[Semaphor]

What’s the issue there? How is knowing the local IP a security issue?

And FWIW, the local IP does not get leaked when using a VPN. (edit: Or rather, the VPN local IP gets leaked. Same question, no idea if that’s security relevant in some way?)

edit: Thanks everyone, I completely forgot about fingerprinting.

[rollcat]

> How is knowing the local IP a security issue?

It's a privacy issue. You can use it to fingerprint a user, local IP will give you quite many bits of entropy. <https://coveryourtracks.eff.org/>

Honestly I'm not even sure if I'm surprised, but it's 2022 and we've been having this problem basically since the day WebRTC was introduced. At this point, if you care about privacy, you should probably put it in the same bag as third-party cookies and just block it entirely.

[londons_explore]

It's because if you don't leak the local IP, then webRTC calls will typically fail between people on the same LAN. And, if they don't fail, then they will usually have to go via a TURN server on the internet adding a lot of latency.

It's a privacy/functionality tradeoff. But most people consider not being able to videocall or do online gaming with someone in the same building to not be acceptable.

[codedokode]

I don't think that there are many people using WebRTC especially within the same LAN, but fingerprinting is used by almost every commercial site. So I can assume that this "feature" was used in 99.99% cases for fingerprinting.

This shows how browser developers race to push new features without proper estimation of privacy concerns.

Luckily this was somewhat fixed by using randomized Apple mDNS names instead of IPs. But as a result the browser has to support Apple DNS protocol which can potentially increase attack surface.

I would prefer to disable this feature completely by default and let the minority who needs it enable it via settings.

[rollcat]

> But as a result the browser has to support Apple DNS protocol which can potentially increase attack surface.

The "Apple" DNS protocol is standard DNS, over a multicast IP address, on port 5353. You can literally use plain old dig to perform mDNS lookups:

    $ dig @224.0.0.251 -p 5353 +short hello.local

    192.168.123.45

If DNS lookups considerably increase your attack surface, something is very, very wrong with your architecture.

[webrtcdev1]

> literally

The DNS names WebRTC generates for this purpose are random, and known only to the signaling participants.

[wbl]

I remember old BIND versions

[Sean-Der]

I see a lot of WebRTC usage just in the LAN. WebRTC sees a lot of usage outside of conferencing!

* Controlling Robots (formant.io)

* Security Cameras

* File Sharing

* Game Streaming/VNC

I keep a list of interesting open source WebRTC projects at https://github.com/pion/awesome-pion

[nemothekid]

>I don't think that there are many people using WebRTC especially within the same LAN

Zoom/Teams with people in the same office? That seems like a rather large user base

Almost all of the “sales/demo/cross company” video calls I’ve been on have been in this bucket

[cma]

> Almost all of the “sales/demo/cross company” video calls I’ve been on have been in this bucket

My understanding is Zoom only supports P2P for two person calls.

I can't quite tell from this answer if it is the default or not, but it sounds like it has to be manually enabled:

> Account owners and admins can enable one-on-one meetings to have data routed between two participants (peer-to-peer), rather than going through the cloud or server. Enabling this may improve the quality and connection of one-on-one meetings (depending on how your network prioritizes traffic) by directly sending video and audio between both parties.

https://support.zoom.us/hc/en-us/articles/360061410851-Enabl...

[bawolff]

> This shows how browser developers race to push new features without proper estimation of privacy concerns.

Settling on a different trade-off then you would like is not the same thing as doing it without consideration.

[coldtea]

In this case, it is blatant disregard.

[helloooooooo]

Corporate networks…

[easrng]

They use MDNS hostnames to keep WebRTC working on LANs without leaking the IP itself, this was just an extra leak they didn't catch.

[ZiiS]

Are you sure? I bet most people have never even tried to do that.

[Semaphor]

Well, the big non-adtech browser is not vulnerable, so there’s that.

[amenghra]

https://bugzilla.mozilla.org/show_bug.cgi?id=959893 is a fun read... Firefox used to also leak the internal IP circa 2015.

[codedokode]

Yes it is interesting how developers race to push new features allowing deanonimization of VPN users and better fingerprinting.

There is also WebGL whose main purpose is to provide user's videocard model to advertising companies and governemnt institutions.

[lxgr]

> just block [WebRTC] entirely

I think an opt-in permission seems like the way to go, like the one we already have for microphone/camera permissions, and possibly just merged with these (i.e. grant WebRTC permissions together with A/V permissions).

There are quite a few interesting non-A/V WebRTC applications around – these could be handled via an explicit prompt, similarly to how newer iOS versions handle local network permissions.

[MomoXenosaga]

If memory serves Ublock origin does just that.

[Semaphor]

Not anymore on Desktop: https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...

[geocar]

> It's a privacy issue. You can use it to fingerprint a user, local IP will give you quite many bits of entropy. <https://coveryourtracks.eff.org/>

I don't buy it: You have to block IPv6 as well, and that's becoming harder to do.

