Chromium based browsers leak user local IP via WebRTC foundation attribute (opens in new tab)

Google abandoned that extension in 2016, which is why the last option (for disable_non_proxied_udp) is greyed out.

It's because if you don't leak the local IP, then webRTC calls will typically fail between people on the same LAN. And, if they don't fail, then they will usually have to go via a TURN server on the internet adding a lot of latency.

It's a privacy/functionality tradeoff. But most people consider not being able to videocall or do online gaming with someone in the same building to not be acceptable.

Well, the big non-adtech browser is not vulnerable, so there’s that.

> just block [WebRTC] entirely

I think an opt-in permission seems like the way to go, like the one we already have for microphone/camera permissions, and possibly just merged with these (i.e. grant WebRTC permissions together with A/V permissions).

There are quite a few interesting non-A/V WebRTC applications around – these could be handled via an explicit prompt, similarly to how newer iOS versions handle local network permissions.

If memory serves Ublock origin does just that.

> It's a privacy issue. You can use it to fingerprint a user, local IP will give you quite many bits of entropy. <https://coveryourtracks.eff.org/>

I don't buy it: You have to block IPv6 as well, and that's becoming harder to do.

If the user is trying to protect their "privacy" from their ISP by using a VPN (for example), and are attempting to prevent the application-level leak of providing a list of all the local interfaces, they really need to configure their system to restrict e.g. their web browsers and other sensitive tools to those specific interfaces, e.g.

https://askubuntu.com/questions/1313755/forcing-chrome-brows...

This should be easier, like maybe a button in the VPN software.

If you use Chrome-exclusive links, please at least also link to the closest standard section [0] and preferably, mention the Chrome-linked text directly.

That said, they don't say anything about security, I obviously forgot about fingerprinting, but still don’t see security issues?

[0] https://www.whonix.org/wiki/Data_Collection_Techniques#Finge...

A bit? The site claims it found a host on literally every single private IP that exists ;) And closing it nearly killed my FF (full freeze for ~10 seconds).

I've yet to see a normally configured browser _not_ be uniquely identifiable many times over through fingerprinting.

At some point it feels like trying to drain the ocean with a cup. Maybe we just need to accept that anyone who really wants to fingerprint you _can_ fingerprint you unless you use a specialist browser.

At that point the solution is fairly obvious, make it legally difficult to use unique fingerprinting and move on (ie stuff like gdpr). People will still do it, but they'll have to balance it with not falling foul of the law and wont be able to abuse it too much.

We wont stop real world facial recognition by all trying to make our faces more similar either, we have to accept it's generally possible to do, but discourage the actual doing of it rather than trying to make it impossible.

(note in both cases, actually preventing it when you have a reason to is totally possible and valid, via specialist browser modes and physical masks respectively)

Yeah. All that's needed is to leak link-local IPv6 address from a single interface. There's your unique commputer identifier, unless someone's using mac randomization.

I liked that idea also.

The concern was dialog fatigue. If a web site prompts permission to ‘gather local candidates’ most users are just going to hit OK. So this wouldn’t stop abusive uses of WebRTC as hoped.

Thank you, I will try that. Although I hope that for critical security updates they will be faster... Right now it is lagging behind (105.1.0 vs. current 106.1.0)

Yes, but as far as I understand, the fight against fingerprinting is lost anyway.

Having WebRTC enabled can be dangerous for other reasons. You could be seeding a torrent unknowingly just by visiting a website. This can turn into a freaking disaster if you live in country like Germany.

It's a shame that browsers don't ask you for WebRTC like they do with webcams.

about:config is only available in Beta or Nightly on Android now, though forks like Fennec also have it enabled by default.

They took it away in Stable because changing some settings may disconnect GeckoView from the application containing it and they can't have that.

I run Beta for this reason. Nightly is too unstable for me so I had to give up custom addon lists to bypass Mozilla's outdated whitelist (they were only available in nightly for a while, I believe that's in Beta now).

Mozilla doesn't trust you to use their precious software right and they'll take away your toys if it considers you to be playing with them wrong. I still like Mozilla over Google, Microsoft, and Apple, but it's really hard to be a fan of Firefox when they pull shit like this.

Yeah. It's only available in nightly. Which is fine so long as you're ok with things occasionally breaking or sudden vulnerabilities (I've dogfooded nightly on desktop and mobile for years and it definitely happens. Happened to me just last week) and you also have to be fine with downloading a huge package and writing it to your internal card basically every day which may be an issue with your plan, and after a few years, is also an extra thousand writes that you might have wanted to avoid (my last 3 phones have had replaceable batteries but not internal storage).

> But since not many poeple use Falkon regularly... maybe that's a fingerprint all by itself.

You can check here: https://coveryourtracks.eff.org

I know you said this as a joke, but I think you underestimate the convenience draw of that. Already if I have to sign up for something on not-my-primary-computer I'm annoyed because I can't use the Chrome autofill to take care of entering my address/phone/credit card details. For a large number of people the privacy concerns take a definite backseat to seamless and quick experiences and there isn't anything wrong with making that value judgement.

Your full name is not the same as your local IP. Since your NAT subnet is almost always /24, there really are only 256 local IP addresses. Which one you happen to be using at the time is not really important. There are 10,000 other things about your browser that could be used to uniquely identify you. This is a feature of WebRTC that allows it to do what it does, not a bug. If you are worried about 3rd party web apps sniffing your local IP and somehow using that info against your interests, don't go on the internet.