The WebRTC story isn’t new, and since 2015 everyone should already be aware of it. Sadly, some VPN providers still haven’t addressed the problem. A simple change to their server configuration can already prevent it, but some services still seem to be weak, and in the end it’s up to the user to react to it or ignore it.
What is WebRTC?
There is a special interface (program) in most Internet browsers (Chrome, Firefox, etc.) called Web Real-Time Communication, or WebRTC, and that’s where the so-called flaw is. WebRTC isn’t a flaw at all; it’s actually a feature of your web browser. WebRTC allows computers on different networks to run browser-to-browser applications such as voice calling, video chat, file sharing and more. But as it turns out, in the hands of a technically savvy person, WebRTC can be tricked into revealing your real IP address, even if you’re actively using a VPN! That’s certainly not what you would expect or want.
You can check if you have a WebRTC problem on this test page.
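To read the result of such a self-test, the following added example (not part of the original post) parses ICE candidate lines as shown in your own browser's diagnostics (about:webrtc in Firefox, chrome://webrtc-internals in Chrome) and flags any public address that is not your VPN exit IP. The function names, the sample candidate lines and the VPN exit address are constructed for illustration.

```javascript
// Added example: classify ICE candidate lines (RFC 8839 syntax) from your own browser.
const CAND_RE = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (host|srflx|prflx|relay)\b/i;

function isPrivate(addr) {
  const a = addr.toLowerCase();
  if (a.includes(":")) return a === "::1" || /^fe[89ab]/.test(a) || /^f[cd]/.test(a); // IPv6 loopback, link-local, ULA
  const o = a.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127); // shared address space, common on VPN tunnels
}

function classify(addr, vpnExitIps) {
  if (/\.local$/i.test(addr)) return "mdns-obfuscated"; // browser hid the host address
  if (vpnExitIps.includes(addr)) return "vpn-exit";     // expected while the VPN is up
  if (isPrivate(addr)) return "private-lan";            // reveals LAN addressing only
  return "public-leak";                                 // public address outside the tunnel
}

function auditCandidates(lines, vpnExitIps) {
  const findings = [];
  for (const line of lines) {
    const m = CAND_RE.exec(line.trim());
    if (!m) continue; // skip anything that is not a candidate line
    const [, transport, address, port, type] = m;
    findings.push({
      type: type.toLowerCase(), transport: transport.toLowerCase(),
      address, port: Number(port), verdict: classify(address, vpnExitIps),
    });
  }
  const leaked = [...new Set(findings.filter((f) => f.verdict === "public-leak").map((f) => f.address))];
  return { findings, leaked };
}

// Constructed sample using documentation address ranges, not captured traffic.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f1c9a2e-7b4d-4c1e-9a55-0d2e6f8b1c77.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
];
const VPN_EXIT = ["198.51.100.7"]; // assumption: the exit IP your VPN reports
const report = auditCandidates(SAMPLE, VPN_EXIT);
for (const f of report.findings) console.log(`${f.type.padEnd(5)} ${f.address} -> ${f.verdict}`);
console.log(report.leaked.length ? `LEAK: ${report.leaked.join(", ")}` : "no public address outside the VPN");
```

A `private-lan` verdict does not expose your public IP, but it still discloses local addressing to the page.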
Which providers are affected?
- BolehVPN (USA Only)
- ChillGlobal (Chrome and Firefox Plugin)
- Glype (Depends on the configuration)
- Hola!VPN Chrome Extension
- HTTP proxy navigation in browsers that support WebRTC
- IBVPN Browser Addon
- PHP Proxy
- psiphon3 (not leaking if using L2TP/IP)
- SmartHide Proxy (depends on config)
- SOCKS proxy on browsers with WebRTC enabled
- SumRando Web Proxy
- Tor as proxy on browsers with WebRTC enabled
- Windscribe Addons
- others mentioned in the spreadsheet
Which browsers are affected?
Please keep in mind that open-source browsers or forks might be more secure in this case, since they offer versions without WebRTC or an option to disable it.
A full spreadsheet that tests a lot of browsers and other providers can be found here. However, most providers seem secure at this time.
- Use a secure VPN provider like PIA, ProtonVPN, NordVPN,…
- Use a browser or fork without WebRTC or with an option to disable it.
- Always ask whether your VPN provider collects additional data. If there is no statement or nothing in writing, simply don’t use that VPN provider.
- Don’t install any VPN browser add-ons; instead, do the real deal and set up a VPN directly on your router so all devices are protected, even your smart TV. In case you can’t access a page, work with Tor or a temporary proxy.
- Install AdGuard, which is more than just an ad blocker. It’s more and more a universal ‘protection’ tool, and it also allows you to block WebRTC connections in every browser.
Just because some providers are leaking your IP doesn’t mean it’s not fixable; maybe try contacting them to get it corrected.
The bigger problem still seems to be that a lot of providers collect additional information, which is used to make money. That’s something that is not detectable and is more dangerous than WebRTC. Who really knows what happens to your data while you’re connected and what you really expose to them? It’s difficult to answer, since the tunnel doesn’t allow a deeper look into it. In the end, you can only watch some pages in order to stay informed and react as soon as possible.
VPN Leak (voidsec.com)