Every time you use a secure channel, like a VPN service or a proxy server to connect to the Internet, you are in danger of exposing your IP addresses due to WebRTC leaks. As soon as this happens, your online anonymity gets compromised.
Fortunately, there are simple solutions for fixing this problem, involving testing and blocking IP leaks, which we will discuss in this article. But first, let’s back up a little to find out what WebRTC is, how it affects your online privacy, and if it can really be kept under control by VPN services.
The mission of WebRTC
Supported by Google, Mozilla, Apple, Microsoft, Opera, and others, WebRTC (Web Real-Time Communication) represents a free and open-source project that facilitates real-time communication between web browsers, mobile apps, and IoT devices. With the help of simple APIs, software developers can create elaborate RTC applications, which exchange information through direct peer-to-peer (P2P) communication and basic protocols for audio and video.
Thanks to P2P support, users no longer have to find, download and install plugins or native apps to take advantage of audio/video functionality when navigating the Internet. On top of that, they benefit from increased speeds and decreased lag time when using certain features, such as live streams, video chats, and file transfers.
Popular examples of applications which use WebRTC are Facebook Messenger, Discord, Amazon Chime, Google Hangouts, Houseparty, and GoToMeeting. Any software developer can implement WebRTC into their projects for free since the native code and complete instructions are available on the official WebRTC website.
The privacy risks of WebRTC
At the beginning of 2015, Daniel Roesler identified security risks involved with WebRTC and exposed them on his GitHub page. Due to WebRTC, web browsers permit requests to STUN servers, which means that your public IP address will be exposed to any remote server that uses WebRTC to establish a line of communication with your web browser. To make matters worse, your local IP addresses are compromised, too.
Thanks to this discovery, VPN providers and security experts have drawn attention to the privacy risks involved with the WebRTC technology. Your IP addresses can be leaked even if you use a powerful VPN service, because WebRTC is controlled by the web browser. A VPN application cannot block WebRTC leaks unless it specifically has permission to change web browser settings, as browser extensions do.
If you come across any VPN service that claims to prevent WebRTC leaks from happening, don’t just take it at face value: dig into the matter a little to see what it’s actually talking about. For example, the ExpressVPN desktop client cannot prevent WebRTC leaks on its own, but it has browser extensions available for Chrome, Firefox and Safari with this functionality (since you give them permission to modify browser settings at install).
How to test for WebRTC leaks
The same person who discovered the WebRTC privacy risks created a simple online tool to help anyone test their web browser for IP leaks. It’s incredibly easy: if your local IP address, public IPv4 and IPv6 addresses are leaked by your browser, they will be displayed on the webpage. Otherwise, if it doesn’t return anything (blanks), then you’re safe.
Perform regular tests to check for WebRTC leaks, especially when your web browser receives major updates. Although we have already established that VPN services cannot prevent your IP addresses from being leaked via WebRTC, the ones that are secure enough can send a fake IP address when responding to the STUN request, thus giving the remote server a false lead. It becomes a foolproof security measure for the case where you have already disabled WebRTC in your web browser but that setting fails out of the blue one day.
In this case, it’s essential to check if your new VPN application is leaking your real or fake IP address. This can be done by following these simple instructions and taking notes:
- Without using a VPN service, visit a website that checks for WebRTC leaks, such as IPLeak, Daniel Roesler’s online tool or WebRTC Leak Test (provides more extensive results)
- Take note of your real IP addresses that are shown on the website
- While having WebRTC enabled in your browser, launch your VPN service, connect to any server, and make sure you have successfully connected
- Visit the same website as before to compare IP addresses: if they are different, then your VPN app is doing an excellent job at protecting your real identity, so you can safely navigate the Internet
- If the IP addresses are the same, your VPN provides poor security and might need help, so take the necessary steps for disabling WebRTC in your web browser (more on this later)
- While having WebRTC enabled in your browser and while connected to a VPN server, visit the same website as before to compare IP addresses again: if they are still the same, then you must switch to a new VPN provider
Note 2: if you have an IPv6 address that cannot be hidden, it’s possible that your VPN service provider hasn’t yet adopted full support for IPv6 addresses, offering protection for IPv4 only. In this case, your only option is to get another VPN app that’s compliant with IPv6.
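The comparison in the steps above can be done mechanically on the ICE candidate lines your own browser produced in each run, as reported by a leak-test page. The following is an added example, not code from this article or from any of the tools it names; the function names are hypothetical and the sample candidate lines are constructed from documentation address ranges.

```javascript
// Added example. Field order follows the ICE candidate attribute (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr>]
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+))?/;
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  return m ? { address: m[1], type: m[2], raddr: m[3] || null } : null;
}

// Coarse address scope; enough to separate LAN addresses from routable ones.
function scope(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // browser-obfuscated host candidate
  if (addr.includes(':')) return /^(f[cd]|fe[89ab])/i.test(addr) ? 'private-v6' : 'public-v6';
  const [a, b] = addr.split('.').map(Number);
  const lan = a === 10 || (a === 172 && b >= 16 && b <= 31) ||
              (a === 192 && b === 168) || (a === 169 && b === 254);
  return lan ? 'private-v4' : 'public-v4';
}

// Every address a set of candidate lines reveals, including srflx base addresses.
function revealed(lines) {
  const seen = new Map();
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    for (const addr of [c.address, c.raddr]) {
      if (addr && addr !== '0.0.0.0') seen.set(addr, scope(addr));
    }
  }
  return seen;
}

// Public addresses seen without the VPN that still show up with the VPN connected.
function findLeaks(baselineLines, vpnLines) {
  const real = revealed(baselineLines);
  return [...revealed(vpnLines)]
    .filter(([addr, s]) => s.startsWith('public') && real.has(addr))
    .map(([address, s]) => ({ address, scope: s }));
}

// Constructed sample data (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32).
const BASELINE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 udp 2122262783 2001:db8::1234 54322 typ host',
];
const WITH_VPN = [
  'candidate:1 1 udp 2122260223 10.8.0.2 40000 typ host',
  'candidate:2 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'candidate:3 1 udp 2122262783 2001:db8::1234 40001 typ host',
];
console.log(findLeaks(BASELINE, WITH_VPN));
```

In the constructed data the public IPv4 address changes once the VPN is connected but the IPv6 address does not, which is the situation the note on IPv6 support describes.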
How to disable WebRTC
The WebRTC vulnerability initially affected only Firefox and Chrome users. This means that it also affects all web browsers based on Firefox and Chromium, such as Opera, Brave, Slimjet, Waterfox, and Pale Moon.
Unfortunately, it’s not currently possible to configure WebRTC at the router in order to disable it for all devices connected to the router. Instead, there are two ways to deactivate WebRTC: by tinkering with the browser’s built-in settings or by installing browser extensions that can do this on your behalf.
Please follow the next steps to successfully deactivate WebRTC on Firefox, Chrome, Safari and Internet Explorer:
It’s easy to deactivate WebRTC in Mozilla Firefox and Firefox-based browsers without having to install special tools, thanks to the fact that Firefox is considered pretty secure as it is.
The following instructions are available for Firefox v60.6.1:
- Launch Firefox, type about:config in the address bar and press Enter (like you would visit a webpage)
- When you receive the message that This might void your warranty!, click I accept the risk! to proceed to the configuration page of Firefox
- Type media.peerconnection.enabled in the search bar and press Enter
- Double-click the media.peerconnection.enabled entry to disable it or right-click to open a menu and select Toggle (Value must be changed from true to false).
However, if you want to occasionally use WebRTC features, then it’s easier to install a browser addon that can be quickly toggled to turn WebRTC on and off. Examples include Disable WebRTC, WebRTC Leak Shield and WebRTC Control. Among many other features, uBlock Origin includes a setting for deactivating WebRTC (available for Firefox, Chromium, and Thunderbird).
Although it’s incredibly user-friendly, Google’s web browser is not exactly top of the line when it comes to privacy. Unlike Firefox, for example, Chrome doesn’t give you the possibility to effortlessly tweak many of its configuration settings, including WebRTC. But it does have some customizable, experimental flags related to WebRTC.
The following instructions are available for Chrome v73.0 as well as other Chromium-based web browsers:
- Launch Chrome, type chrome://flags/#disable-webrtc in the address bar and press Enter (like you would visit a webpage)
- Scroll down until you find WebRTC Stun origin header, then click the box next to it and select Disabled
- Relaunch Chrome to commit the new modifications
A simpler alternative is to install a browser extension. Head over to the Chrome Web Store and enter webrtc as the search term. Examples include WebRTC Network Limiter, WebRTC Control and WebRTC Leak Prevent. The same steps can be taken for all web browsers based on the Chromium engine.
A word of advice, though: as long as a WebRTC toggle option is not clearly supported by Chrome, perform WebRTC leak tests on each web browser update, since you never know when a browser extension will be rendered useless by Google (intentionally or not).
The native web browser of macOS systems comes with a built-in option for deactivating WebRTC, although it takes extra steps compared to what we’ve already been through in this article. But it’s certainly not difficult, and there’s no need to install browser extensions.
The following instructions are available for Safari v11.1.2:
- Launch the web browser, click Safari from the menu bar and open Preferences
- Go to the Advanced tab, tick the Show Develop menu in menu bar box, and exit the Advanced window
- Click the new Develop menu in the menu bar, open the WebRTC submenu, and click Enable Legacy WebRTC API to disable this option (all four settings in the WebRTC submenu should be disabled)
We’re saying “partially” because only the local IP address can be disabled using Microsoft Edge’s integrated preferences. Of course, having your local IP address hidden while your public address is still exposed is useless, since you can be tracked without any issues. But here it goes anyway.
The following instructions are available for Microsoft Edge v44 as well as Internet Explorer:
- Launch Microsoft Edge, type about:flags in the address bar and press Enter (like you would visit a webpage)
- In Developer Settings, locate and tick Hide my local IP address over WebRTC connections to enable this setting
- Restart the web browser to apply the new settings
About changing built-in browser settings and installing addons
The advantage of manually changing settings is that you don’t have to burden the browser by installing plugins, particularly if you already have tons of extensions installed that consume too much browser memory. Also, by following the set-it-and-leave-it rule, you just have to go through the ordeal once and keep WebRTC disabled at all times.
On the other hand, browser extensions mean that you can easily activate and deactivate WebRTC within a couple of mouse clicks. Although our job right now is to present to you the privacy risks of using WebRTC, we cannot ignore what the technology brings to the table when it comes to enhanced real-time communication, so you might want to re-enable it every once in a while to benefit from it (when protecting your privacy is not top priority).
But there’s also a compromise: have one web browser optimized for secure navigation and another for casual Internet browsing. This way, you can get the best of both worlds.
Premium VPN apps with WebRTC protection
The following VPN applications have browser extensions available for Google Chrome and Mozilla Firefox. Coupled with the desktop client, the addons can ensure your full anonymity by disabling WebRTC.
Please keep in mind that it’s necessary to separately download and install the browser addons, in order to benefit from WebRTC protection:
- ExpressVPN: You can download ExpressVPN for Chrome and Firefox. The setting is called “Block WebRTC” and is enabled by default, so you don’t have to change any settings. The ExpressVPN browser extensions cannot be used without first downloading and installing the desktop client (premium subscription).
- NordVPN: You can download NordVPN for Chrome and Firefox. Here, the option is named “Block WebRTC”, too. It’s automatically enabled after installation, so you don’t have to worry about doing this yourself. Although they don’t need you to install the desktop client, the NordVPN browser extensions cannot be used without signing in with a premium account.
- PureVPN: You can download PureVPN for Chrome and Firefox. In this case, the option can be found as “WebRTC Leak Protection”. It’s enabled by default, so you can simply install the extension and leave it like that. However, the PureVPN browser addon cannot be used without signing in with a valid account. On the bright side, users can opt for a 7-day free trial to check the VPN’s features before deciding whether or not to purchase it.
What can be drawn from WebRTC technology is that it cannot be directly controlled by a VPN service. Because it affects the web browser and other applications with web browsing features, it can only be disabled from there, whether you’re configuring browser settings yourself or installing a special extension that has explicit permission to make this modification.
It’s not enough to simply download, install and launch a VPN application to ensure privacy over the Internet. There are more steps that can be taken to improve your security, and disabling WebRTC from your preferred web browser is one of them. But we’d love to hear more tips and tricks from you, so please don’t hesitate to leave us a comment in the section below.