WebRTC: vulnerability or functionality?
WebRTC is an API developed by the World Wide Web Consortium (W3C), which supports browser-to-browser video chat, voice communication and P2P file sharing applications without the need for external plug-ins. In May 2011, Google launched a project for a web-based open-source communication platform known as WebRTC. The W3C version is in the process of refining and implementation in Chrome and Firefox browsers.
According to Mozilla, the ability of WebRTC to request information through the visitor's web browser is not a vulnerability, but a feature. For this purpose, browsers must comply with three requirements set out in a draft published to the IETF organization. However, what is a prerequisite for concern and why is it classified as a vulnerability by the majority of the IT community?
What is the threat?
Although this feature may be useful to some users, it poses a threat to anyone who uses a proxy server (VPN or other) and seeks to maintain anonymity online without revealing his originating IP address.
WebRTC can be used to reveal your originating IP address as well as your local IP address. This is possible through STUN queries with Firefox, Chrome, and Opera browsers even when using VPN.
Do VPN services guarantee 100% anonymity?
The answer to this question is just as difficult as the question itself - maybe.
To be best informed, it is advisable to contact your VPN service provider to see if additional protection is available on their behalf to prevent leakage of information through WebRTC.
Solution to the problem
There are several solutions that can be considered, some of which are:
- Turn off WebRTC functionality from the browser you are using.
- Using external plug-ins and browser add-ons to block vulnerability. Keep in mind that this solution is not always 100% secure.
- Using a VPN that has a WebRTC protection policy. Some of them are - ExpressVPN, HoxxVPN, Perfect Privacy
- Using Tor Browser, which has WebRTC turned off by default and some other security measures implemented.
Due to the fact that Google Chrome and other browsers based on it cannot disable WebRTC under Desktop, the only two options to protect yourself are the use of add-ons and the above-mentioned VPN services.
To exclude WebRTC from Mozilla Firefox, type about.config in the URL bar and then type "media.peerconnection.enabled" in the search box. Double-click the preference to change its value to "false."
To disable WebRTC from the Chrome mobile version, enter chrome://flags/#disable-webrtc in the URL field, then locate the WebRTC STUN origin header and disable it.
To turn off WebRTC from Opera, you'll also need to use an external plug-in called Chrome WebRTC Leak Prevent. Then, in the advanced options for the WebRTC Leak Prevent extension, select "Disable non-proxied UDP (force proxy)," and then click Apply settings.