Remove disable WebRTC recommendation

mullvad / browser-extension

Mullvad Browser Extension improves your browsing experience while using Mullvad VPN.

Other

191 stars 15 forks source link

Remove disable WebRTC recommendation #27

Closed ruihildt closed 1 year ago

ruihildt commented 2 years ago

Users are unaware WebRTC disabled is disabled by default which makes some users confused, for example when trying to use Jitsi.

Some ideas to address the issue:

create a list of websites relying on WebRTC and warn users visiting those websites
Detect if a website is using WebRTC (Is it possible?)
Add disabling WebRTC as a recommendation on install and keep it activated by default

Maryse47 commented 2 years ago

Is the intent of blocking webrtc in this addon to prevent users from using webrtc at all or to prevent ip leaks on websites that use webrtc only for nefarious reasons?

The former needs user consent anyway for accessing micro/camera and if someone wants to use webrtc then they would simply disable the addon(?) while for people who don't use webrtc it doesn't matter if functionality is blocked or not.

The latter problem was fixed in firefox long time ago except for windows 7/8. This is the reason addons like ublock stopped blocking webrtc.

ruihildt commented 2 years ago

Thanks for the heads up @Maryse47.

The latter problem was fixed in firefox long time ago except for windows 7/8.

Do you have any documentation or info I could look into?

Maryse47 commented 2 years ago

See for example: https://github.com/uBlockOrigin/uBlock-issues/issues/1799#issuecomment-1002992525

https://bugzilla.mozilla.org/show_bug.cgi?id=1588817

https://bugzilla.mozilla.org/show_bug.cgi?id=1544770

G-F-D commented 2 years ago

This “feature” is both very irritating and impacts browser fingerprint. I’d really appreciate for this to be addressed promptly. Even with the “Disable webRTC” recommendation disabled, this extension still sets media.peerconnection.enabled to false every time Firefox is launched, which is not communicated to the user whatsoever. The privacy‐oriented arkenfox user.js setup leaves this set to true because it’s not only unnecessary to disable it and remove functionality when your private IP is not exposed in untrusted scenarios anyway (as discussed above; for instance, Mullvad’s own “Connection Check” page will still show “No WebRTC leaks” even with webRTC enabled), but it affects your browser fingerprint. It’s much more sensible to just leave it enabled so more people share this value in fingerprints while also not barring anyone from accessing any functionality.

ruihildt commented 2 years ago

@G-F-D Thanks for your input, we're planning to remove this recommendation in the next version.

ruihildt commented 1 year ago

After doing an extensive research, we will stop recommending disabling webRTC.

The only webRTC leaks that could happen in Firefox are internal IP addresses (and only if you manually change in about:config the media.peerconnection.ice.obfuscate_host_addresses parameter to false).

We are implementing a webRTC leak check (see #146 ) and will update our guides as well.