How to check if sites use WebRTC - gHacks Tech News

How to check if sites use WebRTC

WebRTC is one of these new technologies that is on the one hand pretty useful and on the other a privacy nightmare as it can be abused.

WebRTC, the RTC stands for Real-Time Communications, is a set of APIs that all major web browsers support. Its primary use is to integrate better communications capabilities in the browser that websites and services may utilize for voice and video chat, and other communication forms.

WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction.

One of the issues with WebRTC from a privacy point of view is that browsers may leak the "real" IP address of the device to websites. Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.

Users who connect to a VPN, Socks proxy or Tor, may have the IP of their device leaked automatically because of this which is a huge privacy issue that is ignored for the most part by browser makers.

Only a few browsers include options to block WebRTC IP leaks. Vivaldi has an option under Settings > Privacy to disable the broadcasting of the device's IP address, and Firefox users may disable WebRTC entirely even by setting media.peerconnection.enabled to false on about:config.

Add-ons like uBlock Origin, WebRTC Leak PRevent for Chrome, or Opera.

Privacy conscious Internet users know that WebRTC may leak the IP address of the device, but the bulk of users don't.

Check if sites use WebRTC

If you use Google Chrome, or most Chromium-based browsers such as Opera or Vivaldi: load chrome://webrtc-internals/ in the browser's address bar to list all WebRTC connections.

webrtc connections

The site that tried to establish the WebRTC connection is listed at the top (in this case https://ip.voidsec.com/.

Mozilla Firefox users need to load about:webrtc in the browser's address bar to display WebRTC connections.

 

firefox webrtc internals

Firefox lists the site address under Session Statistics.

The fact that a WebRTC connection is listed by the browser does not necessarily mean that the IP address of the device was leaked.

If you have configured the browser to block WebRTC leaks, or if the software that your VPN provider uses blocks WebRTC IP leaks automatically, then it won't have been leaked.

You may use the internal pages to find out if sites use or abuse WebRTC. While you'd expect WebRTC use on sites that offer communication services and apps, you may be hard pressed finding a reason why a news site might want to do the same.

Closing words

If you ask me, I'd argue that browsers should never implement features that may leak data such as the IP address without asking users for permission first.

I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).

Now You: Have you disabled WebRTC or blocked it from accessing local IP addresses?

Summary
How to check if sites use WebRTC
Article Name
How to check if sites use WebRTC
Description
WebRTC is one of these new technologies that is on the one hand pretty useful and on the other a privacy nightmare as it can be abused.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Kubrick said on March 29, 2018 at 11:53 am
      Reply

      Functionality as this should always come in the form of an extension and never built into the browser code.

      1. Sören Hentzschel said on March 29, 2018 at 12:20 pm
        Reply

        web standards should be a browser extension? oO

        1. John Fenderson said on March 29, 2018 at 3:01 pm
          Reply

          Given the problems with the HTML5 standard, that’s not actually an entirely unreasonable position, in my opinion, but I understand why it’s not going to happen.

        2. ams said on March 29, 2018 at 9:17 pm
          Reply

          Dear Soren… we’re sorry to inform you that goofy-looking dots displayed atop the letter “o” are non-standard here. Therefore, you must change your given name else the typesetter will not be able to print your bank cheques.

        3. sma said on March 30, 2018 at 6:10 pm
          Reply

          You mean I have to install an extension to see the ö ? Fuck!

    2. Sören Hentzschel said on March 29, 2018 at 12:18 pm
      Reply

      > WebRTC is enabled by default in Firefox, Chrome and other browsers, and websites and services may use it without user interaction

      > Since there are no WebRTC permission prompts, sites may do so without users even knowing about it.

      > I hold some browser makers, Mozilla for instance, to a higher standard than others when it comes to privacy, and I find it puzzling that Firefox does not display permission prompts before WebRTC connections are established (or at least include an option to enable this).

      There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC. You should make this clear. Your article gives a completely different impression because you says that there are never permission prompts and at the same time you talk about voice and video chat. Both is not possible at all with WebRTC and without asking the user for permission…

      1. Tom Hawack said on March 29, 2018 at 1:47 pm
        Reply

        @Sören Hentzschel,
        “There are *always* permission prompts when a website wants access to your microphone or webcam via WebRTC.”

