Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Many VPN Providers Leak Customer's IP Address via WebRTC Bug (bleepingcomputer.com)

Posted by msmash on Wednesday March 28, 2018 @06:14AM from the you-had-one-job dept.

An anonymous reader shares a report: Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. The discovery belongs to Paolo Stagno, a security researcher who goes by the pseudonym of VoidSec, and who recently audited 83 VPN apps on this old WebRTC IP leak. Stagno says he found that 17 VPN clients were leaking the user's IP address while surfing the web via a browser. The researcher published his results in a Google Docs spreadsheet. The audit list is incomplete because Stagno didn't have the financial resources to test all commercial VPN clients.

83 comments

Min score:

Reason:

Sort:

How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 06:20 · Score: 1

Disable WebRTC, you dumb shits.
1. Re:How are VPN providers supposed to stop this? by jellomizer · 2018-03-28 06:23 · Score: 1
  
  Being that many didn't know about this vulnerability. beforehand it means Disabling WebRTC may effect features that their customers expect.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
2. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 06:25 · Score: 0
  
  Being that many didn't know about this vulnerability. beforehand it means Disabling WebRTC may effect features that their customers expect.
  Exactly, features such as the leaking of their IP addresses and possible execution at the hands of their political dictatorship.
3. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 06:30 · Score: 0
  
  Your security is your responsibility. It's up to you to know what is, and what isn't safe to use.
4. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 06:43 · Score: 0
  
  And in other news, the "invisible hand" of the marketplace will protect your from fraud because fraudulent companies will lose to their competitors.
  You just keep telling yourself that....
5. Re:How are VPN providers supposed to stop this? by barc0001 · 2018-03-28 06:43 · Score: 4, Insightful
  
  Not everyone can be expected to be an expert in security. That's like saying if you get on a plane that hasn't had its maintenance done and it crashes, it was your fault for getting on the plane without knowing what its maintenance status was.
6. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 06:47 · Score: 0
  
  Your own death is your own fault, but you are not responsible for everyone else on the plane. They are responsible for keeping themselves safe in situations they have no control and no knowledge about where their lives are in danger, should they gamble and put themselves in such situations. If you wind up as part of a medium-well personburger with the people in the immediately adjacent seats, you made that decision without knowing who worked on that plane - or if anyone at all did.
7. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 07:08 · Score: 1
  
  You can't disable WebRTC on Chrome, true story
8. Re:How are VPN providers supposed to stop this? by jellomizer · 2018-03-28 07:31 · Score: 1
  
  From Wikipedia:
  
  WebRTC (Web Real-Time Communication) is a free, open-source project that provides web browsers and mobile applications with real-time communication (RTC) via simple application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps.[1] Supported by Google, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).[2]
  It would seem just going and disabling the feature may cause some angry customers calling and complaining.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
9. Re:How are VPN providers supposed to stop this? by jellomizer · 2018-03-28 07:34 · Score: 1
  
  It is also the responsibility of everyone else that you use services of as well.
  If I cross the street and fall down an open manhole cover.
  I am responsible for keeping an eye on where I am looking.
  The person who opened the manhole cover is responsible for blocking off the area for others to see that it is open.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
10. Re:How are VPN providers supposed to stop this? by sexconker · 2018-03-28 07:37 · Score: 1
  
  Nobody fucking needs or wants WebRTC.
11. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 07:50 · Score: 0
  
  You make an interesting point; there are various degrees of regulations governing the maintenance requirements for airplanes (FAR part 91); which distinguish between commercial use, private, utility, etc. However, your anecdote might be more accurately put like "if you fly aboard an experimental aircraft..."
12. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 07:53 · Score: 0
  
  Anybody who can fuck needs WebRTC, do they?
13. Re:How are VPN providers supposed to stop this? by svanheulen · 2018-03-28 07:56 · Score: 1
  
  Except in this "story" the plane (VPN) has had it's maintenance done... and then the passenger (user) brings a bomb (WebRTC) on the plane. If you, or the software you use, willingly sends your real IP address through your VPN, that's not the fault of the VPN.
14. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 07:58 · Score: 1
  
  Just like it's always the victim's fault for being in the wrong place at the wrong time when they're murdered. Their fault for not fully understanding everything and everyone they chose to be around, right? Or maybe you're dumb as all hell.
15. Re:How are VPN providers supposed to stop this? by ichimunki · 2018-03-28 08:01 · Score: 1
  
  Oh come on! This is Internet101 stuff that anyone can do. I run a private VPN at home using a little Raspberry Pi server (used to be a Mac mini, but trying to go all open source) before my browser traffic even goes out the cable modem. That way even my ISP doesn't know where the traffic is coming from.
  
