Until WebRTC Javascript did not have access to the computer's networking details. With WebRTC it suddenly has. Any web server can unbeknownst to the user get a list of all IP addresses on all the client computer's network interfaces and a list of all IP addresses with which the client computer can reach a STUN server. On Windows, Firefox even bypasses the routing table trying to reach the STUN server through as many paths as it can and then sends the results to any web server that wants it without approval from or notice to the user. More information and a demo:
https://github.com/diafygi/webrtc-ips We at mullvad.net run an anonymising VPN service and for our users this is a serious privacy problem. For most users any web server can deanonymise them by getting the IP address they have from their ISP sent to them by Firefox. The first of the two problems is that the WebRTC implementation sends all IP addresses on all network interfaces. This gives the web server information about the client's local network and any other networks it may be connected to. If the client computer has a public IP address from the ISP it will be revealed even if it is not used publicly on the internet but only for a VPN. The second problem is that it (on Windows) bypasses the routing table sending requests to the STUN server through paths that should not be used. Again, in many cases this means the STUN server will be contacted with an ISP IP address only intended to be used for the VPN tunnel, revealing the user's identity to both the STUN server and the web server. Just contacting a STUN server to get a public IP address would not be a privacy problem. Is there a chance Firefox might in the future use the more aggressive methods only after simply contacting a STUN server in the ordinary way fails and then only after asking approval from the user? Like when users are asked if they want to reveal their geographical location. Best regards Daniel Berntsson _______________________________________________ dev-privacy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-privacy