        The point is a website may collect a user’s IP by establishing a WebRTC connection without the aim of using a webcam or microphone : they can trigger the tool without using it for anything else than IP collection.

        I agree with Martin’s article, when privacy is concerned, be it related to a “Web standard” (itself arguable in the pros and cons and not to be considered a fantastic deployment of progress simply because it’s been adopted as a standard) then the user should be informed. I also often feel sorry that those are skilled often behave as if standards are progress and that side effects are negligible given the advantages and given the fact they know how to limit those cons’ disadvantages. There is undoubtedly an ego problem nowadays, on the Web as elsewhere, combining show-off and a certain haughtiness for the ignorant.

    3. Richard Allen said on March 29, 2018 at 12:55 pm
      Reply

      Completely agree with your assessment Martin.

      I have webrtc disabled in my FF based browsers and in Vivaldi. And I’m thankful that uBlock Origin has the option to disable it as well.

    4. Yuliya said on March 29, 2018 at 12:56 pm
      Reply

      imgur.com/sd36uzA
      Disabled. On both FireFox and Chromium. Unfortunately, if my understanding is correct, soon Chromium won’t be able to compile without WebRTC. I’ll have to resort to uBlockOrigin blocking it – I like that features I don’t like to not exist, rather than blocking them.

    5. Yuliya said on March 29, 2018 at 1:08 pm
      Reply

      I noticed comments vanishig lately. Is it a bug? Initially I thought it’s spam, but now mine’s gone too :(

      1. Yuliya said on March 29, 2018 at 1:09 pm
        Reply

        As soon as I posted this, all comments show up o.O This has to be a bug.

      2. Sophie said on March 29, 2018 at 1:52 pm
        Reply

        YES!!! (BIG SORRY IN ADVANCE TO CAPITALIZE, BUT I WANT TO DRAW ATTENTION TO THIS)

        MARTIN — YOUR COMMENTING SYSTEM IS DOING STRANGE THINGS!!!

        WOULD BE MOST GRATEFUL IF YOU COULD BRING IT UP TO 2018.

        ……..but………….: thanks for the amazing articles, and all that you give to this community.

        1. Martin Brinkmann said on March 29, 2018 at 1:55 pm
          Reply

          Sophie, apologies for that. I try to figure out why it is not doing what it should be doing ;)

        2. Tom Hawack said on March 29, 2018 at 1:58 pm
          Reply

          @Sophie! I’ve never seen you (read you!) like this before! Wow!
          Zen, bees and birds, the whisper of the wind in the spring leaves … :=)

        3. Sophie said on March 29, 2018 at 2:22 pm
          Reply

          haha!! @Tom – Zen man……Zen, and peace to all the world!!

          No, I really hate capitals. A gentle soul you could say. But Yuliya is right…there does seem to be an odd thing with comments quite often.

          But I did try and balance with a nice note at the end?

          Nice to read you Tom. Spring is indeed coming, but a little late here in the UK. Bit of a worry for the butterflies, but all will be well, I’m sure.

        4. Tom Hawack said on March 29, 2018 at 7:13 pm
          Reply

          @Sophie,
          > “But I did try and balance with a nice note at the end?”

          You did! I was only taking my revenge on the day it was me who was irritated and you who balanced my nervous system to a better level! As always problems arise when two (or all) are angry/irritated (how do we get out of that!) but otherwise the calmer calm the less calm :=)

    6. Scott said on March 29, 2018 at 1:19 pm
      Reply

      There’s an add-on for Firefox:
      https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc

      Once installed, you can click the toolbar icon to toggle enable/disable WebRTC.

      You can use Mullvad’s site to check if it’s working:
      https://am.i.mullvad.net

    7. Tom Hawack said on March 29, 2018 at 1:50 pm
      Reply

      WebRC disabled, of course.
      As always I salute Martin’s commitment to take into consideration all users and not only the savviest.

    8. Kubrick said on March 29, 2018 at 3:50 pm
      Reply

      Well everyone is disabling a “web standard”,Not a standard everyone needs or wants then.No democracy as far as standards are concerned and from what i gather what google says goes so to speak.

    9. John Fenderson said on March 29, 2018 at 3:56 pm
      Reply

      “Have you disabled WebRTC or blocked it from accessing local IP addresses?”