  --
  I do not have a signature
16. Re: How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 08:02 · Score: 0
  
  You wouldnâ(TM)t know fucking
17. Re:How are VPN providers supposed to stop this? by jellomizer · 2018-03-28 08:09 · Score: 1
  
  But Flash support is going out, and I don't even know if RealPlayer is still in existence.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
18. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 08:09 · Score: 0
  
  Yes, it's for real time cuckholding (RTC)
19. Re: How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 08:20 · Score: 0
  
  You can buy a dedicated little VPN passthru device even cheaper than a raspi but unsure how much I trust them. You can also get some routers with open source firmware that includes VPN support and put your existing ISP router in modem mode.
20. Re:How are VPN providers supposed to stop this? by barc0001 · 2018-03-28 08:22 · Score: 2
  
  > and then the passenger (user) brings a bomb (WebRTC) on the plane
  Your analogy doesn't work because your passenger knows they're bringing a bomb onto the plane. I bet you $100 that 99 out of 100 VPN customers have never heard of WebRTC, let alone know what it does and certainly don't know it breaks the VPN's privacy.
21. Re:How are VPN providers supposed to stop this? by barc0001 · 2018-03-28 08:24 · Score: 1
  
  > Oh come on! This is Internet101 stuff that anyone can do.
  Does your mom or your brother or uncle or cousin run a VPN with an RPi? Did they set it up themselves? If not, why not?
  Internet 101 is AOL level knowledge for most of the population, the people who post to /. have just a little more expertise than the average person...
22. Re:How are VPN providers supposed to stop this? by svanheulen · 2018-03-28 08:45 · Score: 2
  
  Nope, my analogy works perfectly. I didn't specify that the passenger knew. Even if the passenger unknowingly brought the bomb on the plane, the plane was still properly maintained and so that is not the cause of the crash. It's WebRTC that leaks your IP, not the VPN. The VPN has no control over what (buggy) software you use, just like it can't stop you from posting your real IP on Twitter.
23. Re: How are VPN providers supposed to stop this? by Brockmire · 2018-03-28 09:24 · Score: 1
  
  Pilots: ignore this guy. You guys better not get on the plane without knowing the maintenance schedule.
24. Re: How are VPN providers supposed to stop this? by Brockmire · 2018-03-28 09:29 · Score: 1
  
  What? Your ISP will see the traffic come from your pi. Your connection to the pi is encrypted, your DNS lookups from pi to whatever DNS server is easily known by ISP. Did you poorly explain your setup?
25. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 09:36 · Score: 0
  
  Not everyone can be expected to be an expert in security.
  Well, no, but they shouldn't be doing dangerous things if they don't know what they're doing. I don't demand a safe stairway to the top of K2 so that I can climb a mountain without learning how. Why are people trying to hide their location? They're probably trying to circumvent streaming services' region limitations or to take advantage of a cheaper offer in a different region. I.e., they're trying to cheat. If you want to play this game, learn how to play the game.
26. Re: How are VPN providers supposed to stop this? by barc0001 · 2018-03-28 10:07 · Score: 1
  
  I'm sure the guy sitting in 24c is a pilot, as is the lady in 14b...
27. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 10:38 · Score: 0
  
  Oh come on! This is Internet101 stuff that anyone can do. I run a private VPN at home using a little Raspberry Pi server (used to be a Mac mini, but trying to go all open source) before my browser traffic even goes out the cable modem. That way even my ISP doesn't know where the traffic is coming from.
  Step 1: Derisively chides people for not knowing something that is "Internet 101 stuff"
  Step 2: Goes on to describe a process that is absolutely no one's idea of "Internet 101 stuff". In fact, 99% of people wouldn't even be sure that the explanation is in english.
28. Re:How are VPN providers supposed to stop this? by AHuxley · 2018-03-28 13:13 · Score: 1
  
  Put the users computer behind a fast ethernet router with the VPN crypto.
  A really great router with the chipset to keep up with the ISP and secure VPN crypto in real time.
  That would ensure the browser, OS, add ons, plug ins, extensions, malware, ads can only see the internet as a VPN ip.
  From the most normal ways around a VPN in the OS.
  
