WebRTC leakage



  • Hi all, It came to my attention that Vivaldi leaks absolutely all that can be leaked via the WebRTC standard. Now, while there might be certain useful cases to have WebRTC enabled (like when using certain video-conference web services), why in the world have I to expose my private IP and hardware unique IDs to the world all the time? Not to mention that WebRTC can leak the real IP even when using VPNs. Please state what is the stance of Vivaldi on this topic and if the company will provide any way to turn WebRTC off and on at will. [b]Note for all Vivaldi users that don't know what I'm talking about[/b] Check this link: https://www.browserleaks.com/webrtc There you can see all your personal unique information this browser is openly sharing with the planet every time you connect to a website. [i][b][color=#ff0000]If you are not scary/upset about this, you definitely should.[/color][/b][/i] Regards.



  • This is an issue with Chromium, and Vivaldi is built on Chromium. If you're very concerned with privacy and security, I would recommend using Firefox (at least until it gets fixed).



  • Hi @Tiamarth,

    Actually FF suffers from the same issue until you disable WebRTC. However it differs with Chromium (which I really like) in that unlike it in FF you can completely disable the leakage via about:config or installing an Add-on for easier management of those settings.

    I believe it would be nice touch, since Vivaldi is 'a browser for our friends' that it provide an extension to disable WebRTC as well - at least all that can be disable, which isn't every part of WebRTC. You know, friends look after their friends.

    Actually there are a couple of extensions in Chrome/Chromium marketplaces that helps mitigate WebRTC issues but they lack of a proper button to make it easier to switch WebRTC state.



  • I've not changed anything in about:config or disabled WebRTC in Firefox - yet the leak test link you included in your op is not reporting any private data for me. It's only displaying my IP address.


  • Vivaldi Translator

    Anyone concerned with security or reliability should not be using an Alpha product.
    Vivaldi is not ready to replace your main browser, and it will not be ready when it is a Beta product either.

    Expect a reliable and secure product when you see it become a Release Candidate (RC).
    In the mean time feel free to join in and report all the bugs you can find.



  • Well Said Dr.



  • @msxx:

    Actually there are a couple of extensions in Chrome/Chromium marketplaces that helps mitigate WebRTC issues but they lack of a proper button to make it easier to switch WebRTC state.

    uBlock Origin has this feature, although buried behind two clicks:

    [attachment=1889]Untitled-2.png[/attachment]
    Attachments:


  • Moderator

    The developers have it on their screen to disable WebRTC and this is known in bugtracker as VB-3226



  • @Gwen-Dragon:

    The developers have it on their screen to disable WebRTC and this is known in bugtracker as VB-3226

    Thanks. How'd you come by the info?


  • Moderator

    Gwen-Dragon is affiliated with the development team. She has access to data we civilians don't get.



  • Ah, thanks.



  • It is not only webRTC, but Flash, as well, which requires the ability to be Turned Off.



  • Thanks msxx for raising this issue; i've been thinking about raising this issue here for ~a week, but hesitated lest i be accused of belonging to the tinfoil hat brigade. :ohmy:

    It was only about a week'ish ago that i discovered this thing called WebRTC wrt its security/privacy implications. At the same time i also discovered the HTML5 Canvas Fingerprinting problem. Both these things utterly shocked me. As a direct result of these two factors, i stopped using V as my default browser [also fueled by my weariness of constantly fighting its ongoing unpleasant habit of abruptly losing my sessions, thumbnails [tabs & SD], & ongoing incomplete incorporation of extensions [eg, cannot access their options by right-clicking their icons, but only from the extension page; with my preferred-default UI scaling of 80%, extension drop-down menus/GUIs are unusable by truncation & overflow (Ghostery, for example)]. Until V has resolved all those issues i shall continue to love & cherish it dearly, but not return it to default-hood.

    Until V has developed a bit more as said, Slimjet has become my default; x86 version in Win10 x64 VM, & x64 version in my Linux Mint x64 17.2 KDE main OS. I really miss my V's tiled & [sometimes] stackable tabs, my visual tabs, my [sometimes] wonderful SD, my substantial customisability etc of Dear V, & will rush back to it as soon as viable… but in the meantime Slimjet [which i've been trialing for a few months now] has proven very stable &, compared to all the alternatives except V, feature-rich… two BIG FEATURES being its built-in protection [user-selectable] against both WebRTC & HTML5 Canvas Fingerprinting. According to both tests on https://www.browserleaks.com, Slimjet passes with flying colours. In comparison:
    [ol]

    • Vivaldi fails both, natively, but fully passes for WebRTC if that setting is invoked in the uBlock Origin extension.
    • Opera Dev fails both, natively, & only half-passes for WebRTC if that setting is invoked in the uBlock Origin extension [at which whilst it then hides my Local IP Address, it still shows my Public IP Address].
    • Chromium - identical comments as per Opera Dev.

    [/ol]FYI.



  • If your concerned about the above, then this link may interest you:-
    http://thehackernews.com/2015/10/track-online-users.html
    And, are you aware of this one:-
    https://www.epicbrowser.com/
    And This article:-
    http://lifehacker.com/the-best-privacy-and-security-focused-web-browsers-1672758270


  • Moderator

    I (and i think all Vivaldi company) dislike privacy leaks such as WebRTC etc., too.

    Dont fear, privacy issues are at high priority. It will be implemented!
    But dont expect all just in a developer snapshot, a pre Beta software. ;)



  • A question that I have raised elsewhere; Does vivaldi 'call home', in the same
    way that Google Chrome does, thereby, tracking the user?.


  • Moderator

    Collects data about diganostic information browser problems, it does not collect stats about visited webpages or similar. Can be disabled!
    Uses malware database for domains. Can be disabled!

    See vivaldi://settings/privacy



  • Hi all,

    Earlier today I sent an email to contact@ about this very same issue before seeing this post, nice to know they have this issue on the radar.



  • As of SS 1.3.534.3 (Developer Build) dev (64-bit), WebRTC IP leaks are stopped [yay]. The next privacy-breaching item i'd love V to block is HTML5 Canvas Fingerprinting.
    …....................................................................................
    My on-SSD OS = Linux Mint x64 17.3 KDE 4.14.2.


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.