      I keep it disabled — it is of no use to me and weakens security. I don’t block such traffic on my LAN, though.

    10. jern said on March 29, 2018 at 4:03 pm
      Reply

      The Privacy Badger extension in Firefox also has an option to block WebRTC. However, I’m using an older version of Firefox so I don’t know if that extension survived the upgrades.

      1. chesscanoe said on March 30, 2018 at 1:29 am
        Reply

        Latest Privacy Badger running under latest Chrome x64 beta says “WebRTC can leak your local IP address. Privacy Badger’s default setting helps protect you, but for added protection you may enable this option. Note that doing so may degrade performance on some tools like Google Hangouts.” I do have enabled in Privacy Badger and in uBlock with no known problems for me.

    11. InGSoC said on March 29, 2018 at 4:04 pm
      Reply

      Hmm,

      usually uBlock Origin has a feature to disable WebRTC leak local IP inbuild.

      Greets,InGSoC.

    12. Tom Hawack said on March 29, 2018 at 4:12 pm
      Reply

      Maybe is it pertinent to remind that if Firefox’s about:config ‘media.peerconnection.enabled’ set to false disables WebRTC, on the other hand uBlockOrigin’s WebRTC option doesn’t disable WebRTC but only “prevents it from leaking” [https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address]

      1. InGSoC said on March 29, 2018 at 6:33 pm
        Reply

        Aye, but isn’t that enough to protect?

        I mean, take a look at Googles Encrypted Searchpage,…. every Time i search for something, there is to see at thee Bottom: Your IP is, Blah,blah,blah, so i decided to change Local IP in my Router for random change, even that does NOT protect me to be seen in the WWW.

        I NO use Proxys, cos of slowing down Webexperience, but i have an Adddon on Chromium
        based Browsers to hide Location:Policy Control, which isn’t available for FF, yes there are 2
        Addons, named the same way.

        Hmm, u know the Idea of: Never wakeup sleeping Dogs?

        I guess, thee WWW is nothing u can really hide from, u leave spots everywhere u go, so?

        Okay, have a nice Easter, Greets, InGSoC. :)

      2. exrelayman said on March 30, 2018 at 2:14 am
        Reply

        Thanks for this. I had no idea.

    13. Kevin Baker said on March 29, 2018 at 5:02 pm
      Reply

      Hi Martin,
      Thanks for this. can you advise if there are any privacy/tracking problems associated with bookmarks?
      For instance when i export bookmarks they have a date added and a long line referring to an icon that looks pretty individual? The line for your site from an expoted bookmarks file is below.
      Thanks
      Kevin

      gHacks Technology News

      1. John Fenderson said on March 29, 2018 at 5:23 pm
        Reply

        Speaking generally about computer security principles, it’s never a good idea to keep all your eggs in one basket. If you are very concerned about security, you should not manage your bookmarks (or passwords, or any data that isn’t strictly necessary) in your browser. When you pile a bunch of data in one place — such as a browser — then all that is necessary for an attacker to get that data is subvert that one thing.

      2. ams said on March 29, 2018 at 9:04 pm
        Reply

        “long line referring to an icon”

        it’s not “referring to”, that long line actually contains the pixel data used to recreate the favicon associated with the bookmark. The intent is to avoid the browser re-downloading icondata each time the bookmarks panel is opened for display.

        setting
        browser.chrome.site_icons=false
        may avoid storing the raw pixel data along with each bookmark item.

    14. Jeff said on March 29, 2018 at 5:33 pm
      Reply

      Well thank Gawd then that uBlock exists. As long it hides the IP in any browser for WebRTC, it’s safe. Right, Martin?

      1. Martin Brinkmann said on March 29, 2018 at 6:28 pm
        Reply

        Yes, uBlock can block WebRTC. You may want to run a test on a browser leak site to make sure that nothing is leaked, though.

    15. P said on March 29, 2018 at 6:55 pm
      Reply

      WebRTC? Palemoon never had it.

      1. Tom Hawack said on March 29, 2018 at 7:21 pm
        Reply

        That’s why it is dishonest to state that Pale Moon is totally bad. Just joking :=) Indeed Pale Moon does offer, in terms of privacy (and hardly in any other than those) perhaps the best privacy available on a browser nowadays.

