171 comments

[ 4.8 ms ] story [ 205 ms ] thread
Just want to point anyone looking to test their own VPN to https://ipleak.net/. That's been my go-to, and it seems more comprehensive than the linked service.
FWIW, I show that Opera's free VPN does not leak the client's IP address.

https://www.opera.com/computer/features/free-vpn

Operas VPN is not even a VPN tho. Check their phrasing they call it 'Web vpn' or something like this and already committed in the past that the naming scheme for their proxy was just a marketing trick.

Written from Opera tho. So not saying it sucks :)

You can test WebRTC IP address (and media device id) leakage using https://browserleaks.com/webrtc.

To disable WebRTC in Firefox, set the about:config prefs "media.peerconnection.enabled" and "media.navigator.enabled" to false.

More like this:

    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false
    media.peerconnection.video.enabled = false
    media.peerconnection.video.vp9_enabled = false
    media.peerconnection.video.h264_enabled = false
    media.peerconnection.identity.enabled = false
    media.peerconnection.identity.timeout = 1
I need to find a way to automate the patching of Firefox's about:config when installing a new OS etc, quite a few telemetry/storage/WebRTC tweaks to date now.

There is an extension [1] that'll at least disable the IP address gathering (it doesn't look to disable all of the above settings but may have a similar effect if browser.privacy.network.peerConnectionEnabled disables everything):

[1] https://github.com/ChrisAntaki/disable-webrtc-firefox

Look into vendor.js for patching about:config. I know Arch has one for sure in their package.
Or try https://www.doileak.com . (Shameless plug of of a project of mine)
Nice project - but that name.... Sounds like a bad medical condition!
> WebRTC IP Leak: Your local IP: 10.41.41.2 .

> Your browser supports WebRTC! Your real IP address is visible to every website you visit.

>

> Web Real-Time Communication (WebRTC) is enabled by default in Firefox, Opera and Google Chrome, and enables video chat, voice calling and P2P sharing from within your browser.

> A neat trick, but it allows any website to instantly see your true IP address. The only way to avoid sharing your IP address this way is to disable WebRTC completely.

Nope, that's not my "real" IP address

> Timezone Difference: The time zone of your browser is while your request IP location timezone is Europe/Paris.

Looks like there is a word missing.

Seems my setup has me covered: https://www.doileak.com/?cb=liq1xtjsp37zvit5

Actual location is Kuala Lumpur, which was caught by the time zone... So need to look into fixing that.

For those wondering, my setup is:

ProtonVPN via the ProtonVPN Mac Beta (before I used Tunnelblick - which actually was more reliable - the ProtonVPN Mac Beta disconnects often)

AdGuard Pro, with DNSCrypt using the Adguard Family servers: https://gist.github.com/balupton/48057270a67d70e2ac984fdfa47...

Safari. With Camera, Microphone, Location, and Notifications all set as deny by default.

> To detect data from your torrent client we provide a magnet link to a fake file. The magnet contains an http url of a controlled by us tracker which archives the information coming from the torrent client.

That’s pretty clever. Alternatively they could have a unique file of garbage and have some seeders for it and then when someone connects it would also be the same person. But the tracker solution is less work and probably almost entirely as good.

(comment deleted)
And it needlessly requires Javascript to do things other services don't need Javascript to do. That's not a good plan.

One's IP address should be detectable to at least some degree with data from the packets making the request for the webpage. Some of this is remedied with what appears to be duplicative information further down the page.

DNS Address detection is done better by https://dnsleaktest.com/.

Geolocation detection is likely done by looking up what geolocation is paired with one's IP (and sometimes this data is wrong), so there's no real need for Javascript here either. It's not as if the requesting computer should supply this information, else it becomes even more easily spoofed. Some of this is remedied with what appears to be duplicative information further down the page.

Torrent detection is also needlessly JS-driven, and done better at http://dev.cbcdn.com/ipmagnet/.

There are also some grammar errors confusing singular and plural in the text at the bottom of the page.

Anyone interested in setting up their own VPN should check out Algo: https://github.com/trailofbits/algo
What's the advantage of this over OpenVPN?
It's natively supported by more operating systems. Namely, macOS and iOS. Also generates mobileprofile files that you can AirDrop to your device and have it set up in an instant.
On the flipside, it introduces monstrous dependency (strongSwan) written in memory unsafe C, is nowhere near as flexible as OpenVPN and is blocked by many networks since it can't operate over arbitrary ports and forces you to manage/own the server-end.