If the user is trying to protect their "privacy" from their ISP by using a VPN (for example), and are attempting to prevent the application-level leak of providing a list of all the local interfaces, they really need to configure their system to restrict e.g. their web browsers and other sensitive tools to those specific interfaces, e.g.

https://askubuntu.com/questions/1313755/forcing-chrome-brows...

This should be easier, like maybe a button in the VPN software.

[proszkinasenne2]

It's both security and privacy issue. Whonix wiki explains the latter in more detail https://www.whonix.org/wiki/Data_Collection_Techniques#:~:te...

[Semaphor]

If you use Chrome-exclusive links, please at least also link to the closest standard section [0] and preferably, mention the Chrome-linked text directly.

That said, they don't say anything about security, I obviously forgot about fingerprinting, but still don’t see security issues?

[0] https://www.whonix.org/wiki/Data_Collection_Techniques#Finge...

[tyingq]

Have a look at this that scans your local network: http://samy.pl/webscan/

I think some browser changes might have hobbled it a bit, but it was startling when I first tried it.

[Semaphor]

A bit? The site claims it found a host on literally every single private IP that exists ;) And closing it nearly killed my FF (full freeze for ~10 seconds).

[iosjunkie]

OTOH, using Mobile Safari, this site leaked my device’s IP as well as a number of connected devices on my internal network.

Anyone know an easy fix for this?

[CommitSyn]

If so, I'd love to hear it. As far as I know all iOS browsers are forced to use the same rendering engine, and I suspect there's no way to modify that.

[Etheryte]

Leaking any kind of data is yet another data point for fingerprinting. You only need a few to uniquely identify a user.

[scratcheee]

I've yet to see a normally configured browser _not_ be uniquely identifiable many times over through fingerprinting.

At some point it feels like trying to drain the ocean with a cup. Maybe we just need to accept that anyone who really wants to fingerprint you _can_ fingerprint you unless you use a specialist browser.

At that point the solution is fairly obvious, make it legally difficult to use unique fingerprinting and move on (ie stuff like gdpr). People will still do it, but they'll have to balance it with not falling foul of the law and wont be able to abuse it too much.

We wont stop real world facial recognition by all trying to make our faces more similar either, we have to accept it's generally possible to do, but discourage the actual doing of it rather than trying to make it impossible.

(note in both cases, actually preventing it when you have a reason to is totally possible and valid, via specialist browser modes and physical masks respectively)

[Semaphor]

I just tried a clean FF profile with resistFingerprinting enabled. No dice. Everything adds only very few bits of identifying information (unlike my main profile which is already almost unique thanks to the accept header (English, then German)) yet it still results in 17.75 bits which according to EFF is unique.

I’m agreeing with you, though I wonder, is there any way to not be unique? What would you have to do? Use Windows with no extra fonts, Chrome in English, on a FullHD monitor with webgl/canvas/audio fingerprinting protection extensions?

[hdjjhhvvhga]

I believe the only feasible way without bending over backwards is to use the Tor Browser. But privacy and security always come at a price.

[Semaphor]

Actually, resistFingerprinting + switching to the user-agent string tor uses gets me 99% of the way there. All that’s missing is the weird window size (vertical taskbar), if I could get that to report a default size, I’d actually be better than Tor (they have a bunch of responses slightly more unique than FF with resistFingerprinting).

But it’s academic for me anyway, I have Accept-Language en-US,en;q=0.7,de-DE;q=0.3 which is close enough to unique that nothing else really matters.

[CommitSyn]

> All that’s missing is the weird window size (vertical taskbar)

TBB actually adds a border at the bottom of the browser so the reported size isn't the actual size. If you change the size of your browser window to the tor-reported size then it should work.

Unless I'm misunderstanding and you mean something to do with the scrollbar?

[codedokode]

I think a HTML-only browser without support for CSS and JS might help.

[bawolff]

How many people do you know run html only browsers? Not having CSS would be extremely uniquely identifying.

[Semaphor]

Disabling JS is enough to almost perfectly fingerprint you.

[nequo]

The EFF has a website that illustrates why that doesn't help:

https://coveryourtracks.eff.org/

Like siblings are saying, they use all available information to fingerprint you.

You can cover your identity only to the extent that you can display the same characteristics to the web server as the largest group of users that have all the same characteristics. This includes whether you have JS disabled as well as your IP address, User-Agent, display resolution, etc.

[scarface74]

Yes and you probably “haven’t watched television in 20 years”.

[dmm]

> We wont stop real world facial recognition by all trying to make our faces more similar either

The normalization of mask wearing in public was a great step towards this. I really wish it had gone better. Alas!

[megous]

Yeah. All that's needed is to leak link-local IPv6 address from a single interface. There's your unique commputer identifier, unless someone's using mac randomization.