Sunday, March 15, 2015

My WebRTC VPN Vulnerability Research Findings & Other Security Related Revelations

Recently a vulnerability was disclosed that exposes a VPN user's real IP addresses no matter which VPN protocol is in use, OpenVPN included; the leak happens in the browser, through WebRTC, not in the tunnel itself. WebRTC is a set of browser APIs and protocols, supported by almost all major browsers, that lets a web page make video and voice calls and direct browser-to-browser data connections without additional plug-ins.

"The vulnerability in WebRTC lies in the method used to establish browser-to-browser connections when one or both machines are behind a NAT. This NAT “traversal” method requires both browsers to execute a bit of JavaScript that connects to a STUN (Session Traversal Utilities for NAT) server on the public Internet, which then facilitates the browser-to-browser connection when NAT is in use. When WebRTC makes the connection to the STUN server, rather than sending only the public IP you are appearing to connect from using the VPN, WebRTC also sends over your actual public IP, as well as your LAN IP."
[source]

Apparently, even open source browsers like Firefox and Chromium are affected. Users running NoScript on Firefox are probably unaffected, but I suggest you check to be sure. I'm sure Internet Explorer is affected, because it's the worst browser in the world, and although I did not test it myself, it's safe to assume that if Google overlooked this, Microsucks certainly did as well. I am not sure about systems running OSX, but I do know that (thankfully) mobile browsers are immune to this exploit. I did extensively test the problem on my Linux systems, however. It is claimed that Linux systems are not affected, but I can confirm that this is incorrect, at least to an extent. After testing Google Chrome, Firefox, and the open source Chromium, I can confirm that Linux systems running Chrome or Chromium definitively do leak local IP addresses: both the VPN's and your first-hop router's local network address. Thankfully, the public IP address remains concealed on Linux, as opposed to Windows, which leaks everything (go figure).

Although there is a patch for Chrome & Chromium, it did not fix the leak, at least in my case. Even Firefox on Linux, which supposedly is not affected, actually did leak my local IPs until I patched it. I run NoScript, and so should you. The IPs were only leaked after allowing JavaScript to run, so NoScript does provide some protection. Unfortunately for Chrome users, Script-Block did not...

I recommend visiting http://ipleak.net to see for yourself. If your local or public IPs are being leaked, you can patch the problem on Firefox like this:

Navigate to about:config and search for the preference, then right-click it and click 'Toggle'. This disables WebRTC support entirely, effectively protecting Firefox. To be safe, navigate back to http://ipleak.net and confirm that this method worked.
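The check below is an added example written for this edit, not code from the original post or from ipleak.net. It does what the quoted description of the leak says a page can do: it parses the ICE candidate lines a WebRTC peer connection emits, classifies each address as private (an RFC 1918 range) or public, and, when pasted into a browser console, gathers candidates through a public STUN server the same way a leak-test page does. The STUN server address is an assumption (any public STUN server works), the two sample candidate lines are constructed, and nothing here is specific to one browser. If WebRTC has been switched off in Firefox as described above, RTCPeerConnection is undefined and probe() reports that instead of an address list.

```javascript
// Added example (not from the original post): parse WebRTC ICE candidates and
// classify the addresses they expose. Assumptions: probe() runs in a browser;
// the STUN URL below is a placeholder for any public STUN server.

// RFC 1918 private ranges. Note 172.16.0.0/12 spans 172.16.x.x to 172.31.x.x.
const PRIVATE_RANGES = [
  { net: '10.0.0.0', bits: 8 },
  { net: '172.16.0.0', bits: 12 },
  { net: '192.168.0.0', bits: 16 },
];

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null; // not dotted-quad IPv4 (e.g. an IPv6 candidate)
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, net, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function isPrivateIPv4(ip) {
  return ipv4ToInt(ip) !== null && PRIVATE_RANGES.some(r => inCidr(ip, r.net, r.bits));
}

// Constructed sample lines in the shape the browser emits:
//   'host'  candidates carry an address of a local interface (LAN or VPN tun);
//   'srflx' (server-reflexive) candidates carry the public address the STUN
//   server observed, i.e. the address the VPN was supposed to hide.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234',
];

function parseIceCandidate(line) {
  const m = /candidate:\S+ \d+ (\S+) \d+ (\S+) \d+ typ (\S+)/.exec(line);
  if (!m) return null;
  const [, transport, ip, type] = m;
  const scope = isPrivateIPv4(ip) ? 'private' : (ipv4ToInt(ip) === null ? 'other' : 'public');
  return { transport: transport.toLowerCase(), ip, type, scope };
}

// What a page learns from a full set of candidates: local and public addresses.
function summarizeLeak(candidateLines) {
  const local = new Set();
  const pub = new Set();
  for (const c of candidateLines.map(parseIceCandidate)) {
    if (!c) continue;
    if (c.scope === 'private') local.add(c.ip);
    else if (c.scope === 'public') pub.add(c.ip);
  }
  return { local: [...local], public: [...pub] };
}

// Browser-only: gather candidates exactly as a leak-test page would.
function probe(stunUrl = 'stun:stun.l.google.com:19302') {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('no RTCPeerConnection: WebRTC disabled or not a browser'));
      return;
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.createDataChannel(''); // candidates are only gathered once there is media or a channel
    pc.onicecandidate = (ev) => {
      if (ev.candidate) { lines.push(ev.candidate.candidate); return; }
      pc.close();
      resolve(summarizeLeak(lines)); // a null candidate means gathering has finished
    };
    pc.createOffer().then(o => pc.setLocalDescription(o)).catch(reject);
  });
}

if (typeof window !== 'undefined') {
  probe().then(r => console.log('addresses exposed:', r)).catch(e => console.log(e.message));
} else {
  console.log('sample parse:', summarizeLeak(SAMPLE_CANDIDATES));
}
```

Run probe() once before and once after toggling the preference: the first run should list a srflx address (your public IP as the STUN server saw it) and host addresses for every interface, including the VPN's tun address; the second should fail with the "no RTCPeerConnection" error, which is the state you want.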

As of this moment, users of Google Chrome and Chromium are out of luck. Although there is a patch available in the Chrome Web Store, it did not work for me. After enabling the patch, my local IP addresses were leaked just the same when I tested the browser again at ipleak.net. For the time being, I would strongly suggest that users of Chrome-based browsers switch to Firefox until a working patch is available.

You may not think it's a big deal if you use Linux, because your public IP is still concealed, but my network security experience tells me otherwise. Your local IP addresses can tell an attacker quite a bit about how your network infrastructure is configured. Discovering these IPs may help an attacker obtain access to your network, albeit under rare circumstances. At the very least, it certainly would help the enemy build a security profile of you, and also allow them to map out your network(s). If you are connected directly to the internet, for instance by plugging your computer directly into a DSL modem, then it's very possible that your public IP could leak, even on a Linux system. This is purely my assumption, as I do not currently have a direct line to test it on. I suspect that what protected the Linux/Firefox community was the NAT of the router's firewall, but I can't say for sure. As soon as I get a chance I will report back with my findings.

Consequently, and ideally, you should be using a unique IP range on your routers and VPN, not only to avoid routing conflicts, but also to blunt attacks that depend on guessing your addressing, such as cross-site request forgery against a router's web interface at the default 192.168.1.1. You should change your router and VPN subnet to something random (especially if you discover you have leaked your local IPs) to avoid these scenarios. There are three ranges of IPs reserved for private networking (RFC 1918): 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), and 192.168.0.0/16. Most home routers default to either 192.168.0.0/24 or 192.168.1.0/24 out of the box. I suggest you change your subnet to something random, such as 192.168.223.0/26 or 10.66.23.0/24. The 10.0.0.0/8 range offers the largest number of /24 subnets to choose from (65,536, versus 256 in 192.168.0.0/16), although the 192.168.*.* range should be sufficient for most small networks. And of course, change your VPN subnet as well. OpenVPN defaults to the 10.8.0.0/24 subnet. I suggest changing it to something arbitrary in the 10.0.0.0/8 range, like the example noted above, and checking that it does not overlap the LAN on either end of the tunnel. Subnet conflicts can make routing a nightmare, take it from me.

If you have been using Windows in combination with any of these browsers and a VPN, perhaps you should release your IP from your ISP's DHCP server and try to obtain another one. This should be easily doable, unless you are connected via point-to-point (such as over DSL). And if you have been using a VPN to conceal sensitive activities, I suggest you back up all of your files onto an encrypted drive and reformat your computer's hard drive, making sure to overwrite all free and used sectors with 0's to avoid the possibility of data recovery by a foe (such as the NSA or any other intelligence community seeking to take away your freedoms).

I was curious as to the extent to which the WebRTC exploit is being used, so I turned to my old friend Wireshark. While running a dumpcap on my eth & tun interfaces, I fired up Chromium. I discovered that the STUN protocol is being used virtually everywhere on the internet, and most frequently from the very questionable (and confirmed CIA-run) amazonaws servers that follow us around the net. If you want to see for yourself, simply fire up a Linux machine, start Wireshark, and open up Chrome, and you will notice that even the Chrome 'recent tabs' page is using the STUN protocol (for what, I have no idea). That's messed up, Google... If any of Google's staff are reading this post, I suggest you look into that, and make sure that at the very least this is intentional, and not some cross-reference scripting attack perpetrated by the NSA.

I've also suffered several hack attempts on my Google account lately, probably because until recently I would route some of my email accounts through a Tor proxy. I honestly am not a criminal, so it's disturbing to think that our government (who else has the resources to hack Google's TLS encryption?) is arbitrarily hacking civilian email accounts, probably in some fruitless anti-terror effort. After all, in the eyes of our government, we are all potential terrorists. Even more chilling is the recent revelation that metadata alone is being used to coordinate drone strikes! So yeah, you read that correctly: there really is some quantum computer that is deciding who shall live and who shall die based on people's browsing habits. Obama's personal selection of targets to kill, based on sketchy intel and usually resulting in more civilian deaths than anything, is pretty bad as it is. To think some greasy machine is now making those decisions based on freaking metadata is fucking terrifying, to say the least.

Sadly, due to recent experiences, I would not depend on the Tor Network alone for anonymity. Too many relays appear to be running SSL-strip, and too many are run by our enemies at the NSA. The distributed trust seems to have fallen apart. I've also had to stop running Tor relays on any servers that I rely upon for security, because it seems every time I start running Tor, strange things start to happen on my server. It is really quite a shame, because I used to run three relays, one of which was an exit relay (and God knows we need more exits), but I can no longer do that and remain secure. I currently only run one middle node relay, and one bridge. I don't think I will ever even run the Tor Browser on my personal computer again, because I no longer trust the network. After all, it was invented by DARPA, and is still partially funded by the U.S. Government. To add insult to injury, American ISPs have begun targeting users of Tor, while our government endorses use of the network by oppressed peoples in other countries. The hypocrisy is quite ironic. I am not saying that Tor is dead, useless, or broken; I am simply recommending that if you need to use it, you should boot to a live USB system, such as TAILS, to ensure that if there is a backdoor in the software, or an exploit we are unaware of (I am almost positive that there is), your personal system will not be compromised. Live systems leave no trace of what you do with them, because they never touch your hard disk (unless you mount it), and run strictly off your RAM.

When I find a working patch for Chrome-based browsers, I will let you know. If you know of a method to patch Chrome, please leave me a comment so that I can update this post. Be safe, stay vigilant, and ditch Windows once and for all. You will wish you had switched to Linux years ago. Peace.
