Closed Bug 1126187 Opened 9 years ago Closed 9 years ago

Fingerprinting via IP address

Categories

(Core :: WebRTC: Networking, defect)

Product:
Core
Component:
WebRTC: Networking
Version:
30 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 959893

People

(Reporter: nick, Unassigned)

Details

Not sure what we can do about this, but figured I'd drop it somewhere those with more know how could find:

"Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. _____This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain._____"

[0] https://github.com/diafygi/webrtc-ips#what-this-does
Browser extensions for enhancing privacy for those that want (especially VPN users) are certainly welcome (and I imagine are in Chrome as well).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
This is a good point about STUN (and you could do other stuff with TURN).

CCing MMC so she has context for tracking protection.
We could reopen and cleanly target this at just the STUN plugin/console/etc issue
What would it take for STUN requests to respect nsIContentPolicy.shouldLoad, which is what ABP, etc. use for blocking connections? Seems like if an ad network wants to set up a stun server to abuse this API, we should provide a way to block it.

The console issue seems like an obvious feature request -- but mostly for warning webrtc developers when requests aren't reaching the right endpoint.
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #4)
> What would it take for STUN requests to respect nsIContentPolicy.shouldLoad,
> which is what ABP, etc. use for blocking connections? Seems like if an ad
> network wants to set up a stun server to abuse this API, we should provide a
> way to block it.


I agree. Are the entries there IP addresses, domain names, or both?



> The console issue seems like an obvious feature request -- but mostly for
> warning webrtc developers when requests aren't reaching the right endpoint.
You need to log in before you can comment on or make changes to this bug.