W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

ICE exposes 'real' local IP to javascript

From: Tim Panton <thp@westhawk.co.uk>
Date: Mon, 2 Feb 2015 14:16:30 +0000
Message-Id: <5B986D58-AB56-4976-8F61-4E80110916A2@westhawk.co.uk>
Cc: "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>
To: public-webrtc <public-webrtc@w3.org>
Firstly- sorry for cross posting - I’m not sure which side of the line this falls.
Secondly - if this is covered, please let me know, I don’t recall it cropping up...

I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local ‘real’ ip addresses to the javascript.
The principle worriers are VPN users e.g https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096 <https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096>
The concern is that this can be done without user notification (DataChannel request) and might be used to 
identify or finger-print users. Clearly the most vulnerable are Tor users who are on a real routeable IP address
or directly on a carrier grade nat (eg android phones etc) where the IP may reveal the identity or location of the user.

It seems to me that this concern will be increased in the case of ipv6 deployments (MNOs).

Do we need to specify a config option on the browser ‘I’m using a VPN don’t expose my local IP’ 

Again, sorry if I missed this being hashed to death already. 


Tim Panton - Web/VoIP consultant and implementor
www.westhawk.co.uk <http://www.westhawk.co.uk/>
Received on Monday, 2 February 2015 14:17:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:43 UTC