How to Mask IP Leak from WebRTC in Firefox?

I was reading about online privacy and became aware that one's IP address is leaked by WebRTC technology even when using proxies. According to an article I read, it is possible to disable WebRTC in Firefox by navigating to about:config and setting media.peerconnection.enabled to false. While this indeed turned WebRTC off, I think it created a new set of problems: by having WebRTC turned off, I am identifying myself as the "guy who doesn't want WebRTC enabled", which may be suspicious to some websites. As someone once wrote, "I'd rather be a needle in a large hay-stack than a needle in a handful of hay".

How can I keep WebRTC enabled but modify it in a way that it only reveals the IP of my proxy or some random IP instead of my real IP?

Incurrence answered 26/5, 2021 at 0:50 Comment(2)
Hi! Are you talking about public IPs or private IPs? - Kasi
@Kasi the IP leaked through WebRTC is the public IP so presumably we are dealing with the public IP. - Amon

To address the potential XY: you don't really stand out merely by having WebRTC disabled. It can be disabled for lots of very routine reasons, like a corporate group policy.

If you're worried about fingerprinting to that degree, you should also worry about fingerprinting by monitor size and resolution, and any number of other features that can be detected via JavaScript. In which case, use Tor browser, which does a lot to obfuscate you.

As to hiding your IP address:

In about:config set

  1. media.peerconnection.ice.proxy_only to true. Undocumented feature that blocks WebRTC that does not come through your proxy.
  2. media.peerconnection.ice.relay_only to true. This can be used to block all local (LAN) and external IP addresses from being generated as candidates. This does not hide your external IP address from the TURN server itself, so if your attacker attempts to start a connection and specifies a TURN server they control, this won't be enough.

To mitigate the risk from #2 above but still use WebRTC, additionally set

  1. media.peerconnection.use_document_iceservers to true and then
  2. media.peerconnection.default_iceservers to the list of servers you wish to use and trust, such as your VPN's.

When use_document_iceservers is false, it will refuse to use peers specified by the web page and instead only use the ones specified in default_iceservers. If you fail to provide a list of default_iceservers, Firefox may revert use_document_iceservers as a fallback.

As to a "canonical method to deliberately leak a fake IP through WebRTC instead of simply disabling it entirely", in a way which will not disable WebRTC but which will break it, set media.peerconnection.ice.force_interface to 0.0.0.0, a non-routable address (or anything in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 should work).

It's probably simplest to just disable it - there are lots of other ways a sneaky page can fingerprint or track you in a regular browser.

References: https://wiki.mozilla.org/Media/WebRTC/Privacy

Note to future readers: These are all moving parts, some are currently semi- or un-documented, so things may change by the time you read this.

Imperium answered 8/6, 2021 at 20:24 Comment(3)
I tried setting media.peerconnection.ice.force_interface to 0.0.0.0 but my real IP is exposed. If I follow your first 4 steps this disables WebRTC entirely, which is precisely what we are trying to avoid. When you go to Firefox -> Settings -> General -> Network Settings, click on Settings and then enter proxy details under Manual proxy configuration, the goal is to have WebRTC leak the proxy IP instead of your real IP. In short, whatever proxy IP is being seen by the external website should also be leaked by WebRTC. I don't see how to accomplish this in your response. Thanks. - Amon
@Amon Following the first four steps should not disable WebRTC completely: perhaps something is missing in the configuration. It seems like this could depend on two things: either media.peerconnection.ice.proxy_only's provided proxy doesn't support proxying that type of connection, or media.peerconnection.default_iceservers doesn't. Additionally, as ice.proxy_only is undocumented, it may cease to work. - Imperium
I just tested it now again. Setting media.peerconnection.ice.proxy_only to true disables WebRTC even without changing any other settings. Also I don't understand what you are trying to accomplish with the first 4 steps. Are you deliberately leaking a fake IP through WebRTC or just disabling WebRTC? If you're not disabling WebRTC, what IP is being seen by an external website such as expressvpn.com/webrtc-leak-test? (The website tells you what IP is leaked through WebRTC or whether WebRTC is completely disabled.) - Amon
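
One way to check locally what a given combination of the about:config settings discussed above actually exposes, as an added example that is not part of the original question, answer or comments: it parses ICE candidate lines and reports which ones carry the client's own address. The function names and the sample candidates are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, sample candidates are constructed.
// Line format: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').replace(/^candidate:/, '').split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  return { address: f[4], port: Number(f[5]), type: f[7] };
}

function addressKind(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // mDNS name standing in for a host address
  if (addr.includes(':')) return /^(fe[89ab]|f[cd]|::1$)/i.test(addr) ? 'private' : 'public';
  const [a, b] = addr.split('.').map(Number);
  const nonRoutable = a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  return nonRoutable ? 'private' : 'public';
}

// host/srflx/prflx candidates carry the client's own addresses; relay ones carry the TURN server's.
function audit(lines) {
  const report = { gathered: 0, relayOnly: true, exposed: [] };
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    report.gathered++;
    if (c.type === 'relay') continue;
    report.relayOnly = false;
    const kind = addressKind(c.address);
    if (kind !== 'mdns') report.exposed.push({ ...c, kind });
  }
  return report;
}

// Browser only: collect the candidates the current profile produces for the given iceServers.
async function gatherCandidates(iceServers = []) {
  if (typeof RTCPeerConnection === 'undefined') return null; // media.peerconnection.enabled is false
  const pc = new RTCPeerConnection({ iceServers });
  const lines = [];
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
  });
  pc.createDataChannel('probe');
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}
const SAMPLE_DEFAULT = [
  'candidate:0 1 UDP 2122252543 192.168.1.23 51234 typ host',
  'candidate:1 1 UDP 1686052863 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234',
];
const SAMPLE_RELAY_ONLY = ['candidate:2 1 UDP 92217087 198.51.100.7 60001 typ relay raddr 198.51.100.7 rport 60001'];
```

In the Firefox developer console, `audit(await gatherCandidates())` shows the result for the current profile; an empty `exposed` list with `gathered` at 0 means no candidates were produced at all.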
