[jnbiche]

I agree that Tor is a special case, but who uses Tor without Tor Button, Tor Browser, or something similar? It's easy to disable WebRTC in those instances.

Regarding internal VPN IPs, I don't understand how this would help an attacker. If someone has broken into a VPN network and is in a position where they could make use of that data, then it's game over anyway. Otherwise, what do you want with an internal IP, besides fingerprinting?

By the way, fingerprinting no doubt is an issue, along with a dozen or so other JavaScript APIs that leak data. If you don't want to be fingerprinted, use something like NoScript. Advertisers can already uniquely identify you based on various other data leaked by JS, don't know why WebRTC has been singled out for this reason.

[lallysingh]

Because IP addresses feel private. Even though you send one with every packet. Even though the extra one sent by webrtc is the one behind your NAT, and probably just 192.168.[0,1].

[mikeash]

They can actually be private. What if you set up a proxy or a VPN with the express purpose of masking your real IP address, and then WebRTC barfs it out on demand anyway?

[jnbiche]

Again, WebRTC does not "barf" out your real IP in a VPN situation -- it barfs out the VPN's internal IP, which is meaningless to anyone except for the VPN's operator (and they have that data anyway).

Your actual, ISP-assigned IP remains hidden to any site you visit.

[mikeash]

I thought it would provide every IP address held by the system, which would include both the internal VPN IP address and your actual ISP-provided IP address.