WebRTC Solutions Featured Article

Protecting Your IP Address in WebRTC

November 03, 2015

The increased adoption of WebRTC means more individuals and businesses will be using this technology as part of their online communications solutions.  As with everything digital, the more people use it, the more it becomes a target by cybercriminals. The recent announcement that two browser features, HTTP Strict Transport and HTTP Public Key Pinning, could be exploited for tracking purposes has also exposed the same vulnerability to WebRTC.

The HTTP Strict Transport and HTTP Public Key Pinning have been designed to improve the security of HTTPS user connection. But it has been discovered that users’ privacy on the Internet could be compromised, meaning leaked IP addresses.

Even though almost every site tracks IPs, Firefox and Chrome have implemented requests to STUN servers (Session Traversal Utilities for NAT), thus returning the local IP address for the user. These requests are made outside of the normal XMLHttpRequest procedure, making them invisible in the developer console. And they won’t get blocked by plugins designed to stop this type of action with tools such as AdBlockPlus or Ghostery.

However, IP addresses must be revealed when using WebRTC, because peer-to-peer communications cannot take place without providing an IP. This is why original developers didn’t consider the exposure of the host IP address a bug.

Image via Shutterstock

Even when an IP is behind a Network address translation (NAT) to allow video chats and peer-to-peer functionality, third parties still have a way to identify it. It just takes some Javascript commands to send a UDP packet to a STUN Server, and the server sends back a packet with the IP address.

A browser add-on called Statutory, which is available for Firefox, gives you more control by displaying notifications on pages where the website is pulling local IP information from users. By simply accepting or denying the request, you can give only the sites you trust access to your IP address.

The extension has a whitelist and blacklist so you don’t have to perform these actions for sites you are always visiting. It blocks or allows the sites automatically based on the list you have populated.

As consumers become more aware of digital security, they want to ensure their privacy is protected at all times. By helping fingerprint your IP address, users that want to protect their anonymity, for whatever reason, will have to take additional measure to do so.

WebRTC is a great technology available for free so we can communicate with audio, video and text with browsers that are enabled with the API. However, you always have to take measures to protect your identity when you are online. 

Edited by Kyle Piscioniere

Article comments powered by Disqus