1) If I wanted to do that, I'd use OpenVPN rather than strongSwan. They're both written in C, but I get extra flexibility by using OpenVPN. Their "TLS is suspect" stance doesn't hold water in my view.

2) When I don't want to set up my own server, OpenVPN allows me to use or even chain lots of third party servers and create my own nested VPN topologies. Installing an OpenVPN client on my phone or tablet takes a few minutes.

So, to summarize, Algo would be interesting if it didn't introduce dependency on memory unsafe code or minimized such dependency. But it doesn't. On the client, I do not see why I should trust Apple's IPSEC implementation (racoon?) more than OpenVPN client which is another point they tried to make. As it currently stands, it does not compare favorably to OpenVPN in any way.

Or reconsider the need for a VPN at all. By using a VPN you cut yourself off from participating as an equal citizen on the net. If it's just for browsing the web, irc, or the like it's much easier and better just to use a socks 5 proxy to a cheap VPS. I like shadowsocks-libev.

But then again I don't use popular browsers that cram in fancy new features every week to expose new leaks and attack surfaces.

> By using a VPN you cut yourself off from participating as an equal citizen on the net.

What?

You can't host servers off a VPN. You don't have control or use of your own ports. You can consume and that's about it.
I’m not sure why you have that idea. I’m not entirely familiar with how most off-the-shelf VPN providers work, but I have a simple IKEv2 VPN hosted on Digitalocean that just gives me a public IP address, to which I can route a thing I want. This service appears be be specifically tailored for that use case, though I know nothing about it: https://staticvpnip.com
>You can consume and that's about it.

Uploading videos isn't "consuming". Writing blogs/articles isn't "consuming". Contributing to open source projects isn't "consuming". Neither of those activities require forwarded ports.

True enough. But they also aren't participating in the net. They're using other people and companies' resources to do things rather than participating yourself.

And that's bad because it leads to centralization. And centralization leads to perverse incentives to spy and censor.

You've got a weird definition of participation.
If I wanted to host servers, I'd host them somewhere else, not on my home internet connection.

I'm really not sure what point you're trying to make, or how you're defining "participating" in this context.

> If I wanted to host servers, I'd host them somewhere else, not on my home internet connection.

But why? You probably have a tens to hundreds of megabit connection that is always on. You have powerful computers that wouldn't even notice a webserver running. Buying a domain costs $8 and pointing it at home is as simple as changing the DNS entry a couple times a year or using DynDNS services.

And what you don't have is a need for all the complexity and requirements that most automatically assume they need just because they're drowing in them in their day job.

Hosting from home is more than enough for a personal website. It cuts the gordian knot of deciding what types of speech and content will be allowed on any given service. It prevents the perverse incentives of spying and selling users. It allows you to add things to your site on a whim just by copying a file to your web directory or opening an text editor. All the tools of your operating system, this refined and extremely usable software is now just there. Now you don't need a database. No need for a CMS. No need for scaling or containers or 99.9999% uptime.

Hosting from home allows you to participate in the 'net in a way that is just natural. When there's not 5 layers of abstraction between you and the web you really can participate and build whatever you want.

And since you don't need all that abstraction, dynamic content, and CMS (your OS is the CMS!) the security problems everyone loves to jump on simply vanish.

Say you want to monitor your logs, well, you don't need to go install some dynamic language parser and prettifier full of attack surfaces. You just tail the log and grep. You open it in OpenOffice if you really have to have a GUI. You can set alerts as easily as tailing a log.

You see day to day the type of bots, people, and referers and how they come to your site all without google analytics. You can respond to people using your site in real time; I love adding personal messages to people as they browse my site(s).

This is what I mean by participating in the net. Getting down into it. It's a beautiful thing and it solves so many problems that can't even be approached when you're using someone elses computer and someone else's connection.

And if you're in the USA you completely bypass third party doctorine and actually have an expectation of real privacy.

I just don't get the hostility to the concept I see on HN.

> Hosting from home is more than enough for a personal website. It cuts the gordian knot of deciding what types of speech and content will be allowed on any given service.