    16. Belga said on March 29, 2018 at 7:33 pm
      Reply

      Disable it with addon “Disable WebRTC” in Waterfox (+ Privacy Badger as mentioned by Jern)

    17. daveb said on March 29, 2018 at 9:41 pm
      Reply

      More and more these ‘standards’ are just starting to be agreed upon methods for hiding user data being handed over to servers in the most hidden way possible. Especially as we are coming to see problems arise from people placing too much info on their computers, improperly securing it, and then using browsers that are working to export data everywhere possible.

      seems like the only valid way to operate now is to keep everything disabled and enable things on a ‘need to know’ basis only. Im even segregating sensitive data to specially quarantined devices.

      1. John Fenderson said on March 30, 2018 at 12:34 am
        Reply

        Yes, this is the source of most of the objections I have about HTML5 — so many of them are steps backwards in terms of privacy and security, and since they’re part of the standard, the effect is that HTML5 opens up holes in all standards-compliant browsers.

        This is why I don’t consider “HTML5 compliant” to be a positive characteristic for any browser. HTML5 is, in my opinion, potentially disastrous.

    18. 1 said on March 29, 2018 at 11:40 pm
      Reply

      I don’t really understand the webrtc leak.
      In order to leak the real IP to a site, the browser must have access to it in the first place.
      Shouldn’t a system wide VPN prevent this? Can any app/program access your IP address even if you are using a VPN?

      1. Torrent Duck said on March 30, 2018 at 1:11 pm
        Reply
    19. Jozsef said on March 30, 2018 at 5:10 am
      Reply

      Thanks, I didn’t even know about WebRTC.

    20. X said on March 30, 2018 at 6:52 pm
      Reply

      Very informative site there: https://voidsec.com/vpn-leak/

      You’ll even learn that Windscribe Addons ( =-O ) are leaking your IP…

      1. ULBoom said on March 31, 2018 at 4:08 am
        Reply

        That site’s a mess, Master of the Obvious stuff combined with Native Advertising. The so called leaks were submitted mostly by others. Why, I don’t know because it’s simple to check for IP leaks.

        Windscribe doesn’t have add ons. They do have a free browser add on version of the VPN as do many other companies. It’s a really poor way to implement a VPN.

        What’s so special about windscribe that it alone deserves mention?

      2. leanon said on April 1, 2018 at 11:26 pm
        Reply

        Windscribe is “not” leaking here, but then webrtc is disabled in about:config. Another interesting site https://browserleaks.com/ has additional info at the bottom of most their tests.

    21. X said on March 31, 2018 at 7:05 pm
      Reply

      Boom: Master of the Obvious, like in “Windscribe doesn’t have add ons. They do have a free browser add on…”

      Boom’s opinion: “It’s a really poor way to implement a VPN.”

      Definition of Boom by Merriam-Webster: to make a deep hollow sound;

    22. TelV said on April 1, 2018 at 12:12 pm
      Reply

      I use the media.peerconnection option in about:config.

      To test leaks: https://whoer.net/#extended (listed under Scripts)

      1. Tom Hawack said on April 1, 2018 at 12:23 pm
        Reply

        Whoer is a good indicator indeed.

        TelIV, when you write that you use the “media.peerconnection” I assume you mean that you’ve set media.peerconnection.enabled to true.

        Also, what then woth Whoer, does it show WebRTC disabled? If so, are you running uBlock Origin with ‘Prevent WebRTC from leaking local IP addresses’ checked?

    23. TelV said on April 1, 2018 at 12:30 pm
      Reply

      @ Tom Hawack,

      Got the email, but can’t find your post.

      Anyway, to your Q’s:

      media.peerconnection.enabled is set to false.

      whoer.net/#extended lists WebRTC under the heading “Scripts”.

    24. Tom Hawack said on April 1, 2018 at 12:55 pm
      Reply

      @ TelV
      Got the email, but can’t find your post as well :=)

      I read you’ve set media.peerconnection.enabled to false and I acknowledge Whoer / WebRTC / Scripts which I know : I was wondering if Whoer stated WebRTC oas enabled or disabled on your system. Given you’ve set media.peerconnection.enabled to false, no doubt Whoer states your WebRTC as disabled. OK

      whoer.net/#extended lists WebRTC under the heading “Scripts”.

    Leave a Reply