[MichaelGG]

Except Tor no longer works as WebRTC ignores your connection settings (in Firefox anyways, I think). Up til now the networking for a browser has been straightforward, now it's got a whole extra model that's unneeded by default, yet enabled anyways.

Also, as per EFF's Panopticlick, fingerprinting isn't nearly a lost cause. And even then it's thrown off by changing UAs due to updating versions.

[pthatcherg]

You can control WebRTC's network behavior, including forcing it to go through a proxy, by using this Chrome extension:

https://chrome.google.com/webstore/detail/webrtc-network-lim...

It's published by the Chrome WebRTC (of which I am a member) for just that purpose: to let you control that behavior.

[MichaelGG]

That's neat, but oughtn't the browser be respecting the proxy settings by default? If tags like <img> added an "ignoreproxy" attribute, folks would be rightfully upset, wouldn't they? So why should data channels be any different? (Video/audio is fine as the user is notified first.)

[api]

Don't use Tor this way; browser fingerprinting makes it useless regardless of WebRTC. Use a Tor bundle in a VM.

[MichaelGG]

While I agree with the advice, it's not useless. If you run a normal browser with no plugins via Tor, your IP won't leak except via exploits. WebRTC leaks by design, then handwaves browser fingerprinting as a shield.

[jacquesm]

Panopticlick is thrown off course but that's just because they don't actually try to track you persistently. Any party that does want to track you will use many more channels than just the UA and will happily re-acquire you if all you just did was upgrade your browser.

If you:

- upgrade your browser

- switch to a new IP

- wipe all your cookies

- change your browsing habits dramatically

(don't visit the same 10 websites over and over again)

Then maybe you could avoid re-acquisition.

[MichaelGG]

Panopticlick does use several methods. But, by far, the biggest thing is the UA (and most likely measured incorrectly as I explained). I'd bet using a popular OS/browser probably only leaks like 4 bits' worth. The next highest thing is resolution, but only because I tried it on a phone with unusual settings (Huawei Mate 2 with scaling).

IP address is a big one, but if browsers respected your explicit proxy settings instead of ignoring it for WebRTC, then changing it is easy. History, supercookies, and other stuff is taken care of by private mode, or, at worst, wiping out all browser info (private mode doesn't clear HSTS).

My point is that all is not lost, that supercookies are not a given. Thus saying WebRTC gets a free pass because things are already broken is simply wrong and a misleading argument to push data channels in where they don't belong.

[JupiterMoon]

Surely one should use the Tor browser bundle these days?