Cool, and then when I post something to my self-hosted blog that pisses someone off, my home internet gets DDoS'd and I lose my Internet access. It has happened before on IRC. I banned a user because they were spamming racial slurs, and they responded with a DDoS. I was offline for an hour while struggling to get someone on my ISP's support line that understood what it meant to force my IP address to change. Now I use an IRC bouncer in AWS to hide my home IP address.

> It allows you to add things to your site on a whim just by copying a file to your web directory or opening an text editor. All the tools of your operating system, this refined and extremely usable software is now just there. Now you don't need a database. No need for a CMS. No need for scaling or containers or 99.9999% uptime.

I think you misunderstand the reasons people use CMS. It makes it so I can just fill out a single text box and click "Post" and have all the indexes and links on the entire web site update automatically to include that post. I can allow people to write comments. I can create the ability for users of my site to search it.

And maximum uptime is still important. My home internet died shortly after I got to work a couple days ago, and I wasn't able to fix it until I got home. 10 hours of straight unplanned downtime is unacceptable for any server, even a personal website, IMO.

> And since you don't need all that abstraction, dynamic content, and CMS (your OS is the CMS!) the security problems everyone loves to jump on simply vanish.

The truth is quite literally the opposite. If I'm hosting it myself, and my server gets hacked, my entire home network becomes at risk.

> Say you want to monitor your logs, well, you don't need to go install some dynamic language parser and prettifier full of attack surfaces. You just tail the log and grep.

Uh...people can tail and grep logs from any server. You misunderstand there's a reason people use dynamic language parsers and prettifiers. Look at raw logs is awful. It's far easier to fire up a log analyzer and see "Oh, there are a lot of people making requests to X resource and it's creating a bottleneck."

> It's a beautiful thing and it solves so many problems that can't even be approached when you're using someone elses computer and someone else's connection.

It creates more problems than it solves. It puts my home network at risk. It makes me in charge of dealing with hardware failures. If whatever I'm hosting gets popular, and I can't scale.

> I just don't get the hostility to the concept I see on HN.

Because what you're proposing shows extreme naivete.

>Because what you're proposing shows extreme naivete.

I've done it for 20 years without any of the problems you describe. I've never been DDoS'd at home but I suppose if you run in some circles it happens once or twice in a lifetime. On the otherhand the servers and upstream of my paid VPS providers I run other websites on have been DDoS'd and usually once or twice a year. AWS isn't immune from other types of outages either. It's someone elses computer.

>Now I use an IRC bouncer in AWS to hide my home IP address.

If you can do that you can use simple ssh port forwarding of 80 to AWS (or whatever) too.

>10 hours of straight unplanned downtime is unacceptable for any server, even a personal website, IMO.

I've been offline some for tens of hours too but it didn't matter at all because I'm not running an ecommerce site or some business. Is your personal site really that important that it can't ever go offline for half a day? I'd argue that it isn't a personal site if you're using it as a reputation device for work or portfolio or the like. The inability to separate work from life complicates things.

> and see "Oh, there are a lot of people making requests to X resource and it's creating a bottleneck."

And if you don't bring the work mindset home and run all those pretty tools on your server with the $cms turnkey of the month you don't ever run into bottlenecks because you're not running excess crap with 5 more layers of abstraction that create things dynamically when there's no reason to.

> I can allow people to write comments. I can create the ability for users of my site to search it.

A comment system is a bit of a challenge with my mindset. You can always just embed something like discus but I know that's not a strong argument. I personally implemented it with perl script parsing the logs and editing text files and iframes plus 1 line of JS. While parsing the perl script only accepts characters from a list of something like 30 that are harmless. I admit this is definitely not for everyone.

As for search you and I both know that everyone only uses google anyway and it'll work better than whatever you implement.

> If I'm hosting it myself, and my server gets hacked, my entire home network becomes at risk.

The biggest security hole for everyone is using their browser for EVERYTHING by running JS apps instead of self-hosting and just using a native application on their OS. Some 0-day for nginx or $serversoftware is far less likely than the constant stream of browser exploits and far more likely to be patched quickly.

You keep saying it creates a security risk at home that doesn't exist otherwise. But that's only if you make it that way and even then it's magnitudes less of a risk than simply running a modern browser.

