
WebRTC Leaks and Your Privacy (+ how to fix them)

WebRTC can prove useful when you need to use it.

However, did you know that a critical flaw in WebRTC that has yet to be adequately addressed across all browsers leaks your internal (or true) IP address?

And did you know that the browser will leak your true IP address, even if you're using a credible VPN service?

This phenomenon is known as a WebRTC leak and it greatly affects your online privacy.

We'll look into what WebRTC does and how to prevent your browser from leaking your true IP address everywhere.

What is WebRTC?

Let's break down the name first.

WebRTC = Web Real Time Communication

WebRTC lets you communicate by voice, video chat, and other forms of P2P sharing from inside your browser - without downloading any extensions or add-ons.

Originally, WebRTC was released in 2011. However, only in the past couple of years has it become more popular.

You should be aware that while WebRTC is an open-source project, it is created, backed, and heavily endorsed by Google.

If interested, you can view the code repository here.

How WebRTC works

WebRTC leaks and privacy

To keep it very simple: WebRTC frequently leaks your true or internal IP address.

Your internal IP address is not the same as your external IP address. Your external IP address is assigned by your Internet Service Provider (ISP) and is "meant" to be shared with the Internet.

Your true IP address is meant to only be shared with other devices connected to your local network (ex: your Wi-Fi).

Therefore, to the outside world, it functions as a unique identifier.

When outsiders, such as the web servers that host the websites you visit, get ahold of your internal IP address it compromises your online privacy.

It then becomes easy to collect other more sensitive information such as:

  • Your precise geo-location (frequently within 1-2 miles accuracy)
  • Excessive details about the device you're using (make, operating system, software version(s), exact model, etc.)
  • Information about other devices on your network

To top it all off, it's not exactly hard for any website to pull your internal IP address from your browser using the WebRTC protocol.

Hell, it can be done with just a few lines of JavaScript. Without you even knowing.

And keep in mind that even if you're behind a solid VPN, this can (read: will) happen unless you address the leak in your browser (or VPN service) directly.

Is your browser leaking your IP address?

Here are some reliable tools to check if your browser is leaking your internal IP address:

Fixing browser WebRTC leaks

You can fix browser WebRTC leaks two different ways:

  1. Disabling the WebRTC function in your chosen web browser, if possible.

or

  1. Installing an extension that fixes or helps curb WebRTC components from leaking your true IP address all over. (However, you should be aware that the extension method isn't always 100% effective.)

Firefox

You can disable WebRTC altogether in Firefox:

  1. Open Mozilla Firefox
  2. Type about:config into the address bar
  3. If you've never been to the advanced settings, you'll see an alert. Click the equivalent of "I accept."
  4. You should be looking at a mostly blank page with a search bar at the top. In the search bar on the page, type media.peerconnection.enabled
  5. Double click on media.peerconnection.enabled. It should now say "false."
  6. Restart the browser and retest for leaks

Chrome

We strongly recommend not using this browser at all. Here's why

On the desktop version of Chrome, you cannot disable WebRTC from within the browser settings.

Your only option is installing an extension that mitigates the WebRTC leak.

WebRTC extension recommendations:

It's important to understand that these extensions will not disable WebRTC for you, but rather tweak settings to help prevent leaks.

And again, even with the tweaking done by these extensions, this is not foolproof. Under specific circumstances, your true IP address can still be revealed via WebRTC leakage.

Android

With Chrome on Android, you can disable WebRTC:

  1. Open Chrome on your Android device
  2. In the address bar, type chrome://flags/#disable-webrtc
  3. Find the setting Disable WebRTC
  4. Click "Enable"
  5. Restart the browser and test for leaks

Edge

We strongly recommend not using this browser at all. Here's why

Like Chrome, you can't outright disable WebRTC in Edge.

However, you can disable sharing your internal IP address over WebRTC connections:

  1. Open Microsoft Edge
  2. Type about:flags into the address bar.
  3. There's a whole bunch of settings here. Look for Anonymize local IPs exposed by WebRTC (hint: use CTRL+F to search the page for "hide")
  4. For Anonymize local IPs exposed by WebRTC, select "Enable."
  5. Restart the browser and retest for leaks

Brave

Brave is based on the Chromium engine.

Therefore, you can't outright disable WebRTC.

However, you can easily mitigate WebRTC leaks from within the browser settings:

Method 1

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Click on the search icon, located in the upper right of the screen (or press CTRL+F)
  4. In the search bar, type webrtc
  5. Under WebRTC IP Handling Policy, click the drop-down
  6. Select "Default public interface only" from the drop-down
  7. Restart browser and test for leaks

Method 2

  1. Open the Brave browser
  2. Find and click "Settings"
  3. Look for the "Shields" section within the "Settings" page
  4. Click on the drop down for "Fingerprinting blocking"
  5. Select "Strict, may break sites" from the drop-down
  6. Restart browser and test for leaks

Alternatively, since most extensions that work on Chrome also work on Brave, you can install a Chrome extension to handle this for you.

I will say that it's better to use the settings within the Brave browser itself because they're more reliable than the extension solution.

Safari

Safari doesn't leak your internal IP address over WebRTC.

WebRTC leaks only seem to affect browsers on Windows platforms. Maybe Linux, depending on the build.

However, in recent years, Apple has included WebRTC into Safari on both macOS and iOS.

So, the potential could be there.

Disabling WebRTC in Safari:

iOS 14

WebRTC doesn't leak your internal IP address on iOS.

You can still disable WebRTC related features by using the advanced settings for Safari:

  1. Open the Settings app on your iDevice
  2. Tap "Safari"
  3. Scroll all the way down and tap "Advanced"
  4. Tap "Experimental Features"
  5. Disable anything with WebRTC in the name
  6. Open Safari and test for leaks

Re-test for IP leaks

After you've adjusted your settings accordingly, you'll want to retest the browser for any leaks.

Again, these are solid web tools for testing for WebRTC leaks:

Keep in mind that seeing your external (or public) IP address is fine. What we are concerned about is stopping the leakage of our internal (private or true) IP address.
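To make that distinction concrete when reading retest results, here is an added example (not part of the original article) that parses ICE candidate lines, the form in which WebRTC reports addresses, and separates internal addresses from public ones and from mDNS-obfuscated hostnames. The function names and the sample candidates are made up for illustration.

```javascript
// Added example: sort the addresses in ICE candidate lines by how sensitive they are.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns-obfuscated'; // local IP replaced by an mDNS name
  const m = a.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const [o1, o2] = [Number(m[1]), Number(m[2])];
    if (o1 === 127) return 'loopback';
    if (o1 === 169 && o2 === 254) return 'link-local';
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) {
      return 'private'; // RFC 1918 ranges
    }
    return 'public';
  }
  if (a.includes(':')) {
    if (a === '::1') return 'loopback';
    if (/^fe[89ab][0-9a-f]:/.test(a)) return 'link-local'; // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return 'private';    // unique local, fc00::/7
    return 'public';
  }
  return 'unknown';
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const parts = line.trim().replace(/^a=/, '').split(/\s+/);
  if (!parts[0].startsWith('candidate:') || parts[6] !== 'typ' || !parts[7]) return null;
  return { address: parts[4], type: parts[7], kind: classifyAddress(parts[4]) };
}

function auditCandidates(lines) {
  const parsed = lines.map(parseCandidate).filter(Boolean);
  const pick = (kinds) => parsed.filter((c) => kinds.includes(c.kind)).map((c) => c.address);
  return {
    internalLeaks: pick(['private', 'link-local']), // internal addresses still exposed
    publicSeen: pick(['public']),
    obfuscated: pick(['mdns-obfuscated']).length,
  };
}

// Constructed sample input (documentation and private ranges, not real captures).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f2a9c1e-0000-4000-8000-abcdefabcdef.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0',
  'not a candidate line',
];
console.log(auditCandidates(SAMPLE));
```

An empty internalLeaks list after applying a fix is the result to look for; entries counted under obfuscated are hostnames ending in .local that stand in for a local address.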

This should help you keep control of your online privacy. As always, stay safe out there!
