WebRTC Leaks Local IP Addresses
Written by Ian Elliot
Wednesday, 28 January 2015
The law of unintended consequences seems to have been applied to WebRTC because one small useful feature can be turned into the perfect user tracker.
The Internet still runs on IPv4 and to make it work we need to use Network Address Translation, or NAT. Nearly all internal networks make use of private or local IP addresses that cannot be used on the public internet. When a machine wants to make a connection to the public internet it makes use of a public IP address that it shares with other machines. The identity of the machine is stored as the port number - effectively extending the address by 16 more bits. A single public IP address can thus serve around 2^16 local users. Many ISPs also allocate public IP addresses to users dynamically, so you might not even get the same public IP address each time you connect to the internet.

NAT is an ingenious solution which has allowed IPv4 to continue being workable well into an era where IPv6, with its huge address space, should be an essential upgrade. As long as you don't need to support incoming connections, or you can use port forwarding if you do, then NAT is as much connectivity as you need.

It also provides a good degree of anonymity. When you connect to a website, say, all the website gets is your IP address and the port number to be used to send the data back to you. Given that the IP address may be shared with a lot of users it isn't much use in tracking your browsing. Put simply, a website can't know it is you the next time a request from the same IP address and port number turns up because these are dynamically mapped to local IP addresses, which change. This is the reason that the urban myth that you are identified by your public IP address is just that - a myth.

Of course, your ISP can log the websites you connect to because the ISP is responsible for issuing you with a public IP address and, if it operates a NAT, an allocated port number. However, if your local network attaches via its own NAT then the ISP can't log which user on the local network is viewing what.
While it might not be true that for most users a public IP address identifies them, it is nearly always true that a local IP address is an identifier. Local IP addresses don't change that often so it is alarming to discover that there is a very easy way for a website to discover your local IP address. Daniel Roesler isn't the first to notice this, but he has put together a nice demo of the mechanism in action on GitHub.

WebRTC is a peer-to-peer communications protocol that makes it very easy for two browsers to establish voice or video communications without the need of an intermediate server. As you might guess, this sometimes needs knowledge of a machine's public and local IP address.

STUN (Session Traversal Utilities for NAT) is a protocol that allows a machine to discover its public IP address, even if it is behind a NAT. All that happens is that the machine sends a UDP packet to the STUN server and the STUN server sends back a response packet containing the public IP address. It is very simple and Firefox has a default STUN server that can even be used by Chrome.

Now, however, we have a WebRTC mechanism that is easy to use in JavaScript that will find the public and local IP addresses using the default servers. This doesn't make use of the usual Ajax XMLHttpRequest and so currently doesn't show in the developer console and isn't blocked by privacy add-ins. In addition, the WebRTC facilities are turned on by default at the moment.

You can try it out for yourself at: https://diafygi.github.io/webrtc-ips/

The page will display your public and local IP. It has always been relatively easy to find the public IP address, as it is in the headers; it is the availability of both from JavaScript that is new. Given both IP addresses, identifying the user without needing to use cookies or fingerprinting is fairly easy and accurate.

So the unintended consequences are:
Every time security or privacy is protected by one group of programmers it results in a restriction in what you can do, which another group of programmers spend years working their way around. In this case it is a storm in a temporary tea cup because come IPv6 everyone, and everything, will be uniquely identifiable by their public IP address. Does this mean that civil rights groups will be protesting the introduction of IPv6? It will be a universal identity card after all.

More Information
STUN IP Address requests for WebRTC
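
The STUN exchange described in the article (one UDP request, one reply carrying the public address), as an added example that is not part of the original article or of the demo it links to. It follows the RFC 5389 message layout and runs offline in Node.js on a constructed reply; the function names and the sample bytes are assumptions made for illustration.

```javascript
// Added example: the STUN Binding exchange (RFC 5389) on constructed bytes.
const MAGIC_COOKIE = 0x2112a442;

// Client side: the 20-byte Binding Request sent to the STUN server over UDP.
function buildBindingRequest(txid) {
  if (txid.length !== 12) throw new Error("transaction ID must be 12 bytes");
  const msg = Buffer.alloc(20);
  msg.writeUInt16BE(0x0001, 0); // type: Binding Request
  msg.writeUInt16BE(0, 2); // length: no attributes follow
  msg.writeUInt32BE(MAGIC_COOKIE, 4);
  txid.copy(msg, 8);
  return msg;
}

// Client side: read the public IPv4 address and port out of the server's reply.
function parseBindingResponse(msg, txid) {
  if (msg.length < 20) throw new Error("truncated STUN header");
  if (msg.readUInt16BE(0) !== 0x0101) throw new Error("not a Binding Success Response");
  if (msg.readUInt32BE(4) !== MAGIC_COOKIE) throw new Error("bad magic cookie");
  if (!msg.subarray(8, 20).equals(txid)) throw new Error("transaction ID mismatch");
  const end = 20 + msg.readUInt16BE(2);
  if (end > msg.length) throw new Error("length field exceeds packet");
  let off = 20;
  while (off + 4 <= end) {
    const type = msg.readUInt16BE(off);
    const len = msg.readUInt16BE(off + 2);
    const val = off + 4;
    if (val + len > end) throw new Error("attribute overruns message");
    // XOR-MAPPED-ADDRESS (0x0020), family 0x01 = IPv4
    if (type === 0x0020 && len === 8 && msg[val + 1] === 0x01) {
      const port = msg.readUInt16BE(val + 2) ^ (MAGIC_COOKIE >>> 16);
      const addr = (msg.readUInt32BE(val + 4) ^ MAGIC_COOKIE) >>> 0;
      const ip = [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join(".");
      return { ip, port };
    }
    off = val + len + ((4 - (len % 4)) % 4); // values are padded to 4 bytes
  }
  return null; // no IPv4 XOR-MAPPED-ADDRESS present
}

// Constructed sample: a reply reporting 203.0.113.7:46154 (documentation address).
const SAMPLE_TXID = Buffer.from("0102030405060708090a0b0c", "hex");
const SAMPLE_RESPONSE = Buffer.concat([
  Buffer.from("0101000c2112a442", "hex"),
  SAMPLE_TXID,
  Buffer.from("0020000800019558ea12d545", "hex"),
]);
```

The address and port are XORed with the magic cookie on the wire, which is why the reply bytes do not contain 203.0.113.7 literally.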
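
To check whether a browser configuration still exposes the local and public address pair the article describes, the ICE candidate lines it produces can be audited offline. This is an added example, not code from the article or the linked demo; it handles IPv4 only, the function names are illustrative, and the candidate lines are constructed samples.

```javascript
// Added example: audit which address classes a set of ICE candidate lines exposes.
// Line layout: candidate:<foundation> <component> <transport> <priority>
//              <address> <port> typ <type> [raddr <address> rport <port>]

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // hostname only, no IP revealed
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(addr);
  if (!m) return addr.includes(":") ? "ipv6" : "unknown";
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 0) return "unspecified";
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public";
}

function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const raddrAt = f.indexOf("raddr");
  return { address: f[4], type: f[7], raddr: raddrAt !== -1 ? f[raddrAt + 1] : undefined };
}

// Returns one finding per exposed private or public IPv4 address.
function auditCandidates(lines) {
  const findings = [];
  for (const c of lines.map(parseCandidate)) {
    if (!c) continue;
    for (const [field, addr] of [["address", c.address], ["raddr", c.raddr]]) {
      const cls = addr ? classifyAddress(addr) : "none";
      if (cls === "private" || cls === "public") findings.push({ type: c.type, field, addr, cls });
    }
  }
  return findings;
}

// The pairing the article warns about: a local and a public address visible together.
function exposesBoth(findings) {
  return findings.some((x) => x.cls === "private") && findings.some((x) => x.cls === "public");
}

// Constructed samples (RFC 5737 documentation address, made-up ports and priorities).
const LEAKY = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 46154 typ srflx raddr 192.168.1.23 rport 51234",
];
const HARDENED = [
  "candidate:3 1 udp 2113937151 6f1a2b3c-0d4e-4f5a-8b6c-7d8e9f0a1b2c.local 53000 typ host",
  "candidate:4 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0",
];
```

Note that a private address can appear in the `raddr` field of a server-reflexive candidate as well as in a host candidate, so both fields are checked.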
Last Updated ( Wednesday, 28 January 2015 )