The WebRTC implementation in Firefox isn't as configurable as it could be, it just assumes that you are behind a firewall that doesn't understand SCTP so encapsulates everything in UDP and searches for the best way to escape to the internet.
What's so "legacy" about L2TP that it refuses to support it? Unlike others it's actually both secure and supported natively on most platforms...
Sorry, I'm not actually affiliated with the project, I just use it, so you'll have to shoot your question to the people behind it.
Not 'anyone'. Algo is not suitable for avoiding censorship, and it doesn't target this use-case.
I use it just to secure open or shifty public wi-fi in cafes and such. I do trust the data center the VPN terminates in more than the open wifi at the corner cafe, so it works for me.
FYI: Windows' built-in IKEv2 VPN client is not leaking IPs. Works great with Algo.
(comment deleted)
Given that its hard to figure out how they could be profitable, should we assume private internet access is a NSA honeypot?
Bandwidth is cheap, massive overcommitment. Why wouldn't it be profitable?
I don't understand this. Is profitability the only metric for if a service can be trusted or not?

It's also not even mentioned in the article linked, not sure why you brought it up at all tbh.

Profitability (or the possibility of profitability) is absolutely a measure of whether something can be relied on. And if it can't possibly be profitable, then it means there is likely a non-obvious revenue stream or funding source, which means a ulterior motive.

So yeah, if a service can't be profitable, it can't be trusted.

A decent emergency medical response service is never profitable.

It requires a vast amount of hospitals to ensure that there is one local enough to wherever you get ill or injured and they all have to be staffed by lots of different highly qualified specialists who are in as regular practice as possible.

If you were going to require that they be profitable, there simply are not enough rich people for the doctors to work on in order to stay in good practice, or to pay for enough suitably equipped hospitals to ensure a short travel time in an emergency.

In the US, we essentially do require that they all be profitable or else not exist at all. This is "solved" by just charging you (or your insurance company) tons of money if you actually need to use it. A medical emergency requiring an ER and an ambulance can easily cost as much or more than an ordinary person will earn in their whole lifetime.
> A medical emergency requiring an ER and an ambulance can easily cost as much or more than an ordinary person will earn in their whole lifetime.

The majority of hospitals with E.R. in the US are non-profits that receive federal subsidies to help them exist.

But not enough subsidy that they are remotely affordable, hence the outrageous bills foisted upon individuals.
Good point. I should have been more clear about "non-obvious" funding sources. If a service isn't profitable, but has a clear funding source (philanthropy, government, etc), that is a little different. But the motive for that funding would need to be clear as well.

So yeah, charities can be ok.

I can see where you are coming from, I just think obvious profitability is a poor heuristic for trust, not only due to altruism, but also because some people like showing off, some people are pure hobbyists, some people are trying to make art and many people are just downright weird, though not necessarily in a way that is going to really do much damage.

It isn't always as simple as looking for an obvious motive, though I would agree to always keep an eye out for where the money comes from and if there is a game and if you are a mark. However that should apply whether or not something looks profitable on the surface, otherwise you drop all cynicism the moment someone tells you the right story.

Makes total sense -- if they aren't making money on the service they sell they will naturally have to do something else to keep the lights / servers on.
It's likely quite profitable, they don't buy bandwidth from Amazon, they get a few colo'd machines or dedicated servers in many DCs - you can get dedicated gigabit lines in several DCs for a few hundred a month. Most subscribers only use the service occasionally and won't place that much load on it.
I worked at a well-known civil rights advocacy nonprofit for a long time and Private Internet Access was one of our major supporters. The owner is a huge ally of Internet freedom and privacy - a very good person who is an activist in their own way and using their success to make a positive impact.

So perhaps I'm biased (even though I'm not in nonprofit anymore), but I would put the chance of an NSA honeypot at close to 0%...

Krita’s 4.0 release was on here recently, which reminded me of this https://krita.org/en/item/krita-foundation-update/

PIA put up £20,000 to keep them going after a tax mixup dropped a large bill on the foundation.

Of course, it could conceivably all be government funded philanthropy to make them look like the good guys, but there’s no evidence to suggest that.

Seems very unlikely to me.

Both the founder (Andrew Lee) and the CEO (Ted Kim) are known in the industry, have made their views on encryption and authoritarianism pretty clear in interviews, articles, and even full-page ads in the NYT and WaPo to argue for broadband privacy[0] and encryption.