  The security services just collect it all in real time without much effort globally.
  
  --
  Domestic spying is now "Benign Information Gathering"
29. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 18:28 · Score: 0
  
  Supported by Google, Mozilla, and Opera, WebRTC ...
  I always knew that Microsoft (and Apple) browsers were the most secure.
30. Re: How are VPN providers supposed to stop this? by Anonymous Coward · 2018-03-28 19:22 · Score: 0
  
  The security experts are the one who are going back to paper... the more you know the more you wish you didn't know.
31. Re: How are VPN providers supposed to stop this? by x_t0ken_407 · 2018-03-30 08:35 · Score: 1
  
  I was thinking the exact same thing! I was wondering if he knew that the VPN is still getting it's IP from the ISP and that traffic from it is not encrypted...
32. Re:How are VPN providers supposed to stop this? by Anonymous Coward · 2018-04-02 05:19 · Score: 0
  
  Not always what if you are older and need depends do you want everyone knowing you need to research and buy them? The answer in most cases is no. That isn't the only reason you may want to hide what you are doing but it isn't illegal. Maybe you like some offbeat but still legal pron why is that anyone's business but your own. Maybe I would just like to look at a new blender and not receive 600 ads and emails about the latest blender technologies. Why do I have to be trying to cheat to want privacy?
No The VPNs Did Not Leak IPs by Anonymous Coward · 2018-03-28 06:38 · Score: 0

The browsers did. WebRTC is a browser security issue. This is like blaming your VPN for leaking your home address because you posted it on Facebook. If you want to be secure and private online then take the time to learn how.
1. Re:No The VPNs Did Not Leak IPs by Dr_Harm · 2018-03-28 06:43 · Score: 1
  
  It looks to me like the STUN server is the one doing the leaking. And that's a function of whatever WebRTC service you're using, not your VPN provider or your browser.
2. Re:No The VPNs Did Not Leak IPs by Anonymous Coward · 2018-03-28 08:08 · Score: 0
  
  STUN is not the problem, mandatory ICE support in WebRTC is.
3. Re:No The VPNs Did Not Leak IPs by torqer · 2018-03-28 08:15 · Score: 1
  
  in my Experience with a webrtc phone... Chrome leaks it. Firefox doesn't.
4. Re:No The VPNs Did Not Leak IPs by Anonymous Coward · 2018-03-28 19:05 · Score: 0
  
  It looks to me like the STUN server is the one doing the leaking. And that's a function of whatever WebRTC service you're using, not your VPN provider or your browser.
  Exactly, but it isn't just a "leak" because this is how STUN operates, by design. STUN is hardly compatible with privacy, and protocols using it, like WebRTC, shouldn't be standardized by the W3C and IETF in the first place, nor should its support be included in the Web browsers. The only remedy I see (except disabling WebRTC altogether) is maybe the VPN providers implementing their own STUN emulation, which conceals the clients' IP addresses, and configuring client machines to use it.
The bug and the way around it by Xenna · 2018-03-28 06:46 · Score: 5, Informative

I just discovered this bug today myself by chance, but AFAIK if you're using NAT (which most of us do) this will only reveal your 'local' IP addres, usually something like 192.168.0.x. Still nasty, but it won't immediately identify you.
Also, there's an ad blocker plugin for most popular browsers (uBlock Origin) that has an optional setting that blocks this.
Test for the vulnerability here:
https://www.whatismybrowser.co...
The page will reveal your local IP if your browser is vulnerable (no VPN needed).
1. Re:The bug and the way around it by Bruce+Perens · 2018-03-28 07:47 · Score: 4, Interesting
  
  It did reveal my local-network IPV4 address behind NAT, which is of little use to anyone. But it also showed my public IPV6 address, which is no surprise because there's no NAT. That's the dangerous one. I am not using a VPN, but if it was using one to conceal my identity this would reveal a traceable IP address.
  
