Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ipleak.net circumvents WebRTC blocking #1995

Closed
vbagirov opened this issue Nov 3, 2017 · 10 comments

Comments

@vbagirov
Copy link
Member

commented Nov 3, 2017

Steps to reproduce

  1. Enable 'Block WebRTC' in AdGuard's Stealth Mode
  2. Go to https://ipleak.net/

Expected behavior

Screenshot: https://lh4.googleusercontent.com/bkvc_c8tF-IS9HvLOSyDHqjy728sLvlY7gWVBq_Uqcz5Nd6txJUx2_4IdG0eSdyhZkgDwEkyNgLhC38=w1366-h637
### Actual behavior
Screenshot: https://uploads.adguard.com/vbagirovnlvjr.png

Your environment

  • Chrome 61
  • Windows 10, v.1703
  • AdGuard 6.2.433.2167
@ameshkov

This comment has been minimized.

Copy link
Member

commented Nov 3, 2017

@adbuker do you see STUN requests in the filtering log?

@ameshkov ameshkov added this to the 6.2 milestone Nov 7, 2017
@adbuker

This comment has been minimized.

Copy link

commented Nov 7, 2017

yes, I see stun-request in the filtering log and it is blocked as it was by design. As it can be seen from the code, they use onicecandidate handler to get info.

@ameshkov

This comment has been minimized.

Copy link
Member

commented Nov 7, 2017

inspect chrome://webrtc-internals

@adbuker

This comment has been minimized.

Copy link

commented Nov 8, 2017

For establishing a p2p connection between two computers (p1 and p2), you must find out a local IP of the p1 (i.e. the address in the local network), the global IP of the p1's provider and send these IPs to the p2 (and then the same procedure for p2).

It's quite easy to get local IP, but to determine global IP you have to use STUN/TURN servers. The main purpose of such servers is to send back the global IP when a request from the computer behind the NAT-router is received. When the option "Block WebRTC" is enabled, AdGuard blocks such requests (as you can see in the filtering log - https://uploads.adguard.com/buker_mhchu.png), so determining of "your" global IP address will become impossible. Thus, establishing of p2p connection is also impossible.

The IP address of the computer, specified in https://ipleak.net/, is the local IP address only. Therefore, the establishing WebRTC connection cannot be ensured.
Checking "WebRTC - leaks" in the service https://ipleak.net/ is based on checking ONLY the existence of the object, that defines the WebRTC connection (this is the member of WebRTC API and named as RTCPeerConnection). However, the COMPLETENESS of this object (in the sense of the ability to determine the global IP, and thus the possibility of establishing such connection) is not checked.

To sum up, in fact, there is no WebRTC leak in case of "Block WebRTC" option is enabled.

@vbagirov vbagirov added invalid and removed bug stealth mode labels Nov 8, 2017
@vbagirov

This comment has been minimized.

Copy link
Member Author

commented Nov 8, 2017

Closing it then.

@vbagirov vbagirov closed this Nov 8, 2017
@ameshkov ameshkov modified the milestones: 6.2, 6.3 Nov 17, 2017
@ameshkov

This comment has been minimized.

Copy link
Member

commented Nov 17, 2017

Guys, let's keep this open. Public IP is protected indeed, but it does not mean we shouldn't do better with JS. Assigned to v6.3

@ameshkov ameshkov reopened this Nov 17, 2017
@Atavic

This comment has been minimized.

Copy link

commented Nov 24, 2017

@ameshkov

This comment has been minimized.

Copy link
Member

commented Nov 26, 2017

@Atavic both use more or less the same algorithm, so you can observe the same issue on browserleaks

@Atavic

This comment has been minimized.

Copy link

commented Nov 27, 2017

Useless tests, as explained above by @adbuker

@ameshkov ameshkov added stealth mode and removed invalid labels Nov 30, 2017
@adbuker

This comment has been minimized.

Copy link

commented Apr 16, 2018

resolved in adguard-windows/pull-requests/48

@zebrum zebrum closed this Apr 18, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.