PIA also seems pretty profitable; they certainly have enough to contribute to various open source projects, join pro-net-neutrality lobbying efforts like Fight For the Future, saved the Linux Journal from death (considered an "extremist forum" by the NSA's XKeyScore), and pay to keep Freenode ticking over (they also do loads of glitzy events for the Korean-American community).

You could argue that all of this is an elaborate hoax of course, but you could do that with anything.

[0]: https://twitter.com/Hunckler/status/846204241731575808

What's your take on the recent releases that claim that the US government is funding the Tor network and its development? Information obtained from FOIA requests.
They created Tor, and have been funding it from the start. This is not news.

Yasha Levine has been on a tear ‘exposing’ this for the last few years, but it’s not personally shocking to me.

Did you know that the US government funded Signal, too?

The US Government has a legitimate reason for creating and supporting mechanisms anonymous Internet use by those under the control of oppressive regimes.

Other parts of the US Government appear to have a desire to know everything about everyone all the time.

The "US Government" is not one thing, it's an enormous collection of agencies, bureaus, and humans, who sometimes have desires that are at odds with one another.

Quite funny, I've published this yesterday and went unnoticed until now, lol
I was surprised it didn't tell me it was posted here before. I found the post and your comments on it over at /netsec.

Really appreciate your work on this!

Another thing to watch out for is leaking IPv6 connections. Depending on your configuration your VPN may not set the IPv6 default gateway.
Clickbait? Its not "VPN providers" its "VPN provider software", I never even thought of using their software, most just give you the credentials for OpenVPN/IPSEC/PPTP or similar. Also if anonymity is of "real" concern you should never use a system that knows your real IP address in the first place. Instead create the vpn tunnel on a separate host system and run something like Tails in a VM (or better yet separate physical hardware).
That tunnel won't help against real adversaries. Timing attacks and text content analysis will expose you. It's getting harder to be truly black online.
> text content analysis

The solution to that is to use memes and bad grammar. I am not kidding. Keep your messages really brief and have a community of people that talk in a very similar fashion to one-another.

I think is how the birth of leetspeak came about, no? And why still a lot of "read me" files for pirated software use poor grammar.

Another option is to use translation services, en->fr->ja->de->en. Reread message -- does it say what you mean? If yes, go for it! If not, modify as needed.

Surely you mean an offline translation program, and not an online translation service like google's translator...
>Its not "VPN providers" its "VPN provider software"

OpenVPN leaks DNS on every default Ubuntu installation I have tried. But I think it's actually Ubuntu NetworkManager's fault.

The WebRTC leaks discussed in this article are not prevented by OpenVPN either (last time I checked, which was a while ago). You have to disable WebRTC in the browser.

>You have to disable WebRTC in the browser

Incorrect. An easy and foolproof way of using VPNs is with network namespaces. You start the VPN in your init network namespace and then move the created device into a dedicated VPN namespace. OpenVPN has support for this because it allows you to execute a shell script after the VPN device has been created. Then you simply start your browser, torrent client, whatever in this namespace and you are completely safe:

1. If the VPN fails, then the only network device inside the network namespace disappears (modulo the lo device) and the programs in this namespace cannot use the internet.

2. Since the browser can only see the devices within the network namespace, the only IP it can see is the one assigned to you by your VPN provider (usually 10.x.y.z or similar.)

DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8.

>DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8

You mean leaking to Google doesn't count as leaking?

Your namespaces suggestion is interesting, but easy and foolproof?

You can run a DNS resolver in the network namespace that forwards¹ to google DNS through the VPN.

¹ Or run your own recursive resolver

VPNs do exactly that when they are not broken. Ubuntu is broken and dangerously so.
Your parent said:

"DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8."

... and you replied:

"You mean leaking to Google doesn't count as leaking?"

But I don't understand where the DNS leaks would be coming from if you are using an actual VPN for your entire network stack - wouldn't that tunnel all traffic (TCP and UDP) to your endpoint ?

How are you leaking DNS in that scenario ?

Two things should happen:

1) All network traffic should go through the VPN tunnel.

2) All DNS requests should be sent to the VPN provider's DNS server and not to the one configured in the OS.

If either or both of these two things isn't happening then it's a DNS leak.