  --
  Bruce Perens.
2. Re:The bug and the way around it by Anonymous Coward · 2018-03-28 08:06 · Score: 1
  
  Not possible to detect your local IP.
  I disabled webrtc in firefox the instant i updated to the version which included it. I want a web browser not a god damn app platform. Every new 'feature' is just another attack surface.
  FYI
  about:config
  media.peerconnection.enabled = false
3. Re:The bug and the way around it by Anonymous Coward · 2018-03-28 08:13 · Score: 0
  
  You discovered this just now? I made that conclusion years ago while surfing to a porn site. The site correctly identified my country and started serving localized content even when my VPN endpoint was at the other side of the earth. A few secons of tcpdump later made sure I always disable ipv6 first before starting my vpn client.
4. Re: The bug and the way around it by Anonymous Coward · 2018-03-28 08:30 · Score: 0
  
  Also disable DNS and anything else from escaping out directly through your ISP. Better to have a dedicated VPN client machine between two strict firewalls and drop ALL traffic that does not go through the encrypted tunnel.
5. Re:The bug and the way around it by Bruce+Perens · 2018-03-28 10:01 · Score: 2, Insightful
  
  You discovered this just now? I made that conclusion years ago while surfing to a porn site.
  
  I must confess to being that boring sort of individual who doesn't really have anything to hide. At least yet, the way things are going it could get to the point that every civil person will need to hide.
  Thus, I haven't been using any sort of concealment technology and haven't concerned myself with the fact that my IP address can be identified.
  At the moment it's still legal for you to look at that porn site. Although if those people who take Cosmo off the shelves in stores have anything to say about it, it won't be. FYI, they have nothing to do with #metoo and are just a prudish religious organization. And their behavior concerns me.
  
  --
  Bruce Perens.
6. Re:The bug and the way around it by Anonymous Coward · 2018-03-28 20:18 · Score: 0
  
  FTW!!!
  Firefox config at "true" and "false" was tested with Xenna's suggestion from above....
  https://www.whatismybrowser.co... [whatismybrowser.com]
  True = [my IP address]
  False = "Not possible to detect your local IP"
  Thanx!
7. Re:The bug and the way around it by Anonymous Coward · 2018-03-28 23:25 · Score: 0
  
  I have nothing to hide, but you don't need to know that.
8. Re:The bug and the way around it by Anonymous Coward · 2018-03-29 04:48 · Score: 0
  
  I would think the recent news about Facebook would have quelled the "have nothing to hide" rhetoric, but alas, no. If someone can build a sufficient profile about you, they can determine how to manipulate you.
9. Re:The bug and the way around it by Lost+Race · 2018-03-29 15:30 · Score: 1
  
  Everyone has something to hide. Maybe you just don't know what yours is yet. By the time you find out it will be too late. Best to bide everything you possibly can.
10. Re:The bug and the way around it by cerberusss · 2018-03-31 03:32 · Score: 1
  
  I must confess to being that boring sort of individual who doesn't really have anything to hide
  For now. However next year, your particular idiosyncrasies and/or opinions could easily become politically incorrect.
  
  --
  8 of 13 people found this answer helpful. Did you?
When will a VPN provider get hacked? by Anonymous Coward · 2018-03-28 06:48 · Score: 0

You are trusting the VPN provider to... * Not keep log info beyond your payment details. * Keep their systems secure in data centers located in many countries. * Not get hacked for a man-in-the-middle attack. and stay in business.
1. Re: When will a VPN provider get hacked? by Anonymous Coward · 2018-03-28 08:36 · Score: 0
  
  So just become your own VPN provider. Easy as renting / co-locating bare metal and hosting your own custom OS with OpenVPN servers on a handful of different providers. Then chain them together and expect way more attention and hack attempts from three letter agencies. Simples!
2. Re: When will a VPN provider get hacked? by Anonymous Coward · 2018-03-28 09:26 · Score: 0
  
  Except if you are using this as an always on VPN for your LAN at home, then that is going to cost you big bucks. I regularly transfer 200-300GB a month though my VPN provider and only pay about $4 a month for it. That would probably cost hundreds for the bandwidth renting at a colo/cloud service
  In the end i use VPN to keep my ISP from trying to hijack my DNS and any targeted snooping they might be doing for advertising. No matter what you do a VPN isnt going to protect you from the 3 letter spooks. If they try and capture your traffic at your ISP and just see an encrypted tunnel running to a data center that the VPN provider is hosting at, they're just going to use whatever means they need to convince the VPN provider to let them capture your traffic, or just capture all the traffic coming out of the data center in the clear.
3. Re: When will a VPN provider get hacked? by Brockmire · 2018-03-28 09:47 · Score: 1
  
