(Edited on 06/04: in order to reflect the actual situation)
Table of Contents
TL:DR: VPN leaks users’ IPs via WebRTC.
I’ve tested hundred VPN and Proxy providers and 19 of them leaks users’ IPs via WebRTC (16%)
- You can check if your VPN leaks visiting: http://ip.voidsec.com
- Here you can find the complete list of the VPN providers that I’ve tested: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
- Add a comment or send me a tweet if you have updated results for any of the VPN which I am missing details. (especially the “$$$” one, since I cannot subscribe to 200 different payed VPN services :P)
Some time ago, during a small event in my city, I’ve presented a small research on “decloaking” the true IP of a website visitor (ab)using the WebRTC technology (thx to wsx for the tip).
What is WebRTC?
WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.
Is a component allowing calls to use the STUN and ICE mechanisms to establish connections across various types of networks. The STUN server sends a ping back that contains the IP address and port of the client
These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home replicate a similar function in translating private IP addresses to public and back.).
WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.
VPN and WebRTC
This functionality could be also used to de-anonymize and trace users behind common privacy protection services such as: VPN, SOCKS Proxy, HTTP Proxy and, in the past, TOR users.
Browsers that have WebRTC enabled by default:
- Edge (it does not leaks at the moment since it doesn’t support ‘createDataChannel’)
- Epiphany (Gnome)
- Mozilla Firefox
- Google Chrome
- Google Chrome on Android
- Internet (Samsung Browser)
16% of the tested VPNs and Proxies services disclosed the real IP address of the visitors making the users traceable.
The following providers leaks users’ IP:
- ChillGlobal (Chrome and Firefox Plugin)
- Glype (Depends on the configuration)
- Hola!VPN (Chrome Extension)
- Hoxx VPN (Firefox Browser Plugin)
- HTTP PROXY in browser that support Web RTC
- IBVPN (Browser Addon)
- PHP Proxy
- psiphon3 (not leaking if using L2TP/IP)
- SOCKS Proxy on browsers with Web RTC enabled
- SumRando Web Proxy
- TOR as PROXY on browsers with Web RTC enabled
- Windscribe Addons (Browser Extension/Plugin)
You can find the complete spreadsheet of tested VPN providers here: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
Add a comment or send me a tweet if you have updated results for any of the VPN which I am missing details. (especially the “$$$” one, since I cannot subscribe to 200 different payed VPN services :P)
Stay anonymous while surfing:
Some tips to follow in order to protect your IP during the internet navigation:
- Disable WebRTC
- Disable Canvas Rendering (Web API)
- Always set a DNS fallback for every connection/adapter
- Always kill all your browsers istances before and after a VPN connection
- Clear browser cache, history and cookies
- Drop all outgoing connections except for VPN provider
You can check if your VPN leaks through this POC: http://ip.voidsec.com
I’ve updated Daniel Roesler code in order to make it works again and you can find it on Github.