uBlock-LLC / uBlock

uBlock: a fast, lightweight, and lean blocker for Chrome, Firefox, and Safari.
https://ublock.org/
GNU General Public License v3.0

[Feature Request] Option to block WebRTC #645

Closed HitomiTenshi closed 2 years ago

HitomiTenshi commented 9 years ago

Your project states that µBlock is a general-purpose blocker. WebRTC has recently been discovered to simply uncover real PC IPs, even those that run through a VPN.

You can read the article here: http://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/

I'd be glad if you could add an option for blocking WebRTC. You can test if your browser is vulnerable here: https://diafygi.github.io/webrtc-ips/

Extensions already have been made for this purpose, but I'd like to keep my list of Extensions as short as possible.

gorhill commented 9 years ago

> Extensions already have been made for this purpose

Example(s)?

When I checked, Firefox wasn't able to intercept stun: requests.

Edit: Ok never mind, I see WebRTC Block just removes all WebRTC-related properties from the window object.

HitomiTenshi commented 9 years ago

Yeah, sorry for not mentioning a few examples. I am using WebRTC Block right now. Does removing WebRTC-related properties from the window object actually block the requests? Or do sites still get my real IP?

ScriptSafe is allegedly also able to block WebRTC on Chrome, NoScript does that too on Firefox.

Though in Firefox you can also set media.peerconnection.enabled in about:config to false. That will also disable WebRTC in Firefox.

chrisaljoudi commented 9 years ago

I can't think of any way this would be implemented other than:

The problem is, even if one could intercept requests, any blocker can't determine whether it's malicious or not.

I can't figure out whether it makes sense to work around this vulnerability as part of μBlock (and then remove it once browsers fix this).

rodalpho commented 9 years ago

It absolutely makes sense, as it is a privacy issue. It's easy to disable WebRTC entirely without an extension at all (in Firefox, anyway) but doing so per-domain and per-page would be pretty sweet.

chrisaljoudi commented 9 years ago

@rodalpho sure, I understand. I think the most coherent way of exposing this would be having WebRTC be a request type in Dynamic Filtering.

naisianaisia commented 9 years ago

> Ok never mind, I see WebRTC Block just removes all WebRTC-related properties from the window object.

Turns out it didn't block anything, and the user's real IP was still leaking. Currently the only way to block this in Chrome is with ScriptSafe.

gorhill commented 9 years ago

> Currently the only way to block this in Chrome is with ScriptSafe

It's not ScriptSafe, it's the blocking of scripts. uBlock does that too.

chrisaljoudi commented 9 years ago

I believe this was discussed already, although I'm not quite sure (maybe it was this same issue).

As @gorhill said, ScriptSafe/NoScript/whatever aren't doing anything special. In a sense, the WebRTC issue is a car accident, and ScriptSafe/NoScript are merely preventing you from using a car.

µBlock can do the same thing — you can block 3rd party scripts, inline scripts, all scripts, whatever. That does not solve the underlying problem, however.

You can't intercept WebRTC requests right now. The browsers don't fire the event.

@gorhill is there anything to be done here?

gorhill commented 9 years ago

Doing what uMatrix does to spoof navigator: to spoof WebRTC into becoming a noop.
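
A sketch of the no-op spoofing idea from the comment above, added here as an illustration; it is not part of the thread and is not uBlock or uMatrix code. The names `WEBRTC_GLOBALS`, `NoopPeerConnection` and `neutralizeWebRTC` are hypothetical, and it assumes the script is injected into the page's own context at document start.

```javascript
// Added illustration; WEBRTC_GLOBALS, NoopPeerConnection and neutralizeWebRTC
// are hypothetical names, not uBlock or uMatrix code.
const WEBRTC_GLOBALS = [
  'RTCPeerConnection',
  'webkitRTCPeerConnection', // Chrome's prefixed name
  'mozRTCPeerConnection',    // Firefox's prefixed name
];

// Accepts the usual constructor arguments (including iceServers) and ignores
// them, so no STUN request is made and no ICE candidate is ever gathered.
function NoopPeerConnection() {
  this.localDescription = null;
  this.remoteDescription = null;
  this.iceGatheringState = 'new';
  this.signalingState = 'closed';
  this.onicecandidate = null; // never invoked
}
const refuse = () => Promise.reject(new Error('WebRTC is disabled'));
Object.assign(NoopPeerConnection.prototype, {
  createOffer: refuse,
  createAnswer: refuse,
  setLocalDescription: refuse,
  setRemoteDescription: refuse,
  addIceCandidate: refuse,
  createDataChannel() { throw new Error('WebRTC is disabled'); },
  addEventListener() {},
  removeEventListener() {},
  close() {},
});

// Replace each constructor the window exposes and lock the property.
// Names the browser does not define are left absent so feature detection
// in page scripts stays consistent. Returns the names that were replaced.
function neutralizeWebRTC(win) {
  const replaced = [];
  for (const name of WEBRTC_GLOBALS) {
    if (!(name in win)) continue;
    Object.defineProperty(win, name, {
      value: NoopPeerConnection,
      writable: false,
      configurable: false,
      enumerable: false,
    });
    replaced.push(name);
  }
  return replaced;
}

// Assumption: this runs as a document-start script in every frame, before any
// page script can take a reference to the real constructor.
if (typeof window !== 'undefined') neutralizeWebRTC(window);
```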

TheRyuu commented 9 years ago

See my comment in the uMatrix issue: https://github.com/gorhill/uMatrix/issues/124#issuecomment-74095130