  If you buy VPS during promos, you can get one for $12/year. I have some for $6/year. I got a promo for 5 IPv4 with 2GB and 2 cores for $20/year. The cost difference is my time.
How is different from this 2015 article? by Anonymous Coward · 2018-03-28 06:49 · Score: 0

https://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/
Sounds like the same thing to me.
Private Internet Access by Anonymous Coward · 2018-03-28 06:50 · Score: 1

The google doc suggests it's vulnerable but visiting https://ip.voidsec.com/ myself everything looked fine. The google doc references https://www.vpncompare.co.uk.
There's nothing about WebRTC in the review of PIA (https://www.vpncompare.co.uk/private-internet-access-review/)
This article about it going open source only mentions WebRTC in the context of a chrome extension blocking IP discovery (https://www.vpncompare.co.uk/private-internet-access-vpn-taking-to-the-open-source-road/)
I just tried https://ipx.ac/run however and it's clear that Flash is leaking my IP address. I'm using Firefox so it was as easy as going into Add-ons and changing activation from Always to Ask.
Moral of the story? Get on your VPN and try https://ipx.ac/run
1. Re:Private Internet Access by Anonymous Coward · 2018-03-28 09:30 · Score: 0
  
  WebRTC is not a bug in your VPN and there is likely zilch your vpn software or provider can do to stop it.
  This is entirely a browser "feature" where the browser returns your PCs physical network interface IP. If you are behind a NAT router this is going to be just about useless since you are likely going to have an IP in one of the ARIN assigned private address spaces for your LAN. Good luck trying to identify someone assigned a 192.168.0.x ip that millions of other people around the world are using on their LANs as well.
2. Re: Private Internet Access by Anonymous Coward · 2018-03-28 17:40 · Score: 0
  
  Private Internet Access is good. The customer service used to be genuinely awful, but it has gotten better (still needs improvement). It's also dirt cheap and the company has a strong, public track record of defending user rights and supporting the FOSS community.
  @ Rick Falkvinge, Andrew Lee or whosever else from PIA may be reading: here are my main complaints on what PIA needs to improve:
  1. Stealth mode. This is maybe the biggest issue. Some of us travel a lot for business and need our VPN on the road. PIA needs to improve its ability to get around restrictive firewalls, be they corporate or state-sponsored. ExpressVPN is clearly leading the market here; PIA needs to catch up.
  2. The mobile app needs IKEv2 support, especially iOS. OpenVPN is still preferable on desktop and Android. Because of Apple's dumb policy on VPN iOS protocols, PIA needs to get IKEv2 rolled out soon since it's a clear improvement over L2TP.
  3. All the apps should have an option to block WebRTC traffic, as discussed here. Sure, it's really a browser problem, but as a paying customer we can ask our VPN provider to solve the problem. Disabling WebRTC should be a toggle option, not enforced by default; sometimes it actually is necessary to use (for some of us).
  4. VPN chaining. Amazingly, almost no provider I've seen actually does this well. Maybe PIA will be the first. Others who offer VPN chaining typically offer dedicated servers for chaining. This basically defeats the point by making the traffic path predictable. The correct was to implement VPN chaining is to use your entire, current, existing server base and mix chained traffic with single-hop traffic randomly. Maybe let users select their entry/exit locations, but the traffic has to mix randomly through the entire pool of available servers in order to prevent traffic analysis, which is the whole point of chaining.
  5. Corporate / business plans. Unfortunately, PIA doesn't have a clear, defined, manageable option for corporate accounts. I've had to point people in the direction of Nord instead of PIA for this reason. It would be great if PIA rolled out an account service team geared towards enterprise users who want to use PIA for their company.
VPN Overload by ArhcAngel · 2018-03-28 06:52 · Score: 1

I started looking at VPN providers and stumbled across this guys site. Talk about information overload! I don't know anything other than what he has posted but by the looks of it he has way more free time than I do. So if your VPN is "leaking" this might be a good source for deciding who your next VPN provider will be.

