WebRTC Solutions Featured Article

Is My WebRTC Application Tracking Me?

November 16, 2015

There are few technologies out there that don't have privacy concerns. As highlighted recently in a webrtcHacks posting by Philip Hancke, the ability to use WebRTC for tracking purposes has come under scrutiny. 

The idea that WebRTC could be used as a tracking system began with industry observations of Google Chrome behaviors. Starting with Chrome's recent move to cache Web certificates for 30 days, and ending with the Incognito mode's reaction to this, some new potential vulnerabilities seemed clear.

With Chrome caching certificates, some noted, this could create a new breed of cookies, which also means the potential to use cross-origin tracking against users. More distressing is that the Incognito mode didn't seem to stop this at all, leading to some noting that its behavior was “inconsistent” as relates to certificate caching.

A closer look at caching certificates didn't ease any worries. Previously, Google Chrome generated a self-signed certificate for every WebRTC PeerConnection engaged in. But with Chrome 46, and potentially earlier, the certificates are now valid for one month, and every PeerConnection from a certain domain uses that certificate. Thankfully, there was some explanation for this, as Chrome has reportedly been caching certificates this way for the last two years as a way to reduce expenses in generating private keys.

The issue of cross-tracking, meanwhile, was also found to be no worse than the use of cookies, as the World Wide Web Consortium (W3C)'s mediacapture specification actually addresses security concerns when certificates are involved, noting that “...the per-origin persistent identified deviceId (should be treated) as other persistent storages (e.g. cookies) are treated.”

Image via Shutterstock

The concerns about Incognito Mode also seem unfounded, particularly in terms of the use of localStorage. In order to generate new certificates, all Incognito tabs needed to be closed first. This is said to be persistent with how the system should act in both Chrome and Firefox.

So in the end, WebRTC appears to be behaving normally on several fronts. The idea that it may be tracking its users seems to be without much ground. However, even if the panic was largely unfounded this time, such concerns may crop up in the future. WebRTC is still in many ways a new technology, and identifying potential problems is the best way to fix these.

Edited by Kyle Piscioniere

Article comments powered by Disqus