If I understood correctly, then mahkoh was saying that (2) doesn't matter if the host DNS is configured to use Google's public DNS server 8.8.8.8. That's what I called "leaking to Google".

I wouldn't say "easy"! I wrote up an article on running a single application in a vpn[1]. It was quite difficult to be honest having never used network namespaces before. Thankfully, someone else wrote a very useful guide which saved me a lot of time.

[1]: http://iamqasimk.com/2018/02/24/single-application-vpn/

>OpenVPN leaks DNS on every default Ubuntu installation I have tried. But I think it's actually Ubuntu NetworkManager's fault.

Yeah, that's known behaviour. I think it's working as intended from Ubuntu/NM's standpoint since that bug has been open for a while with no fixes. The one line fix for that is to comment out dns=dnsmasq in NM's config. This is the bug for reference: https://bugs.launchpad.net/ubuntu/+source/network-manager/+b...

>The one line fix for that is to comment out dns=dnsmasq in NM's config.

There is no such line on either of the two leaking systems I just checked.

I can appreciate the use of Tails in a VM, but doesn't the provider of the "separate host system" have your identity through your payment information?
(comment deleted)
Running Tails in a VM is so your browser can't leak your real IP to the wider internet even if it wants to, because it doesn't know what it is. Your VM provider still knows your real IP address.
>Clickbait?

Partially. Obviously, self-marketing was the motivation for this test. However, it is still a helpful reference. If your provider doesn't even release a properly configured VPN client, you might want to reflect on whether to rely on the rest of their infrastructure.

>Also if anonymity is of "real" concern

You're digressing. Whatever a user wishes to anonymize their information for can be a valid concern but that does not necessarily require absolute anonymity.

I don't use VPNs. For me, the more alarming information here is that SOCKS and Tor proxies are also leaking IP addresses. If a SOCKS proxy is configured in browser, isn't it the browser's responsibility to ensure all outgoing traffic - including WebRTC - goes via the proxy? Are these browser bugs?

Update: Can confirm Firefox Quantum with SOCKS proxy leaks the address. Oh dear!

Update 2: I didn't realize this is how WebRTC actually works. FF even has an entire page for tweaking this stuff https://wiki.mozilla.org/Media/WebRTC/Privacy. I hate it when features like these, which atleast in my case go mostly unused, have such critical weaknesses by design and it's not announced anywhere with a big red danger sign.

> I didn't realize this is how WebRTC actually works.

Yep. STUN is in the spec, and always has been. This has been a thing for years.

STUN is part of the story. The overall process is called Interactive Connectivity Establishment (ICE).
This is the fault of the browser and WebRTC. They know about this but deliberately break it. The truth is WebRTC should never activate without user permission.

But no, WebRTC added data-channels. They have no good use to be silent and especially not to override SOCKS proxy. In fact, some key people on the WebRTC group, when I pressed them, could not provide a single real use-case for silent data channels.

Firefox is absolutely in the wrong to ignore your proxy settings, especially without getting consent first to start a call. It's a complete mess. Regardless of what the "spec" says, Firefox is responsible for implementing broken software that harms users.

Then again, so is STUN/ICE and basically every single thing that has to do with SIP/VoIP. It's like they go out of their way to be obtuse and come up with shitty standards then take glee in how bad it gets. As an example, look up SIP Torture Tests. There's an RFC just to illustrate the moronic edge-cases in SIP parsing that at one point implies your software needs to be conscious to infer the intention of malformed messages.

t. been working in telecom for far too long

TBH just from setting up one (1) PBX with about half a dozen devices from only two manufacturers -- I would never take a job anywhere near anything having something todo with SIP, ever.
SIP is one of a few protocols where two completely standard-compliant implementations are commonly unable to interop.
Oh it gets better. I have implemented SIP software (written, from scratch). On the SIP implementors mailing list, one of the authors defends the insane parsing rules by saying that C and Java allow you to be flexible with syntax, so why not SIP?

They are totally detached from actually implementing elegant or high performance software. Actual engineers achieve this despite of SIP's terrible decisions. Granted, many of those are inherited from HTTP. Tell me how many HTTP stacks handle comments and line folding properly...

It opens up security holes, too. One proxy interprets \r\r\n as 1 line break, another as 2 line breaks and start of body. Oops, now you can end up sending fun headers to your target because they try to be flexible in accepting input.

