This article is more than 1 year old

Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses

WebRTC flaw still dogs so-called 'secure' providers

Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge.

Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPN providers tested leak users' IP address via WebRTC.

The privacy problem presented by WebRTC is not new. The issue has been known at least since 2015.

WebRTC is a popular free open-source project that has been implemented in web browsers to allow real-time communication via JavaScript APIs. It's used to implement browser-based chat apps, for example.

The protocol is often employed with the ICE (Interactive Connectivity Establishment) framework and STUN (Session Traversal Utilities for NAT) servers, among other options.

VPNs use the STUN server to translate between the VPN user's local IP address and the public IP address in much the same way that a home router acts as a network intermediary between local devices and the external internet.

VPNs are so insecure you might as well wear a KICK ME sign

READ MORE

According to Stagno, WebRTC can be queried to return information that should remain private.

"WebRTC allows requests to be made to STUN servers which return the 'hidden' home IP-address as well as local network addresses for the system that is being used by the user," he said in a post on Tuesday.

Such requests aren't normally visible because they aren't part of standard XML/HTTP interaction, he explains, but they can be made via JavaScript. Stagno says the technique can be employed in any browser that supports both WebRTC and JavaScript.

And in many browsers – Brave, Chrome (desktop and Android), Firefox, Samsung Internet Browser, Opera, Vivaldi – WebRTC and JavaScript are enabled by default.

The list of leaky VPNs is available on VoidSec's website.

Stagno suggests disabling WebRTC, among other measures to protect privacy. In Chrome, that requires an extension, such as uBlock Origin. In other browsers, the fixes vary.

Besides the WebRTC issue, those in the security industry tend to frown on commercial VPN providers on the basis that they don't always act in their customers' interests. Some log your activity, some track you to push ads your way, and some are just plain insecure. Free ones in particular should be avoided.

El Reg suggests disabling WebRTC, and, if you have the skills, roll your own VPN service using your mastery of network administration: try OpenVPN, Trail of Bits' Algo, or Jigsaw's Outline software. ®

More about

More about

More about

TIP US OFF

Send us news


Other stories you might like