W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

Re: ICE exposes 'real' local IP to javascript

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 03 Feb 2015 15:03:43 +0100
To: Tim Panton <thp@westhawk.co.uk>
Cc: public-webrtc <public-webrtc@w3.org>, "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>
Message-ID: <5gk1da11j4bvb89rq7u7bkv24d3jutvnoe@hive.bjoern.hoehrmann.de>
* Tim Panton wrote:
>I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local ‘real’ ip addresses to the javascript.
>The principle worriers are VPN users e.g https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096 <https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096>
>The concern is that this can be done without user notification (DataChannel request) and might be used to 
>identify or finger-print users. Clearly the most vulnerable are Tor users who are on a real routeable IP address
>or directly on a carrier grade nat (eg android phones etc) where the IP may reveal the identity or location of the user.

If this actually allows random web sites to know that I am using the
addresses 192.168.12.96, 192.168.3.222, and 192.168.200.7 (Ethernet,
Wifi, virtual machine) on this computer then that is pretty much like
broadcasting a device GUID and should concern everybody. I note that
some of the recent news coverage of this indicated that some major web
sites and services already use this to identify and track users.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Tuesday, 3 February 2015 14:04:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:43 UTC