IIRC there is essentially no way to implement SIP standardly because of so many broken implementations. You have to make some decisions on certain parsing that will break one but any other way will break another.

Text-based protocols invite abuse by designers and implementors alike. IETF compounds these by living in a fantasy world.

I'm not sure binary protocols are any better, unless you make the first two bytes of every message a version number.

FWIW, I consider the canonical implementation of SIP at this point to be asterisk.

I work on a SIP derived protocol, P25 CSSI - it has all the issues of SIP, and more!

> I'm not sure binary protocols are any better, unless you make the first two bytes of every message a version number.

Actually we've seen people manage to fuck that up royally, too. Examples: Routers confusing MAC addresses starting with "6" with IPv6 packets. Various TLS implementations in proxies falling completely apart when they see an unknown version. Various TLS proxies falling apart when seeing an unknown extension. Far too many instances of "assert version==1" to list.

VoIP phones sometimes just don't work with some destination numbers (OWA/jumbled audio/insta-disconnect/no-connection). Workaround: call with mobile phone.

...

It really seems like adding a permission handler with a warning on WebRTC would be an easy fix for this problem and/or browsers should respect proxies and such when generating WebRTC candidates.

And I say that as someone who thinks WebRTC has some pretty cool use cases.

My impression is that this is a conflict between the WebRTC folks and the UX folks. The WebRTC team is happy to prompt you to use data channels, but the UX team doesn't want to over saturate people with security warnings. Especially warnings that people wont understand.
I'm only going off some in-person dealing with folks behind WebRTC and they know that permissions suck and would hurt adoption and hence fight to make sure they don't happen.

They dismiss all privacy concerns with "you can't have privacy in a browser" and "fingerprinting will work anyways so we can't make it worse". It's head-in-sand approach to privacy and it's bad.

Even then, Firefox is simply wrong to tell people it'll use your proxy, then throw that out.

Lots of people in webrtc are critically concerned with the safety and privacy of their users.
obviously not that critically concerned if leaking sensitive information like this was required by the spec as drafted, and has remained uncorrected.
I'm not sure what that means. It was obvious this would be used for fingerprinting and leaks. The explained reasons for proceeding was that permission prompts for data channels would hurt usage, despite not having clear cases where we need P2P without letting users know.

And none of this excuses overriding the user's expressed network connectivity.

When this was brought up, they immediately jumped to the excuses that fingerprinting can't be helped. And many jumped to saying hey you should use Tor Browser anyway. Total capitulation.

Maybe someone cared, but it's not the official stance from webrtc groups or browsers.

I use wrbrtc for lossy robot pose data. It would suck to require another approval popup in my software, but really, it's no big deal. Certainly the UX cost is worth the security benefits if we can't have both.
What if the entire system is configured to use Tor? Does the use of Tails mitigate this weakness?
To be safe, one must restrict output on the LAN interface to the Tor process. I'm not sure whether Tails does that by default.
I don't know either, but the web browser in Tails is Tor Browser which has webrtc disabled by default.
Yes, this is largely the browser's problem. Because all available uplinks are available. Tor browser doesn't leak, because WebRTC is blocked. But other browsers with WebRTC enabled will leak with a standard Tor setup.

However, using Whonix for Tor, even if you install a random browser with WebRTC enabled, there is no WebRTC leak. Because the workstation VM has no Internet access except through Tor. The gateway VM is not a router. There is no forwarding, and it's firewalled. It just exposes Tor ports to a private internal network, for the workstation VM.

And one can do the same for VPNs, using pfSense VMs as VPN gateways. Apps in workspace VMs have no Internet access except through the VPN client running in the gateway VM.

I tried some of the leak tests here, it seems to leak my NAT address not my nearest public IP? Can anyone chime in?
It's not even the local ip of your home network. It's the ip of the tunnel interface. I don't know how this can be misused. It's only on firefox though. On chromium, it just shows 0.0.0.0 instead.
Yes that's exactly what I see. This seems to me to be a non-issue but perhaps other configurations and VPNs behave differently? I was using my phone into my home router with OpenVPN and it showed my VPN assigned NAT address 10.x.x.x ...
This is why when I actually do anything with tor it's always curl -H ""

Using something as complex as firefox for anything important is just stupid.

