WebRTC "leak" still occurs and the setting to prevent it has been deliberately removed #2267

Closed
8 tasks done
meyergru opened this issue Sep 15, 2022 · 26 comments
Labels
invalid not a uBlock issue

Comments

@meyergru

meyergru commented Sep 15, 2022

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

I know that the WebRTC leakage fix option has been removed a while ago because it apparently has been fixed in the browsers already and it supposedly creates problems if it is applied.

Therefore, the old issue #1723 has been closed to the public.

I also admit that I had to check the box above stating "The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser" just in order to be able to file this bug report while the statement itself is actually untrue.

However, there still is a privacy concern in how this works which I found when I tried WebRTC leak tests over an anonymizing proxy: Using that, one should assume that the originating IP is being hidden from the website. This is true for the HTTP request, but not for the WebRTC IP. Even when using a proxy, WebRTC shows the real IP (i.e. the NATed IP, not the one on the LAN).

Thus, using WebRTC, the cloaking via anonymous proxies can be circumvented, which IS a privacy issue. And before anyone says that: no, this is not a misreading. I do acknowledge that my RFC1918 IP is not disclosed - interestingly enough, I would rather have that exposed in this specific case than my public IP. Thus, it is a separate facet of the WebRTC leak.

I am aware that the setting conflicts with the very feature WebRTC offers. I understand that this is why the wiki warned about that when the setting was still present.

I had not followed the discussion and only found out by chance. I was quite disappointed to learn that a. most browsers allow WebRTC by default (even Brave does it!) and b. uBlock Origin does not prevent it.

A specific URL where the issue occurs

https://hide.me/de/webrtc-leak-test

Steps to Reproduce

  1. While you have access to the internet using public IP X, use an anonymizing proxy somewhere on the internet with IP Y.
  2. Browse to a website that shows your WebRTC IP (most of those found via searching for "webrtc leak test").
  3. You will see that IP X is visible on that website.

Expected behavior

I do not expect to have my public IP disclosed despite using a proxy.

Actual behavior

My public IP was disclosed.

uBlock Origin version

1.44.2

Browser name and version

Firefox 104.0.2

Operating System and version

Windows 10

meyergru changed the title from "WebRTC "leak" still occurs and setting to prevent it has been deliberately removed" to "WebRTC "leak" still occurs and the setting to prevent it has been deliberately removed" Sep 15, 2022
@gwarser

gwarser commented Sep 15, 2022

Which proxy are you using and how is it configured?

@meyergru
Author

meyergru commented Sep 15, 2022

It's a squid proxy, anonymizing by setting:

forwarded_for delete

via off

@gwarser

gwarser commented Sep 15, 2022

I mean, how are you sure your browser is using it?

Maybe it's DNS leak?

@meyergru
Author

meyergru commented Sep 15, 2022

I can verify that the proxy is being used by looking at a more conventional site that shows the originating IP for the HTTP request (plus some javascript, but not using WebRTC), like: https://whatismyipaddress.com/de/meine-ip
There I can see that the request is in fact being proxied (i.e., I see IP Y there).

Also, the sites offering a "WebRTC leak test" specifically use the WebRTC API in order to do their testing. Which does not imply that an additional disclosure via DNS leaking was not possible, but that would be no excuse for the WebRTC leak I describe.

To my knowledge, the DNS resolution is done on the proxy. I just verified via https://www.dnsleaktest.com that there is no DNS leak, i.e. none of the DNS servers is from my local ISP.

@Yuki2718

Yuki2718 commented Sep 15, 2022

What's the matter? The removed setting, which just turns the browser's option on, was to prevent leakage of your private IP address, not the public address (when using a proxy ofc) you discuss here. Hiding that is simply not a job of a browser extension.

@Yuki2718

Yuki2718 commented Sep 15, 2022

> It's a squid proxy, anonymizing by setting:

squid is an HTTP proxy, how can this hide your public IP via WebRTC (UDP)?

@meyergru
Author

meyergru commented Sep 15, 2022

I think that whether "hiding that is simply not the job of a browser extension" is highly debatable. What else does this extension do than to supply privacy mechanisms the browsers do not offer themselves?

Considering the reason given for removing the setting (namely that the browsers now fix the local IP leakage themselves), it seems that the very reason to have it was indeed to hide information in the first place.

I argue that the leakage has only partly been removed, so there is less ground to rectify removal of the setting. Essentially, you are providing a different reason to remove it (which I do not buy).

Regarding your second argument: using squid to hide your identity is a pure necessity in a lot of countries where free speech does not exist. As I said, I was very disappointed to learn that WebRTC was introduced without a proper "lark's vomit" warning, essentially undermining that. So, technically you are correct in saying that a proxy does not hide your public IP via WebRTC. However, without WebRTC, an HTTP proxy perfectly hides your public IP (modulo DNS leaks).

If the maintainers decide that this is out of scope, they may well close this request as unsupported.

@gorhill
Member

gorhill commented Sep 15, 2022

The browsers are not supposed to leak local IP addresses, this was fixed years ago. I suggest you rather open an issue with whichever browser you found suffers the issue, I do not consider this a uBO issue.

@meyergru
Author

That is exactly what I am saying: most browsers leak THIS information - I have verified for Edge, Chrome, Firefox and even Brave.

What has been fixed is the LAN IP and the IPv6 information leakage, not that the public IPv4 is still visible per default.

So, it is correct that this should be fixed in (all) the browser(s). As for uBo, it is not really a "bug", but an incompleteness. As I wrote: Why was the setting there in the first place? To fix something that the browsers didn't. The assumption that they now do this themselves is partly wrong.

@gorhill
Member

gorhill commented Sep 15, 2022

> What has been fixed is the LAN IP and the IPv6 information leakage

In my tests, I could not see my ISP IP address when behind a VPN -- when using a system wide VPN (Firefox VPN).

@meyergru
Author

meyergru commented Sep 15, 2022

Correct, because in that case, the whole network stack is diverted to the VPN endpoint. You will see it when you use an anonymizing proxy, though.

I assume you would also see it when you use Opera's "internal" VPN, because that does not operate on the network stack and is (to my limited knowledge) just a proxy tunnel - but I have not tried it.

@uBlock-user
Contributor

> despite using a proxy.

Proxies are transparent and not guaranteed to hide your IP. Use a VPN, not a proxy if hiding the IP is your main concern.

@meyergru
Author

meyergru commented Sep 15, 2022

I am fully aware of the possible workarounds.

@uBlock-user
Contributor

So the issue is not with uBO. That's just how proxies work.

@meyergru
Author

meyergru commented Sep 15, 2022

I might as well disable WebRTC in all my browsers - although this is tedious because they have different means of enabling that, unless I use a specialised extension to do it. Probably not uBo, even if it once did that job when the setting was still available.

Oh, and hiding my identity and keeping my privacy is my main concern, I assumed this was uBo's main goal.

@Yuki2718

Yuki2718 commented Sep 15, 2022

Well, the leak won't occur if system-wide VPN is used or if a proxy on top of browser and WebRTC IP handling policy set to "Disable non-proxied UDP" are combined. Apparently only Brave exposes this option to user, at least under GUI.

@Yuki2718

Related Brave issue: brave/brave-browser#22515

@uBlock-user
Contributor

uBlock-user commented Sep 15, 2022

> use an anonymizing proxy

Was this a Firefox extension?

> Oh, and hiding my identity and keeping my privacy is my main concern, I assumed this was uBo's main goal.

uBO doesn't hide your ISP's IP address, there's no functionality for this in uBO.

@meyergru
Author

meyergru commented Sep 15, 2022

No, I just set the Firefox proxy to a server that runs squid with the settings I gave. You can do that with an extension like proxy-switch, manually or via WPAD.

And yes, that functionality has been removed (see title). I do not argue that it blocks ads.

@uBlock-user
Contributor

uBlock-user commented Sep 15, 2022

> that functionality has been removed.

Incorrect, the previous functionality that existed only hides local IP. Please don't argue over this as this has been argued before as other OP always had same kind of misunderstanding about uBO.

@Yuki2718

What matters here is if you use a simple proxy but not a full-tunnel VPN, your ISP IP will be exposed by WebRTC, which can be fixed if uBO sets WebRTC IP handling policy to "Disable non-proxied UDP". Ofc there's no guarantee a proxy totally hides your IP (those who want that should use VPN). But this is something to consider about.
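
Added example, not part of the thread or of uBO's code: a small checker for the condition discussed above, i.e. whether the ICE candidates a browser gathers contain a public address other than the proxy's exit IP. The function names, the sample candidate lines and the addresses (documentation ranges standing in for IP X and IP Y) are constructed for illustration.

```javascript
// Added example: classify the addresses found in WebRTC ICE candidate lines.
// Grammar (RFC 8839): candidate:<foundation> <component> <transport>
//   <priority> <address> <port> typ <host|srflx|prflx|relay> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] } : null;
}

function addressKind(address) {
  if (address.toLowerCase().endsWith('.local')) return 'mdns'; // obfuscated host candidate
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(address)) return 'other'; // IPv6 and anything else
  const [a, b] = address.split('.').map(Number);
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'rfc1918';
  if (a === 127 || (a === 169 && b === 254)) return 'local';
  return 'public';
}

// Public IPv4 addresses of the client itself that are not the proxy's exit IP.
function findPublicExposure(candidateLines, proxyExitIp) {
  const exposed = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.type === 'relay') continue; // a relay address belongs to the TURN server
    if (addressKind(c.address) === 'public' && c.address !== proxyExitIp) exposed.add(c.address);
  }
  return [...exposed];
}

// Constructed sample data (documentation ranges): X = 203.0.113.7, Y = 198.51.100.20.
const PROXY_EXIT_IP = '198.51.100.20';
// Candidates as gathered when STUN over direct UDP is allowed (constructed).
const SAMPLE_DIRECT_UDP = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-7b44-4d0a-9c55-0e6d1a2b3c4d.local 54321 typ host',
  'candidate:2 1 udp 1677729535 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0',
];
// A gathering result with no server-reflexive candidate (constructed).
const SAMPLE_NO_DIRECT_UDP = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-7b44-4d0a-9c55-0e6d1a2b3c4d.local 54321 typ host',
];

console.log(findPublicExposure(SAMPLE_DIRECT_UDP, PROXY_EXIT_IP));
console.log(findPublicExposure(SAMPLE_NO_DIRECT_UDP, PROXY_EXIT_IP));
```

In a browser, the candidate lines come from the `candidate` string of each `icecandidate` event on an `RTCPeerConnection`; a non-empty result means the proxy alone is not hiding the ISP address from WebRTC.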

@uBlock-user uBlock-user added the invalid not a uBlock issue label Sep 15, 2022
@krystian3w

Old version of add-on hide proxy leak?

@MasterKia
Member

uBlockOrigin/uAssets#14981 (comment):

uBlock Origin: 1.44.4
modifiedUserSettings: 
  webrtcIPAddressHidden: true

I thought the WebRTC option was removed from uBO?

@gorhill
Member

gorhill commented Sep 22, 2022

https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#prevent-webrtc-from-leaking-local-ip-address:

The option is still available in Firefox for Android because obfuscation is still not implemented.

@MasterKia
Member

The OP reported on the desktop.

uBlock Origin: 1.44.4
Chromium: 103

Kiwi Browser is Chromium mobile in reports.

@gorhill
Member

gorhill commented Sep 22, 2022

It's the same uBO package on both desktop or android, the setting is just ignored on desktop.
