WebRTC Leaks Local IP Addresses
Written by Ian Elliot   
Wednesday, 28 January 2015

The law of unintended consequences seems to have been applied to WebRTC because one small useful feature can be turned into the perfect user tracker. 



The Internet still runs on IP4 and to make it work we need to use Network Address Translation, or NAT. Nearly all internal networks make use of private or local IP addresses that cannot be used on the public internet. When a machine wants to make a connection to the public internet it makes use of a public IP address that it shares with other machines. The identity of the machine is stored as the port number - effectively increasing the number of IP address in use by 16 more address bits. A single public IP address can thus serve around 216 local users. 

Many ISPs also use a dynamic allocation of public IP addresses to users. so you might not even get the same public IP address each time you connect to the internet. 

NAT is an ingenious solution which has allowed IP4 to continue being workable well into an era where IP6, with its huge address space, should be an essential upgrade. As long as you don't need to support incoming connections, or you can use port forwarding if you do, then NAT is as much connectivity as you need. 

It also provides a good degree of anonymity.

When you connect to a website, say, all the website gets is your IP address and the port number to be used to send the data back to you. Given that the IP address may be shared with a lot of users it isn't much use in tracking your browsing.

Put simply a website can't know it is you the next time a request from the same IP address and port number turns up because these are dynamically mapped to local IP addresses, which change. 

This is the reason that the urban myth that you are identified by your public IP address is just that - a myth. Of course, your ISP can log the websites you connect to because the ISP is responsible for issuing you with a public IP address and, if it operates a NAT, an allocated port number. However if your local network attaches via its own NAT then the ISP can't log which user on the local network is viewing what.

While it might not be true that for most users a public IP address identifies them, it is nearly always true that a local IP address is an identifier. Local IP addresses don't change that often so it is alarming to discover that there is a very easy way for a website to discover your local IP address. 

Daniel Roesler isn't the first to notice this, but he has put together a nice demo of the mechanism in action on GitHub.

WebRTC is a peer-to-peer communications protocol that makes it very easy for two browsers to establish voice or video communications without the need of an intermediate server. As you might guess this sometimes needs knowledge of a machine's public and local IP address. 


STUN - (Session Traversal Utilities for Nat) is a protocol that allows a machine to discover its public IP address, even if it is behind a NAT. All that happens is that the machine sends a UDP packet to the STUN server and the STUN server sends back a response packet containing the public IP address. It is very simple and Firefox has a default STUN server that can even be used by Chrome. 

Now, however, we have a WebRTC mechanism that is easy to use in JavaScript that will find the public and local IP address using the default servers. This doesn't make use of the usual Ajax XMLHttpRequest and so currently doesn't show in the developer console and isn't blocked by privacy add-ins. In addition the WebRTC facilities are turned on by default at the moment. 

You can try it out for yourself at: https://diafygi.github.io/webrtc-ips/

The page will display your public and local IP. 

It has always been relatively easy to find the public IP address, it is in the headers, it is the availability of both from JavaScript that is new.

Given both IP addresses, identifying the user without needing to use cookies or fingerprinting is fairly easy and accurate. 

So the unintended consequences are:

  • IP4 needed NAT to support more users and NAT improves anonymity by decoupling public IP and user identity

  • WebRTC needs to know the local and public IP address to provide decentralized and hence more private communications and WebRTC gives this information to anyone who wants it - so reducing anonymity.

Every time security or privacy is protected by one group of programmers it results in a restriction in what you can do which another group of programs spend years working their way around.

In this case it is a storm in a temporary tea cup because come IP6 everyone, and thing, will be uniquely identifiable by their public IP address. Does this mean that civil rights groups will be protesting the introduction of IP6? It will be a universal identity card after all. 



Pg_lakehouse Makes PostgreSQL Quack

Pg_Lakehouse from ParadeDB is an extension that turns PostgreSQL into the analytical engine of DuckDB. Why is that useful? How do you use it?

More Jetpack Compose Updates

The July release of Android Jetpack Compose has some improvements and it is faster, but is it what we want?

More News



kotlin book



or email your comment to: comments@i-programmer.info



Last Updated ( Wednesday, 28 January 2015 )