--
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
1. Re:VPN Overload by Anonymous Coward · 2018-03-28 08:41 · Score: 0
  
  If money's not an issue, just get NordVPN. It's a bit pricey at $140 up front for 2 years of service (compared to some providers), but it's arguably the most touch'n'go of the bunch and they have a proven track record of not turning over information/leaking data. I used CyberGhost a while back, and while they were cheaper the service was routinely slower.
  Granted, there are probably people on here who'd recommend setting up your own VPN, but if all you want is to cover your tracks easily with minimum hassle, NordVPN is your best bet.
2. Re:VPN Overload by pnutjam · 2018-03-28 12:00 · Score: 2
  
  AirVPN and PIA are not on that list. PIA is US based, which some might like, but some might not. Air is based in France, still 5 eyes, but Euro privacy protection.
  
  --
  Cheap storage VM.
3. Re:VPN Overload by jaa101 · 2018-03-29 14:49 · Score: 1
  
  Air is based in France, still 5 eyes
  I thought the five were US, UK, Canada, Australia and New Zealand. What's your issue with France?
4. Re:VPN Overload by pnutjam · 2018-03-30 02:05 · Score: 1
  
  I thought Eurozone was part of the five eyes, consider me corrected.
  
  --
  Cheap storage VM.
Chrome and Firefox Only by petermp · 2018-03-28 07:00 · Score: 1

Let's be a little bit more specific. The bug works with Chrome, Firefox and Opera. Both IE and Seamonkey are not affected. Not sure about Edge....
1. Re:Chrome and Firefox Only by E-Rock · 2018-03-28 07:12 · Score: 1
  
  Edge and IE have webRTC disabled by default. So the MS browsers are safe. I know, I was shocked too. :)
Yep by Anonymous Coward · 2018-03-28 07:03 · Score: 0

I sometimes find a site that knows where I'm located. I'm using PIA (Private Internet Access).
I chose PIA based on multiple favorable reviews.
1. Re:Yep by E-Rock · 2018-03-28 07:13 · Score: 1
  
  It's probably your cookies that are revealing where you are.
2. Re:Yep by Anonymous Coward · 2018-03-28 19:26 · Score: 0
  
  No its ipv6.... disable that and you're good.
Nope, VPN providers just fail to babysit you by Anonymous Coward · 2018-03-28 07:21 · Score: 0

You're leaking your IP address by using a browser with Javascript and WebRTC enabled, you dummy.
The elephant in the room is the browser. by Anonymous Coward · 2018-03-28 07:24 · Score: 2, Insightful

As always (see the Facebook discussion), the browser mutated from a hypertext viewing application into a spyware executing monster, a thing picking up random executables off the 'net and colluding with everyone out there against the user.
The sad part is that even Mozillians have been carried away by "oh, shiny!" and "ours is the fastest javascript engine" instead of throwing some weight into keeping the javascript-free web viable.
1. Re:The elephant in the room is the browser. by Anonymous Coward · 2018-03-28 13:06 · Score: 0
  
  Lol how can Firefox make sure the web is javascript free? That pandora's box was opened decades ago.
Still not as bad as DNS leaks by Anonymous Coward · 2018-03-28 08:26 · Score: 0

DNS query leaks are worse, where a badly configured VPN client uses the DNS server of the ISP. Always ensure your VPN provider offers their own DNS servers or point at 8.8.8.8 or opendns or something other than your ISP.
1. Re:Still not as bad as DNS leaks by pnutjam · 2018-03-28 12:12 · Score: 1
  
  I'm in the process of setting up a pi-hole that uses my VPN providers dns upstream.
  
  --
  Cheap storage VM.
I'm safe! by Anonymous Coward · 2018-03-28 10:02 · Score: 0

I only use Internet Explorer 11. So, have fun with that Chrome users!
your vpn client should be hardware.. by Anonymous Coward · 2018-03-28 11:50 · Score: 0

not software running on the pc you're actually using.
1. Re:your vpn client should be hardware.. by AHuxley · 2018-03-28 13:14 · Score: 1
  
  1+ AC. make it external to the OS and the computer. The last step on the network out.
  
