by xg15 on 10/25/22, 12:42 PM
Many comments on this thread are about the pros and cons of leaking the local IP in an ICE candidate entry. You can certainly discuss this, but in my understanding, that's not what this post is about at all.
The issue is about leaking the local IP in the foundation, which is supposed to be some sort of opaque UUID - the local IP isn't supposed to be in there at all, whether you want LAN connections or not.
Is this correct?
by Eisenstein on 10/25/22, 11:09 AM
This can be disabled in Brave by turning "WebRTC IP handling policy" to "Disable non-Proxied UDP" in "settings -> Privacy and Security".
by Semaphor on 10/25/22, 9:05 AM
What’s the issue there? How is knowing the local IP a security issue?
And FWIW, the local IP does not get leaked when using a VPN. (edit: Or rather, the VPN local IP gets leaked. Same question, no idea if that’s security relevant in some way?)
edit: Thanks everyone, I completely forgot about fingerprinting.
by Fnoord on 10/25/22, 1:43 PM
WebRTC was already known to leak local IP. Which can be dangerous if you're behind a VPN.
I use two browsers. One with WebRTC disabled (Firefox) and one with WebRTC enabled (Safari/Chromium). The former also runs a myriad of other addons which increase privacy. The latter I use to connect to PiKVM.
by thesuperbigfrog on 10/25/22, 1:33 PM
If you are unfamiliar with WebRTC I recommend checking out "WebRTC for the Curious":
https://webrtcforthecurious.com/
WebRTC is designed to be secure, so a privacy leak is not good.
by Scharkenberg on 10/25/22, 9:32 AM
I am using Microsoft Edge and the test on the linked page times out without detecting anything. Perhaps it is because I've enabled the "Anonymize local IPs exposed by WebRTC" flag.
by saghul on 10/25/22, 1:45 PM
Has this been reported to Chromium / WebRTC? At a quick glance I don't see it in the WebRTC bug tracker.
by ajross on 10/25/22, 12:38 PM
The root technical issue here seems to be that the IPv4 space is fundamentally pretty small and easy to search, the browser just uses a crc32 to obscure the local IP address, and you can write code to brute force it with a little sophistication.
The security impact, as others are pointing out, is pretty minimal. Knowing a local IP address behind a NAT isn't "not" a privacy issue (e.g. I can see things like gaming anti-abuse using tricks like this to discriminate users who need to be blocked vs. normal players), but it's not much of one.
by jackewiehose on 10/25/22, 10:50 AM
How to disable WebRTC on Firefox Mobile? I have uBlock which prevents from leaking the local IP but I don't want WebRTC at all.
Why did they take about:config from us?
by ck2 on 10/25/22, 3:46 PM
by sesm on 10/25/22, 7:30 PM
Is user IP leaked to another peer if there is a media server (like Kurento) between peers? I’ve worked in 2 WebRTC-based projects and in both cases the connection was not actually P2P, but had some kind of media server in between, either to mux multi-user conferences or to re-encode the media to a format supported by the other peer.
by encryptluks2 on 10/25/22, 9:01 PM
I'm not getting a leak with Chromium, but that is probably because I have my policy set to `default_public_interface_only`. I believe this is by design as WebRTC notoriously leaks local IPs.
by AtNightWeCode on 10/25/22, 5:02 PM
WebRTC again. On the same page. There is no isolation between remote and local networks in browsers.
by Gualdrapo on 10/25/22, 9:11 AM
I seem to recall Fallon (based on Chromium) has a feature which disables that.
by plaguepilled on 10/25/22, 9:40 AM
What does "Used 0 keys for lookups" mean?
by matheusmoreira on 10/25/22, 2:40 PM
I think uBlock Origin prevents that.
by jovial_cavalier on 10/25/22, 12:12 PM
It gets "leaked" to a web app that I'm choosing to connect to? Why do I care?