords, or any data that isn’t strictly necessary) in your browser. When you pile a bunch of data in one place — such as a browser — then all that is necessary for an attacker to get that data is subvert that one thing.

  14. Tom Hawack said on March 29, 2018 at 4:12 pm

    Maybe is it pertinent to remind that if Firefox’s about:config ‘media.peerconnection.enabled’ set to false disables WebRTC, on the other hand uBlockOrigin’s WebRTC option doesn’t disable WebRTC but only “prevents it from leaking” [https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address]

    1. exrelayman said on March 30, 2018 at 2:14 am

      Thanks for this. I had no idea.

    2. InGSoC said on March 29, 2018 at 6:33 pm

      Aye, but isn’t that enough to protect?

      I mean, take a look at Googles Encrypted Searchpage,…. every Time i search for something, there is to see at thee Bottom: Your IP is, Blah,blah,blah, so i decided to change Local IP in my Router for random change, even that does NOT protect me to be seen in the WWW.

      I NO use Proxys, cos of slowing down Webexperience, but i have an Addon on Chromium based Browsers to hide Location:Policy Control, which isn’t available for FF, yes there are 2 Addons, named the same way.

      Hmm, u know the Idea of: Never wakeup sleeping Dogs?

      I guess, thee WWW is nothing u can really hide from, u leave spots everywhere u go, so?

      Okay, have a nice Easter, Greets, InGSoC. :)

  15. InGSoC said on March 29, 2018 at 4:04 pm

    Hmm,

    usually uBlock Origin has a feature to disable WebRTC leak local IP inbuild.

    Greets,InGSoC.

  16. jern said on March 29, 2018 at 4:03 pm

    The Privacy Badger extension in Firefox also has an option to block WebRTC. However, I’m using an older version of Firefox so I don’t know if that extension survived the upgrades.

    1. chesscanoe said on March 30, 2018 at 1:29 am

      Latest Privacy Badger running under latest Chrome x64 beta says “WebRTC can leak your local IP address. Privacy Badger’s default setting helps protect you, but for added protection you may enable this option. Note that doing so may degrade performance on some tools like Google Hangouts.” I do have enabled in Privacy Badger and in uBlock with no known problems for me.

  17. John Fenderson said on March 29, 2018 at 3:56 pm

    “Have you disabled WebRTC or blocked it from accessing local IP addresses?”

    I keep it disabled — it is of no use to me and weakens security. I don’t block such traffic on my LAN, though.

  18. Kubrick said on March 29, 2018 at 3:50 pm

    Well everyone is disabling a “web standard”, not a standard everyone needs or wants then. No democracy as far as standards are concerned and from what I gather what Google says goes so to speak.

  19. Tom Hawack said on March 29, 2018 at 1:50 pm

    WebRTC disabled, of course.
    As always I salute Martin’s commitment to take into consideration all users and not only the savviest.

  20. Scott said on March 29, 2018 at 1:19 pm

    There’s an add-on for Firefox:
    https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc

    Once installed, you can click the toolbar icon to toggle enable/disable WebRTC.

    You can use Mullvad’s site to check if it’s working:
    https://am.i.mullvad.net

  21. Yuliya said on March 29, 2018 at 1:08 pm

    I noticed comments vanishing lately. Is it a bug? Initially I thought it’s spam, but now mine’s gone too :(

    1. Sophie said on March 29, 2018 at 1:52 pm

      YES!!! (BIG SORRY IN ADVANCE TO CAPITALIZE, BUT I WANT TO DRAW ATTENTION TO THIS)

      MARTIN — YOUR COMMENTING SYSTEM IS DOING STRANGE THINGS!!!

      WOULD BE MOST GRATEFUL IF YOU COULD BRING IT UP TO 2018.

      ……..but………….: thanks for the amazing articles, and all that you give to this community.

      1. Tom Hawack said on March 29, 2018 at 1:58 pm

        @Sophie! I’ve never seen you (read you!) like this before! Wow!
        Zen, bees and birds, the whisper of the wind in the spring leaves … :=)

      2. Sophie said on March 29, 2018 at 2:22 pm

        haha!! @Tom – Zen man……Zen, and peace to all the world!!

        No, I really hate capitals. A gentle soul you could say. But Yuliya is right…there does seem to be an odd thing with comments quite often.

        But I did try and balance with a nice note at the end?

        Nice to read you Tom. Spring is indeed coming, but a little late here in the UK. Bit of a worry for the butterflies, but all will be well, I’m sure.

      3. Tom Hawack said on March 29, 2018 at 7:13 pm

        @Sophie,
        > “But I did try and balance with a nice note at the end?”

        You did! I was only taking my revenge on the day it was me who was irritated and you who balanced my nervous system to a better level! As always problems arise when two (or all) are angry/irritated (how do we get out of that!) but otherwise the calmer calm the less calm :=)

      4. Martin Brinkmann said on March 29, 2018 at 1:55 pm

        Sophie, apologies for that. I try to figure out why it is not doing what it should be doing ;)

    2. Yuliya said on March 29, 2018 at 1:09 pm

      As soon as I posted this, all comments show up o.O This has to be a bug.

  22. Yuliya said on March 29, 2018 at 12:56 pm

    imgur.com/sd36uzA
    Disabled. On both FireFox and Chromium. Unfortunately, if my understanding is correct, soon Chromium won’t be able to compile without WebRTC. I’ll have to resort to uBlockOrigin blocking it – I like that features I don’t like to not exist, rather than blocking them.

  23. Richard Allen said on March 29, 2018 at 12:55 pm

    Completely agree with your assessment Martin.

    I have webrtc disabled in my FF based browsers and in Vivaldi. And I’m thankful that uBlock Origin has the option to disable it as well.

  24. Sören Hentzschel said on March 29, 2018 at 12:18 pm

    > WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction

    > Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.

    > I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).

    There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC. You should make this clear. Your article gives a completely different impression because you say that there are never permission prompts and at the same time you talk about voice and video chat. Both are not possible at all with WebRTC and without asking the user for permission…

    1. Tom Hawack said on March 29, 2018 at 1:47 pm

      @Sören Hentzschel,
      “There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC.”

      The point is a website may collect a user’s IP by establishing a WebRTC connection without the aim of using a webcam or microphone : they can trigger the tool without using it for anything else than IP collection.

      I agree with Martin’s article, when privacy is concerned, be it related to a “Web standard” (itself arguable in the pros and cons and not to be considered a fantastic deployment of progress simply because it’s been adopted as a standard) then the user should be informed. I also often feel sorry that those who are skilled often behave as if standards are progress and that side effects are negligible given the advantages and given the fact they know how to limit those cons’ disadvantages. There is undoubtedly an ego problem nowadays, on the Web as elsewhere, combining show-off and a certain haughtiness for the ignorant.

  25. Kubrick said on March 29, 2018 at 11:53 am

    Functionality as this should always come in the form of an extension and never built into the browser code.

    1. Sören Hentzschel said on March 29, 2018 at 12:20 pm

      web standards should be a browser extension? oO

      1. ams said on March 29, 2018 at 9:17 pm

        Dear Soren… we’re sorry to inform you that goofy-looking dots displayed atop the letter “o” are non-standard here. Therefore, you must change your given name else the typesetter will not be able to print your bank cheques.

      2. sma said on March 30, 2018 at 6:10 pm

        You mean I have to install an extension to see the ö ? Fuck!

      3. John Fenderson said on March 29, 2018 at 3:01 pm

        Given the problems with the HTML5 standard, that’s not actually an entirely unreasonable position, in my opinion, but I understand why it’s not going to happen.
