Weary drone, o how thou art a filthy procrastinator, wallowing in thy pit of despair and self-pity. Cast aside thy trepidation — the time to embrace the VPN is nigh! What I’m half-jokingly suggesting is: stop procrastinating and grab yourself a VPN already. Security doesn’t have to fall to chance, especially not in this day and age, where information costs money and we don’t see a dime of the market data we generate! We’ve already outlined in great detail the VPN’s monumental security benefits and easy set-up procedure. Assuming security is something you take seriously, there’s another facet of the VPN to consider: a recently discovered security flaw can reveal your real IP, even if you’re using the VPN.
In theory, the situation appears far worse than it actually is, tossing the entire notion of the VPN as a secure and necessary tool on its head. In practice, resolving the issue is as simple as disabling a specific script in your browser and altering a few settings on your router. But first, let’s backtrack a moment and take a closer look at what we’re dealing with.
First documented on GitHub by developer Daniel Roseler, the security flaw in question takes advantage of the WebRTC (Web Real Time Communication) feature that’s built into most browsers, and uses it to reveal the user’s true IP address, even if connected to a VPN; as you well know, an IP address is enough of a breadcrumb trail to zero in on your location. Fortunately, the vulnerability is browser-based, but it may very well extend to any application that leverages web pages as well.
According to Roseler, the process works as follows:
“Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a user’s local and public IP addresses in javascript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”
How to test if your VPN is affected
1.) First, find out what your current IP address is and jot it down. It’s easily obtained by googling “IP address,” visiting whatismyip.com, or opening the Command Prompt on Windows and typing “ipconfig.” Alternatively, if you’re a Mac user, open the Terminal app and type “ifconfig.” Any of these methods work.
2.) Next, log in to your VPN and select an international exit server.
3.) Go to “whatismyip.com” and verify that the IP address displayed corresponds to your VPN and the country of the exit server selected.
4.) Visit Roseler's WebRTC test page and document the IP address listed on the page.
If both tools (whatismyipaddress.com and Roseler’s WebRTC test) show the VPN’s IP, then you’re in the clear. But if whatismyipaddress.com shows the VPN and Roseler’s WebRTC test shows your personal IP, then the real IP is bypassing the VPN and leaking through. In the event that your situation falls under the latter, fret not; the two methods below will help you easily disable WebRTC.
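The comparison in steps 1 to 4 can be automated once you have the ICE candidate lines a browser's WebRTC stack produced. The following is an added example, not code from the original article or from Roseler's demo; the function names and verdict labels are assumptions, the sample lines are constructed from documentation address ranges, and only IPv4 is classified.

```javascript
// Added example: interpret WebRTC ICE candidate lines against the IPs noted in steps 1 and 3.
// Function names, verdict labels and sample data are assumptions for illustration; IPv4 only.

// Pull the connection address and candidate type out of one ICE candidate line.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line.trim());
  return m ? { address: m[1], type: m[2] } : null;
}

// true = RFC 1918 / loopback / link-local, false = public, null = not an IPv4 literal.
function isPrivateIPv4(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const [a, b, c, d] = ip.split('.').map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return null;
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// realIp: address noted before connecting (step 1); vpnIp: address seen through the VPN (step 3).
function assessLeak(candidateLines, realIp, vpnIp) {
  const findings = [];
  for (const line of candidateLines) {
    const cand = parseCandidate(line);
    if (!cand) continue; // skip anything that is not a candidate line
    const priv = isPrivateIPv4(cand.address);
    let verdict;
    if (cand.address.endsWith('.local')) verdict = 'mdns-hidden'; // browser masked the host address
    else if (cand.address === vpnIp) verdict = 'vpn-exit';
    else if (cand.address === realIp) verdict = 'real-ip-leak';
    else if (priv === true) verdict = 'local-address';
    else if (priv === false) verdict = 'other-public'; // public, but neither noted address
    else verdict = 'unclassified'; // IPv6 or malformed: out of scope here
    findings.push({ ...cand, verdict });
  }
  const leaking = findings.some((f) => f.verdict === 'real-ip-leak' || f.verdict === 'other-public');
  return { leaking, findings };
}

// Constructed sample (documentation address ranges), shaped like lines a browser emits.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.23 51234 typ srflx raddr 192.168.1.20 rport 51234',
  'candidate:3 1 udp 2122194687 10.8.0.6 51235 typ host',
  'candidate:4 1 udp 1685987071 203.0.113.50 51235 typ srflx raddr 10.8.0.6 rport 51235',
  'candidate:5 1 udp 2113937151 1f0c2b7e-5a3d-4e8b-9c1a-7d2e6f4b8a90.local 51236 typ host',
];

const report = assessLeak(SAMPLE, '198.51.100.23', '203.0.113.50');
console.log(report.leaking, report.findings.map((f) => `${f.address}: ${f.verdict}`));
```

A `local-address` verdict means the browser exposed a LAN or tunnel address to the page, which is separate from the public-IP leak the test above looks for.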
Solution one
Arguably the simpler of the two solutions sees us disabling WebRTC in our favorite browser. Take note: while Firefox, Chrome, and Opera have WebRTC enabled by default, Internet Explorer and Safari do not. Nonetheless, your browser may still be affected if the test above yields unsatisfactory results.
For Firefox, users may either install the “Disable WebRTC” add-on from Mozilla Add-ons, or disable WebRTC directly by opening a tab, typing “about:config” in the address bar, then finding the “media.peerconnection.enabled” setting and setting it to false. Alternatively, they can install NoScript, which automatically disables all scripts from loading. This last method teeters on the brink of overkill, and may wind up backfiring as it makes web browsing a huge inconvenience.
Chrome and Opera users must install the ScriptSafe extension from the Chrome Web Store. It’s not natively available for Opera, but there are conversion methods that’ll do the trick.
Currently, popular pop-up blockers and privacy apps such as AdBlock, Ghostery, and Disconnect don’t inhibit WebRTC, but there’s a high probability they will in the near future.
Solution two
A more permanent solution entails running the VPN at the router level, rather than on a computer-by-computer basis. Not only will this extend the same level of protection and encryption to all the machines in your network, but it will also cover mobile devices connected to the router.
So long as it’s not prohibited by your ISP, running the VPN directly from the router is a relatively simple affair. To do this, begin by accessing your router’s admin page. Next, check the “security” and “connection” options and find the VPN section. Here, you will fill in all the necessary information: the VPN provider’s name, the server hostnames, and your username and password. That’s it.
In the unlikely scenario that the router does not include a VPN section, rest assured, there’s still a workaround. As Lifehacker’s Alan Henry suggests, you may be able to install an open-source router firmware — if your router supports it — such as DD-WRT, OpenWrt, or Tomato. (If the router does not support this, then it may be worthwhile purchasing a new router that does.)
Disclaimer: Bear in mind, disabling WebRTC will wreck many webapps and services reliant on knowing users’ location (until re-enabled), including Google Hangout, Yelp, and most food-ordering apps.
Similarly, installing the VPN at the router level may interfere with viewing region-locked content. For example, if the exit server is situated in a country that blocks Netflix, then you won’t be able to change the IP by merely clicking a few things on your computer; instead, you’ll have to do it via the router’s admin settings every time this occurs. Some may see this as an inconvenience.
In conclusion
While alleviating the WebRTC vulnerability is a straightforward enough process, its simplicity should not downplay its relevance. Meaning, take care of this ASAP.
Source: Lifehacker via GitHub