Or just use Whonix. Or better, Whonix in Qubes.
Why -H ""? AFAICT, it doesn't do anything.
> Update: Can confirm Firefox Quantum with SOCKS proxy leaks the address. Oh dear!

Did you file a bug report?

I searched for one and found some that seem to be related. Will file one today and also work on a fix, since it appears this is known from a long time and nobody has bothered to provide even a simple fix.
Cool, can you link the report here when you do?
I am so annoyed with this. It feels like every advance in web browser technology takes away as much as it gives. Some days, it feels like the web was better back in the HTML4 days.

Can't wait to see how WebAssembly will be used against us.

Just wait till you get a load of content rendering engines being written in (dynamicly re-obfuscated) web assembly and rendered via canvas, so users are totally locked out of modifying content loaded into them or blocking ads.

This is already being worked on.

It's being fought before it's even fully grown.

Computer vision adblockers are also being worked on.

A sad and stupid zero-sum game wasting both talent and electricity.
Any links to that? What kind of enemies of mankind are working on this? Advertisers again?
The weird thing for me is I'm on Firefox on my Mac and I ran all those tests and it said WebRTC is enabled, but never gave my actual factual IP address. I'm running Private Internet Access which they claim is vulnerable... So I'm not sure whose doing that test but they might have their settings a bit jacked up? If you have Private Internet Access there is an "Advanced Settings" panel where you can click on "IPv6 leak protection" it disabled IPv6 while using the VPN, seems to have been enough to fool these leak tests.
It seems Firefox has resigned to some sort of role as 'token' competition to Chrome.

Most of its actions seem inexplicable and counterproductive when strong privacy and user protection should be their reason to exist and keep a dedicated user base.

The bigger problem is exploding complexity in many areas is a huge concern for open source as it's becoming increasingly impossible for small teams to implement or come up with alternatives. This is going to reduce meaningful choice and leave users at the mercy of a mix of corporate or vested interests.

This has been known for a long long time, but keeps coming up in articles as a new finding.
Use the VPN on your gateway / router, problem solved.
VPN isn't leaking anything, your browser is.

A) Don't run javascript

B) Config your firewall to block everything except connection to the VPN entry point.

just for the record, "B" option is not helping here.
My VPN provider is listed as "vulnerable" but testing with their test site does not show IP leak...
I don't have a need for this high level of security, but if I did, here's what I'd do:

1. Run VPN software on host.

2. Download a widely used, generic VM image.

3. Route VM's entire network connection through host's VPN.

4. Do whatever you need to do, in the VM only.

5. Reset VM to initial settings after each use.

Am I missing anything?

Ahhh why is the scrolling messed up :/
I did find a bit of irony that the page warning about VPNs leaking my IP was hijacking my scrolling.
I think I've started reading suggestions to disable WebRTC at least a couple of years ago in regards to avoid VPN detection from Netflix, so I thought it was a common knowledge.
This is a terminology problem. If you are using a VPN, a browser could not possibly leak your real IP, as all traffic would be encapsulated by the VPN.

What is being described is actually a proxy.

FWIW, various arbitrarily strung together components (your OS, DNS, VPN, Browser, WebRTC) are not going to guarantee anonymity. Simply because it is not their job.

The only possible solution is a piece of software that guarantees end-to-end privacy by literally standing guard at each end (from the moment you connect to your network with your hardware MAC address exposed to the final moment when a web page is retrieved for you from your destiantion website).

Shameless plug: my project proposes to do exactly this. https://qwaitwhat.github.io/

I think it's a bit crazy Chrome web tools/inspector doesn't show these connections easily. You can check out chrome://webrtc-internals but most people just look at the network tab which shows nothing...
For firefox the following in about:config should do the trick.

    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false
    media.peerconnection.video.enabled = false
    media.peerconnection.video.vp9_enabled = false
    media.peerconnection.video.h264_enabled = false
    media.peerconnection.identity.enabled = false
    media.peerconnection.identity.timeout = 1
Just tested this with http://www.ExpressVPN.com client on MacOS and it protected my IPv4 Public IP from being exposed but it does leak the local (NAT) IPv4 Private IP that I use on my internal network.

Not good that it leaked anything but at least the public IP is hidden by their software.

Installing their chrome extension will hide all ips