Virtual private networks: how WebRTC could undermine VPN security
4 February 2019
Your VPN may be more vulnerable than you thought.
Virtual private networks (VPNs) are used for a wide variety of reasons, but what many VPN users have in common is that they don’t want their identity to be revealed online.
This may be because they hope to avoid targeted advertising, or simply to prevent internet service providers (ISPs) from snooping on their browsing activity. Whatever the reason, it’s easy to understand why VPN users were shocked to discover that many major internet browsers leak people’s IP addresses through WebRTC, even if they’re using a VPN.
So what is WebRTC, and why is it leaking IPs?
What is WebRTC?
WebRTC, short for Web Real-Time Communication, is an open source tool that allows browsers to form real-time connections with websites over application programming interfaces (APIs). Before WebRTC, the only way websites could communicate with their visitors’ computers in real time was through browser plugins: programs which required installation by the user and often suffered from poor performance, among other issues.
WebRTC was developed because many web users were hesitant to install plugins onto their computers, even when they worked without too many issues. It’s the reason why web apps like Google Hangouts, Facebook Messenger and Discord work without anything having to be downloaded onto the user’s computer. However, while making these kinds of apps a breeze to use, WebRTC can also leave your privacy vulnerable.
WebRTC can expose IP addresses
The vulnerability caused by WebRTC stems from the real-time connection that it creates with your computer. Rather than using your web browser connection, which your VPN keeps secure, a new connection between the website and your computer is created, thus allowing your actual IP address to be accessed unless your VPN is built to stop this from happening.
Why hasn’t the WebRTC leak been fixed?
While WebRTC is being constantly developed and improved, the IP address leak isn’t really something that can be fixed, due to the nature of the tool itself. The whole idea of WebRTC is to create a direct communication channel between your computer and a website, and removing the ability of WebRTC to access your IP information would undermine this goal.
How to check if you have a WebRTC leak
If you are using a VPN, it is important to check that your IP address is not being leaked through WebRTC. The easiest way to check if you are protected is by using a tool like HMA!’s WebRTC leak checker.
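One way to evaluate the result of such a check, shown as an added example that is not part of the original article or of any checker's own code: the browser describes each address it offers for a WebRTC connection in an ICE candidate line, and any public address in those lines other than the VPN's exit address is a leak. The candidate lines, the exit address 198.51.100.7 and the function names below are constructed for illustration.

```javascript
// Added example. ICE candidate line layout (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const i = f.indexOf("raddr", 8);
  return { address: f[4], type: f[7], raddr: i !== -1 && f[i + 1] ? f[i + 1] : null };
}

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // browser-generated mDNS name, hides the host IP
  if (a === "0.0.0.0" || a === "::") return "unspecified";
  if (a === "::1" || a.startsWith("127.")) return "loopback";
  if (a.includes(":")) { // IPv6
    if (/^fe[89ab]/.test(a)) return "link-local"; // fe80::/10
    return /^f[cd]/.test(a) ? "private" : "public"; // fc00::/7 is unique-local
  }
  const o = a.split(".");
  if (o.length !== 4 || o.some(s => !/^\d{1,3}$/.test(s) || Number(s) > 255)) return "unknown";
  const [p, q] = o.map(Number);
  if (p === 169 && q === 254) return "link-local";
  if (p === 10 || (p === 172 && q >= 16 && q <= 31) || (p === 192 && q === 168)) return "private";
  return "public";
}

// Flag every address that is public but not the VPN exit, or that exposes the local network.
function findLeaks(lines, vpnExitIp) {
  const findings = new Map(); // keyed by address so each one is reported once
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.raddr]) {
      if (!addr || findings.has(addr)) continue;
      const kind = classifyAddress(addr);
      if (kind === "public" && addr !== vpnExitIp) findings.set(addr, { address: addr, type: c.type, finding: "real-ip-leak" });
      else if (kind === "private" || kind === "link-local") findings.set(addr, { address: addr, type: c.type, finding: "local-address-exposed" });
    }
  }
  return [...findings.values()];
}
// Constructed sample using documentation address ranges; the VPN exit is assumed to be 198.51.100.7.
const SAMPLE = [
  "candidate:1 1 udp 2113937151 4f1c2a9e-7b3d-4c55-9e0a-2d6b8f1a3c77.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 198.51.100.7 40001 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1677729535 203.0.113.45 40002 typ srflx raddr 192.168.1.23 rport 54322",
];
console.log(findLeaks(SAMPLE, "198.51.100.7"));
```

In the sample, the third line shows only the VPN exit address and is clean, while the fourth reveals a different public address and is reported as a leak.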
How to fix a WebRTC leak
While some web browsers have settings or third-party extensions which allow you to prevent WebRTC leaks, most of the fixes include turning off WebRTC entirely. This will mean you are unable to use online services such as Google Hangouts and Facebook Messenger that need WebRTC in order to work.
The best way to secure your web browsing from WebRTC leaks without losing functionality is by using a VPN with a built-in WebRTC leak blocker. Otherwise, you’ll have to turn off WebRTC in your browser to disable leaks. Find out how to do this in some of the most popular web browsers below.
How to turn off WebRTC in Google Chrome
Chrome doesn’t have a built-in option to disable WebRTC, so turning it off is a bit tricky. If you are set on doing it, you’ll need to use a third-party extension, many of which can be found in the Chrome store.
WebRTC Control allows you to turn WebRTC on and off, giving you full control over preventing IP leaks and using WebRTC functionality. WebRTC Leak Prevent doesn’t disable WebRTC entirely, but rather changes the privacy settings to help protect your IP address. However, many WebRTC services will still not work or at least lose some functionality.
How to turn off WebRTC in Mozilla Firefox
Unlike Chrome, Firefox has a setting which allows you to turn off WebRTC without using any third-party extensions. However, Mozilla didn’t make the setting too easy to find.
- In the address bar, type about:config and press Enter.
- A warning screen appears to let you know you’re about to edit important settings. Click ‘I accept the risk!’
- In the search box at the top of the page, type in media.peerconnection.enabled and press Enter.
- Double-click on the media.peerconnection.enabled setting, and the ‘Value’ column will change to ‘False’ to let you know that peer-to-peer connections, including WebRTC, are now disabled.
How to turn off WebRTC in Microsoft Edge and Safari
There is currently no way to turn off WebRTC in Edge or Safari, either as a setting or with an extension.
Turning off WebRTC, if your browser allows it, should stop your IP address from being leaked. However, to stay safe and keep your browsing private without sacrificing your ability to use popular web services, it’s a good idea to start using a VPN which has built-in WebRTC leak prevention.
This article was contributed by Micke Ahola, a freelance researcher and writer.
Image under licence from iStockPhoto.co.uk, credit anyaberkut.