VPNs are a necessity these days for security, but one of the main reasons many people use a VPN is to mask, hide, or change their IP address in order to bypass restrictions on content that is accessible only from certain locations.

 

Recently, a new security flaw has been identified in most browsers that can reveal your real IP address, even while you are actively connected to a VPN. It allows remote sites to take advantage of WebRTC (Web Real-Time Communication, which supports browser-to-browser real-time applications for voice calling, video chat, and file sharing without requiring the user to enable external plugins). Currently, the vulnerability is primarily browser-based, but any application that uses WebRTC can access this information.

 

Unfortunately, there are websites, such as Hulu, which perform deep-packet inspection and are able to determine that a user is connected via a VPN. This is an issue which affects ALL VPN providers, as currently the only workaround is on the user's end.


The flaw mostly occurs with Chrome and Firefox, which have implemented WebRTC, allowing requests to STUN (Session Traversal Utilities for NAT) servers that return both the local IP (the IP where you are located) and the public IP (the IP broadcast when connected to our VPN). These requests are also made outside of the normal XMLHttpRequest procedure, making them invisible to the developer console and to plugins such as Ghostery and AdBlockPlus.


We highly recommend that all users check their browsers and VPN connections to see if they are affected by the exploit, and take a couple of minutes to make the necessary changes to ensure they are protected right away.


The first thing you need to do is see whether the browsers (especially if you use Chrome and/or Firefox to browse the Internet) and the VPN you use are affected. Please follow the steps listed below to check if this exploit affects you:


  1. Visit WhatIsMyIp.com and make note of the IP address displayed on this site when you are NOT connected to the VPN.
  2. Connect to a VPN server in a different location from where you are located (e.g., if you are located in London, connect to a server in the USA).
  3. Visit WhatIsMyIp.com again and verify that the IP address displayed on this site is that of the VPN location/server you connected to.
  4. Visit the WebRTC Test Page and note the 2 IP addresses displayed there.  


If Steps 3 & 4 display the IP address of the VPN server you have connected to, you are not affected by this exploit.


If you are not seeing the IP address change in Steps 3 & 4, and are broadcasting your real IP address, your browser is leaking your real IP address to the entire world. Since the IP check takes place between the user and the website they are connected to, VPNs are unable to block this on their end, meaning you will need to fix this on your end.
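The comparison in Steps 1 to 4, as an added example that is not part of the original article: it parses ICE candidate lines (the form in which WebRTC reports STUN results, for instance as copied from chrome://webrtc-internals or Firefox's about:webrtc) and flags any address equal to your real IP. The function names and all sample addresses are constructed for illustration.

```javascript
// Added example, not from the original article. All addresses are constructed
// (RFC 1918 private ranges and RFC 5737 documentation ranges).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "a=candidate:3 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "candidate:4 1 udp 2122260223 3f9c1a2e-7b1d-4c55-9a10-2d6f0e8b7c41.local 50000 typ host",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port>
//   typ <type> [raddr <address> rport <port>]
const CANDIDATE_RE =
  /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+) rport \d+)?/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  return m ? { address: m[1], type: m[2], related: m[3] || null } : null;
}

// Private, loopback and link-local IPv4; unique-local and link-local IPv6.
function isPrivate(addr) {
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(addr) ||
    /^(f[cd][0-9a-f]{2}:|fe80:|::1$)/i.test(addr);
}

function classify(addr, realIp, vpnIp) {
  if (addr === realIp) return "real-ip-leak";   // the address from Step 1
  if (addr === vpnIp) return "vpn";             // the address from Step 3
  if (addr.endsWith(".local")) return "mdns-hidden"; // host address masked by the browser
  if (addr === "0.0.0.0" || addr === "::") return "redacted";
  return isPrivate(addr) ? "local" : "other-public";
}

// realIp: address noted in Step 1; vpnIp: address noted in Step 3.
function auditCandidates(lines, realIp, vpnIp) {
  const seen = {};
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    for (const addr of [c.address, c.related]) {
      if (addr) seen[addr] = classify(addr, realIp, vpnIp);
    }
  }
  return { leaked: Object.values(seen).includes("real-ip-leak"), seen };
}
```

An `other-public` result means an address that is neither your Step 1 nor your Step 3 IP and is worth checking by hand, for example a second network interface.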


The Fix:

There are a few ways to fix this exploit which do not involve switching to a new browser that doesn't use WebRTC. We will discuss the methods which we have found to be most effective and easiest to deploy.


The easiest way we found is to disable WebRTC in your browser. If you are using Chrome, Firefox, or Opera, these browsers have WebRTC enabled by default. If you are using either Internet Explorer or Safari, you do not need to worry about WebRTC affecting you, as these two browsers do not have WebRTC enabled by default unless you have specifically enabled it. Please see below for instructions specific to your browser on how to disable WebRTC:


  • Chrome:   Install the SafeScript browser extension from the Chrome Web Store.
  • Opera:   Install the Chrome Extension Installer for Opera Next 15 or higher in order to have the ability to install Chrome extensions in your Opera browser, then download & install the SafeScript browser extension from the Chrome Web Store.
  • Firefox:   Firefox users have 2 methods to choose from to disable WebRTC: you can either install the Disable WebRTC addon, or disable WebRTC directly in the browser itself by opening a new browser tab, then going to "about:config" in the address bar.  Locate "media.peerconnection.enabled", and change the setting for this to "False".


Please be advised that disabling WebRTC may cause some webapps and services to break.  Browser-based apps that use your computer's microphone and camera, or that know your location upon accessing the service will stop working until WebRTC is re-enabled.  


We also recommend that you install a VPN on your router. Not only does this provide VPN security for every computer and device on your network, it also ensures that you are always protected, since browser updates may automatically change your WebRTC settings.


Please contact us for more details and assistance with configuring your router to connect to our VPN servers.