  --
  Domestic spying is now "Benign Information Gathering"
Apple in iOS 11 exacerbated this problem by Anonymous Coward · 2018-03-28 14:40 · Score: 0

Multiple browsers began leaking WebRTC through VPN starting in iOS 11. It's a big, glaring security hole that Apple let through.
Take the ALL IN ONE browser to Mt Doom & burn by Anonymous Coward · 2018-03-28 15:46 · Score: 0

Yes, a good deal of issues rest upon that grotesque wriggling mass of protocols people call the Web.
I've given some thought to the browser problem. It seems like an impossible convoluted insecure mess that can only be solved by doing away with the whole platform completely, but we all know that won't happen.
So, instead I've thought about a way of altering the concept of the ALL IN ONE web browsers as a standard in relation to IT and netsec folks (with the long con of having an eventual trickle down effect to general users) Create a class of browser that is designed to be only used in place of a standard browser to perform sys admin and security tasks on local network resources.
Now, this wouldn't succeed if introduced as a stand alone package, but if it were introduced as a sub package to current open source platforms that have a web server.... well you can see where I am going with it. Meanwhile, stop supporting web config on generic browsers for 'security reasons'. Now do this over and over again.
Nobody cooperating? Target new forks. They are usually eager to differentiate themselves from the original package.
Eventually release a stand alone package that supports all of those platforms. That ought to shake shit up!
NOT a solution! by Anonymous Coward · 2018-03-28 19:44 · Score: 0

The solution is to
1. Never ever use a browser in there! Their attack surface is vast. E.g. you can use JS to just do a network scan and port scan, etc.
2. Use a firewall with deep packet inspection that only allows a fixed sets of protocols it understands completely, and anonymizes or blocks all packers containing your IP addresses.
3. Have your system trust the firewall's certificate, so the firewall can look into and modify encrypted connections too. In fact, don't let anything pass that couldn't fully be verified before going out!
Or TL;DR: Use a whitelist.
Because blacklisting will always leak at some point. It will never be 100%.
1. Re:NOT a solution! by Xenna · 2018-03-28 19:54 · Score: 1
  
  You're right of course. I remember playing with 'beef' sometime and that was pretty sobering.
  https://www.hacking-tutorial.c... (you don't even need to use XSS if you own the site)
Sigh by ledow · 2018-03-29 00:12 · Score: 1

Nothing to do with the VPN.
For a start, they shouldn't be opening packets and inspecting protocols, so they can't "fix" this for you in any way, shape or form, if they're doing their job.
This is the browser talking to an outside STUN server deliberately saying "My internal IP is X.X.X.X". The VPN shouldn't be interfering with that. No VPN (hardware or software) should be combatting that.
If you're worried about it, don't use browsers that do that.
VPNs are NOT there to provide protection from data-escape. They are there to provide a secure unmonitorable connection to a device that may then connect to the Internet. EVERYTHING on the other end is monitorable anyway. And if you're literally sending your IP address via STUN, or in an email, or by telling people it on the web, a VPN is not even supposed to know, let alone try to stop you (which it can't).
This is a case of people culminating "VPN" and "web proxy", and then using a piece of software that talks entirely different protocols out anyway, and does so at your request, and expecting the VPN provider to "just take care of my own stupidity".
I mean, I'm quite glad. Stupid criminals are the ones most easily caught, so they will just think they are safe because they bought some $5/month VPN and they can't possibly be found when planning their acts of terrorism, illegal acts, software piracy, whatever it may be. But if you're using a VPN like this to just bypass a content restriction, or to enable you to browse without people casually snooping on you, and not for 100% anonymity, then you're pretty much unaffected.
However, if I demanded secure anonymous access to a resource, a commercial web browser of any kind probably wouldn't figure very highly at all. There's just too much junk in there from javascript and cookies to WebRTC (a lovely useful technology), extensions, automatic-updates, history recording, etc. etc. etc.
Honestly, if you're doing something critical for which you don't want to ever be identified, then... this is not the answer. It's not even close to the answer. For a start, paying a VPN provider is a really dumb idea, even if you do it with Bitcoin. Let alone "hoping" that they aren't secretly complying with FBI etc. orders to open their logs etc. (I'm sure if I was an intelligence agency, I'd find a way to own at least one major VPN provider claiming to provide anonymity myself, even if it meant setting it up from scratch and operating it like any other business without any formal contact).
If you want to be "private", then asking a bunch of computers along the way, all belonging to different people, corporations and nations, to keep your secret is really stupid.
Won't happen on Pale Moon by Rexdude · 2018-04-05 21:50 · Score: 1

Pale Moon intentionally does not support WebRTC:

WebRTC. Apart from opening up a whole can of worms security/privacy-wise, "Web Real Time Chat" (comparable with Skype video calls and the likes) is not considered useful or desired functionality for Pale Moon (both according to the developers and the users of the browser at large). This is best left to dedicated programs or at most a browser plug-in.

--
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."