Most modern browsers will only bind to your active network interface so that your IP isn't leaked while using a VPN.
This page is mainly for people using older browsers, or people who want to disable WebRTC completely.
What is WebRTC?
WebRTC (Web Real-Time Communication) is an open-source project that provides web browsers and mobile applications with real-time communication capabilities via simple APIs. It enables peer-to-peer audio, video, and data sharing directly between users without the need for plugins. WebRTC uses various protocols and technologies, including STUN (Session Traversal Utilities for NAT), ICE (Interactive Connectivity Establishment), and TURN (Traversal Using Relays around NAT), to establish and maintain these connections.
How can WebRTC deanonymize VPN users?
Deanonymization through WebRTC can occur because WebRTC requires the real IP address of a user to establish direct peer-to-peer connections. This process involves contacting STUN servers to determine the public IP address of the user. While this is essential for enabling direct connections, it can inadvertently reveal a user's true IP address even when they are connected to a VPN. Here’s how it works:
- STUN Requests: WebRTC makes STUN requests to determine the user's public and local IP addresses. These requests can bypass the VPN tunnel and reveal the actual IP address assigned by the user's ISP.
- Leakage of Real IP Address: Even if a user is connected to a VPN, which masks their IP address with another IP address, WebRTC can expose their original IP address to websites and other online services. This happens because WebRTC is designed to discover the most efficient route for peer-to-peer communication, which includes using the real IP address if available.
- Browser Vulnerability: Most modern browsers support WebRTC, and unless it is explicitly disabled, it can be exploited to reveal the user's true IP address. Websites can execute JavaScript code that triggers WebRTC requests and captures the IP addresses returned by the STUN server, bypassing the VPN's protection.
Example code
A simple JavaScript code snippet can be used on a website to gather IP addresses via WebRTC:
    // Create a peer connection pointed at a public STUN server.
    const pc = new RTCPeerConnection({
        iceServers: [{urls: "stun:stun.l.google.com:19302"}]
    });
    // A data channel is enough to start ICE gathering; no media is needed.
    pc.createDataChannel("");
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
    // Each gathered ICE candidate carries a local (host) or public (srflx) address.
    pc.onicecandidate = event => {
        if (event.candidate) {
            const candidate = event.candidate.candidate;
            console.log(candidate); // This will log the IP addresses
        }
    };
The default STUN port is 3478, but simply blocking that port isn't an effective way to prevent STUN requests, because a STUN server can listen on any port (1-65535).
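To make the leak concrete from the defender's side, the following added example (not code from the original page) parses the ICE candidate lines that the snippet above logs and reports which addresses they expose; the sample candidate lines and the VPN exit IP are constructed from RFC 5737 documentation ranges, not captured from a real session.

```javascript
// Added example: classify the ICE candidate lines logged by event.candidate.candidate
// and decide whether any public address other than the VPN's was exposed.
// Sample data below is constructed, not captured.

// Private/link-local ranges that a host candidate may legitimately carry.
function isPrivateAddress(addr) {
  if (addr.includes(":")) {                         // IPv6
    const a = addr.toLowerCase();
    return a === "::1" || a.startsWith("fe80:") || /^f[cd]/.test(a);
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some(n => Number.isNaN(n))) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseIceCandidate(line) {
  const p = line.trim().replace(/^a=/, "").split(/\s+/);
  if (p.length < 8 || !p[0].startsWith("candidate:") || p[6] !== "typ") return null;
  return {
    transport: p[2].toLowerCase(),
    address: p[4],
    port: Number(p[5]),
    type: p[7],                     // host | srflx | prflx | relay
    mdns: p[4].endsWith(".local"),  // modern browsers hide host IPs behind mDNS names
  };
}

// Given collected candidate lines and the public IP the VPN should present,
// report what was exposed. A public address that is not the VPN's is a leak.
function assessLeak(lines, vpnExitIp) {
  const result = { publicIps: [], privateIps: [], mdnsHosts: 0, leaked: false };
  for (const line of lines) {
    const c = parseIceCandidate(line);
    if (!c || c.type === "relay") continue;   // relay = TURN server address, not the user's
    if (c.mdns) { result.mdnsHosts++; continue; }
    const bucket = isPrivateAddress(c.address) ? result.privateIps : result.publicIps;
    if (!bucket.includes(c.address)) bucket.push(c.address);
  }
  result.leaked = result.publicIps.some(ip => ip !== vpnExitIp);
  return result;
}

const SAMPLE_CANDIDATES = [  // constructed sample lines
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:3 1 udp 2122260223 0a4b7c9f-1d2e-4c3d-9e6f-7a8b9c0d1e2f.local 51235 typ host",
];
const VPN_EXIT_IP = "198.51.100.7";  // constructed: the address the VPN is expected to present
console.log(assessLeak(SAMPLE_CANDIDATES, VPN_EXIT_IP));
```

Run in a browser with lines gathered by the snippet above (or in Node with the constructed sample) and compare `publicIps` against the address your VPN provider shows you; a non-empty list of other addresses means the browser still needs the Mitigation steps below.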
Mitigation
To prevent WebRTC from leaking real IP addresses, users can:
- Manually disable WebRTC in the browser
    In Firefox you can disable WebRTC by typing about:config in the address bar, then searching for media.peerconnection.enabled and changing the value to false.
    In Chrome there is no setting that allows you to completely disable WebRTC, so use an addon instead.
- Use a browser addon that disables or limits WebRTC functionality: We recommend WebRTC Control because it's open source and easy to enable with a single click. It supports Chrome, Opera, Firefox, and Edge. Its source code is available on GitHub.