With the progression of HTML5 WebRTC, browsers are getting ever closer to making pluginless video conferencing a reality. One feature of WebRTC is the ability to discover the local IP addresses of the browsing machine. Does that put us at an increased risk?
Recently I stumbled across Nathan Vander Wilt’s net.ipcalf.com. When opened from a relatively new version of Chrome or Firefox, your computer’s local IP addresses should present themselves.
I’ve coded up another example, which attempts to use WebRTC to find your local IPs, and then probe for other live hosts on your network(s).
Others will likely cover the usefulness of these APIs, so I will — for the sake of argument — comment on the tinfoilhat-y perspective. Bear with me.
I know for a fact that some people use multiple browsers on the same PC, in order to separate identities or browsing profiles. These people might browse Reddit’s cute-cat-picture-subreddits with Firefox and the programming subreddits with Chrome. From the web server’s perspective, both browsers will likely have the same public IP address, but their headers, tracking cookies and whatnot will clearly differ.
With the WebRTC local IP discovery technique, those interested in tracking you, be that ad agencies or some spy organization, will be able to make connections between browsers based on a combination of public and local IP. If they for whatever reason can tie an identity to one browser, they will probably assume that the same person is hiding behind the second one.
There’s also a risk that the local IP info can aid in identification across public IPs. Let’s say that you use some VPN service, or Tor, whenever you surf cute cat pictures, but you use the same browser. EFF’s Panopticlick tells the story of how each browser is pretty much unique, based on HTTP header fingerprinting and so forth. Add local IP addresses, or even just the local subnets (which stay stable across DHCP lease renewals), and your browser / PC is even more unique. And by unique, I mean trackable.
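To make the discovery and fingerprinting points above concrete, here is an added example (not code from the original post or from net.ipcalf.com) that classifies the ICE candidate strings a WebRTC peer connection hands to the page, the same way a leak check would, and collects the /24 subnets a tracker could record. The candidate strings are constructed samples; the RFC 1918 ranges and the `candidate:` line layout are standard.

```javascript
// Added example: classify WebRTC ICE candidates; sample input is constructed.
const RFC1918 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function ipv4ToInt(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Network prefix of an IPv4 address, e.g. subnetOf('10.0.8.77', 24) -> '10.0.8.0/24'.
function subnetOf(ip, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const n = (ipv4ToInt(ip) & mask) >>> 0;
  return `${n >>> 24}.${(n >>> 16) & 255}.${(n >>> 8) & 255}.${n & 255}/${bits}`;
}

function isPrivateIPv4(ip) {
  return ipv4ToInt(ip) !== null && RFC1918.some(([net, bits]) => subnetOf(ip, bits) === `${net}/${bits}`);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { address: f[4], port: Number(f[5]), type: f[7] };
}

// What the candidate gives away about the machine behind the browser.
function classifyCandidate(line) {
  const c = parseCandidate(line);
  if (!c) return null;
  c.exposure = c.address.endsWith('.local') ? 'mdns-obfuscated'   // browser substituted an mDNS name
    : isPrivateIPv4(c.address) ? 'local-ip'                        // RFC 1918 LAN address exposed
    : ipv4ToInt(c.address) !== null ? 'public-ip' : 'other';
  return c;
}

// /24 prefixes a page could record; these outlive DHCP lease changes, so subnets
// tighten a fingerprint even when the host address rotates.
function leakedSubnets(lines) {
  const subnets = lines.map(classifyCandidate).filter(c => c && c.exposure === 'local-ip');
  return [...new Set(subnets.map(c => subnetOf(c.address, 24)))].sort();
}

const SAMPLE_CANDIDATES = [ // constructed, not captured from a real browser
  'candidate:1 1 udp 2122260223 192.168.1.23 54387 typ host generation 0',
  'candidate:2 1 udp 2122194687 10.0.8.77 54388 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.5 54387 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2122260223 1f4712db-ea17-4bcf-a596-105139dfd8bf.local 54389 typ host',
];
```

In a browser you would feed `event.candidate.candidate` from an `RTCPeerConnection`'s `onicecandidate` handler into `classifyCandidate`; a result of `mdns-obfuscated` for host candidates means the browser is already hiding the LAN address.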
The chance of your router being remotely exploitable — that is, from your public IP — isn’t huge. It has happened, but it doesn’t happen that often. The chance of there still being some obscure XSS flaw hidden in there somewhere, however, is much greater. So what if this evil page, which has now identified that your router is on 10.0.8.1, and figured out which software it runs, then goes on to exploit one of the XSS vulnerabilities — and adds some evil person as remote admin?
So, yeah, your printer is now part of a botnet, and is routinely DDoS-ing power plants in Iran. Congratulations.
But what does it all mean?
So there are privacy concerns, and the feature can at least make local exploitation easier for an attacker.
On the other hand, there are bigger privacy concerns around today (yes, I’m talking to you, NSA), and from a security perspective, withholding the local IP is arguably security through obscurity.
So I’ll let you lot make up your own minds. My tinfoil hat stays on.